IETF Logo Mail Archive

Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review

Nico Williams <nico@cryptonector.com> Mon, 04 August 2014 16:43 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CCD71A0601; Mon, 4 Aug 2014 09:43:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQNTaI8VLYKx; Mon, 4 Aug 2014 09:43:05 -0700 (PDT)
Received: from homiemail-a103.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 31A001A05F5; Mon, 4 Aug 2014 09:43:05 -0700 (PDT)
Received: from homiemail-a103.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a103.g.dreamhost.com (Postfix) with ESMTP id EE6AA20047B8D; Mon, 4 Aug 2014 09:43:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=qvUWt/s7uFy8pX mmokKhFYo4RFw=; b=THgqrR+w2JexnmQSqtjbKbxYF4gyahAFJD6JHZv907MADx /SxLSzGXazxt1SrSTwILbkmStXFGwJ/87HJvXqhMoVsZlegzH4yluTpZqWGCPwFi 3qZ6mGdM5qSwkAssgi9HBXM00/qMNVoHuPvyVovFErH5Z8MOvUmvhSZNuSf10=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a103.g.dreamhost.com (Postfix) with ESMTPA id 8AE1220047B8C; Mon, 4 Aug 2014 09:43:04 -0700 (PDT)
Date: Mon, 04 Aug 2014 11:43:04 -0500
From: Nico Williams <nico@cryptonector.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Message-ID: <20140804164302.GJ3579@localhost>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <alpine.GSO.1.10.1407301239260.21571@multics.mit.edu> <20140801055401.GA7409@localhost> <8FD0C272-6FD3-44FE-BD3D-BAB220E0FF13@netapp.com> <20140801221535.GA3579@localhost> <20140804160016.GC23341@fieldses.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20140804160016.GC23341@fieldses.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/LyGlA9Q-TPpkOtmXtk234u-VhjM
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Aug 2014 16:43:06 -0000

On Mon, Aug 04, 2014 at 12:00:16PM -0400, J. Bruce Fields wrote:
> On Fri, Aug 01, 2014 at 05:15:36PM -0500, Nico Williams wrote:
> > It was always my intention that traditional (read: multi-user
> > shared-cache) NFS client implementations would just always use
> > "multi-principal" contexts when doing any RPCs on a user's behalf.
> > 
> > That is, addressing the "user can impersonate the server to the client"
> > problem was always my first and foremost goal with this protocol, though
> > I didn't always say so explicitly (since at the time the attack was not
> > well-known, I didn't want to publicize it).
> 
> Oh, that's really helpful to know.

Yeah :(  I mentioned it several times at meetings.  The cat has been
out of the bag for a long time as to the vulnerability for shared-cache
clients, so we might as well state this motivation clearly.

Note that such clients really need server support for this.  The only
other alternative for clients is to not share the NFSv4 cache _at all_,
but this is very difficult for some client architectures.

It's trivial for clients that can do Plan9-style namespace management,
though even then it's critical that when the system does an exec() it
doesn't trust any set-uid/gid bits from an executable's vnode.  I.e.,
it's critical that the cache not be shared even with the privilege
management parts of the system.

Even where cache non-sharing is trivial, cache sharing has significant
resource usage benefits in multi-user systems, therefore it is or can be
highly desirable.  It's worth noting that multi-user systems are
becoming less common, but multiple levels of privilege for a single
user's processes is still likely to be a common situation.

> It'd be great if we could get a paragraph into the draft explaining
> this.  (And also the server-to-server copy stuff, and any other example
> uses.)  It's easier to understand with the motivations.

Yes.

Nico
--

v2.29.0 | Report a Bug | By Email | System Status