Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication
"Adamson, Andy" <William.Adamson@netapp.com> Thu, 04 September 2014 16:38 UTC
From: "Adamson, Andy" <William.Adamson@netapp.com>
To: Nico Williams <nico@cryptonector.com>
Date: Thu, 04 Sep 2014 16:37:51 +0000
Message-ID: <1C1901CB-8F67-4E5C-8B62-DF3C5990539D@netapp.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/nXm3sFPl0lr_L-07Y3vSCkeyoLs
Cc: "J. Bruce Fields" <bfields@fieldses.org>, "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
On Sep 4, 2014, at 11:33 AM, Nico Williams <nico@cryptonector.com> wrote:

> On Thu, Sep 4, 2014 at 6:57 AM, Adamson, Andy
> <William.Adamson@netapp.com> wrote:
>>
>> On Sep 3, 2014, at 5:17 PM, Nico Williams <nico@cryptonector.com> wrote:
>>
>>> On Wed, Sep 3, 2014 at 3:54 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>>> On Wed, 3 Sep 2014, J. Bruce Fields wrote:
>>>>> Sounds like there's work to do.
>>>>
>>>> I agree.
>>>
>>> I agree. I wrote this eons ago and never got to implement.
>>>
>>> Multi-principal authentication is critical for security on multi-user
>>> clients. We should get it right.
>>
>> Yes. But! If we add more structure to prevent aliasing - e.g. attach it to a client machine (or clientid) then it will

^^^ should be "could", not necessarily "will"

>> prevent its use in NFSv4.2 Inter server to server copy where the user principal on one client machine is permitting another client (the destination server acting as a client) to act on its behalf.
>
> Huh? I don't see the connection.

Have you read the NFSv4.2 use of GSSv3 for inter server to server copy?

The destination server (acting as an NFS client) needs to READ the file from the source server. It needs to do so on behalf of the user-principal that starts the copy from the client. The destination server does not have a GSS context for the user-principal, as the user is logged onto the client, not the destination server.

The multi-principal nonce, MIC of nonce using the user-principal context is created on the client and sent with the user-principal context handle in a privacy protected structured privilege to the destination server, which then uses it in a privacy protected multi-principal (plus structured privilege) assertion to the source server.

If the multi-principal nonce was replaced by data that tied the multi-principal use to a client machine, then the above passing of the multi-principal data from the inter server to server client to the destination server (to allow the destination server to act on behalf of the user-principal) would not work. In essence, NFSv4.2 inter server to server copy's use of multi-principal assertion is aliasing.

>
>> I say we keep the current nonce and simply insist on privacy. This will prevent aliasing and yet allow its only current use case.
>
> That's too risky.

Perhaps we allow a multi-principal aliasing mode.

—>Andy
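The three-party flow Andy describes, as an added example that is not part of the thread or of the rpcsec-gssv3 draft: HMAC-SHA256 stands in for GSS_GetMIC/GSS_VerifyMIC over an established context, and the context keys, handle names and the "clientid" binding are constructed here to contrast the nonce-only assertion (which the destination server can present on the user's behalf) with a machine-bound one (which it cannot).

```python
import hmac
import hashlib
import os

# Simplified model of the multi-principal assertion discussed above.
# HMAC-SHA256 stands in for GSS_GetMIC/GSS_VerifyMIC; keys, handles and the
# "clientid" binding are constructed, not the draft's wire format.

def get_mic(ctx_key: bytes, data: bytes) -> bytes:
    return hmac.new(ctx_key, data, hashlib.sha256).digest()

def make_assertion(user_ctx_key: bytes, bind_to: bytes = b"") -> dict:
    """Client side: fresh nonce plus MIC over it under the user-principal
    context. bind_to=b"" is the nonce-only form; a non-empty value models
    the proposed binding of the assertion to one client machine."""
    nonce = os.urandom(16)
    return {"nonce": nonce, "mic": get_mic(user_ctx_key, nonce + bind_to)}

def check_assertion(source_ctxs: dict, user_handle: bytes, presenter: bytes,
                    assertion: dict, bound: bool) -> bool:
    """Source server side: verify the MIC with the user-principal context
    named by the handle. In the bound form the MIC must also cover the
    identity of whoever presents it, so only the creating machine passes."""
    key = source_ctxs[user_handle]
    data = assertion["nonce"] + (presenter if bound else b"")
    return hmac.compare_digest(get_mic(key, data), assertion["mic"])

def demo() -> dict:
    # Constructed: the user-principal context the client established with
    # the source server, indexed by its context handle.
    user_key = os.urandom(32)
    source_ctxs = {b"handle-user": user_key}
    client, dest = b"client-A", b"dest-server"

    # Nonce-only form: client hands nonce+MIC to the destination server,
    # which presents it to the source server. Verification does not depend
    # on the presenter; this is the aliasing the inter-server copy relies on,
    # and why the transport carrying nonce+MIC must be privacy protected.
    a = make_assertion(user_key)
    via_dest = check_assertion(source_ctxs, b"handle-user", dest, a, bound=False)

    # Bound form: the same hand-off fails once the destination server presents
    # an assertion the client bound to itself.
    b = make_assertion(user_key, bind_to=client)
    bound_via_dest = check_assertion(source_ctxs, b"handle-user", dest, b, bound=True)
    bound_from_client = check_assertion(source_ctxs, b"handle-user", client, b, bound=True)
    return {"nonce_form_via_dest": via_dest,
            "bound_form_via_dest": bound_via_dest,
            "bound_form_from_client": bound_from_client}
```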