IETF Logo Mail Archive

Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)

Tom Haynes <loghyr@gmail.com> Wed, 11 April 2018 17:38 UTC

Return-Path: <loghyr@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5D4D128954; Wed, 11 Apr 2018 10:38:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4fXQK8yubGEY; Wed, 11 Apr 2018 10:38:30 -0700 (PDT)
Received: from mail-pg0-x22f.google.com (mail-pg0-x22f.google.com [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B817D12785F; Wed, 11 Apr 2018 10:38:30 -0700 (PDT)
Received: by mail-pg0-x22f.google.com with SMTP id y63so1061320pgy.12; Wed, 11 Apr 2018 10:38:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=p1xcGyRYZq1CiYEJj2HPS4OoDqk1c7adaGzCbVHQYDA=; b=UwmCB0CTZRuAGhsGr/zzIN855kepKpbJk9pZhd+518Yrd5gaI6enuJA4tFHy2swira wiqmClVtbJh3hA9DZb2M4eiMDuO2qTytFYLv6RBpsBxL4wL387rqgt0efSPyWeCesPaq dhphXzIp0X3yxPZ7BOKEEV9LKAFcEpjk/Wb0nh4J/ySxztbA2w+s/Uwi9qjN8HfWHgXc fR0AgSkRSAt2EfOFpNu+eHTNFSJqLr0SUnamIflTuZJyUMH9AbFamrpbvGl/CY354SBv MY1/goNxtFpxhL6q3Ob2x4gkMYVq/Pj6Sf7v8k+qqIhFkcRZigjPyYHLyqpyfvUjCZqt idjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=p1xcGyRYZq1CiYEJj2HPS4OoDqk1c7adaGzCbVHQYDA=; b=phd1bxRDdx6OXfhkyizgZ+bXKs+FdFE+a+L27P6/0Wr3xgU3lvR6ir+Ll6UlQ0LmaF rZAIY3HriYq5iPLFZsrE/CbyQJl8xc4qcgzkgqdd4/sOxbr1kFKAqF7VisW9ZXxJnRX0 o6xPsob5Ow77xXwWMdqGDgd7goqEqn+SBnv6GCbpV3M+iwEvabx6JL2vYvZu26BNcs2Q bX16DVC9ZmgpT4ktwuKPEjxq18uJHN8IXEXbFrL0tEazMVo0s9D+2gR+d2D42WArMoi8 J9vewDnkGxXLuCNV8FOk8XvgbiBc283y+MNczKvn/2wxs5HD+UD5f03HPmzyO23TDgPw kpzg==
X-Gm-Message-State: ALQs6tAzNV5wnqG17SJhgViFdoE0xKIB/vmzkKcYzelURr8JDtKoAYyv qfzg7Je4qHsV/chIfX27fZU=
X-Google-Smtp-Source: AIpwx49UUuaW3y5d12MpAnXhyKpCr6sHyav5OM/l2My6rO2y6/c+kupeW50u0e383nz/aAxp3wyZAg==
X-Received: by 10.98.163.153 with SMTP id q25mr4853151pfl.189.1523468310278; Wed, 11 Apr 2018 10:38:30 -0700 (PDT)
Received: from kinslayer.corp.primarydata.com (63-157-6-18.dia.static.qwest.net. [63.157.6.18]) by smtp.gmail.com with ESMTPSA id p26sm3345359pgn.18.2018.04.11.10.38.28 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Apr 2018 10:38:29 -0700 (PDT)
From: Tom Haynes <loghyr@gmail.com>
Message-Id: <3670A5DF-4E11-4848-AE28-354F45F50D2B@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CA565607-AE79-4198-AE78-5B5AF53CD2A4"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Wed, 11 Apr 2018 10:38:27 -0700
In-Reply-To: <CAKKJt-deRBop1n8sv6dNaqUL_RUWxWMELutWubRdTOovKXEHwg@mail.gmail.com>
Cc: draft-ietf-nfsv4-flex-files@ietf.org, Eric Rescorla <ekr@rtfm.com>, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
To: Spencer Dawkins <spencerdawkins.ietf@gmail.com>
References: <151683050192.22597.10931170494891133045.idtracker@ietfa.amsl.com> <9FD918F5-D08C-45FC-B6BB-30CBB3D4EC51@gmail.com> <CABcZeBPE5gV3KPpRpRxAtYRSSCZh8+3-fcf-1VsxF3AxmomnwQ@mail.gmail.com> <F2ADAD73-6AB3-45EF-B6FE-033E01F58D8E@gmail.com> <CAKKJt-e=81qyR3YXNb9imu8kzk6+nCYgMjeZqHNwt3xi4CfNxQ@mail.gmail.com> <CABcZeBPM_Rnb0QZvbvBpUCNd6yurtz0ipexUQscmnG_samb2RA@mail.gmail.com> <FD8AF7AF-632A-461C-A82A-BC0711B2F8D0@gmail.com> <CABcZeBMhEHhV1ie=TNqrj_arupO=kd27houBpZgdqZw1pPMfww@mail.gmail.com> <5C013DFE-96E3-4B74-B597-5F3FE1D314C6@gmail.com> <CAKKJt-deRBop1n8sv6dNaqUL_RUWxWMELutWubRdTOovKXEHwg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/4oqjziths56pUI6bONVHu2XlPIM>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 17:38:34 -0000

So actually, after thinking about, the discussion about securing the namespace on
the storage device is wrong.

The current text is:


   The combination of file handle, synthetic uid, and gid in the layout
   are the way that the metadata server enforces access control to the
   data server.  The directory namespace on the storage device SHOULD
   only be accessible to the metadata server and not the clients.  In
   that case, the client only has access to file handles of file objects
   and not directory objects.  Thus, given a file handle in a layout, it
   is not possible to guess the parent directory file handle.  Further,
   as the data file permissions only allow the given synthetic uid read/
   write permission and the given synthetic gid read permission, knowing
   the synthetic ids of one file does not necessarily allow access to
   any other data file on the storage device.

   The metadata server can also deny access at any time by fencing the
   data file, which means changing the synthetic ids.  In turn, that
   forces the client to return its current layout and get a new layout
   if it wants to continue IO to the data file.

   If the configuration of the storage device is such that clients can
   access the directory namespace, then the access control degrades to
   that of a typical NFS server with exports with a security flavor of
   AUTH_SYS.  Any client which is allowed access can forge credentials
   to access any data file.  The caveat is that the rogue client might
   have no knowledge of the data file's type or position in the metadata
   directory namespace.

My replacement would be:

   The combination of file handle, synthetic uid, and gid in the layout
   are the way that the metadata server enforces access control to the
   data server.  The client only has access to file handles of file
   objects and not directory objects.  Thus, given a file handle in a
   layout, it is not possible to guess the parent directory file handle.
   Further, as the data file permissions only allow the given synthetic
   uid read/write permission and the given synthetic gid read
   permission, knowing the synthetic ids of one file does not
   necessarily allow access to any other data file on the storage
   device.

   The metadata server can also deny access at any time by fencing the
   data file, which means changing the synthetic ids.  In turn, that
   forces the client to return its current layout and get a new layout
   if it wants to continue IO to the data file.


> On Apr 11, 2018, at 7:14 AM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> wrote:
> 
> Hi, Dear Authors,
> 
> On Tue, Apr 10, 2018 at 11:20 PM, Thomas Haynes <loghyr@gmail.com <mailto:loghyr@gmail.com>> wrote:
> Hi Eric,
> 
> You are asking good questions, they illustrate how the community is too close to
> the problem.
> 
> That can happen with NFSv4, through no fault of that community! 
> 
> In the fourth paragraph of Section 15, there is the recommended case:
>   
>    The combination of file handle, synthetic uid, and gid in the layout
>    are the way that the metadata server enforces access control to the
>    data server.  The directory namespace on the storage device SHOULD
>    only be accessible to the metadata server and not the clients. 
> ….
> 
> In that context, the client has no access to the storage device’s namespace,
> and as such, cannot easily do a READDIR or LOOKUP for traversing.
> It can snoop the file handles going to the storage device, but unlike a
> normal server, the credentials can change underneath the client. I.e.,
> they are not controlled by an app, but by the metadata server.
> 
> If we allow access to the directory namespace, as suggested by paragraph 5:
> 
> 
> 
>    If the configuration of the storage device is such that clients can
>    access the directory namespace, then the access control degrades to
>    that of a typical NFS server with exports with a security flavor of
>    AUTH_SYS.  Any client which is allowed access can forge credentials
>    to access any data file.  The caveat is that the rogue client might
>    have no knowledge of the data file's type or position in the metadata
>    directory namespace.
> 
> then we “degrade” the security back to that faced by a normal server.
> 
> The point isn’t that flex file is more secure, but that by taking care of
> how exports are managed on the storage devices, admins can do a bit
> better than awful.
> 
> Hope this explains it.
> 
> When I see authors explaining something about existing text (in any document), I usually think that it would be helpful to propose text that would provide the same insights to future readers. At a minimum, that's what Eric would be looking at, in considering his ballot position, rather than email threads that other readers wouldn't have access to.
> 
> Do you folks know what such proposed text would look like?
> 
> And thanks to all involved, in moving this conversation forward.
> 
> Spencer (D)
>  
> Thanks,
> Tom
> 
> 
>> On Apr 10, 2018, at 5:53 PM, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>> 
>> 
>> 
>> On Tue, Apr 10, 2018 at 5:02 PM, Tom Haynes <loghyr@gmail.com <mailto:loghyr@gmail.com>> wrote:
>> No, it does not have better security than typical NFS, it has the same security.
>> 
>> OK, then I'm confused about "degrades to"  Can you help me with that?
>> 
>> 
>> The synthetic IDs control access to the files and the metadata server can
>> modify them to fence off a rogue client*, but in the end, the security of any
>> AUTH_SYS approach is limited.
>> 
>> * By rogue client I do not mean malicious, I mean one which had established
>> a connection with the metadata server, was handed a layout, and then when
>> the layout was recalled, took over 91s to return that layout. It is probable that
>> there is a network partition between the client and the metadata server and
>> it is unknown if there is one between the client and the storage device. The
>> fencing act causes the client to become aware that it needs to once again
>> reach out to the metadata server.
>> 
>> The security aspect of this version of the flex file layout type is to be as secure
>> as any other NFS in a data center environment.
>> 
>> The goal of the next version of the flex file layout type is to be as secure
>> as any other NFS in the WAN. I.e., kerberized connections.
>> 
>> 
>>> On Apr 10, 2018, at 4:25 PM, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>>> 
>>> Not entirely. I'm inferring from the following text that this draft is
>>> supposed to have somewhat better security than typical NFS, but it's
>>> not really clear.
>>> 
>>> 
>>>    If the configuration of the storage device is such that clients can
>>>    access the directory namespace, then the access control degrades to
>>>    that of a typical NFS server with exports with a security flavor of
>>>    AUTH_SYS.
>>> 
>>> On Tue, Apr 10, 2018 at 11:43 AM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>> wrote:
>>> Hi, Eric,
>>> 
>>> On Mon, Apr 2, 2018 at 2:56 PM, Tom Haynes <loghyr@gmail.com <mailto:loghyr@gmail.com>> wrote:
>>> Hi Eric,
>>> 
>>> Kathleen has removed her “discuss” from this document (the new version was pushed,
>>> which satisfied her need for the SecDir review.
>>> 
>>> Could you please revisit your position on this draft?
>>> 
>>> I'm just following up on this one - could you take a look at whether -17 addresses your Discuss position?
>>> 
>>> Thanks,
>>> 
>>> Spencer
>>> 
>>> (diff from telechat version is https://tools.ietf.org/rfcdiff?url1=draft-ietf-nfsv4-flex-files-15.txt&url2=draft-ietf-nfsv4-flex-files-17.txt <https://tools.ietf.org/rfcdiff?url1=draft-ietf-nfsv4-flex-files-15.txt&url2=draft-ietf-nfsv4-flex-files-17.txt>)

v2.23.0 | Report a Bug | By Email