>> You can run a cache manager remotely, using the rx protocol.
> And such a setup eliminates any security because anyone can forge IP
> packets and pretend to be the client workstation, yes. Case in point.
I think you're generalizing too much, and being perhaps a bit simplistic.
Running a remote cache manager may not be wise in some circumstances,
but it makes a nice solution when the client is large (e.g., a mainframe)
and not of an architecture that supports AFS natively.
Mainframes, being what they are, don't allow users root access and
generally have enough political clout to justify a unique subnet number.
The private subnet prevents other hosts from imitating the mainframe's
IP conversations, and lack of root access prevents users from attempting
imaginative spoofing techniques. If the authenticating AFS client, the
"remote executor", is physically secured and configured so that it is
protected from remote network access, then shared AFS access by
mainframe users can be made quite secure. For added security, you could
place the AFS executor right next to the mainframe, on the same private
subnet, where you could keep an eye on it, and the router that its