On Wed, 2018-02-21 at 18:24 -0500, William Allen Simpson wrote:
> On 2/21/18 4:51 PM, Jeff Layton wrote:
> > On Wed, 2018-02-21 at 13:40 -0800, Frank Filz wrote:
> > > We could take this opportunity to change the option to RPCBIND...
> > >
> >
> > Fair enough.
> >
>
> I'd support this.
>

Cool, I pushed out an updated patchset that is along these lines.

> > I actually disagree with the "no udp" statement above too. UDP is great
> > for single-shot request protocols like rpcbind, and the NFS client will
> > use it. DDoS is a possibility, but who exposes their rpcbind port to the
> > Internet?
> >
>
> Unfortunately, millions of websites. At one time, portmapper was a
> leading method of DDoS.
>

That's just malpractice. rpcbind really shouldn't be an Internet service
in this day and age.

> Actually, it's *NOT* great. When Ganesha/ntirpc cannot find something,
> it drops back from TCP to UDP. And then tries over and over into the
> void. There's no return signal from UDP.
>
> When the TCP service isn't available, you get a nice RST flag. No need
> for all these retry timeouts that UDP requires.
>

True, but it's a lot less overhead for the cases where it _does_ work.
One roundtrip and that's it.

> UDP turned out to be a security nightmare for NFS. We all remember the
> IP fragmentation DDoS?
>
> That's why we tried (circa 1992) to eliminate IP fragmentation in IPv6.
> Steve Deering was all over this. DNS and NFS were the big culprits,
> and NFS over UDP yields far bigger IP fragment chains than DNS....
>

No question that TCP is generally superior for NFS. You sort of expect
there to be a long-lived association between a NFS client and server
though.

For rpcbind, that's not generally the case. You query it to get the port
and never talk to it again until you need to reconnect a socket (and
often not even then).

> > In any case, the real fix to this issue is to move to protocols that
> > don't require rpcbind at all. That means NFSv4.0 at a minimum (though
> > obviously v4.1+ would be preferred).
> >
>
> Ah, you're speaking to my heart. But we apparently still have a lot
> of UDP downstream, and now FSAL_PROXY.
>
> When will we ever get away from the sins of our fathers, unto the 7th
> generation? Yeccchh.

I do wonder about the use cases that are driving these configurations.
The real question is who really requires v3 these days?

-- 
Jeff Layton <jlay...@redhat.com>
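As an added example (not code from this thread, nor from Ganesha or ntirpc), here is a minimal rpcbind v2 GETPORT client in Python that shows the contrast discussed above: a TCP connect to a port with no listener fails at once on the RST, while the same single-shot query over UDP into a silent port only fails after the whole retry budget has been burned. The function names, the fixed xid and the retry defaults are my own choices; the XDR layout follows RFC 5531 (ONC RPC v2) and RFC 1833 (rpcbind/portmapper v2).

```python
import socket
import struct
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # rpcbind v2 (RFC 1833)
NFS_PROG, NFS_V3, IPPROTO_TCP = 100003, 3, 6
MSG_CALL, MSG_REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0  # ONC RPC v2 (RFC 5531)

def getport_call(xid, prog, vers, proto):
    """XDR-encode a CALL to PMAPPROC_GETPORT with AUTH_NULL cred and verf."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">IIII", 0, 0, 0, 0)            # cred flavor/len, verf flavor/len
    args = struct.pack(">IIII", prog, vers, proto, 0)  # mapping{prog, vers, prot, port=0}
    return hdr + auth + args

def parse_getport_reply(xid, data):
    """Return the port from an accepted SUCCESS reply, None for anything else."""
    try:
        rxid, mtype, reply_stat, _vflavor, vlen = struct.unpack(">IIIII", data[:20])
        off = 20 + ((vlen + 3) & ~3)   # skip the verifier body (XDR pads to 4 bytes)
        accept_stat, port = struct.unpack(">II", data[off:off + 8])
    except struct.error:               # truncated reply
        return None
    ok = rxid == xid and mtype == MSG_REPLY and reply_stat == MSG_ACCEPTED
    return port if ok and accept_stat == SUCCESS else None

def tcp_probe(host, port, timeout=1.0):
    """TCP needs no retry budget: a closed port answers with RST (ECONNREFUSED here)."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"

def udp_getport(host, port, prog=NFS_PROG, vers=NFS_V3, timeout=1.0, retries=3):
    """Query rpcbind over UDP; returns (port or None, datagrams sent).
    Silence cannot be told from loss, so a dead service costs retries * timeout."""
    xid = 0x5a5a0001   # constructed; a real client randomises this per call
    msg = getport_call(xid, prog, vers, IPPROTO_TCP)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for attempt in range(1, retries + 1):
            s.sendto(msg, (host, port))
            try:
                got = parse_getport_reply(xid, s.recvfrom(4096)[0])
            except socket.timeout:
                continue
            if got is not None:
                return got, attempt
    return None, retries
```

Pointing udp_getport at a bound-but-unanswering UDP socket returns (None, retries) only after retries * timeout seconds, whereas tcp_probe against a port with no listener returns "refused" immediately.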