Provides better security, telephone support, and privacy protection
Network File System and security
The 2.6 kernel improves the Network File System (NFS) by introducing NFS Version 4 (NFSv4). This new version of NFS provides better security, takes interoperability across different operating systems into account more fully, and reduces the number of daemons a server must run.
The 2.6 kernel's introduction of Network File System Version 4 (NFSv4) brings security and functional improvements not seen in earlier NFS versions. Remote procedure call (RPC) security is implemented using the Generic Security Services (GSS) API, so NFS users can now perform authenticated, protected transactions. The designers also introduced compound requests (combining multiple RPC operations into one call). Fewer RPCs are needed per file system operation, which makes NFS more responsive.
To further reduce NFS overhead, NFSv4 moves file-handle-to-path-name mapping (previously handled by mountd) and byte-range file locking (previously handled by lockd) into the NFS protocol itself, which reduces the number of daemons the server needs. To ease server implementation, NFSv4 introduces an additional file handle type and classifies file and file system attributes. This version also supports server migration and replication, letting clients move between servers seamlessly. Finally, NFSv4 lets the server delegate some cache-state responsibilities to clients where that is needed.
NFS RPC requests can now be authenticated, providing end-to-end NFS security. NFSv4 uses the RPCSEC_GSS framework to extend the basic security of RPC, which lets NFSv4 provide authentication, integrity, and privacy between servers and clients. Security negotiation lets the client securely discover and match the server's security policy, so the needs of both sides are met.
Compound requests are another improvement in the version 4 design. Earlier NFS versions gave the client no way to issue a file system RPC with more complex logic. With a compound request the client can combine LOOKUP, OPEN, and READ operations into a single RPC, so it can read data from a file with one request; older versions required a separate RPC for each of the three operations. Handling compound requests on the server side is straightforward: the server splits the compound into a list of individual operations, executes each in turn until the list ends or an operation fails, and returns the results of all executed operations to the client.
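The server-side compound handling just described, as an added toy model written for this article (not kernel code); the in-memory export, the `Server` class and `compound()` are assumptions for the illustration:

```python
# Added example: a toy model of NFSv4-style compound processing, written for
# this article; it is not kernel code. Operations run in order, processing
# stops at the first failure, and the results of everything executed so far
# (including the failing status) go back to the client in one reply.
NFS4_OK = 0
NFS4ERR_NOENT = 2      # "no such entry"   (numeric values follow RFC 3530)
NFS4ERR_ISDIR = 21     # "is a directory"


class Server:
    def __init__(self):
        # constructed in-memory export: absolute path -> file contents
        self.files = {"/etc/motd": b"welcome", "/etc/hosts": b"127.0.0.1 localhost"}
        self.cfh = None    # the "current filehandle", here simply a path

    def op_putrootfh(self):
        self.cfh = "/"
        return NFS4_OK, None

    def op_lookup(self, name):
        cand = self.cfh.rstrip("/") + "/" + name
        if any(p == cand or p.startswith(cand + "/") for p in self.files):
            self.cfh = cand
            return NFS4_OK, None
        return NFS4ERR_NOENT, None

    def op_open(self):
        return (NFS4_OK, None) if self.cfh in self.files else (NFS4ERR_ISDIR, None)

    def op_read(self, offset, count):
        return NFS4_OK, self.files[self.cfh][offset:offset + count]


def compound(server, ops):
    """Execute ops, a list of (OPNAME, args) tuples, as one compound request.
    Returns [(OPNAME, status, value), ...] for the operations that actually ran."""
    results = []
    for name, args in ops:
        status, value = getattr(server, "op_" + name.lower())(*args)
        results.append((name, status, value))
        if status != NFS4_OK:
            break               # remaining operations are not attempted
    return results


# one request does what three separate RPCs did in older NFS versions
READ_MOTD = [("PUTROOTFH", ()), ("LOOKUP", ("etc",)), ("LOOKUP", ("motd",)),
             ("OPEN", ()), ("READ", (0, 3))]
```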
NFSv4 is further simplified by reducing the number of auxiliary protocols a server must run. With version 4, the NFS code itself can map a file handle to a path name; in older versions this was done by the mountd protocol. The server provides a root file handle that corresponds to the top of the file system tree it exports. The server supports multiple exported file systems by connecting them with a pseudo file system, which hides differences in path names between the real file systems. This change is meant to support a global, hierarchical namespace.
In addition, the new protocol version supports byte-range file locking itself, whereas previous versions used the lockd protocol provided by the Network Lock Manager. The redesigned locking support lets the server maintain file lock state using a lease-based model: the client submits a lock request to the server, and if the lock is granted, the client must renew its lease within the lease period specified by the server. Once the lease expires, the server may release the client's locks. With mountd and lockd no longer needed, the processing overhead of running an NFS server is reduced.
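The lease model above, as an added example written for this article (not kernel code); the `LockServer` class, its return strings and the 90-second lease period are assumptions chosen for the illustration:

```python
# Added example: a lease-based byte-range lock table modelled on the
# description above; it is written for this article and is not kernel code.
# A granted lock starts (or extends) the client's lease; if the client fails
# to renew before the lease period ends, the server may reclaim its locks.
# Time is passed in explicitly so the behaviour is deterministic.
LEASE_SECONDS = 90     # constructed value; each server picks its own period


class LockServer:
    def __init__(self, lease=LEASE_SECONDS):
        self.lease = lease
        self.leases = {}   # client_id -> time at which the lease expires
        self.locks = []    # (client_id, path, start, end) byte ranges, end exclusive

    def _reap(self, now):
        # drop every lock owned by a client whose lease has lapsed
        dead = {c for c, exp in self.leases.items() if exp <= now}
        self.locks = [lk for lk in self.locks if lk[0] not in dead]
        for c in dead:
            del self.leases[c]

    def _conflicts(self, client, path, start, end):
        return any(c != client and p == path and s < end and start < e
                   for c, p, s, e in self.locks)

    def lock(self, client, path, start, end, now):
        self._reap(now)
        if self._conflicts(client, path, start, end):
            return "DENIED"
        self.locks.append((client, path, start, end))
        self.leases[client] = now + self.lease     # grant starts/extends the lease
        return "GRANTED"

    def renew(self, client, now):
        self._reap(now)
        if client not in self.leases:
            return "EXPIRED"   # lease lapsed; the client must re-establish its locks
        self.leases[client] = now + self.lease
        return "RENEWED"

    def holders(self, path, start, end, now):
        self._reap(now)
        return [c for c, p, s, e in self.locks if p == path and s < end and start < e]
```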
The new NFS version also includes improvements that simplify NFS server implementation. Previously a file handle had to remain valid for the whole lifetime of the file system object it referenced, which was difficult for some older NFS server implementations. NFSv4 adds a volatile file handle type to complement the persistent type. With both types available, a server implementation can match the characteristics of the operating system's file system on the server. The client can detect which type of file handle the server provides and handle each type accordingly.
The classification of file and file system attributes is another addition that makes server implementation more convenient. Older NFS versions use a fixed attribute set oriented mainly toward UNIX files and file systems; if a server or client does not support a particular attribute, it has to simulate it as best it can. Version 4 classifies attributes into three categories: mandatory, recommended, and named.
Mandatory attributes are the minimum set of file and file system attributes that a server must provide and describe correctly. Recommended attributes describe different file system types and operating systems, allowing broader coverage and better interoperability between operating systems. Named attributes are byte streams associated with a directory or file and referenced by a string name; client applications can use them to attach application-specific data to a file or file system. This classification scheme gives a simple way to add new attributes without major changes to the protocol.
For better redundancy, NFSv4 supports server-side file system replication and migration. Through a special file system location attribute, the client can query where a file system is located. If the server's file system is replicated for load balancing or similar reasons, the client can obtain all locations of the requested file system and use its own policy to mount and access the most appropriate one. Similarly, if a file system is migrated, the client learns from the error returned when accessing the old location that it must query the new location, and adjusts accordingly.
The last highlight of NFSv4 is that it lets the server delegate some cache-state responsibilities to clients, which is needed to provide true data integrity. With NFSv4 the server can grant a read or write delegation for a specific file. If a client holds a read delegation on a file, no other client may write that file for the duration of the delegation; if a client holds a write delegation, no other client may read or write it. When a client requests a file that is already delegated to another client, a conflict arises and the server may revoke the delegation: it notifies the holder over a callback path between client and server and recalls the delegation. Delegations let a client serve operations from its local NFS cache without interacting with the server in real time, reducing server load and network traffic.
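The delegation conflict and recall rules above, as an added example written for this article (not kernel code); the `DelegationServer` class, its return strings and the recall log are assumptions made for the illustration:

```python
# Added example: read/write delegations with the conflict and recall rules
# described above; written for this article, not kernel code. The callback
# path is modelled as a method that records the recall and takes the
# delegation back; a real server sends a callback RPC and waits for the
# client to flush cached state before the conflicting request proceeds.
class DelegationServer:
    def __init__(self):
        self.delegs = {}    # path -> {client_id: "READ" | "WRITE"}
        self.recalls = []   # (path, client_id) callbacks issued, in order

    def _recall(self, path, client):
        self.recalls.append((path, client))
        self.delegs[path].pop(client)

    def request(self, client, path, kind):
        """Ask for a delegation of `kind` on `path`.
        Returns "GRANTED", or "RECALLED" when conflicting holders were recalled;
        the request is then served without a delegation and may be retried."""
        holders = self.delegs.setdefault(path, {})
        # a WRITE delegation conflicts with any other client; a READ
        # delegation conflicts only with another client's WRITE request
        conflicting = [c for c, k in holders.items()
                       if c != client and (k == "WRITE" or kind == "WRITE")]
        if conflicting:
            for c in conflicting:
                self._recall(path, c)
            return "RECALLED"
        holders[client] = kind      # several readers may hold delegations at once
        return "GRANTED"

    def holders(self, path):
        return dict(self.delegs.get(path, {}))
```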
TCP improvement
The Stream Control Transmission Protocol (SCTP) is a new transport layer protocol added in the 2.6 kernel. In addition to the features of the Transmission Control Protocol (TCP), SCTP provides extra features for telephony, data communication, and high-availability applications.
SCTP provides functions similar to TCP: it ensures error-free, sequenced data delivery and establishes a session-oriented, end-to-end connection between two endpoints for the duration of the transfer. However, SCTP also provides features that TCP lacks, such as multi-streaming and multi-homing, which are crucial for tasks such as telephony signalling over IP networks.
Multi-streaming allows data to be divided into multiple independent, sequenced streams, so that a lost message in one stream affects only that stream and not the others. SCTP is message-oriented (TCP is byte-oriented): it preserves message boundaries and supports multiple data streams. With TCP's single-stream model, a lost or out-of-order message adds latency, because TCP must hold data back from the application layer until the correct sequence is restored. This delay hurts applications that do not need strict message ordering, such as telephony signalling or web pages with multimedia content. Telephony signalling needs ordering among messages from the same source (such as the same call), but ordering is not required across other, unrelated messages.
For web pages that contain multimedia objects of different types and sizes, multi-streaming can transmit the content in a partially ordered rather than strictly ordered manner. This flexibility improves the user's experience of the transfer. In addition, because all streams travel within a single SCTP connection, they share a common flow and congestion control mechanism, which reduces the work required at the transport layer.
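The ordering difference described in the two paragraphs above, as an added receiver-side model written for this article (not kernel or SCTP-stack code); the two arrival traces and the `deliver_in_order()` function are constructed for the illustration:

```python
# Added example: a receiver-side model of the ordering behaviour described
# above, written for this article (not kernel or SCTP-stack code). A TCP-like
# receiver has one sequence space, so a gap holds back everything sent after
# it; an SCTP-like receiver keeps a sequence space per stream, so a gap in one
# stream delays only that stream. The arrival traces are constructed.
from collections import defaultdict


def deliver_in_order(arrivals, per_stream):
    """arrivals: (stream_id, seq, payload) tuples in the order they reach the
    receiver. Returns the payloads handed to the application, in order."""
    expected = defaultdict(int)   # next sequence number wanted, per key
    pending = defaultdict(dict)   # out-of-order messages waiting on a gap
    delivered = []
    for sid, seq, payload in arrivals:
        key = sid if per_stream else 0    # one key for all streams == TCP-like
        pending[key][seq] = payload
        while expected[key] in pending[key]:
            delivered.append(pending[key].pop(expected[key]))
            expected[key] += 1
    return delivered


# The sender emits a0 b0 b1 b2 a1 a2 on two streams; b1 is lost on the wire.
# SCTP-like: each stream numbers its own messages.
SCTP_ARRIVALS = [(0, 0, "a0"), (1, 0, "b0"), (1, 2, "b2"), (0, 1, "a1"), (0, 2, "a2")]
# TCP-like: one sequence space in send order (a0=0 b0=1 b1=2 b2=3 a1=4 a2=5).
TCP_ARRIVALS = [(0, 0, "a0"), (1, 1, "b0"), (1, 3, "b2"), (0, 4, "a1"), (0, 5, "a2")]


def stalled(arrivals, per_stream):
    """Payloads that arrived but could not be delivered because of the gap."""
    got = deliver_in_order(arrivals, per_stream)
    return [p for _, _, p in arrivals if p not in got]
```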
Multi-homing is another feature that sets SCTP apart from traditional transport layer protocols. Multi-homing allows a single SCTP endpoint to support multiple IP addresses, providing redundancy when there are multiple routes to the destination. TCP and UDP use single-homed sessions, so if access to the local LAN fails the end system is isolated, and a failure elsewhere in the network causes the session to fail until the IP routing protocols reroute traffic.
Multi-homed SCTP works together with redundant LANs to make local endpoints more reachable. Multiple IP addresses and/or routes with different prefixes, combined with SCTP multi-homing, improve network redundancy. SCTP's multi-homing does not provide network load balancing or sharing; its key purpose is to give applications on SCTP redundant connectivity. SCTP designates one address as the "primary" address and uses it for all data communication. When retransmission is required, data is sent to the alternate addresses to increase the chance of reaching the peer endpoint. When the primary path fails completely, all data is routed via another address. As in standard high-availability setups, a "heartbeat" signal is sent over the failed primary path to determine whether the original connection can be re-established.
IP Security and Compression
Internet Protocol Security (IPSec) is another enhancement in the 2.6 kernel. IPSec provides methods to authenticate and encrypt network communication on LANs and the Internet. In addition to packet encryption, the 2.6 kernel also improves transmission with IP Payload Compression (IPComp). IPComp is a protocol that uses compression and decompression algorithms to improve transmission on slow and/or congested networks.
The 2.6 kernel's introduction of Internet Protocol Security (IPSec) gives users secure transport services at the Internet Protocol (IP) layer. IPSec provides a common solution across the media and applications that together make up the Internet. The 2.6 kernel supports two IPSec mechanisms: Authentication Header (AH) and Encapsulating Security Payload (ESP). Both rely on the authentication algorithms provided by the Cryptographic API included in the 2.6 kernel.
Authentication Header (AH) is an additional header placed directly after the IP header to provide packet authentication. Packet-level authentication lets users be sure that a received packet came from a specific machine and that its content was not altered in transit. This mechanism does not attempt to hide or protect the contents of the packet. Main features provided by AH
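The authenticate-but-do-not-hide property of AH described above, as an added example written for this article (not kernel or IPsec-stack code); the key, SPI, the omission of the outer IP header from the MAC input and the helper names are assumptions made for the illustration:

```python
# Added example: an AH-style integrity check written for this article; it is
# not kernel or IPsec-stack code. The ICV is an HMAC computed over the AH
# header (with the ICV field zeroed) and the payload; the payload itself stays
# in the clear, so any observer can read it, but any change is detected.
# Real AH also covers the outer IP header with its mutable fields zeroed;
# that part is left out here. The key and SPI are constructed values.
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # in IPsec this comes from the security association
ICV_LEN = 12                    # 96-bit truncated MAC, as HMAC-SHA1-96 uses
AH_FIXED = 12                   # Next Header, Payload Len, Reserved, SPI, Sequence


def _icv(hdr, payload):
    return hmac.new(KEY, hdr + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(spi, seq, payload, next_header=6):
    """Prefix payload with an AH header; Payload Len is in 32-bit words minus 2."""
    hdr = struct.pack("!BBHII", next_header, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq)
    return hdr + _icv(hdr, payload) + payload


def ah_verify(packet):
    """Return (authentic, payload). The payload is returned either way to show
    that AH hides nothing; a real stack discards a packet that fails the check."""
    hdr = packet[:AH_FIXED]
    icv = packet[AH_FIXED:AH_FIXED + ICV_LEN]
    payload = packet[AH_FIXED + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(hdr, payload)), payload


def tamper(packet, index):
    """Flip one bit at `index`, as an on-path modification would."""
    b = bytearray(packet)
    b[index] ^= 0x01
    return bytes(b)
```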