<span style=" font-size:10pt;font-family:sans-serif">There are 3 flavors
of NFS Kerberos (I'm only going to address NFS 4.x):</span><br><span style=" font-size:10pt;font-family:sans-serif">Krb5 - encrypts
authentication</span><br><span style=" font-size:10pt;font-family:sans-serif">Krtbi - encrypts
authentication and provides checksums (reducing man-in-the-middle attacks)</span><br><span style=" font-size:10pt;font-family:sans-serif">Krb5p - End-to-end
encryption with integrity checking</span><br><br><span style=" font-size:10pt;font-family:sans-serif">The Krb5p protocol
provides ultimate security but comes at a cost where all NFS packets will
be encrypted (mount authenticated) and with checksums.   This</span><br><span style=" font-size:10pt;font-family:sans-serif">can add considerable
overhead (for example, using AES-256 is similar to SMB3 signing and sealing).
  There are AES-NI off-loading engines to reduce this</span><br><span style=" font-size:10pt;font-family:sans-serif">overhead.  
So it is not surprising to see significant performance drop when using
Krb5p versus Krb5.</span><br><br><span style=" font-size:10pt;font-family:sans-serif">---</span><br><span style=" font-size:10pt;font-family:sans-serif">Madhav Ponamgi</span><br><span style=" font-size:10pt;font-family:sans-serif">mzp@us.ibm.com</span><br><span style=" font-size:10pt;font-family:sans-serif">(215) 794-6987</span><br><a href="http://www.ibm.biz/FOSDesignEngine"><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>http://www.ibm.biz/FOSDesignEngine</u></span></a><br><a href="https://fileobjectsolutiondesignstudio.ibm.com/"><span style=" font-size:10pt;color:blue;font-family:sans-serif">https://fileobjectsolutiondesignstudio.ibm.com/</span></a><br><span style=" font-size:10pt;font-family:sans-serif">Tech Sales Website:
 w3.ibm.com/w3publisher/ww_storage_tech_sales</span><br><br><br><br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">From:
       </span><span style=" font-size:9pt;font-family:sans-serif">gpfsug-discuss-request@spectrumscale.org</span><br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">To:
       </span><span style=" font-size:9pt;font-family:sans-serif">gpfsug-discuss@spectrumscale.org</span><br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Date:
       </span><span style=" font-size:9pt;font-family:sans-serif">09/20/2021
07:00 AM</span><br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Subject:
       </span><span style=" font-size:9pt;font-family:sans-serif">[EXTERNAL]
gpfsug-discuss Digest, Vol 116, Issue 6</span><br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Sent
by:        </span><span style=" font-size:9pt;font-family:sans-serif">gpfsug-discuss-bounces@spectrumscale.org</span><br><hr noshade><br><br><br><tt><span style=" font-size:10pt">Send gpfsug-discuss mailing list
submissions to<br>                
gpfsug-discuss@spectrumscale.org<br><br>To subscribe or unsubscribe via the World Wide Web, visit<br>                
</span></tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss"><tt><span style=" font-size:10pt">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</span></tt></a><tt><span style=" font-size:10pt"><br>or, via email, send a message with subject or body 'help' to<br>                
gpfsug-discuss-request@spectrumscale.org<br><br>You can reach the person managing the list at<br>                
gpfsug-discuss-owner@spectrumscale.org<br><br>When replying, please edit your Subject line so it is more specific<br>than "Re: Contents of gpfsug-discuss digest..."<br><br><br>Today's Topics:<br><br>   1. nfs krb5p performance (Jon Diprose)<br><br><br>----------------------------------------------------------------------<br><br>Message: 1<br>Date: Mon, 20 Sep 2021 09:58:02 +0000<br>From: Jon Diprose <jon@well.ox.ac.uk><br>To: "gpfsug-discuss@spectrumscale.org"<br>                
<gpfsug-discuss@spectrumscale.org><br>Subject: [gpfsug-discuss] nfs krb5p performance<br>Message-ID:<br>                
<CF41F7F23121954A8E819732615C61257AAE3DDB@exchange01.well.ox.ac.uk><br>Content-Type: text/plain; charset="us-ascii"<br><br>Hello,<br>We have just started using the nfs protocol with SECTYPE=krb5p and are
a little surprised by the performance impact - looks like down to a third
of that of SECTYPE=krb5. Would any of you using krb5p be kind enough to
share your estimates of impact? Not sure if we have a misconfiguration
of setup or expectation.<br>Thanks,<br>Jon<br><br>--<br>Dr. Jonathan Diprose <jon@well.ox.ac.uk>        
    Tel: 01865 287873<br>Research Computing Manager<br>Henry Wellcome Building for Genomic Medicine<br>Roosevelt Drive, Headington, Oxford OX3 7BN<br><br><br>------------------------------<br><br>_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br></span></tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss"><tt><span style=" font-size:10pt">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</span></tt></a><tt><span style=" font-size:10pt"><br><br><br>End of gpfsug-discuss Digest, Vol 116, Issue 6<br>**********************************************<br></span></tt><br><br><BR>
<BR>