Diskless machines and IPSec?
Jeff Welling
jeff.welling at gmail.com
Fri Feb 26 19:55:47 PST 2010
Greetings to all!
I've got a bunch of diskless machines, some running Debian, some running
Ubuntu. They mount their home directories via NFS from my fileserver.
Not too strange of a setup.
I've recently started wondering about how I can secure my network, and
that means securing the NFS exports. After some looking around, it
looks like IPSec is the best bet on securing NFS shares, but the
situation of the machines being diskless complicates things - I tried
setting up a virtual machine as diskless booting from my server and then
set up IPSec on that machine. It didn't turn out well; the poor
diskless machine couldn't communicate with the tftpd to pull the pxe
file it needed.
Sure, I could do IPSec based on ports so that it doesn't use IPSec for
the tftp port, but that's just going to move the same problem to the NFS
port where it's not so easily worked around.
I've considered installing the systems onto USB drives, but that makes
them non-diskless clients with all of the properties therein.
So, I'm wondering, has anyone else toyed with NFSRoot and IPSec?
If anyone else on the list has dealt with securing diskless clients, how
did you go about doing it?
Any comments, thoughts, jokes, and scribbles on napkins will be
appreciated :)
Cheers,
Jeff.