Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
Benjamin Kaduk <kaduk@MIT.EDU> Mon, 04 August 2014 20:37 UTC
Date: Mon, 04 Aug 2014 16:37:44 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <20140804190715.GW3579@localhost>
Message-ID: <alpine.GSO.1.10.1408041631220.21571@multics.mit.edu>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <alpine.GSO.1.10.1407301239260.21571@multics.mit.edu> <20140801224505.GB3579@localhost> <DB49D4A2-0EFF-4338-8F15-8459EEEBD5E8@netapp.com> <20140804164406.GK3579@localhost> <alpine.GSO.1.10.1408041411510.21571@multics.mit.edu> <20140804184503.GS3579@localhost> <1C1E7672-8E50-482D-A5B3-8C4E56458BA9@netapp.com> <20140804190715.GW3579@localhost>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/QK_dFmJVg4LOxpu75v0hdjv5xOI
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
On Mon, 4 Aug 2014, Nico Williams wrote:

> On Mon, Aug 04, 2014 at 06:59:27PM +0000, Adamson, Andy wrote:
>> On Aug 4, 2014, at 2:45 PM, Nico Williams <nico@cryptonector.com> wrote:
>>> - v3 (all versions so far) permits the use of any RPCSEC_GSS context
>>> handle, whether a v1, v2, or v3 handle.
>>
>> No, multiple handle versions were left behind once we made v3 a proper
>> superset of v2 (and v1). Only v3 handles allowed in v3.
>
> My idea was that existing code to setup v1 contexts could be left as-is
> and augmented with code that uses v1 contexts to setup v3 contexts when
> compound authentication and/or assertions are required.
>
> This would help interop: the client sets up v1 contexts, and if it can't
> setup v3 contexts, then it either gives up (e.g., if it needs protection
> for the shared-cache case, or if it has critical assertions to make) or
> continues and hopes for the best (if it has non-critical assertions to
> make).

Section 2.2 currently has:

   The initiator MUST NOT attempt to use an RPCSEC_GSS handle returned by
   version 3 of a target with version 1 or version 2 of the same target.
   The initiator MUST NOT attempt to use an RPCSEC_GSS handle returned by
   version 1 or version 2 of a target with version 3 of the same target.

which does not seem to permit this mixed-version worldview.

> RPCSEC_GSS_BIND_CHANNEL should be explicitly forbidden on v3 handles,
> as v3 has a different mechanism for channel binding. It is listed only
> for completeness given that v3 is an extension of the earlier versions.

Section 2.6 currently has:

   The client MUST use one of the following security services to protect
   the RPCSEC_GSS_CREATE or RPCSEC_GSS_LIST control message:

   o rpc_gss_svc_channel_prot (see RPCSEC_GSSv2 [4])
   o rpc_gss_svc_integrity
   o rpc_gss_svc_privacy

which does not match with the quoted statement above (I think it is from
Nico; copied from a different mail).
Note that though Section 2.6.1.4 permits rpc_gss_svc_channel_prot to be
used by a child RPCSEC_GSSv3 handle that was created with channel
bindings, child handles are forbidden from being used for
RPCSEC_GSS_CREATE calls by the last item in section 2 (aka section 2.0).

-Ben
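The two inconsistencies raised in the message above (the Section 2.2 version rule versus the v1-bootstraps-v3 idea, and channel_prot on RPCSEC_GSS_CREATE versus the child-handle ban) can be checked mechanically by encoding the quoted draft text as a target-side acceptance check. This is an added example written for this page, not code from the draft or from any RPCSEC_GSS implementation; the Handle and Request records are constructed for illustration, and the reading that channel_prot is only permitted on a channel-bound child handle follows Ben's reading of Section 2.6.1.4, not separate draft text.

```python
"""Model of the RPCSEC_GSSv3 draft rules quoted in this thread (added example,
not from the draft).  It encodes Section 2.2 (handle/version pairing),
Section 2.6 (services allowed on RPCSEC_GSS_CREATE / RPCSEC_GSS_LIST),
Section 2.6.1.4 (channel_prot on channel-bound child handles, as read
above) and the last item of section 2 (child handles may not CREATE)."""
from dataclasses import dataclass
from typing import Optional

# Security services: rpc_gss_svc_none/integrity/privacy from RPCSEC_GSS v1,
# rpc_gss_svc_channel_prot from RPCSEC_GSSv2.
SVC_NONE = "rpc_gss_svc_none"
SVC_INTEGRITY = "rpc_gss_svc_integrity"
SVC_PRIVACY = "rpc_gss_svc_privacy"
SVC_CHANNEL_PROT = "rpc_gss_svc_channel_prot"
CONTROL_MSGS = {"RPCSEC_GSS_CREATE", "RPCSEC_GSS_LIST"}
CONTROL_SERVICES = {SVC_CHANNEL_PROT, SVC_INTEGRITY, SVC_PRIVACY}  # Section 2.6

@dataclass(frozen=True)
class Handle:
    version: int               # RPCSEC_GSS version of the target that issued it
    is_child: bool = False     # v3 child handle produced by RPCSEC_GSS_CREATE
    channel_bound: bool = False  # child was created with channel bindings

@dataclass(frozen=True)
class Request:
    version: int    # RPCSEC_GSS version the request is sent under
    proc: str       # control procedure name, or "DATA" for an ordinary call
    service: str    # rpc_gss_svc_* protecting this request
    handle: Handle

def check_request(req: Request) -> Optional[str]:
    """Return None if the quoted rules admit the request, else the rule broken."""
    h = req.handle
    # Section 2.2: v3 handles only under v3; v1/v2 handles never under v3.
    if h.version == 3 and req.version in (1, 2):
        return "2.2: v3 handle used with v1/v2 target"
    if h.version in (1, 2) and req.version == 3:
        return "2.2: v1/v2 handle used with v3 target"
    # Section 2.6.1.4 (as read above): channel_prot needs a channel-bound child.
    if req.service == SVC_CHANNEL_PROT and not (h.is_child and h.channel_bound):
        return "2.6.1.4: channel_prot only on a child handle with channel bindings"
    if req.proc in CONTROL_MSGS:
        # Section 2, last item: child handles must not issue RPCSEC_GSS_CREATE.
        if req.proc == "RPCSEC_GSS_CREATE" and h.is_child:
            return "2: RPCSEC_GSS_CREATE from a child handle"
        # Section 2.6: CREATE/LIST must be protected by one of three services.
        if req.service not in CONTROL_SERVICES:
            return "2.6: control message not protected"
    return None
```

Running the checker over the thread's two scenarios shows that a v1 handle used to CREATE under v3 is rejected by 2.2, and that no handle can satisfy channel_prot on CREATE: a parent fails 2.6.1.4 and a channel-bound child fails the section 2 ban.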