IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-01.txt

David Noveck <davenoveck@gmail.com> Fri, 28 January 2022 17:21 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DE463A09C1 for <nfsv4@ietfa.amsl.com>; Fri, 28 Jan 2022 09:21:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yS4Dw1fJvrSu for <nfsv4@ietfa.amsl.com>; Fri, 28 Jan 2022 09:21:37 -0800 (PST)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BB793A09BA for <nfsv4@ietf.org>; Fri, 28 Jan 2022 09:21:37 -0800 (PST)
Received: by mail-ed1-x529.google.com with SMTP id w14so11160269edd.10 for <nfsv4@ietf.org>; Fri, 28 Jan 2022 09:21:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=258yLPotSm/hoBBh6xyEGiXZgcQzYHfoBpiZd4o9rRU=; b=YJct5JKp6d94Z0vZEJk2J+AC0Z8XEZG1te5Luolukme1h4cKNlnmfTGR1K9eaT5ZlD yVzvgKBrzO65cY+ofw8W/9+z8I4X9ma/Lu/eZZgJ43t+ZdPsnADGsF/wTUpsVSi0k39l bAkWL6juu8FgisOxuHs31wMlKVCVIineE4+zz3JAvth9GXmVOcukUXpIT56KFi+NQdqu FONx4mJDJcfOM56a3GVmIRpdCxzRxixpX2/7MtsrfxNutXxyExrhvw7BUsJn88izwEAm Jm38aioH5xldqNicDjqmri5vUXls9KdyjjnGVAp8hO5FsjVLcTnzmLirSpdu1xfb6lDT h3dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=258yLPotSm/hoBBh6xyEGiXZgcQzYHfoBpiZd4o9rRU=; b=73N+JBnuZSm5bGADwvULWWggEdMMW+mDtEMDNO18EiwzLteWOy07mlXb2o4Jhg3bBY kCaPkdRYbyTyP8Lrf+3nuLNqGsPhD6gUKhdQHRFLRZB2XNnizJiFqkIF6d8YsyVOLKlY oow6ClhNka20yKdXlbWZAZnEVlECJ/M3jZXmL6IGrx64ke0w2/8K/CyI0FI86vtWBqIn xoLYPUmtg8kVpromB1qCdarNcnM8SQyzMv5kwgGvjPh2NlBLQKiainiwwOQesOcss6UW lb+0U/OK4RF9Y3xwAwhyT6UKLlPShnjiidIuMkkAcl8KhyV5AuSIvkzu5uyiRSEVNp45 Izew==
X-Gm-Message-State: AOAM530guCaNio4mI4xJaTTxih5taXBXfVKJY+i7ayGbEFBEA2f9k5zD gOz3JWeUoKx28KcjN+7rJCoGtYH86nDf6loLz7Q=
X-Google-Smtp-Source: ABdhPJwPV44K5SNRslB1UlL4HlnefQICWQm7xW/7q3o2JV6iwiFECQYHOfcGBPFu2Rss//hRIvKhv2B8eFI94nkgO5s=
X-Received: by 2002:aa7:cd57:: with SMTP id v23mr9032289edw.257.1643390493030; Fri, 28 Jan 2022 09:21:33 -0800 (PST)
MIME-Version: 1.0
References: <163958660330.32050.8348110755078780324@ietfa.amsl.com> <EBB4F589-9EFC-4AB6-A66D-7DB556550E12@oracle.com> <YQXPR0101MB0968C1BA8B49146C423C41C0DD7B9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <CADaq8jdvbNDZ1ppwfnuBDcjgXyJh-JEA2XJ2vY=hm5TMHgA=pg@mail.gmail.com> <E79774B9-7AA6-4FCD-976B-CCF16EEFAF09@oracle.com> <CADaq8jejTXr3=yHCR-k-4OgS+EPdGHBi3nHcK10__sFKC30gyw@mail.gmail.com> <9EA15696-9562-4A71-BF9F-0C94FFF11A78@oracle.com>
In-Reply-To: <9EA15696-9562-4A71-BF9F-0C94FFF11A78@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 28 Jan 2022 12:21:21 -0500
Message-ID: <CADaq8je=uH=pTeQw+W=cMcfkZpA3BZASNkYsNDGo13or=kPgaw@mail.gmail.com>
To: Chuck Lever III <chuck.lever@oracle.com>
Cc: Rick Macklem <rmacklem@uoguelph.ca>, NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000090979a05d6a7aa1a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/0yVI7-taa0P6slG56AatGzmlDvw>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2022 17:21:39 -0000

> The issue with that was that NFSv4.0 does not have
> NFS4ERR_WRONG_CRED. Is there a suitable alternative
> for NFSv4.0?

Depends what you mean by "suitable".

I'd like to avoid any need for an rfc7530bis, so I would try to limit
things to errors already returned by SETCLIENTID.  I think I'll try
NFS4ERR_INVAL  in -05 and let the wg discuss its suitability.

I'm

On Fri, Jan 28, 2022 at 11:52 AM Chuck Lever III <chuck.lever@oracle.com>
wrote:

>
> > On Jan 28, 2022, at 11:38 AM, David Noveck <davenoveck@gmail.com> wrote:
> >
> >> On Fri, Jan 28, 2022 at 9:57 AM Chuck Lever III <chuck.lever@oracle.com>
> wrote:
> >>
> >> > On Dec 21, 2021, at 5:34 AM, David Noveck <davenoveck@gmail.com>
> wrote:
> >> >
> >> > > Btw, I like your idea to have ExchangeID return
> >> > > NFS4ERR_WRONG_CRED.
> >> >
> >> > I do as well.
> >> >
> >> > > Hopefully, this minor change to RFC8881 is acceptable for others.
> >
> > I'm assuming that it is.  I hope that anyone who does have an objection
> will state it now
> > to avoid wasting Chuck's time and mine.   I guess the appropriate time
> to discuss consensus
> > for this issue is when rfc5661bis becomes a (set of) working group
> documents(s) .  It seems that
> > is a few months away..
>
> The issue with that was that NFSv4.0 does not have
> NFS4ERR_WRONG_CRED. Is there a suitable alternative
> for NFSv4.0?
>
>
> >> > I had tried to address this issue in security-03, but reading Chuck's
> text has convinced me that further work will be needed.
> >> >
> >> > There is no time to do this in security-04, which will be our by
> Christmas.  Given the need to address both 4.0 and 4.1 there will have to
> be discussion of how to divide this material between security-05 and
> rfc5661bis.
> >>
> >> Is there any objection to adopting
> >> rpc-tls-pseudoflavors as a WG document?
> >
> > Not on my part.
> >
> > I suggest we give people a month to object and proceed to adopt this
>
> Works for me. I will ask again on February 28.
>
>
> >> I was reminded recently that somewhere we have to mandate
> >> the use of RPC-with-TLS on the backchannel connection when
> >> an NFSv4.0 client connects using RPC-with-TLS on the forward
> >> channel. IMO that mandate belongs in nfsv4-security.
> >
> > I will do that draft-ietf-nfsv4-security-05, either as it is done in
> draft-dnoveck-nfsv4-security-04 or
> > in some other way to diding this up that Chuck and I are both
> comfortable with.
> >
> >> Also, I'd like to discuss how to divide the material in
> >> Section 5.2.1 between rpc-tls-pseudoflavors and
> >> nfsv4-security. Where do we begin?
> >
> > I think we begin where we are in -04 with anyone, including most
> particularly you, proposing a different arrangement.
>
> I can have a look at Sections 13 and 14 of -04 and
> propose some alternatives.
>
> By the way, s/Rouge/Rogue
>
>
> --
> Chuck Lever
>
>
>
>

v2.23.0 | Report a Bug | By Email