IETF Logo Mail Archive

Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-xattrs-05: (with DISCUSS)

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 25 May 2017 14:08 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F64129AAD; Thu, 25 May 2017 07:08:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A70eDXr1u_Hn; Thu, 25 May 2017 07:08:34 -0700 (PDT)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8788D127201; Thu, 25 May 2017 07:08:34 -0700 (PDT)
Received: by mail-yw0-x229.google.com with SMTP id p73so92654694ywp.0; Thu, 25 May 2017 07:08:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ewYX2zP0HF6j1vY16waMVfTgSQrfEu2PYibd3GhGIYc=; b=NG2XEWsFXn0VIHdnN1d7kpdwNFj3Y5TDCym/bdUOIVbAGY38m5gJBEuaonXCigGEW+ /5ehgpopW8yD57ZOMiqu8tndNlE59OnaFlZyJXYmgUX6x7Uoo8hmkiq5jePFiwIflwOn ZuWVyyroP1JHYGhAvDoziOt4VLRe4zkGKBAG09l4iVwq0kQq+TCIon4rLgDdkMNOUdIf +7pB04LJKQ/RsCOk0QZr7X45ZMF2SnVN3Y/OCuTPYD4RjbcW4dFf76Y9R75fPRVIHn0a 522It+Ng3PGGiVE0Tp7tGT2Kh0TzkblNFn69DXBVTVAM3jl2ELBCjy9N4BPHj4tO7Akw hfJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ewYX2zP0HF6j1vY16waMVfTgSQrfEu2PYibd3GhGIYc=; b=nrbYs8noap1lSwh46a4o+xyaj0qA6wTgoPziuIOqb+u1XYOntzC1bQXadDTduXXwMU vWB8iG8+eNVV6ejIrIJDJmi/EhkNFxrHpjXtpf4CV0uSxagRp8BXYLrUu8iEMP0oo+vZ BOARtLjRYQb1pymJmCf/++RBzTMpfcE7pFOrzlGJ35QnAozqcMJdHluY2OErsM39OxAi Z2I/6JWzTPWMWF6+S1y4V1MTAN8pwJVFCaAncVep5AYcksf5/Qo9Dhlti489ryoKdZ5p iik6C1+pdns2Df0lSi1k1dmdRqWVzkEHcxkr7FWLaBp1/QplLhI+yJyRoBbnRfaOX6Qj Cwcg==
X-Gm-Message-State: AODbwcDTJuu1Rj4UrmdRbLFSsIfs2SIKdjuNTUPSdki2W9icDGEeectB yIusYWuq92G7tcsQg+0UuezGikz7TA==
X-Received: by 10.129.70.195 with SMTP id t186mr15392371ywa.21.1495721313721; Thu, 25 May 2017 07:08:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.195.195 with HTTP; Thu, 25 May 2017 07:08:33 -0700 (PDT)
In-Reply-To: <CABcZeBPc9U1D+sSOnz2_3MwVn527ruuqqWoCsZYafx_rLwpyAQ@mail.gmail.com>
References: <149559305147.28562.14990485255783585477.idtracker@ietfa.amsl.com> <CAKKJt-cHEoBeP++YP-=FWmVTWkoLWLa5OZ=sDYT7kEBrDvvOiw@mail.gmail.com> <CABcZeBPc9U1D+sSOnz2_3MwVn527ruuqqWoCsZYafx_rLwpyAQ@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Thu, 25 May 2017 10:08:33 -0400
Message-ID: <CAKKJt-dcjiMFk0NyD-UrBQrtKAZgWaVzcxY67YSDOu0ZVNw9Ng@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, nfsv4-chairs@ietf.org, Spencer Shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>, draft-ietf-nfsv4-xattrs@ietf.org
Content-Type: multipart/alternative; boundary="001a114c7f1496681e055059c130"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/-U3H7eb2vPSQrTYntz91UtfF9GA>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-xattrs-05: (with DISCUSS)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2017 14:08:37 -0000

Hi, Eric,

On Thu, May 25, 2017 at 9:49 AM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Thu, May 25, 2017 at 9:19 PM, Spencer Dawkins at IETF <
> spencerdawkins.ietf@gmail.com> wrote:
>
>> Hi, Eric,
>>
>> On Tue, May 23, 2017 at 9:30 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>> Eric Rescorla has entered the following ballot position for
>>> draft-ietf-nfsv4-xattrs-05: Discuss
>>>
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>>
>>>
>>> Please refer to https://www.ietf.org/iesg/stat
>>> ement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>>
>>>
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-xattrs/
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>>       Since xattrs are application data, security issues are exactly
>>> the
>>>       same as those relating to the storing of file data and named
>>>       attributes.  These are all various sorts of application data and
>>>       the fact that the means of reference is slightly different in
>>> each
>>>       case should not be considered security-relevant.  As such, the
>>>       additions to the NFS protocol for supporting extended attributes
>>>       do not alter the security considerations of the NFSv4.2 protocol
>>>       [RFC7862].
>>>
>>> This seems inadequate. The issue is that if machine A writes some
>>> extended attribute which is security relevant (i.e., this file is
>>> only readable under certain conditions) and then machine B doesn't
>>> know about the attribute, then you have a security problem on B
>>> because it will not enforce it. It seems like FreeBSD uses extended
>>> attributes for this purpose, so this isn't just theoretical.
>>
>>
>> I haven't seen a response from the authors on this Discuss, so, at the
>> risk of talking out of my hat, I THINK the answer is going to be that
>>
>>    - either machine B keeps enforcing the incredibly lame access rights
>>    it's already enforcing (all users are part of the "nfs" group, so share the
>>    same access rights anyway, or whatever), or
>>    - machine B isn't enforcing anything now, so wouldn't be enforcing
>>    anything anyway.
>>
>>
> I think that's right.
>
>
>>
>>    -
>>
>> So, at a minimum, this extension would Do No Harm during periods of
>> partial deployment.
>>
>
> This, I don't agree with, because once this capability exists, people come
> to rely on it.
>

The nice people in NFSv4 understand expectations about NFS much better than
I do, so I'll let them take it from here.

The NFSv4 working group has been talking about my question to them about
the best way to signal that an extension is supported, and I didn't see
that they've converged (or at least, they haven't said they've converged).
I suspect that this Discuss position will be useful input to that
discussion, although it's not talking about exactly the same issues.

Spencer

v2.23.0 | Report a Bug | By Email