IETF Logo Mail Archive

Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review

"Adamson, Andy" <William.Adamson@netapp.com> Mon, 04 August 2014 20:37 UTC

Return-Path: <William.Adamson@netapp.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 876761A0301; Mon, 4 Aug 2014 13:37:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KeQJkv--dvOB; Mon, 4 Aug 2014 13:37:05 -0700 (PDT)
Received: from mx12.netapp.com (mx12.netapp.com [216.240.18.77]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A289D1A0290; Mon, 4 Aug 2014 13:37:05 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.01,800,1400050800"; d="scan'208";a="179976740"
Received: from vmwexceht03-prd.hq.netapp.com ([10.106.76.241]) by mx12-out.netapp.com with ESMTP; 04 Aug 2014 13:37:06 -0700
Received: from HIOEXCMBX06-PRD.hq.netapp.com (10.122.105.39) by vmwexceht03-prd.hq.netapp.com (10.106.76.241) with Microsoft SMTP Server (TLS) id 14.3.123.3; Mon, 4 Aug 2014 13:37:01 -0700
Received: from HIOEXCMBX03-PRD.hq.netapp.com (10.122.105.36) by hioexcmbx06-prd.hq.netapp.com (10.122.105.39) with Microsoft SMTP Server (TLS) id 15.0.913.22; Mon, 4 Aug 2014 13:37:01 -0700
Received: from HIOEXCMBX03-PRD.hq.netapp.com ([::1]) by hioexcmbx03-prd.hq.netapp.com ([fe80::6112:44a3:1946:292f%21]) with mapi id 15.00.0913.011; Mon, 4 Aug 2014 13:37:01 -0700
From: "Adamson, Andy" <William.Adamson@netapp.com>
To: Nico Williams <nico@cryptonector.com>
Thread-Topic: [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
Thread-Index: AQHPsA/O768gZXx3NUq3zN1fzegP6pvBPaKAgAAEBoCAAAIugIAAGRWA
Date: Mon, 04 Aug 2014 20:37:00 +0000
Message-ID: <2CE95260-F4BE-45EA-A9C1-B0CB603FFC0C@netapp.com>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <alpine.GSO.1.10.1407301239260.21571@multics.mit.edu> <20140801224505.GB3579@localhost> <DB49D4A2-0EFF-4338-8F15-8459EEEBD5E8@netapp.com> <20140804164406.GK3579@localhost> <alpine.GSO.1.10.1408041411510.21571@multics.mit.edu> <20140804184503.GS3579@localhost> <1C1E7672-8E50-482D-A5B3-8C4E56458BA9@netapp.com> <20140804190715.GW3579@localhost>
In-Reply-To: <20140804190715.GW3579@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.1874)
x-originating-ip: [10.122.56.79]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <3286BA72DAB9BC488520893D3A3E2423@hq.netapp.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/KgynUZjX4CSqoBeA6kxfSR6ywIQ
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Aug 2014 20:37:07 -0000

On Aug 4, 2014, at 3:07 PM, Nico Williams <nico@cryptonector.com> wrote:

> On Mon, Aug 04, 2014 at 06:59:27PM +0000, Adamson, Andy wrote:
>> On Aug 4, 2014, at 2:45 PM, Nico Williams <nico@cryptonector.com> wrote:
>>> - v3 (all versions so far) permits the use of any RPCSEC_GSS context
>>>  handle, whether a v1, v2, or v3 handle.
>> 
>> No, multiple handle versions were left behind once we made v3 a proper
>> superset of v2 (and v1). Only v3 handles allowed in v3.
> 
> My idea was that existing code to setup v1 contexts could be left as-is
> and augmented with code that uses v1 contexts to setup v3 contexts when
> compound authentication and/or assertions are required.
> 
> This would help interop: the client sets up v1 contexts, and if it can't
> setup v3 contexts, then it either gives up (e.g., if it needs protection
> for the shared-cache case, or if it has critical assertions to make) or
> continues and hopes for the best (if it has non-critical assertions to
> make).

It’s not a big deal to negotiate GSS version at context initiation, my Linux prototype tries
v3 and falls back to v1 if it fails.
Not worrying about which context version is a win, and simplifies v3.
The new reply verifier is also a plus.

—>Andy
> 
> Nico
> -- 
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

v2.29.0 | Report a Bug | By Email | System Status