Re: [nfsv4] Secdir last call review of draft-ietf-nfsv4-rpcrdma-cm-pvt-data-06
Chuck Lever <chuck.lever@oracle.com> Mon, 27 January 2020 15:01 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3BD4120821; Mon, 27 Jan 2020 07:01:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdON_ooAjIm5; Mon, 27 Jan 2020 07:01:20 -0800 (PST)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81D3A120845; Mon, 27 Jan 2020 07:01:17 -0800 (PST)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id 00RErVxM181443; Mon, 27 Jan 2020 15:01:16 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2019-08-05; bh=L5U+h9heGm7hvAm6g7e1ZPzE3h793on2YQAJ3P3YUgg=; b=p8aNt7FIWVTpnNJPv/Dd328S4/v+A+84CzqMtSH56Tc/ZrQ+OU1V8K72IJKwwIr8bLfE 0b0Eqv46YIfRU2qNc+lCJXlYoetDcss8ph66JVOSk1cBbgu9BAYqRYMOGNoDHziXOAe/ zfBoX3QHldTCv63oDQxzvsq1IFCq9fNa1x6Dv7qxabDq+VPBFFWz8sYr1R2IlfQGm01U xKJ5X5xhJr94AsFVq4H2HwYzXYURYjd3WP4y8V5XQIIefjycbY1DOnkZ2ihuWxItLvMv H3hhseJz6DF1dGqyFO6nVxzYB1kRy4mNSYu1+WNInuRr/uMK792PInOx13j3e8YFTQHM rQ==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by userp2130.oracle.com with ESMTP id 2xrd3tyvc3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 27 Jan 2020 15:01:16 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id 00REraQW175095; Mon, 27 Jan 2020 15:01:15 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userp3030.oracle.com with ESMTP id 2xry4uhtg1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 27 Jan 2020 15:01:15 +0000
Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 00RF1Dun014902; Mon, 27 Jan 2020 15:01:13 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 27 Jan 2020 07:01:13 -0800
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <158007038921.30641.13334124837519126164@ietfa.amsl.com>
Date: Mon, 27 Jan 2020 10:01:12 -0500
Cc: secdir@ietf.org, last-call@ietf.org, nfsv4@ietf.org, draft-ietf-nfsv4-rpcrdma-cm-pvt-data.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <80F557DD-BD17-4119-98B9-614B7A9FDDFB@oracle.com>
References: <158007038921.30641.13334124837519126164@ietfa.amsl.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9512 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-2001270127
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9512 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-2001270127
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/4elF4OPQrIycUnXy_QJTZ9ow5tw>
Subject: Re: [nfsv4] Secdir last call review of draft-ietf-nfsv4-rpcrdma-cm-pvt-data-06
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jan 2020 15:01:26 -0000
Hello Yaron- Thanks for your review and comments. I will respond to your comments below, then we can determine how to clarify the text to improve matters. > On Jan 26, 2020, at 3:26 PM, Yaron Sheffer via Datatracker <noreply@ietf.org> wrote: > > Reviewer: Yaron Sheffer > Review result: Has Issues > > The document defines limited parameter negotiation for RPC-RDMAv1, using a > private message sent over the underlying transport protocol (e.g., InfiniBand). > > The document is clear enough, until it comes to the Security Considerations. As > a newcomer to this domain, there are several points that I fail to understand: > > - The CM Private Data described here is not one of the messages of the RPC-RDMA > protocol. So how can it "inherit the security considerations of the protocols > it extends," - where this refers to RPC-RDMA? The private data is conveyed on the same transport connection as the other messages in RPC-over-RDMA. The exchange of private data is part of the connection handshake, and does not appear after the connection is established. The intended purpose of this paragraph is introductory, referring the reader to the Security Considerations section of RFC 8166 as background material. > - The next paragraph explains that the integrity is ensured by use of RC QP > (whatever that is). But there's no mention of this entity in RFC 8166, which is > supposed to define the security for this protocol. (Or in RFC 5042, for that > matter). That does seem to be an omission of background material in these documents. The queue pair (QP) type used for RPC-over-RDMA is Reliable Connected (RC). This is part of the RDMA Verbs API, thus it is not defined in any published IETF document. However, a relevant definition can be found in Section 9.7.7 of InfiniBand Trade Association, "InfiniBand Architecture Specification Volume 1", Release 1.3, March 2015. Available from https://www.infinibandta.org/ Section 8.1.1 of RFC 8166 discusses one aspect of Reliable Connected behavior but does not provide an adequate citation. The document as a whole does not make a specific compliance statement about the use of RC QPs. draft-ietf-nfsv4-rpcrdma-version-two rectifies that omission. However, the protocol framework depends on the semantics of RC QPs, thus RPC-over-RDMA version one implementations to date use only the RC QP type. That makes it rather a de facto requirement up to this point. > - I am usually suspicious of pre-2010 RFCs that recommend IPsec as a > per-protocol solution (RFC 5042, Sec. 5.4.3). Is IPsec deployed in real life to > protect these protocols, and if so, does it also protect the new CM Private > Data? IPsec is appropriate for iWARP (defined in the RFC 504x series), as iWARP can operate on public untrusted networks. Typically IPsec is implemented along side iWARP in NIC hardware, and thus is relatively transparent to the host (aside from initial configuration). When deployed, IPsec would establish a protected channel before iWARP operations are exchanged, and thus would protect the exchange of private data that occurs as each QP connection is established. IPsec is not used for InfiniBand or RoCE. Deployment of these fabrics is typically in monolithic security environments. > - And then after saying that integrity protection is ensured, we say that even > if integrity was compromised and the parameters were modified anyway, no > problem, this would only result in "self imposed denial of service". Even if > true for the currently negotiated parameters, this cannot be true for every > conceivable parameter that may be added in the future. That's correct. Practically speaking, even though we made this private data mechanism extensible, we are already busy creating an RPC-over-RDMA version two, where the same exchange is done via RPC-over-RDMA messages rather than via CM Private Data. It's not likely that cm-pvt-data itself will ever be extended. -- Chuck Lever
- [nfsv4] Secdir last call review of draft-ietf-nfs… Yaron Sheffer via Datatracker
- Re: [nfsv4] Secdir last call review of draft-ietf… Chuck Lever
- Re: [nfsv4] Secdir last call review of draft-ietf… Chuck Lever
- Re: [nfsv4] Secdir last call review of draft-ietf… Yaron Sheffer
- Re: [nfsv4] Secdir last call review of draft-ietf… Chuck Lever
- Re: [nfsv4] Secdir last call review of draft-ietf… Yaron Sheffer