From https://bugzilla.lustre.org/show_bug.cgi?id=18657

In order to prevent clients from incorrectly replaying saved RPC operations after an server failure, it would be desirable to generate a signature of the RPC request on the MDS before replying to the client. The request signature generated on the server would be stored by the client in the saved RPC request that would be sent to the server again in case of recovery, and the signature could be verified by the server after restart to ensure that the RPC is still valid for replay (correct XID for ordering, etc).

Since the client will typically update the RPC request after receiving the server reply (to insert the transno, file layout, etc.), the MDS needs to "preformat" the RPC request in the same way that the client will later send it for replay before generating the signature.

Since only the server will need to generate and verify the RPC signature, it does not need to use a public-key signature, it may be enough to generate a local key periodically that is persistently stored on the target, and the prior key should be kept for a few minutes (subject to XID aging limitations, LU-3290) to ensure that a server crash shortly after key generation does not prevent slightly older RPCs from being replayed.

This would also require the changes from Simplified Interoperability (LU-5703 has an old presentation on this) to allow clients to reopen files on the MDS by FID instead of RPC replay, so that these long-lived open RPCs do not need to be saved explicitly on the client for every open file handle, and do not the exact RPC format for replay, which may not work with older servers and reduces memory usage.