The new Linux 2.6 kernel offers many improvements over the 2.4 version. One area of technical advancement is in the kernel networking options. Although there are enhancements in most of the files associated with the networking options, this article focuses on major feature improvements and additions that affect entire sections rather than on specific files. Specifically, in this article we will address improvements to the Network File System (NFS) and Internet Protocol Security (IPSec). We will also meet two new members of the TCP/IP protocol family, Stream Control Transmission Protocol (SCTP) and Internet Protocol version 6 (IPv6).

Network File System and security

The 2.6 kernel improves the Network File System (NFS) by including version 4. This new version of NFS has better security, allows for more support across different operating systems, and has a reduced server daemon overhead.

The inclusion of version 4 of the Network File System (NFSv4) into the 2.6 kernel allows for improvements in security and functionality not seen in previous versions of NFS. Users of NFS may now conduct secure transactions using a remote procedure call (RPC) implementation of the General Security Service (GSS) API. Designers also introduced the idea of a compound procedure, which combines multiple RPCs into one call. This combination of calls means that file system operations need fewer RPCs, leading to faster NFS response. Reducing NFS overhead even more, NFS now handles file handle-to-path name mapping and byte range file locking itself, functions that previously required the separate mountd and lockd daemons, which lessens the number of server-side support daemons required. To ease server-side implementations, NFSv4 includes an additional file handle type and provides classifications of file and file system attributes. This new NFS version also includes support for server migration and replication to enable clients to seamlessly change servers when needed.
Finally, NFSv4 now has the ability to allow the server to delegate certain responsibilities to the client in caching situations where this option is desired.

The ability to use cryptographic authentication for NFS RPC requests provides support for end-to-end NFS security. NFSv4 uses the RPCSEC_GSS framework to extend the basic security of RPC. This security framework allows NFSv4 to provide mechanisms for authentication, integrity, and privacy between clients and servers. Clients also have the ability to query servers about their security policies with respect to which mechanisms must be used for access. This in-band security negotiation allows the client to securely match the server's security policy to the mechanism that meets both client and server requirements.

Compound procedures are another improvement to NFS included in the version 4 design. Previous versions of NFS did not have a method of allowing clients to build complex logical file system RPCs. By using compound procedures, clients can read data from a file in one request by combining LOOKUP, OPEN, and READ operations in a single RPC request. Older versions of NFS require clients to perform an RPC for each of these three operations. Handling these compound requests on the server side is very simple. The compound request is broken into a list of separate requests by the server. The server iterates through and performs each operation in the list until it reaches the end or fails, and then returns the results of all operations to the client.

NFSv4 introduces further streamlining by reducing the number of non-NFS server protocols required on the server. With version 4, the NFS code is able to map file handles to path names, which the mountd protocol does in older versions. The server provides a root file handle that represents the top of the file system tree exported by the server. The server allows for multiple file systems by attaching them together with pseudo file systems that cover potential gaps in the path names between real file systems. This translates to support for a global hierarchical namespace.

In addition, this new version of the NFS protocol supports byte range file locking, whereas previous versions used the lockd protocol provided by the Network Lock Manager. The restructuring of file locking support allows the server to maintain the lock state of files using a lease-based model. Basically, clients are required to issue lock requests to the server. If granted, a client must renew its lease within a server-specified lease time. The server may release the client's lock after the lease expires. The elimination of these two protocols, mountd and lockd, reduces the processing overhead for operating an NFS server.

The new version of NFS also contains improvements that provide for easier NFS server implementations. File handle persistence over the lifetime of the file system object it referred to was a difficult requirement to meet for some older NFS server implementations. NFSv4 adds a volatile file handle type, in addition to the persistent file handle type. With these two file handle types, the server implementation can match the abilities of the file system at the server along with the operating system. Clients can know and be prepared for the type of file handles provided by the server and set up operations to handle each.

(Lots more good stuff in here. Read this now! --LS Staff)
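To make the compound-procedure and lease-based locking behaviour described above concrete, here is an added toy model (example code written for this page, not the kernel's NFSv4 implementation). It assumes a 90-second lease, uses plain paths as file handles, and borrows NFSv4 status names; the export contents and client names are constructed.

```python
import time

# Constructed toy model of two NFSv4 server behaviours described above: compound
# requests (ops run in order, stop at the first failure, every result returned)
# and lease-based locks that lapse when not renewed. Status names follow NFSv4;
# the lease length is an assumed value and a "filehandle" here is just a path.
LEASE_SECONDS = 90


class NfsV4Server:
    def __init__(self, files, clock=time.monotonic):
        self.files = files    # path -> bytes, a constructed export
        self.locks = {}       # path -> (client, lease expiry time)
        self.clock = clock    # injectable clock so lease expiry can be simulated

    def lock(self, client, path):
        """Grant a byte-range lock unless another client holds a live lease."""
        owner, expiry = self.locks.get(path, (None, 0))
        if owner not in (None, client) and expiry > self.clock():
            return "NFS4ERR_DENIED"
        # No lock, our own lock, or a lapsed lease: (re)grant with a fresh lease
        self.locks[path] = (client, self.clock() + LEASE_SECONDS)
        return "NFS4_OK"

    def renew(self, client):
        """Lease renewal extends every lock the client holds."""
        for path, (owner, _) in list(self.locks.items()):
            if owner == client:
                self.locks[path] = (client, self.clock() + LEASE_SECONDS)

    def compound(self, client, ops):
        """Run ops in order; stop at the first failure; return all results."""
        results, fh = [], None          # fh: the current filehandle
        for op, arg in ops:
            data = None
            if op == "LOOKUP":
                fh = arg if arg in self.files else None
                status = "NFS4_OK" if fh else "NFS4ERR_NOENT"
            elif fh is None:
                status = "NFS4ERR_NOFILEHANDLE"   # LOCK/READ need a filehandle
            elif op == "LOCK":
                status = self.lock(client, fh)
            elif op == "READ":
                status, data = "NFS4_OK", self.files[fh]
            else:
                status = "NFS4ERR_NOTSUPP"
            results.append((op, status, data))
            if status != "NFS4_OK":
                break                       # remaining ops are not attempted
        return results
```

A second client's LOCK inside a compound fails with NFS4ERR_DENIED while the first client's lease is live, and the READ after it is never attempted; once the lease lapses without renewal, the server hands the lock to the next requester.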
Read this full article at IBM DeveloperWorks