Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-06.txt

"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Sat, 15 February 2020 12:47 UTC

Date: Sat, 15 Feb 2020 13:47:27 +0100 (CET)
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Message-ID: <1596201389.6225924.1581770847254.JavaMail.zimbra@desy.de>
In-Reply-To: <4F4B842E-86BB-46BF-92F4-B81ECDDCCD05@oracle.com>
References: <158074451013.28494.10714680016688772019@ietfa.amsl.com> <4F4B842E-86BB-46BF-92F4-B81ECDDCCD05@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/05AcqG3vXoINtop2tGQUy4KFgiw>
Subject: Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-06.txt

Hi Chuck,

Yesterday we were fixing a TLS bug in our (not NFS-related) code.
The issue was that we were redirecting clients to another endpoint
by an IP address. As a result, the client-side server certificate
validation was failing, as the subject alternative name didn't match
the endpoint the client was connecting to - the subject and alternative
name were DNS names.

This situation is very similar to what we will get with pNFS, where
data servers are offered as a combination of netid and uaddr. Though
there is no direct connection between your spec and pNFS over TLS,
you probably should have a paragraph describing TLS and certificate
handling when the server address is presented as netid+uaddr.

Regards,
   Tigran.

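The failure mode described above (a client connecting to an IP address while the server certificate carries only dNSName SANs), applied to the netid+uaddr form pNFS uses for data servers, as an added example that is not part of this message or of the draft: it parses an RFC 5665 universal address and applies RFC 6125-style name matching, so a DNS-only certificate fails for an IP target and passes once an iPAddress SAN is present. The SAN lists and addresses are constructed sample data.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed sample SANs: first a certificate that, like the one in the
# message, names the server only by DNS name; then one that also carries
# an iPAddress entry for the address the data server is advertised on.
SAN_DNS_ONLY = [("DNS", "ds1.example.org"), ("DNS", "*.example.org")]
SAN_WITH_IP = SAN_DNS_ONLY + [("IP Address", "10.0.0.5")]

def parse_uaddr(netid: str, uaddr: str) -> Tuple[str, int]:
    """Split an RFC 5665 universal address into (ip, port).
    For netid tcp/udp the uaddr is "h1.h2.h3.h4.p1.p2"; for tcp6/udp6 it is
    "<ipv6-literal>.p1.p2". The port is p1*256 + p2 in both cases."""
    parts = uaddr.rsplit(".", 2)
    if len(parts) != 3:
        raise ValueError("malformed uaddr: %r" % uaddr)
    host, p1, p2 = parts
    ip = ipaddress.ip_address(host)          # raises ValueError if not a literal
    v4_netid, v6_netid = netid in ("tcp", "udp"), netid in ("tcp6", "udp6")
    if (v4_netid and ip.version != 4) or (v6_netid and ip.version != 6):
        raise ValueError("netid %s does not match address family" % netid)
    return str(ip), int(p1) * 256 + int(p2)

def _dns_match(pattern: str, name: str) -> bool:
    # RFC 6125 style: case-insensitive, a single wildcard only as the
    # whole leftmost label, matching exactly one label.
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        p_labels, n_labels = pattern.split("."), name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return pattern == name

def name_matches_san(target: str, sans: Iterable[Tuple[str, str]]) -> bool:
    """True if the connection target (hostname or IP literal) matches a SAN.
    An IP literal is compared only against iPAddress entries (RFC 6125 §1.7.2
    / RFC 2818), never against dNSName entries, which is exactly why a
    DNS-only certificate fails when the client connects by address."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(k == "DNS" and _dns_match(v, target) for k, v in sans)
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip
               for k, v in sans)

def check_data_server(netid: str, uaddr: str, sans) -> bool:
    """Validate a pNFS data server advertised as netid+uaddr against its
    certificate's SANs: the only name the client has is the IP literal."""
    ip, _port = parse_uaddr(netid, uaddr)
    return name_matches_san(ip, sans)
```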

----- Original Message -----
> From: "Chuck Lever" <chuck.lever@oracle.com>
> To: "NFSv4" <nfsv4@ietf.org>
> Sent: Monday, February 3, 2020 4:44:11 PM
> Subject: Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-06.txt

>> On Feb 3, 2020, at 10:41 AM, internet-drafts@ietf.org wrote:
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Network File System Version 4 WG of the IETF.
>> 
>>        Title           : Towards Remote Procedure Call Encryption By Default
>>        Authors         : Trond Myklebust
>>                          Charles Lever
>>        Filename        : draft-ietf-nfsv4-rpc-tls-06.txt
>>        Pages           : 21
>>        Date            : 2020-02-03
>> 
>> Abstract:
>>   This document describes a mechanism that, through the use of
>>   opportunistic Transport Layer Security (TLS), enables encryption of
>>   in-transit Remote Procedure Call (RPC) transactions while
>>   interoperating with ONC RPC implementations that do not support this
>>   mechanism.  This document updates RFC 5531.
>> 
>> 
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/
>> 
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-ietf-nfsv4-rpc-tls-06
>> https://datatracker.ietf.org/doc/html/draft-ietf-nfsv4-rpc-tls-06
>> 
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-nfsv4-rpc-tls-06
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>> 
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
> 
> I heard no objection to the changes proposed last week.
> This revision addresses recent comments from Rick Macklem.
> 
> 
> --
> Chuck Lever
> 