9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] Using 9P(2000) in Unix/Linux(/Windows)
@ 2003-05-14  8:57 Anssi Porttikivi
  2003-05-14  9:25 ` boyd, rounin
                   ` (2 more replies)
  0 siblings, 3 replies; 18+ messages in thread
From: Anssi Porttikivi @ 2003-05-14  8:57 UTC (permalink / raw)
  To: 9fans

Linux people and other Unix people don't seem to have too good a choice
for a networked file system available. NFS and Samba/SMB/CIFS are the
regular alternatives in thousands of production networks. They are far
from satisfactory. AFS and other alternatives are not very well known.

What is the state of the art in trying to use 9P within various Unix
variations and even with Microsoft OS's? There might be a window of
opportunity here to make it a new World Wide Way to connect at file
level.

Maybe we need to promote 9P independent from Plan 9?



* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14  8:57 [9fans] Using 9P(2000) in Unix/Linux(/Windows) Anssi Porttikivi
@ 2003-05-14  9:25 ` boyd, rounin
  2003-05-14  9:58   ` Stephen Wynne
  2003-05-14 12:10 ` Russ Cox
  2003-05-14 13:44 ` ron minnich
  2 siblings, 1 reply; 18+ messages in thread
From: boyd, rounin @ 2003-05-14  9:25 UTC (permalink / raw)
  To: 9fans

    http://research.compaq.com/PRL/publications/PRL-Proceedings.html

Roberts Boyd. Ftpnfs : A File system Interface to Ftp, USENIX'93, Cincinnati,
1993.




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14  9:25 ` boyd, rounin
@ 2003-05-14  9:58   ` Stephen Wynne
  2003-05-14 10:12     ` boyd, rounin
  0 siblings, 1 reply; 18+ messages in thread
From: Stephen Wynne @ 2003-05-14  9:58 UTC (permalink / raw)
  To: 9fans

boyd, rounin wrote:
> Roberts Boyd. Ftpnfs : A File system Interface to Ftp, USENIX'93, Cincinnati,
> 1993.

Any relation to AlexFS?
http://www.anarres.org/projects/alex/




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14  9:58   ` Stephen Wynne
@ 2003-05-14 10:12     ` boyd, rounin
  0 siblings, 0 replies; 18+ messages in thread
From: boyd, rounin @ 2003-05-14 10:12 UTC (permalink / raw)
  To: 9fans

> Any relation to AlexFS?

nah, rob showed me ftpfs and i was hooked.  on ultrix you could
write user mode NFS 'servers'.  i knew how bad the protocol was,
having done an NFS kernel port, so i wrote some code, which
'Digital' own ... it proved how bad the protocol really was.




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14  8:57 [9fans] Using 9P(2000) in Unix/Linux(/Windows) Anssi Porttikivi
  2003-05-14  9:25 ` boyd, rounin
@ 2003-05-14 12:10 ` Russ Cox
  2003-05-14 12:29   ` Stephen Wynne
                     ` (2 more replies)
  2003-05-14 13:44 ` ron minnich
  2 siblings, 3 replies; 18+ messages in thread
From: Russ Cox @ 2003-05-14 12:10 UTC (permalink / raw)
  To: 9fans

9P has no chance of taking off in the Unix/Linux world:

* It's not complicated enough (symlinks, hard links, caching,
	exact Unix semantics)
* The model doesn't match the internal kernel structure
	(it's a bad fit with the vnode layer)
* It fixes things that Unix doesn't want to fix (numeric uids)

It might be possible to make a 9P-like protocol for Unix,
but a lot of the nice things about 9P would have to go away.

Russ




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14 12:10 ` Russ Cox
@ 2003-05-14 12:29   ` Stephen Wynne
  2003-05-14 13:47   ` ron minnich
  2003-05-14 15:57   ` boyd, rounin
  2 siblings, 0 replies; 18+ messages in thread
From: Stephen Wynne @ 2003-05-14 12:29 UTC (permalink / raw)
  To: 9fans

Russ Cox wrote:

> * The model doesn't match the internal kernel structure
> 	(it's a bad fit with the vnode layer) ...
> * It fixes things that Unix doesn't want to fix (numeric uids)

The same thing could be said for NFSv4, but it's moving ahead on the server.
The client vnode layer doesn't encourage taking advantage of the optimization
opportunities provided by COMPOUND, from what I understand. But
Kerberos (via GSSAPI) and UTF user/group identifiers are core features.
Of course implementations can't be nearly as simple as 9P in plan9.




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14  8:57 [9fans] Using 9P(2000) in Unix/Linux(/Windows) Anssi Porttikivi
  2003-05-14  9:25 ` boyd, rounin
  2003-05-14 12:10 ` Russ Cox
@ 2003-05-14 13:44 ` ron minnich
  2003-05-15  9:22   ` Anssi Porttikivi
  2 siblings, 1 reply; 18+ messages in thread
From: ron minnich @ 2003-05-14 13:44 UTC (permalink / raw)
  To: 9fans

On Wed, 14 May 2003, Anssi Porttikivi wrote:

> What is the state of the art in trying to use 9P within various Unix
> variations and even with Microsoft OS's? There might be a window of
> opportunity here to make it a new World Wide Way to connect at file
> level.

v9fs (v9fs.sourceforge.net) is a Linux VFS that supports 9p2000 and has
been tested to 1024 client nodes here on the Pink cluster. Greg Watson has
made extensions to Russ Cox's u9fs to make it able to serve that many
machines, and the performance is reasonable (though the mount takes 20
seconds total for 1024 nodes -- although it sometimes takes only 9 seconds
-- I love linux tcp).

I've also used v9fs through ssh connections for secure remote mounts over
various networks.

> Maybe we need to promote 9P independent from Plan 9?

Done, now we just need to get some things fixed (factotum on Linux would
be nice) and convince people to try it.

ron




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14 12:10 ` Russ Cox
  2003-05-14 12:29   ` Stephen Wynne
@ 2003-05-14 13:47   ` ron minnich
  2003-05-14 16:16     ` boyd, rounin
  2003-05-14 15:57   ` boyd, rounin
  2 siblings, 1 reply; 18+ messages in thread
From: ron minnich @ 2003-05-14 13:47 UTC (permalink / raw)
  To: 9fans

On Wed, 14 May 2003, Russ Cox wrote:

> It might be possible to make a 9P-like protocol for Unix,
> but a lot of the nice things about 9P would have to go away.

that's true, many nice things go away. But it's still so much better than
NFS that I like having it.

ron




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14 12:10 ` Russ Cox
  2003-05-14 12:29   ` Stephen Wynne
  2003-05-14 13:47   ` ron minnich
@ 2003-05-14 15:57   ` boyd, rounin
  2003-05-14 17:02     ` ron minnich
  2 siblings, 1 reply; 18+ messages in thread
From: boyd, rounin @ 2003-05-14 15:57 UTC (permalink / raw)
  To: 9fans

> 9P has no chance of taking off in the Unix/Linux world:

it's doable, but is it worth the pain?  the lunix (sic) kernel is 2M SLOC.

sysVr2 was bad enough, but 2M SLOC ... err no ...

all you need is to see how ptrace(2) was implemented and that
proved that linus had never seen the unix [say 7th Ed] kernel.




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14 13:47   ` ron minnich
@ 2003-05-14 16:16     ` boyd, rounin
  0 siblings, 0 replies; 18+ messages in thread
From: boyd, rounin @ 2003-05-14 16:16 UTC (permalink / raw)
  To: 9fans

> that's true, many nice things go away. But it's still so much better than
> NFS that I like having it.

yup, two choices: buckley's and none.




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14 15:57   ` boyd, rounin
@ 2003-05-14 17:02     ` ron minnich
  2003-05-14 17:05       ` boyd, rounin
  0 siblings, 1 reply; 18+ messages in thread
From: ron minnich @ 2003-05-14 17:02 UTC (permalink / raw)
  To: 9fans

On Wed, 14 May 2003, boyd, rounin wrote:

> > 9P has no chance of taking off in the Unix/Linux world:
>
> it's doable, but is it worth the pain?  the lunix (sic) kernel is 2M SLOC.

yes, I think it's worth the pain. If I can kill NFS dead, it's worth the
pain.

Besides, it works already :-)

ron




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14 17:02     ` ron minnich
@ 2003-05-14 17:05       ` boyd, rounin
  0 siblings, 0 replies; 18+ messages in thread
From: boyd, rounin @ 2003-05-14 17:05 UTC (permalink / raw)
  To: 9fans

> Besides, it works already :-)

QED :-)




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-14 13:44 ` ron minnich
@ 2003-05-15  9:22   ` Anssi Porttikivi
  2003-05-15 12:04     ` [9fans] " Jim Choate
  2003-05-15 13:59     ` [9fans] " ron minnich
  0 siblings, 2 replies; 18+ messages in thread
From: Anssi Porttikivi @ 2003-05-15  9:22 UTC (permalink / raw)
  To: 9fans

A practical need I have in mind and which prompted me to ask: when
booting a CD based 'live' Linux (like Knoppix) on an arbitrary PC
machine I'd like to mount my home directory (with all dot filed
settings) securely over the Internet.



* [9fans] Re: Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-15  9:22   ` Anssi Porttikivi
@ 2003-05-15 12:04     ` Jim Choate
  2003-05-15 13:02       ` Dan Cross
  2003-05-15 13:59     ` [9fans] " ron minnich
  1 sibling, 1 reply; 18+ messages in thread
From: Jim Choate @ 2003-05-15 12:04 UTC (permalink / raw)
  To: 9fans; +Cc: hangar18-general


On Thu, 15 May 2003, Anssi Porttikivi wrote:

> A practical need I have in mind and which prompted me to ask: when
> booting a CD based 'live' Linux (like Knoppix) on an arbitrary PC
> machine I'd like to mount my home directory (with all dot filed
> settings) securely over the Internet.

You'll need to create an encrypted tunnel first. Then the mount should
behave normally, except it will be even slower ;)

Since you want to use a CD you'll of course have the problem of making
sure that the keys burned on the CD are well kept. This means no loaning
of the CD to 3rd parties, and burning a separate CD for each node you want
to boot remotely, otherwise you increase the chances of a 'known
plaintext' or 'replay' attack. You could use something similar to kerb to
pass tickets/cert's over the net instead of actual keys. This will help
against replay attacks. These sorts of things usually require sync'ed clocks
or something similar, a secure reliable shared resource (ala clock skew).

Another approach is to use some sort of mod'ed distro (I use Trinux) and a
net-boot (eg bootp or tftp) distro. Then of course you have the 'trusted
computing' problem. If you keep up with the Cypherpunks at all, I believe
Ross Anderson has written a paper on related issues and there is a
conference of some sort coming soon on that sort of topic. Check the
archives, Ross might not be the author. The issue came up within the last
couple of weeks.

These assume that you are booting the machine from the CD.

If instead you simply want to take an existing Linux machine, slap a CD
into a drive, and then open a tunnel and mount the drive; calling that
secure at any point is hopeless with today's technology. The system is
not securable (ie TEMPEST/Van Eck, bus snooping, left behind swap and
malloc fragments with code/data sitting around, regular archival runs,
etc.).

You've got yourself a very! hard problem in the second case.


 --
    ____________________________________________________________________

      We are all interested in the future for that is where you and I
      are going to spend the rest of our lives.

                              Criswell, "Plan 9 from Outer Space"

      ravage@ssz.com                            jchoate@open-forge.org
      www.ssz.com                               www.open-forge.org
    --------------------------------------------------------------------
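
Added example (not part of Jim Choate's message, and not code from Plan 9, Kerberos or v9fs): a simplified sketch of the ticket idea mentioned above, showing why replay protection leans on synced clocks. The server only has to remember authenticators for as long as the clock-skew window lasts. The names make_authenticator, Verifier and MAX_SKEW, the 300-second window and the message layout are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

MAX_SKEW = 300   # assumed tolerance in seconds between client and server clocks
TAG_LEN = 32     # HMAC-SHA256 output size
HDR_LEN = 16     # 8-byte timestamp + 8-byte nonce


def make_authenticator(session_key: bytes, client: str, now: int) -> bytes:
    """Client side: timestamp + random nonce + name, sealed with an HMAC."""
    body = struct.pack(">Q", now) + os.urandom(8) + client.encode()
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


class Verifier:
    """Server side: accepts each authenticator once, inside the skew window."""

    def __init__(self, session_key: bytes, max_skew: int = MAX_SKEW):
        self.key = session_key
        self.max_skew = max_skew
        self.seen = {}  # tag -> last time at which the skew check still accepts it

    def check(self, blob: bytes, now: int) -> str:
        if len(blob) < HDR_LEN + TAG_LEN:
            return "malformed"
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"
        (ts,) = struct.unpack(">Q", body[:8])
        if abs(now - ts) > self.max_skew:
            return "stale"
        # Forget entries the timestamp check alone would already refuse.
        self.seen = {t: exp for t, exp in self.seen.items() if exp >= now}
        if tag in self.seen:
            return "replay"
        self.seen[tag] = ts + self.max_skew
        return "ok"


if __name__ == "__main__":
    key = os.urandom(32)                    # constructed session key
    server = Verifier(key)
    auth = make_authenticator(key, "user@livecd", now=1_000)
    print(server.check(auth, now=1_010))    # first presentation
    print(server.check(auth, now=1_020))    # captured and sent again
    print(server.check(auth, now=1_301))    # sent again after the window
```

Without the timestamp the server would have to remember every authenticator forever; with it, a client whose clock is off by more than the window is refused even though its key is valid.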




* Re: [9fans] Re: Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-15 12:04     ` [9fans] " Jim Choate
@ 2003-05-15 13:02       ` Dan Cross
  2003-05-15 13:08         ` boyd, rounin
  2003-05-15 14:26         ` ron minnich
  0 siblings, 2 replies; 18+ messages in thread
From: Dan Cross @ 2003-05-15 13:02 UTC (permalink / raw)
  To: 9fans

> > A practical need I have in mind and which prompted me to ask: when
> > booting a CD based 'live' Linux (like Knoppix) on an arbitrary PC
> > machine I'd like to mount my home directory (with all dot filed
> > settings) securely over the Internet.
>
> You'll need to create an encrypted tunnel first. Then the mount should
> behave normally, except it will be even slower ;)

Which is why he's interested in the Plan 9 way of doing things; you
kind of get that for free.  Ron's done 9p; the challenge is porting
the Plan 9 authentication module to Linux; otherwise, it does the
things you describe as being necessary for security, without storing
anything locally on the CD (so you can lend it out to your heart's
content).

> These assume that you are booting the machine from the CD.
>
> If instead you simply want to take an existing Linux machine, slap a CD
> into a drive, and then open a tunnel and mount the drive; calling that
> secure at any point is hopeless with today's technology. The system is
> not securable (ie TEMPEST/Van Eck, bus snooping, left behind swap and
> malloc fragments with code/data sitting around, regular archival runs,
> etc.).

Eh?  How does booting your own distribution of Linux protect you from
someone using a van Eck device?

> You've got yourself a very! hard problem in the second case.

The hardware based attacks, yes.  Someone can always hook a logic probe
up to some random computer and look at stuff going into the memory
banks (potentially they can do that after you're done using the
computer and it's been turned off, too).  But, the
crypto/authentication part is a solved problem, just not on the target
platform.  At least the filesystem is there.

	- Dan C.




* Re: [9fans] Re: Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-15 13:02       ` Dan Cross
@ 2003-05-15 13:08         ` boyd, rounin
  2003-05-15 14:26         ` ron minnich
  1 sibling, 0 replies; 18+ messages in thread
From: boyd, rounin @ 2003-05-15 13:08 UTC (permalink / raw)
  To: 9fans

gee, better make sure the window vibrators are on and
you're inside the faraday cage ....




* Re: [9fans] Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-15  9:22   ` Anssi Porttikivi
  2003-05-15 12:04     ` [9fans] " Jim Choate
@ 2003-05-15 13:59     ` ron minnich
  1 sibling, 0 replies; 18+ messages in thread
From: ron minnich @ 2003-05-15 13:59 UTC (permalink / raw)
  To: 9fans

On Thu, 15 May 2003, Anssi Porttikivi wrote:

> A practical need I have in mind and which prompted me to ask: when
> booting a CD based 'live' Linux (like Knoppix) on an arbitrary PC
> machine I'd like to mount my home directory (with all dot filed
> settings) securely over the Internet.

we've done mounts-over-ssh in v9fs, through our firewall. It works, but
the problem is we have no error handling yet. If you lose the connection
for some reason we can't yet unmount the file system in a clean way; and
we don't yet make it possible to recreate the mount (and all the fids
etc.) if you can get the connection back. Error handling for the 'file
server went away' case sucks, basically.

ron




* Re: [9fans] Re: Using 9P(2000) in Unix/Linux(/Windows)
  2003-05-15 13:02       ` Dan Cross
  2003-05-15 13:08         ` boyd, rounin
@ 2003-05-15 14:26         ` ron minnich
  1 sibling, 0 replies; 18+ messages in thread
From: ron minnich @ 2003-05-15 14:26 UTC (permalink / raw)
  To: 9fans

On Thu, 15 May 2003, Dan Cross wrote:

> Which is why he's interested in the Plan 9 way of doing things; you
> kind of get that for free.  Ron's done 9p; the challenge is porting
> the Plan 9 authentication module to Linux; otherwise, it does the
> things you describe as being necessary for security, without storing
> anything locally on the CD (so you can lend it out to your heart's
> content).

A different question. If you have a small CPU module, with no disk, which
has Plan 9 in flash, and the nvram info in #r/nvram, does this get you
closer to being secure than a CD-based linux boot? My assumption has
always been 'yes' but maybe that's not right. I'm just curious what people
think on this one.

Obviously physical tampering and the other modes are open. But if we rule
those out is the box somewhat safer 'in the field' than a linux box? What
can be done to tighten it up further?

I've always figured that Plan 9 has a fundamental advantage in this case.
It's a not-much-examined assumption on my part.

ron



