IETF Logo Mail Archive

Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-01.txt

Chuck Lever <chuck.lever@oracle.com> Thu, 18 April 2019 23:15 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12622120140 for <nfsv4@ietfa.amsl.com>; Thu, 18 Apr 2019 16:15:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f3B8gzUuMhQB for <nfsv4@ietfa.amsl.com>; Thu, 18 Apr 2019 16:15:13 -0700 (PDT)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00A761200FE for <nfsv4@ietf.org>; Thu, 18 Apr 2019 16:15:12 -0700 (PDT)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3IN3qtp126153; Thu, 18 Apr 2019 23:15:11 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=wNZBVqf/eOmdhAZeoYvC/4Av7qzhMQH1fbHmJL0v5Rk=; b=eYA2bXhZJSphHd9BAONa8+bx+lf2FEKSombJq9rkTV8/NlyLMCKMlOFthVHHwE9h9GvC VaMe/Or5FKkw9pJS4Xg3yIMQ0jre6sbk/zLwG0CpB3RQO1wApWeXitq1BlgajRUGpyrr JPkMiu8wLMTzptoFJm1UE+wXJcEUfcgdiI+hxyTvlpJ7qwnTltOLyneNKxa+Pw0IZtUV ykrR10LiwQgKGnPzMQEcoHiAbW+TdUbpiOMAZWsEOm7mFW3obkdPDYeEbPGpP/leLd41 v7yn1LrljuYL4CEhLNSWec51XaC5phoWIFybbz/pUXLUDyF403+e1AzNzUDs5W79Ri5O wg==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by aserp2130.oracle.com with ESMTP id 2ru59dkgt5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 18 Apr 2019 23:15:10 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3INF5FE158392; Thu, 18 Apr 2019 23:15:10 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userp3030.oracle.com with ESMTP id 2ru4vuntwr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 18 Apr 2019 23:15:10 +0000
Received: from abhmp0010.oracle.com (abhmp0010.oracle.com [141.146.116.16]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x3INF9WK001568; Thu, 18 Apr 2019 23:15:09 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 18 Apr 2019 16:15:09 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CADaq8jfqPxkCBEEb2M3vxgqoVW5xyggArxUHxLVr2RDWQCMSuw@mail.gmail.com>
Date: Thu, 18 Apr 2019 19:15:08 -0400
Cc: NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BD4D98F6-4491-4547-A05C-2EFF1F95C0A0@oracle.com>
References: <155535049832.10773.1565621811584007627@ietfa.amsl.com> <E72181B0-6F38-4A02-8C65-ECF30581CBD5@oracle.com> <CAABAsM4_812FbhLZHcT6YxuAczbumR6s+cZ+ZcV+-zR_o7FbyQ@mail.gmail.com> <CADaq8jfqPxkCBEEb2M3vxgqoVW5xyggArxUHxLVr2RDWQCMSuw@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9231 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904180134
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9231 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904180134
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/3M99cHvYkBXBAxRqkFqIWzqwaaI>
Subject: Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2019 23:15:15 -0000


> On Apr 16, 2019, at 9:39 AM, David Noveck <davenoveck@gmail.com> wrote:
> 
> > Does this document need to say anything specific about reverse-direction
> > RPC operations? 
> 
> I don't think it needs to, but there are certainly los of reasons we would want it
> to.   The issue that needs to be resolved is that this is a document that is not 
> specfic to NFSv4, but is RPC-generic.   If we don't want to change that right now,
> and it would be disruptive, we made need another document about NFv4-specific
> considerations about use of rpc-tls.
> 
> > (i.e., 
> 
> In this document, it would have to be "e.g."
> 
> > NFSv4.1 callbacks on the same communication channel)  
> 
> In this document, I'm not sure it is worth bothering with.

Well, let's set aside the parenthetical for a moment.

At one point, Tigran said this:

> But what sould be part of your document is the handling of TLS session
> termination. Something like (please make it rfc language compliant):
> 
> 
>   Client can terminate the TLS session after sending a TLS closure alert.
>   After TLS session termination any other RPC requests over the same connection
>   will fail with AUTH_ERROR.


I think what is intended is that all traffic on that connection,
after the TLS session is established, should be encapsulated and
protected, until the TLS session is terminated.

What I'm wondering is whether it needs to be made explicit that
this would include reverse direction operations. Unlike GSS,
which provides per-request encapsulation, meaning that each
request can use its own security flavor.

TLS is transport-level. We might want to stipulate that operations
in both directions MUST be sent using the negotiated TLS session.


--
Chuck Lever

v2.23.0 | Report a Bug | By Email