IETF Logo Mail Archive

Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review

"Adamson, Andy" <William.Adamson@netapp.com> Mon, 04 August 2014 20:41 UTC

Return-Path: <William.Adamson@netapp.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C1E91A0313; Mon, 4 Aug 2014 13:41:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uhga9xj9msCM; Mon, 4 Aug 2014 13:41:51 -0700 (PDT)
Received: from mx1.netapp.com (mx1.netapp.com [216.240.18.38]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CDF81A02F4; Mon, 4 Aug 2014 13:41:51 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.01,800,1400050800"; d="scan'208";a="337422793"
Received: from vmwexceht01-prd.hq.netapp.com ([10.106.76.239]) by mx1-out.netapp.com with ESMTP; 04 Aug 2014 13:41:52 -0700
Received: from HIOEXCMBX02-PRD.hq.netapp.com (10.122.105.35) by vmwexceht01-prd.hq.netapp.com (10.106.76.239) with Microsoft SMTP Server (TLS) id 14.3.123.3; Mon, 4 Aug 2014 13:41:48 -0700
Received: from HIOEXCMBX03-PRD.hq.netapp.com (10.122.105.36) by hioexcmbx02-prd.hq.netapp.com (10.122.105.35) with Microsoft SMTP Server (TLS) id 15.0.913.22; Mon, 4 Aug 2014 13:41:47 -0700
Received: from HIOEXCMBX03-PRD.hq.netapp.com ([::1]) by hioexcmbx03-prd.hq.netapp.com ([fe80::6112:44a3:1946:292f%21]) with mapi id 15.00.0913.011; Mon, 4 Aug 2014 13:41:47 -0700
From: "Adamson, Andy" <William.Adamson@netapp.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Thread-Topic: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
Thread-Index: AQHPsCP82UXQ/XAWfUqGp9getM05yZvBXhWA
Date: Mon, 04 Aug 2014 20:41:46 +0000
Message-ID: <A8C15D09-B389-4565-B61A-80C7A15E655E@netapp.com>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <alpine.GSO.1.10.1407301239260.21571@multics.mit.edu> <20140801224505.GB3579@localhost> <DB49D4A2-0EFF-4338-8F15-8459EEEBD5E8@netapp.com> <20140804164406.GK3579@localhost> <alpine.GSO.1.10.1408041411510.21571@multics.mit.edu> <20140804184503.GS3579@localhost> <1C1E7672-8E50-482D-A5B3-8C4E56458BA9@netapp.com> <20140804190715.GW3579@localhost> <alpine.GSO.1.10.1408041631220.21571@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1408041631220.21571@multics.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.1874)
x-originating-ip: [10.122.56.79]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <35638B53FB7D7246BAB0CAE7CA078011@hq.netapp.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/PHekydm9W-UsaZtQ61XbUKeg1w4
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Aug 2014 20:41:53 -0000

On Aug 4, 2014, at 4:37 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:

> On Mon, 4 Aug 2014, Nico Williams wrote:
> 
>> On Mon, Aug 04, 2014 at 06:59:27PM +0000, Adamson, Andy wrote:
>>> On Aug 4, 2014, at 2:45 PM, Nico Williams <nico@cryptonector.com> wrote:
>>>> - v3 (all versions so far) permits the use of any RPCSEC_GSS context
>>>>  handle, whether a v1, v2, or v3 handle.
>>> 
>>> No, multiple handle versions were left behind once we made v3 a proper
>>> superset of v2 (and v1). Only v3 handles allowed in v3.
>> 
>> My idea was that existing code to setup v1 contexts could be left as-is
>> and augmented with code that uses v1 contexts to setup v3 contexts when
>> compound authentication and/or assertions are required.
>> 
>> This would help interop: the client sets up v1 contexts, and if it can't
>> setup v3 contexts, then it either gives up (e.g., if it needs protection
>> for the shared-cache case, or if it has critical assertions to make) or
>> continues and hopes for the best (if it has non-critical assertions to
>> make).
> 
> Section 2.2 currently has:
>   The initiator MUST NOT attempt to use an RPCSEC_GSS handle returned
>   by version 3 of a target with version 1 or version 2 of the same
>   target.  The initiator MUST NOT attempt to use an RPCSEC_GSS handle
>   returned by version 1 or version 2 of a target with version 3 of the
>   same target.
> 
> which does not seem to permit this mixed-version worldview.
> 
> 
>> RPCSEC_GSS_BIND_CHANNEL should be explicitly forbidden on v3 handles,
>> as v3 has a different mechanism for channel binding.  It is listed only
>> for completeness given that v3 is an extension of the earlier versions.
> 
> Section 2.6 currently has:
>   The client MUST use one of the following security services to protect
>   the RPCSEC_GSS_CREATE or RPCSEC_GSS_LIST control message:
> 
>   o  rpc_gss_svc_channel_prot (see RPCSEC_GSSv2 [4])

Yeah - thanks for the review - f rpc_gss_svc_channel_prot should also not be used. I can clean this up.

—>Andy
> 
>   o  rpc_gss_svc_integrity
> 
>   o  rpc_gss_svc_privacy
> 
> which does not match with the quoted statement above (I think is from Nico; copied from a different mail).
> 
> Note that though Section 2.6.1.4 permits rpc_gss_svc_channel_prot to be used by a child RPCSEC_GSSv3 handle that was created with channel bindings, but child handles are forbidden from being used for RPCSEC_GSS_CREATE calls by the last item in section 2 (aka section 2.0)
> 
> -Ben
> 
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

v2.29.0 | Report a Bug | By Email | System Status