Re: [Gen-art] Gen-art Telechat review of draft-ietf-nfsv4-rpcsec-gssv3-15

Elwyn Davies <> Fri, 22 January 2016 16:19 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 37B1F1AD364; Fri, 22 Jan 2016 08:19:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DuZAY6dCgIg5; Fri, 22 Jan 2016 08:19:08 -0800 (PST)
Received: from ( [IPv6:2001:8b0:0:30::51bb:1e33]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 80BF41AD356; Fri, 22 Jan 2016 08:19:07 -0800 (PST)
Received: from ([2001:8b0:bf:1:f903:d5f5:684c:8047]) by with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.77) (envelope-from <>) id 1aMeQK-0003ZC-Dt; Fri, 22 Jan 2016 16:19:00 +0000
To: "Adamson, Andy" <>
References: <> <>
From: Elwyn Davies <>
Message-ID: <>
Date: Fri, 22 Jan 2016 16:18:48 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Painless-Spam-Score: -4.0
Archived-At: <>
Cc: General area reviewing team <>, Tom Haynes <>, "" <>
Subject: Re: [Gen-art] Gen-art Telechat review of draft-ietf-nfsv4-rpcsec-gssv3-15
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Jan 2016 16:19:13 -0000

Hi, Andy.

Thanks for the update.

Version 16 is fine by me - all done.

As regards minorversion2, I'm afraid I misunderstood the implications 
(or otherwise) of the discussions of multiple principals.  As you say, 
minorversion2 doesn't use the multiprincipal option.


On 20/01/2016 19:49, Adamson, Andy wrote:
>> On Jan 16, 2016, at 1:15 PM, Elwyn Davies <> wrote:
>> I am the assigned Gen-ART reviewer for this draft. The General Area
>> Review Team (Gen-ART) reviews all IETF documents being processed
>> by the IESG for the IETF Chair. Please wait for direction from your
>> document shepherd or AD before posting a new version of the draft.
>> For more information, please see the FAQ at
>> <>.
>> Document: draft-ietf-nfsv4-rpcsec-gssv3-15.txt
>> Reviewer: Elwyn Davies
>> Review Date: 2016/01/16
>> IETF LC End Date: 2015/12/09
>> IESG Telechat date: 2016/01/21
> Hi Elwyn
> Where can I find the telechat details (time off call and phone #)?
>> Summary: Almost ready.  Thank you for addressing my comments from the last call review.  For the record there are a couple of other points that have been raised elsewhere that need to be addressed.
>> Major issues:
>> s2.7.1/s4: There is a security issue with RPCSEC_GSS_CREATE when multi-principal authentication is required.  See mail [1] below. This may have a (minor) knock-on effect of the NFSv4.2 specification where this is used; as currently specified (draft-ietf-nfsv4-minorversion2-40) use of privacy is already mandated for at least some of the relevant uses of RPCSEC_GSS_CREATE in NFSv4.2 which will mitigate the problem.  I have raised this issue in the Telechat review of the NFSv4.2 draft to ensure that privacy is mandated in *all* relevant cases - and to ensure changes are coordinated.
> NFSv4.2 does not use the multi-principal assertion.
> —>Andy
>> Minor issues:
>> s2.7.1.4: Some refinement of the constraints on the rp_name string marked as 'human readable' would be desirable.
>> Nits/editorial comments:
>> None
>> ========================================
>> [1]
>>> From: Nico Williams <>
>>> Subject: Re: rpcsec-gssv3
>>> Date: January 11, 2016 at 8:01:52 PM EST
>>> To: Benjamin Kaduk <>
>>> Cc: Stephen Farrell <>, "" <>, Spencer Dawkins <>, Martin Stiemerling <>, "Adamson, Andy" <>
>>> On Thu, Jan 07, 2016 at 02:14:01PM -0600, Nico Williams wrote:
>>>> Ok, thanks.  I'll post a write up this Saturday.
>>> Or on Monday.
>>> OK, so, a while back Ben Kaduk noticed that there is a security problem
>>> with the RPCSEC_GSS_CREATE procedure with multi-principal
>>> authentication.
>>> The attack varies from easy to difficult to mount depending on whether
>>> the server implements a global or per-connection GSS context handle
>>> namespace, and whether it assigns them in a way that the attacker can
>>> get a specific context handle number assigned to it.
>>> There are two fixes, the simplest of which is to require that the
>>> RPCSEC_GSS_CREATE procedure be called with privacy protection when using
>>> the multi-principal authentication feature.
>>> To recap how the RPCSEC_GSS_CREATE procedure with multi-principal
>>> authentication feature works, the client first makes a MIC token with a
>>> GSS context that authenticates the user to the server, then it it uses
>>> that MIC in the payload of the RPCSEC_GSS_CREATE procedure. The
>>> RPCSEC_GSS_CREATE procedure is itself protected with a GSS context that
>>> authenticates the client.
>>> The problem is that the data that the user GSS context MICs is
>>> insufficiently strong a statement of intent because it only identifies
>>> the client host GSS context by its RPCSEC_GSS context handle ID and
>>> nothing more.  An attacker that can intercept an RPCSEC_GSS_CREATE
>>> procedure and cause the RPCSEC_GSS context handle to get re-assigned
>>> will be able to steal the victim's identity.
>>> There are a number of solid fixes that fall into two classes:
>>> 1) Add to the data that the user context MICs in order to improve the
>>>    quality of the statement of intent.
>>>    E.g., add the client host principal's name.  Or add a MIC made with
>>>    the client host's GSS context.
>>> 2) Make it so the attacker cannot steal the MIC made with the user GSS
>>>    context.
>>>    E.g., use privacy protection for the RPCSEC_GSS_CREATE procedure,
>>>    thus the MIC made with the user GSS context cannot be obtained by the
>>>    attacker without having the client host's or server's credentials.
>>>    Stephen proposed this.
>>>    (The OpenAFS rxgk protocol uses GSS_Pseudo_random() [RFC4401] to
>>>    similar effect.)
>>> At this stage the simplest thing to do is to require that clients always
>>> use privacy protection for the RPCSEC_GSS_CREATE procedure. Note
>>> that there is nothing that the server can do to prevent this attack if
>>> clients don't use privacy protection for this, but the server should
>>> still reject RPCSEC_GSS_CREATE procedure calls without privacy
>>> protection.  (All of this is only for the multi-principal authentication
>>> case.)
>>> Nico
>>> --