IETF Logo Mail Archive

Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review

Benjamin Kaduk <kaduk@MIT.EDU> Mon, 04 August 2014 17:22 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 771411A0026; Mon, 4 Aug 2014 10:22:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N-i8i8-2BhNL; Mon, 4 Aug 2014 10:22:29 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA9871A0019; Mon, 4 Aug 2014 10:22:28 -0700 (PDT)
X-AuditID: 12074423-f79bf6d000007580-ac-53dfc153b874
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 2B.6C.30080.351CFD35; Mon, 4 Aug 2014 13:22:27 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id s74HMQ4r020488; Mon, 4 Aug 2014 13:22:26 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s74HMMQn008194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 4 Aug 2014 13:22:25 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s74HMMtY023324; Mon, 4 Aug 2014 13:22:22 -0400 (EDT)
Date: Mon, 04 Aug 2014 13:22:22 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <20140804154746.GE3579@localhost>
Message-ID: <alpine.GSO.1.10.1408041314180.21571@multics.mit.edu>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <alpine.GSO.1.10.1407301239260.21571@multics.mit.edu> <20140801224505.GB3579@localhost> <alpine.GSO.1.10.1408030123160.21571@multics.mit.edu> <20140804154746.GE3579@localhost>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrDIsWRmVeSWpSXmKPExsUixG6noht88H6wwc4/+hZHN69isZj9/hGr xalrR9gspi+ycmDxeHnqHKPHkiU/mTxmfPrCFsAcxWWTkpqTWZZapG+XwJVxoOc2U8EdqYqD 7UuZGhj7RbsYOTkkBEwkHj76ywJhi0lcuLeerYuRi0NIYDaTRM+zT+wQzgZGiRl7v0I5B5kk jmx5wQrSIiRQL9G+8BAbiM0ioCWxtn0DWJxNQEVi5puNYHERAU2J6/OWgtnMAmUS3dPawWqE Bdwkml/9YgaxOQX0JGbNawSzeQUcJQ6dXccKsewto8Skzx/AmkUFdCRW75/CAlEkKHFy5hMW iKGWEuf+XGebwCg4C0lqFpLUAkamVYyyKblVurmJmTnFqcm6xcmJeXmpRbpmermZJXqpKaWb GMGB7KK8g/HPQaVDjAIcjEo8vAJq94OFWBPLiitzDzFKcjApifJq7AUK8SXlp1RmJBZnxBeV 5qQWH2KU4GBWEuGtOwCU401JrKxKLcqHSUlzsCiJ8761tgoWEkhPLEnNTk0tSC2CycpwcChJ 8AaBNAoWpaanVqRl5pQgpJk4OEGG8wANVwIbXlyQmFucmQ6RP8WoKCXOOwEkIQCSyCjNg+uF JZpXjOJArwjzWoJU8QCTFFz3K6DBTECDzXTABpckIqSkGhj7jvQrdzxMMdkzNVis83pVl/ay OpYVxxPm79y0dPXFiBfzubuWfZy92bvwjJeXq6j7CpZDzvW7T+1TLk997v7rXpCr4xlrladV +5au0mA1X3LLvuGM/Y1z2Qyv7jD3aLQ2W+568cXrrXHQCrHla5r+ftbSObdFVvXjX+dgnsYd h2VcIgrdpP8psRRnJBpqMRcVJwIApI1PLw8DAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/Oi6kUJzTJ7E81WaXLUhojs7jlYk
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Aug 2014 17:22:33 -0000

On Mon, 4 Aug 2014, Nico Williams wrote:

> On Sun, Aug 03, 2014 at 01:47:06AM -0400, Benjamin Kaduk wrote:
>> On Fri, 1 Aug 2014, Nico Williams wrote:
>>>> ---
>>> [...]
>>
>> I don't think it's quite that cut-and-dried, as I can see cases
>> where the client should be able to make non-critical requests, but
>> also cases where the client should ask the server to fail the RPC if
>> the request is not fulfillable.
>
> Then you're proposing that criticality be described for the other cases
> where it's provided, correct?  I agree.

I think so?  I'm not sure I understand exactly what you're saying.
The main thing I'm saying is that we define a critical bit for all types 
of rgss3_assertion, but do not specify what to set it to for one branch of 
the rgss3_assertion_u union.  That looks like what you're saying, too.

>>>> In 2.6.1.1, the following text is a little confusing:
>>>>   Thus a server may refuse to
>>>>   grant requested authority to a user acting alone (e.g., via an
>>>>   unprivileged user-space program), or to a client acting alone (e.g.
>>>>   when a client is acting on behalf of a user) but may grant requested
>>>>   authority to a client acting on behalf of a user if the server
>>>>   identifies the user and trusts the client.
>>>>
>>>> It makes more sense when one reads "client" to mean "in-kernel NFS
>>>> client", but would probably be more clear if the "client is acting
>>>
>>> This is tricky.  What's a "client"?  The TCP client?  The physical
>>> hardware running it and the NFS client stack?  The process running the
>>> NFS client?  Does it matter if it's in-kernel or a FUSE process, or some
>>> micro-kernel thing?  For me the only thing that matters is if it has
>>> access to GSS credentials that the server will understand as being a
>>> "client's" as opposed to a "user's".
>>>
>>> Wording this is hard, yes.
>>>
>>>> on behalf of a user" is reworded, possibly to "on behalf of a single
>>>> user, using only that user's credentials).  It looks like the
>>>
>>> That's more verbose!  Yes, we need to distinguish "user with
>>> credentials" from "user without credentials" (since identity assertions
>>> are partly about the latter), but I think that should be clear anyways.
>>
>> Hmm, I was talking about the distinction between "host with
>> credentials" and "host without credentials".  Clearly there is still
>> room for improvement :)
>
> I'm not sure that we can have a "host without credentials" any more
> since anonymous PKINIT (and equivalents for other mechanisms[*])
> suffices for the purpose of protecting the client from the user.

Many krb5 realms do not have PKINIT enabled on the KDC.

> And, obviously, in the case of a user-level, per-user inplementation of
> NFSv4, there's no need for host credentials at all.

Yes.

> The server doesn't need to the client to use compound authentication --
> that's for the client's protection.  But it may demand it in order to
> grant more-than-normal privilege to the user.  Clearly anonymous client
> credentials won't do in that case.  It's fair to expect that the clients
> that should be authorized to have assertions honored must have
> credentials!
>
> [*] The key is that the user must not be able to determine the client's
>    security contexts' session keys, even if the user is in full control
>    of the wire.

Yes.

-Ben

v2.29.0 | Report a Bug | By Email | System Status