IETF Logo Mail Archive

Re: [nfsv4] NFS over TLS for laptops

Rick Macklem <rmacklem@uoguelph.ca> Thu, 24 December 2020 23:41 UTC

Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE2813A0E67 for <nfsv4@ietfa.amsl.com>; Thu, 24 Dec 2020 15:41:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uoguelph.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xMIfrB-q02ey for <nfsv4@ietfa.amsl.com>; Thu, 24 Dec 2020 15:41:21 -0800 (PST)
Received: from CAN01-TO1-obe.outbound.protection.outlook.com (mail-eopbgr670046.outbound.protection.outlook.com [40.107.67.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D74643A0E63 for <nfsv4@ietf.org>; Thu, 24 Dec 2020 15:41:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ST2fZN/A3lmL2mKWidGNLdqQyaSJv0N5xoIohR6AZUpd6cyZCIClQCsGUeJl7AKUvEoNYZEopPPMbZpbJgu1rMA/b3OQ5y9dLEY5CCU0RE4kOocImI8FbyZo+qAyiYnYspJt7FnJydSwIMM/75IO7xHg5ht7ZzB6OnmYlUe7ppkagTu8M0iNvLEU5LuBNN2sSexRJq/zfprJOouNeqB2prZUdvf9gaKxOySDNU5pY+BFB0I+NgWc6+Xatr3E8fSXztUEpLiF4u3vwq48Di4LLWUH8AoBwiWEgvcRF9StqPafs5tOwekFp7dooldETXxrh+z6y6InoEJqhG+gwJDz0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hrzZE7t1JDdaGmLvv+SuAUoZS6cE1YXnzjzZ3yJYifY=; b=a65zIRU8VnsPxosSxtMkwTT0XsuHLmd3WIaqKd2cGNyPB6AJjaVOSJkUv0OoR6D+KW3oe15sbxycItGWMfy9mCBzGK4C+gM+O6NO8GqEee8oL/tJqveyXOi89t//yjYoI5RHM7/AKzHgHP9QUf6okI+ve8mrWFtSUjhr+cbgiYA5oYTnVdQPv6T8upI5AfnfzCP8PEclnpdjZQ262kngs90VaAqK56zfdtay03Fd/hzpyZPG+x6/YCk03MKk2lVF971OZcuNhv7Vuz993f9W05CaeCLQRi7WidMMtFHGq6JmjmufZwEac+2zFQYW9y8K1epYq7rDE2b46Lcc/IiFcw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uoguelph.ca; dmarc=pass action=none header.from=uoguelph.ca; dkim=pass header.d=uoguelph.ca; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uoguelph.ca; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hrzZE7t1JDdaGmLvv+SuAUoZS6cE1YXnzjzZ3yJYifY=; b=VhzXPmOYiwULfsWJS0Z4VvqtsMaQckXdHSDlW7UCtwOHEsvyw7vHuVhLbUHnNgT4E4wigSkmwI/sA4Nh1/yxZDil89JSOL3qOdvgnkAgU8pwsPoGk0WPPyGSr6Xan1eyI15hUMlAlknSFmfC1SB419+25gBkODgVxKxLitWHIeHwJK/sIrCcZzO0j/1MLf42YxojQkUnnA41lHAH65nqZuiojNO0B9cEZsfVt9hLk44t2KFly186qQEKwtEDUyTaHvNdAcMw+f2ANvFnv+2Phn8s1LYKvfBYn3le433mJN6PgQrZeM9LKyMz2d0TvbZcZxws5GFwVW8eiRN2FH0M5Q==
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:19::29) by QB1PR01MB2867.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:3d::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3700.28; Thu, 24 Dec 2020 23:41:19 +0000
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::7d6b:aa68:78f4:5d94]) by YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::7d6b:aa68:78f4:5d94%7]) with mapi id 15.20.3676.034; Thu, 24 Dec 2020 23:41:19 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] NFS over TLS for laptops
Thread-Index: AQHW0NppAc3uZqIjgEq2ArIQwELbLqoBNdkAgAW51Pw=
Date: Thu, 24 Dec 2020 23:41:19 +0000
Message-ID: <YQXPR0101MB09683679D8333568D6B6F552DDDD0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <YQXPR0101MB0968F7BF5A6D7E97F39CC739DDC90@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>, <20201221073456.GC64351@kduck.mit.edu>
In-Reply-To: <20201221073456.GC64351@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=uoguelph.ca;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 382dd924-2db4-4944-7b64-08d8a86569b1
x-ms-traffictypediagnostic: QB1PR01MB2867:
x-microsoft-antispam-prvs: <QB1PR01MB286759619B926DF06100889CDDDD0@QB1PR01MB2867.CANPRD01.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: h4nxz+RfNW1mxcXO1RDHnBszO6OUPIwZIcktlUg6u0TLh6tZvQJbJItzKapZd9Ng38DRkUdzsrg/66ktZ0MtauRz7VRQjEd6uQF9q2oOhjteVRmpSlNvP/EE5Y9jUPLmOvWRYV7YS3PnxpuJtoGj4tK90f1WFPHJ5p2V2BkPTli1Bb9nnoqNJL4ajHCS0JUyfquN6N8quDyBEcUHliV14PzAFhsRzgETezhqUzRFqXZu9oo7+iONrhiWRJIUxfxc12HiWfCzdWTIjFtmrrfjjwl41j2R5mu7/xmvGtF5VDvVlAHTSa+WL94M7+wN3M7Jz8g93E+vcj5q1PNyo8uXkbTLywWGmUIYcm+7DYNZPuT1vB+mLQOrmIxqUVYXrk3Lk1eSlW5U1S+/oSJT3K9H8A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(376002)(366004)(396003)(136003)(346002)(39860400002)(83380400001)(52536014)(316002)(786003)(91956017)(2906002)(6916009)(478600001)(66946007)(86362001)(71200400001)(186003)(8936002)(33656002)(26005)(8676002)(66476007)(66556008)(7696005)(9686003)(6506007)(5660300002)(66446008)(4326008)(76116006)(55016002)(64756008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: mZgAgwVfBwlzZpjL/tTTuR+/hz3kF5IRbHwzCCBFtI6mZgc5cTJE8O0XEvl5EFDazTI32IMO1NMh9EJOel/lGtas5k2xMDnJSlh2eXPxregTpe/6A0L/0PIGioNcFBlT3TNdyeYl/4+nshH04cjIw6or+Y5Tapquh+JvMbK8A64yWY2mQhfkEaDHGCbVr9sIn61jOv4SjivIFZ+lhdNV2/W9GH/PysCkBsXU/IjWbPAyyEyegZ11tAJjQa483BQccj5YsMBD9VTnQfa2bqR6wNwF4RwHzrt6LP3AvmIJ/p/AHQi73YRE/2NiML9OaUfNewJ+B8wQDG9A0slJGlBXO+KOz7rwT+LJlj2GBPsTIXLwfl+poaICMICynYo6NxCOeH590ljetJY8OYB2ncLtTkVAd8NmNsB7sDiBiyeKDIWfUm/OQ1XOyhzThKsWRMrKWnm6ZK4o3ufxBdlCepHTDQdvKQ+ZBjwfx8IrYvwuiGGKat1lnvOEs8IKjzJQw8YuJTIuceekg4/Bam9he+MwKqGlho4bqnPKjVZ98bOwzHyHEvVhE8rpbraoRGABJRd6/Pt15HIXz9gxcvZoXB2BzHWmhGirK4PYL8xtokcqBcyUUToP6ShN+j9OSsIRmC5YpKAPWO9jYBlwiwjeidWN+ox0dGDaps1zgcWgCjIB2ZmH+7cXXkzeAZMp9a0QCvpAfoHGTut2UhMOTGNwuAHYGAEovg1sdEXlTzYgUwO7bkPQq0e1rqfMFfK+Gkm08y5+CHIwn6P4VsFulh8lDa2dg1att0caxYJ+ApY2gkNs7aLLNaqzymyHDcm0fzNEzojB3/j5TObi1Bw/mz4C8imDSJTblgAM2q+0UPgDLJFsQLQOODRHmShnD6wWe2R5wjFxYCZE45DbpRaB4THgTI469Y1HvTHBzvMoKnoH/tt+V84nUTj/SdPL/4GO/OZW98lxLQuOWdgyTHJOMHKYAfKg7N08Vbi6a2aQDKMiRBPkzGU=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 382dd924-2db4-4944-7b64-08d8a86569b1
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Dec 2020 23:41:19.1027 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8N+phjoKoIzmVI3kjmGKH0tZicAELEXfrxjAOlJehcClq31oDFz8YrCsRe/onz8COnwc+mzGhrUeS//pa7SAPg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: QB1PR01MB2867
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/cahC7BZmA4XAYEVSpuSsCFXuub0>
Subject: Re: [nfsv4] NFS over TLS for laptops
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2020 23:41:23 -0000

Benjamin Kaduk wrote:
[stuff snipped]
>(I agree with Chuck that we should be careful about conflating host and
>user authentication, and that some sort of "squash", or rather,
>constraining the allowed users from a given host/certificate, will be
>useful.)
 Ok. I'd agree. Of course, "careful" can mean just about anything.

Here's a simple analogy:
- I have a mobile phone#.
- I have a mobile device called a smartphone in my backpack.
Does the phone# refer to me, as the user, or the device/host in
my backpack?
I'd say "both".
-->So, yes, I'd say that you need to be careful, when multiple users
     share a host/device.
     When a single user uses a device, I do not see any need for a
     distinction between "user" and "host".
This is the last time I will try and argue this.;-)

[more stuff snipped]
>>
>>         Also, this would require the KDC be accessible from "the world", which
>>         sounds pretty scary to me.
>
>It shouldn't -- the protocol is designed for it, the software is designed
>for it, and lots of sites do it.
My concern would be that it can facilitate a brute force attack on
passwords.

Correct me if I am wrong, but, with a KDC open to the world, I thought
that all an attacker would need to get an encrypted TGT was a valid
principal name.
--> Then they can brute force attack the password that maps to the
      principal's private key for that TGT at their leisure.
You could, correctly I believe, argue that this is really a concern w.r.t.
crappy passwords and not Kerberos.

If there is something in Kerberos to prevent the above brute force
password attack, please let me know.
[yet more snipped]

>>        a database of certificates for different users. A compromised
>>        client system would compromise all those users, etc and so on.
>>        --> For this we have Kerberos and it works. Doing RPCSEC_GSS
>>              with X509 mechanism would require a lot of implementation work
>>              and the result would be less secure and as much effort to manage
>>              as using Kerberos, I think.
>
>"Much effort" seems likely; "less secure" is not so clear -- I think it
>would have somewhat different security properties but which one is better
>or worse would depend on the deployment conditions.
My comment w.r.t. "less secure" came from the fact that the private keys
for the certificates would need to be known to the clients.
For Kerberos, the private keys remain locally on the KDC.
It just seems that distributing the private keys would introduce some
fundamental element of "risk" to the design?

rick

v2.23.0 | Report a Bug | By Email