Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-rpc-tls-01.txt
"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Wed, 17 April 2019 20:37 UTC
Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D17D1203B7 for <nfsv4@ietfa.amsl.com>; Wed, 17 Apr 2019 13:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_RANDOM_ENVFROM=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ocIR-KwKLj4 for <nfsv4@ietfa.amsl.com>; Wed, 17 Apr 2019 13:37:10 -0700 (PDT)
Received: from smtp-o-2.desy.de (smtp-o-2.desy.de [IPv6:2001:638:700:1038::1:9b]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08CEF1203A7 for <nfsv4@ietf.org>; Wed, 17 Apr 2019 13:37:07 -0700 (PDT)
Received: from smtp-buf-3.desy.de (smtp-buf-3.desy.de [131.169.56.166]) by smtp-o-2.desy.de (Postfix) with ESMTP id BD6DA160155 for <nfsv4@ietf.org>; Wed, 17 Apr 2019 22:37:04 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-2.desy.de BD6DA160155
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1555533424; bh=/Cn1GApy4+x5WeGTqloWJXd0YPLjmwur66Omf1Bj1Vk=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=PXr3wzw4UpKMmY+ttcGliZs5YlfYa78Y97NpVc6USR4yn5ZWuTafvWHXV2bKfSTpu a36LPMhEKglZsOvAMFhaWaXVkWQMWPzASfdHhi+qMSl+3TmLXJdmbKEZkkybkkqPCB A56Z4+ff3PpabHTuuhm+SiDXyzjBU2V4uh9WTutY=
Received: from smtp-m-3.desy.de (smtp-m-3.desy.de [131.169.56.131]) by smtp-buf-3.desy.de (Postfix) with ESMTP id B36EEA0077; Wed, 17 Apr 2019 22:37:04 +0200 (CEST)
X-Virus-Scanned: amavisd-new at desy.de
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-1.desy.de (DESY-INTRA-1) with ESMTP id 70FB33E901; Wed, 17 Apr 2019 22:37:04 +0200 (MEST)
Date: Wed, 17 Apr 2019 22:37:04 +0200
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Trond Myklebust <trondmy@gmail.com>
Cc: Chuck Lever <chuck.lever@oracle.com>, NFSv4 <nfsv4@ietf.org>
Message-ID: <1338340997.1150847.1555533424364.JavaMail.zimbra@desy.de>
In-Reply-To: <CAABAsM4_812FbhLZHcT6YxuAczbumR6s+cZ+ZcV+-zR_o7FbyQ@mail.gmail.com>
References: <155535049832.10773.1565621811584007627@ietfa.amsl.com> <E72181B0-6F38-4A02-8C65-ECF30581CBD5@oracle.com> <CAABAsM4_812FbhLZHcT6YxuAczbumR6s+cZ+ZcV+-zR_o7FbyQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Zimbra 8.8.10_GA_3781 (ZimbraWebClient - FF66 (Linux)/8.8.10_GA_3786)
Thread-Topic: I-D Action: draft-ietf-nfsv4-rpc-tls-01.txt
Thread-Index: AddpE37RAI4tMmG1PiYGUsDAtliKvQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/4lJXrWU74ffoEZjGjl38YP1UDgI>
Subject: Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2019 20:37:12 -0000
----- Original Message ----- > From: "Trond Myklebust" <trondmy@gmail.com> > To: "Chuck Lever" <chuck.lever@oracle.com> > Cc: "NFSv4" <nfsv4@ietf.org> > Sent: Tuesday, April 16, 2019 2:37:54 PM > Subject: Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-rpc-tls-01.txt > On Mon, 15 Apr 2019 at 18:14, Chuck Lever <chuck.lever@oracle.com> wrote: >> >> >> >> > Begin forwarded message: >> > >> > From: internet-drafts@ietf.org >> > Subject: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-01.txt >> > Date: April 15, 2019 at 1:48:18 PM EDT >> > To: <i-d-announce@ietf.org> >> > Cc: nfsv4@ietf.org >> > Reply-To: nfsv4@ietf.org >> > >> > >> > A New Internet-Draft is available from the on-line Internet-Drafts directories. >> > This draft is a work item of the Network File System Version 4 WG of the IETF. >> > >> > Title : Remote Procedure Call Encryption By Default >> > Authors : Trond Myklebust >> > Charles Lever >> > Filename : draft-ietf-nfsv4-rpc-tls-01.txt >> > Pages : 17 >> > Date : 2019-04-15 >> > >> > Abstract: >> > This document describes a mechanism that opportunistically enables >> > encryption of in-transit Remote Procedure Call (RPC) transactions >> > with minimal administrative overhead and full interoperation with ONC >> > RPC implementations that do not support this mechanism. This >> > document updates RFC 5531. >> > >> > >> > The IETF datatracker status page for this draft is: >> > https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/ >> > >> > There are also htmlized versions available at: >> > https://tools.ietf.org/html/draft-ietf-nfsv4-rpc-tls-01 >> > https://datatracker.ietf.org/doc/html/draft-ietf-nfsv4-rpc-tls-01 >> > >> > A diff from the previous version is available at: >> > https://www.ietf.org/rfcdiff?url2=draft-ietf-nfsv4-rpc-tls-01 >> > >> > >> > Please note that it may take a couple of minutes from the time of submission >> > until the htmlized version and diff are available at tools.ietf.org. >> > >> > Internet-Drafts are also available by anonymous FTP at: >> > ftp://ftp.ietf.org/internet-drafts/ >> >> Does this document need to say anything specific about reverse-direction >> RPC operations? (i.e., NFSv4.1 callbacks on the same communication channel) > I don't think so. You just describe RPC related behavior. All NFS4 protocol specific recommendation probably should go into to a different document. > We might perhaps note that if the server uses a TLS protected channel > to send back channel RPC calls, then those calls are automatically > authenticated by virtue of the server certificate used to set up TLS. > i.e. the client may just want to accept all back channel RPC calls, > including those using AUTH_NULL or AUTH_SYS authentication. > > There is the question of the NFSv4 back channel, which is server initiated. The same here, a different document that talks about what NFS client should do, what server should do, implication on pNFS (same security..), migration and so on. > If we want servers to be able to use that as a replacement > for RPCSEC_GSS, then we'd need to specify a certificate for the client > to present to the server. Ditto for NLM, if we want to go even further > back in time... > Do we care? > > A more general question that this raises is: Do we consider TLS as > part of the authentication mechanism, and if so, what is its role? > IOW: if the client does present a certificate when it sets up the TLS > channel, then should that suffice to prevent an attacker from setting > up a new TCP connection to the same server, and spoofing the identity > of that client without possessing the original client certificate? > If we do want that ability, then we should also look at consequences > for the NFSv4 state model and perhaps add a SP4_TLS mode to the state > protection negotiation in EXCHANGE_ID (as we already do for SSV). The same way as rfc1831 enforces unix security - up to service specific doc. Even RPCSEC_GSS doesn't require gss context per user. TLS session per user might be a challenging task. > > There is also the issue of trunking. Do we want to allow NFS clients > to use TLS authentication as a way to identify multi-homed servers? This is an interesting one. What about migration? Require 'Subject Alternative Name'? Is this different from kerberos based trunking? Regards, Tigran. > > Cheers > Trond > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-01.t… internet-drafts
- [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-rpc-tls… Chuck Lever
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-rpc… Trond Myklebust
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-rpc… David Noveck
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… David Noveck
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… David Noveck
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-rpc… Mkrtchyan, Tigran
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-rpc… Trond Myklebust
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-rpc… David Noveck
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… David Noveck
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Benjamin Kaduk
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Mkrtchyan, Tigran
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Olga Kornievskaia
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… David Noveck
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Mkrtchyan, Tigran
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… David Noveck
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… David Noveck
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… Mkrtchyan, Tigran
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-… David Noveck