IETF Logo Mail Archive

Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review

"J. Bruce Fields" <bfields@fieldses.org> Wed, 30 July 2014 16:30 UTC

Return-Path: <bfields@fieldses.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D411F1A0290; Wed, 30 Jul 2014 09:30:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K5DcgRcae7F1; Wed, 30 Jul 2014 09:30:08 -0700 (PDT)
Received: from fieldses.org (fieldses.org [174.143.236.118]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25A771A02FA; Wed, 30 Jul 2014 09:30:08 -0700 (PDT)
Received: from bfields by fieldses.org with local (Exim 4.76) (envelope-from <bfields@fieldses.org>) id 1XCWlS-0001ui-Bc; Wed, 30 Jul 2014 12:30:06 -0400
Date: Wed, 30 Jul 2014 12:30:06 -0400
To: "Adamson, Andy" <William.Adamson@netapp.com>
Message-ID: <20140730163006.GG26316@fieldses.org>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
From: "J. Bruce Fields" <bfields@fieldses.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/maZ4zRKjSrwzs4Ry_4_1KCT1BWY
X-Mailman-Approved-At: Wed, 30 Jul 2014 13:08:55 -0700
Cc: "kitten@ietf.org" <kitten@ietf.org>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv3: request for review
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 16:30:12 -0000

On Wed, Jul 30, 2014 at 02:47:44PM +0000, Adamson, Andy wrote:
> Hello
> 
> I spoke with Shawn Emery (the Kitten WG Chair) last week at IETF 90, and he agreed that I should cross-post the RPCSEC_GSSv3 draft to the Kitten WG as well as to the NFSv4 WG to solicit reviews.  Please review the draft which adds two new RPCSEC GSS operations and is a normative reference to draft-ietf-nfsv4-minorversion2.
> 
> As we are working to finish draft-ietf-nfsv4-minorversion2 , please submit your reviews by Aug 31, 2014.
> 
> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpcsec-gssv3

I'm confused by multi-principal authentication:

The RPCSEC_GSS_CREATE request should demonstrate that the caller knows
both parent and child's credentials.  That's easy for the parent since
an RPCSEC_GSS_CREATE request is also just an ordinary RPCSEC_GSS request
sent as the parent.

For the child the caller has to calculate the mic of a nonce using the
child context, but as far as I can tell the choice of nonce is entirely
up to the caller.

Couldn't it then just choose as the nonce some data that it had
previously seen a mic for?  If so, would it work to remove the nonce and
instead calculate, say, a mic of the rpc header (as we do when
calculating the verifier?).

Apologies if the question's already answered somewhere.

I'm not sure about the reply either:

	On a successful reply, the rgss3_gss_mp_auth field in the
	rgss3_create_res reply uses the parent RPCSEC_GSSv3 context as
	the rgmp_handle, the same rgmp_nounce as was sent in the call
	data with the rgmp_nounce_mic created using the GSS-API security
	context associate with the parent handle.  Verification of the
	rbg_nounce_mic by the initiator demonstrates that the target
	agrees to the multi-principal authentication.

"The target" here is ambiguous.  The reply is already authenticated as
the parent, the problem again is authenticating as the child, so I think
it should be calculating a mic using the child context (maybe over the
header data again, as in section 2.3?).

(Also, note the draft uses at least "nonce", "nounc", and "nounce", a
spellcheck would help here.)

--b.

v2.29.0 | Report a Bug | By Email | System Status