>>>>> "rs" == Ragnar Sundblad <ra...@csc.kth.se> writes:
rs> use IPSEC to make IP address spoofing harder.

IPsec with channel binding is win, but not until SAs are offloaded to the NIC and all NICs can do IPsec AES at line rate. Until this happens you need to accept there will be some protocols used on SAN that are not on ``the Internet'' and for which your axiomatic security declarations don't apply, where the relevant features are things like doing the DNS lookup in the proper .rhosts manner and doing uRPF, minimum, and more optimistically stop adding new protocols without IPv6 support, and start adding support for multiple IP stacks / VRFs. If saying ``the only way to do any given thing is twicecrypted kerberized ipsec within dnssec namespaces'' is blocking doing these immediate plaintext things that allow a host to participate in both the internet and a SAN at once, well that's no good either.
_______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss