IETF Logo Mail Archive

Re: [nfsv4] Last call start for "RPCSEC_GSS Version 2"

"Mike Eisler" <mre-ietf@eisler.com> Fri, 13 June 2008 20:35 UTC

Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: nfsv4-archive@megatron.ietf.org
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1499E3A69B3; Fri, 13 Jun 2008 13:35:16 -0700 (PDT)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 453413A69B3 for <nfsv4@core3.amsl.com>; Fri, 13 Jun 2008 13:35:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aef+NZZA8EcA for <nfsv4@core3.amsl.com>; Fri, 13 Jun 2008 13:35:13 -0700 (PDT)
Received: from webmail2.sd.dreamhost.com (sd-green-dreamhost-133.dreamhost.com [208.97.187.133]) by core3.amsl.com (Postfix) with ESMTP id 839B13A6929 for <nfsv4@ietf.org>; Fri, 13 Jun 2008 13:35:13 -0700 (PDT)
Received: from webmail.eisler.com (localhost [127.0.0.1]) by webmail2.sd.dreamhost.com (Postfix) with ESMTP id 65F4DDC713 for <nfsv4@ietf.org>; Fri, 13 Jun 2008 13:35:46 -0700 (PDT)
Received: from 198.95.226.230 (SquirrelMail authenticated user mre-ietf@eisler.com) by webmail.eisler.com with HTTP; Fri, 13 Jun 2008 13:35:46 -0700 (PDT)
Message-ID: <38432.198.95.226.230.1213389346.squirrel@webmail.eisler.com>
In-Reply-To: <20080613190050.GT2735@Sun.COM>
References: <559831BE-8E35-43E4-911C-EE570E511C38@Sun.COM> <20080613190050.GT2735@Sun.COM>
Date: Fri, 13 Jun 2008 13:35:46 -0700
From: Mike Eisler <mre-ietf@eisler.com>
To: nfsv4@ietf.org
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Subject: Re: [nfsv4] Last call start for "RPCSEC_GSS Version 2"
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org

On Fri, June 13, 2008 12:00 pm, Nicolas Williams wrote:
> On Mon, Jun 02, 2008 at 11:30:43PM -0500, Spencer Shepler wrote:
>> http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-rpcsec-gss-v2-03.txt
>
> There's a rather minor, but easy to fix attack on RPCSEC_GSSv2 as
> described in -03.
>
> I started wondering what kind of games an attacker could play with the
> RPCSEC_GSS version number.  I think an MITM could modify RPCs from a v1
> client, talking to a v2 server, to set the RPCSEC_GSS version to 2, and
> in the process obtain a few MICs that it might, by sheer luck, cause the
> server to accept in the channel binding portion of the protocol.

I'm not seeing it. The MIC in the verifier of both v1 and v2
of RPCSEC_GSS is compute from the RPC header "up to and including
      the credential"

Since the credential contains the RPCSEC_GSS version number (field
rgc_version below) the RPCSEC_GSS target will reject the MITM's
modified RPCs.

      union rpc_gss_cred_t switch (unsigned int rgc_version) {
        case RPCSEC_GSS_VERS_1:
        case RPCSEC_GSS_VERS_2: /* new */
          rpc_gss_cred_vers_1_t rgc_cred_v1;
      };


-- 
Mike Eisler, Senior Technical Director, NetApp, 719 599 9026,
http://blogs.netapp.com/eislers_nfs_blog/



_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email