[nfsv4] review of draft-dnoveck-nfsv4-security-03
Chuck Lever III <chuck.lever@oracle.com> Wed, 24 November 2021 17:21 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DE033A0963 for <nfsv4@ietfa.amsl.com>; Wed, 24 Nov 2021 09:21:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com header.b=mLyTC7Ff; dkim=pass (1024-bit key) header.d=oracle.onmicrosoft.com header.b=X/VE/w0r
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xnFj0mKdhkgN for <nfsv4@ietfa.amsl.com>; Wed, 24 Nov 2021 09:21:53 -0800 (PST)
Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 589B73A096C for <nfsv4@ietf.org>; Wed, 24 Nov 2021 09:21:51 -0800 (PST)
Received: from pps.filterd (m0246632.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1AOH04Gx030855 for <nfsv4@ietf.org>; Wed, 24 Nov 2021 17:21:50 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : subject : date : message-id : content-type : mime-version; s=corp-2021-07-09; bh=jb9F4brh4lvnya0bgPgE4He0VoZGh4sv5toP/5WAlsk=; b=mLyTC7Ff5yTkDBSCHX8uqSvLV3Jr/fF3uDuEpMfRaW1xWcxDt7XFSF0nUt7bw16IzKmC ALiH7M63NV66asNy2Z4h4UKUSL4Buy0aC3rC1MdiUEERzK95bH/0t87PPI10epFuL8Pm dlK1mE8lQLlGk3MF7qzljHBx269XgzOVeJ2Iyy8LWsH9eDXaMr3+fb/IZjvdfAGoKW+f Uw4sQL3FXRBNMdgxp5F+KQTJ1qvkCU702D2IL7CYi8V4e98PTe8gm/8IlZe9zrTIaA9H ltUdpQBjJ3WZFmXkxS/pfzMHmMfjQjUpNitHX9MGL+BscqRW5B2aOUtNJMTpMfpNzmMl /Q==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by mx0b-00069f02.pphosted.com with ESMTP id 3chmyy9whd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <nfsv4@ietf.org>; Wed, 24 Nov 2021 17:21:49 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.1.2/8.16.1.2) with SMTP id 1AOH6sv7186384 for <nfsv4@ietf.org>; Wed, 24 Nov 2021 17:21:48 GMT
Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2173.outbound.protection.outlook.com [104.47.58.173]) by userp3030.oracle.com with ESMTP id 3cep5211p4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <nfsv4@ietf.org>; Wed, 24 Nov 2021 17:21:48 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WoS7lxjY0NExE9wDMwHKZoDXbep8n2xd1Ne543xTP3mhE59Wi6N1VpGnLDOcRlLMpKN0aj3fwNWEpGqAlIY/QDL4fTosJXx6+BxKXhII9WnAe6A9kyzmSdXn5vQHFNJkHHbZpUuB+ZFdNiePLfFFfUvD96YXja0qjJByG6o2K+tOWqy4sZ3euj7h2WAxQ6JiqgtZPBr+u8HYfZkWaMbTP34mYyOspj6AWh7KrxYMomTiclNFZW0b3KRApbhDhz4iv9e1O1JjFfsxAYb8XODW/SrDuqXH1h0a5TjtL/fwXUM8JLUTmGih9XCZxfGVAXsUst5Gfae+jYVOMdto8+n7zA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jb9F4brh4lvnya0bgPgE4He0VoZGh4sv5toP/5WAlsk=; b=fmy4rs6lJD9w43WALn2n0c9jSl7qHv6BRZ/Ui9Jkbo/h211+5b7pNvgjsKQTrAOPsAZeHLF128Ju5NlAkWUaoqRkZovCoLz7imZMuhfE6NMF5+Vxwldd52yQGxcAuPuisu9NZKtrm5JFuyUmglGnd+6ISONR+XQfWOmZDm1rGV/UW539xM21hYefjHvFlMbZQEW8h3LGTDEm69KnrQpZBKBdaTDU00W5WQcUYL2M0UgOmtlNchiXvu3xy4WTS2MlFN74yRDsX9VEPYFn0BjnT62lxEpjcW1MABtXRneCtQND8Fwj0De/9ZVDckcW72okZ9Q7P/2QbiZLTGB5Pdsgzg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jb9F4brh4lvnya0bgPgE4He0VoZGh4sv5toP/5WAlsk=; b=X/VE/w0rviH9hkfeVl0cGIYh57dsPQQwke4Rqg9PGwBV6Q+Ll+OeQF8fecCh+VU5avPiylA86oBVqp90/mK0j6t632W9tGjSFhHTrm53JvvvJ+wId0vURK71V+uDslIRqCzEbYhsctCngND7KlCxEdT4Thlqyy2PqTn+XKMWgSY=
Received: from SJ0PR10MB4688.namprd10.prod.outlook.com (2603:10b6:a03:2db::24) by BY5PR10MB4130.namprd10.prod.outlook.com (2603:10b6:a03:201::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4713.19; Wed, 24 Nov 2021 17:21:46 +0000
Received: from SJ0PR10MB4688.namprd10.prod.outlook.com ([fe80::48f2:bb64:cb4b:372f]) by SJ0PR10MB4688.namprd10.prod.outlook.com ([fe80::48f2:bb64:cb4b:372f%7]) with mapi id 15.20.4713.026; Wed, 24 Nov 2021 17:21:46 +0000
From: Chuck Lever III <chuck.lever@oracle.com>
To: NFSv4 <nfsv4@ietf.org>
Thread-Topic: review of draft-dnoveck-nfsv4-security-03
Thread-Index: AQHX4VfBeMG96hEgIUeT0pMTEubKiQ==
Date: Wed, 24 Nov 2021 17:21:45 +0000
Message-ID: <5AFE5F2F-478B-4FDA-8B5F-8C80F80ED761@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.120.0.1.13)
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a0b6ec5f-2e67-460a-238f-08d9af6ee444
x-ms-traffictypediagnostic: BY5PR10MB4130:
x-microsoft-antispam-prvs: <BY5PR10MB4130837D55E1D9CC12F0B01793619@BY5PR10MB4130.namprd10.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /2kDJYe9CK7deQggQJO3/nCcg/8G+tRs4099Qq9MGrqjb5/fLDEfHFnAHWFSrknHhMJetzmYW1FleqNGtHjGKMo3n7uJ/q8FgRiTlwAITKZ95u7sMTyRKKm6WmxHwIShh79mLvumeJWs+DAHzUsdvP2nF/pLfPpTk5G04chGzb9/F87p5WZpuRpZQYzFzHXbmohCUdLrv9t8NZzccfp+TKJ1UW9K+ZynChnKDi1LERQcbwYuy5IHXWzoQGf/+KNegY6oXohwC2F18kvVaqC+Y82W+YOM8UMup+/BvMtnifOjrt6QzB5juQXk7S8v8GQQKx89SbTcrT6/WqAWqjwSA2/WC9HiQ8Lp9NMKmGGNI4BMHqBHMZ9nnSSnee3XmAXEjnLQO51XS/XPRENBgsXXkgd6PclR3c/7nmayPOHzkMDfH2lKlB5Gow7tNq6butPgzrI5tA2j61KcXYQs2DWhvGy5Yh3nh+vFAZ7XnkTN8anqAxX9t2POpXayysy/P83m6IQEeDNAw8tjb/u/Cec9POgMeBLFlfN0LUi4mYVkpuHDa9GZ5q+toCVwRfXQ2iaBXj5xwo6glvucV9R12GhvfMwitENsNtItLyAFFGxprCsBPpNHRij9oH+j3kFt061nJ7Lzrs7rJ+RCj1LqFHP1X1DLaWhzjIlmQF8EcWhW8xkUbZi77xbcPeimwNIB7240jtaCZr+OPWeSUH9+j3BYOH6nmL9X4AB2/mslWfN2CFpY2G0OlK7BNK5d9wHObmXZ
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR10MB4688.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(36756003)(508600001)(8936002)(2906002)(38070700005)(45080400002)(6506007)(26005)(86362001)(5660300002)(122000001)(38100700002)(6512007)(186003)(8676002)(2616005)(15650500001)(91956017)(33656002)(76116006)(66946007)(83380400001)(316002)(6916009)(66556008)(66476007)(66446008)(64756008)(71200400001)(6486002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ka+0FNVAj6fH2zpyl6c9ChIuD85/rPf7V+iOcx8ypjcwL5GSFFoaWhRm9oYnP1yMjmrLl9c1ykR45gFux1fOzo10GN/FVuMA7lOYIvcDOenYD3lRhcevFmW8OJUzctif3Vdyi5xfjz6G1h16MGqQiZGnPv8JHrKyrcRlVxQEq8YI6YVd/nIV2gLO2KFhbiw43ORJudolWlhfMCiDPVVFTAyG5lCN2Wmi8q7EkzJJslKyej3ZFitwcb4sI3T4cjY0Cn+yIQPQViYhZxljEYfkeI0ekgL0Tf/8AXrbHIp9XFdRVMlbLbresqCFtWMchmLQVAoqPjARYo8X0jtq6cTPupGqDB+pLZuvqqrE3rzIzdbmO2KNgYQ1f1dhQ+DsK8LhLjs6qrnvVYfi2G2hqz9k0BBq1vgannSi1jPFGotUhUMQew3NX/E9vkQaLHM7/nFrj7T4yZC/9cHz8qZyHejQmEtcMDtlKyxbvqHlY+jXnZ8R77T+tBSm0ary24dcQE9T7CRrquHbNmgWb8l20RNkw6Ngki57cqmyQmJgAmJ9bBw9ZsaKaCp7jBx6JcAGQ/Tv8qQ2nA7ejQGbxje5Mx+KfWTGVBpcD0xc4MeL9aCT7EM62Nsx7ccu3sMkYlxqEpUWkq5wHCT6hDHuiGAbi4bHrQ4S6zQ6wPNlSukjkPAZqv6mDr+/YGBx3JmIf4BUcSyiGK6FGN6Y2tsKHpDEkBDq7sKemGCDkllRnmmhbdkbUs/IV5YlpTyngFn3kMQMAge8fETsS9kM3fvUmXmnMcy41deHAWTXJ8ONV5K/3dGggxbIdgditAiaWAPMqivjjYR1a3En7IGnmxiidTHvElcLUv/jMDsGUgQGGr6VQuVKQWit8tyj+tR9rarZK9eHnI0/CzYz+hyd1pSJCGu46IrxV7Bqt0sGyLVHeHYnyMtihOJzGmHqeoTPV8Bqi4McRyKGPOQUeTqGGkyH2jE5TXtXB7xgr06GGkt6knsi1OT9n8U4L5z4vVgpJDC2QawHtqImFWNjWjR2nPGmM9708Dg00nppqTSVYLXfF6d8eFPYYtXYMHLdAfDEAjy79WkG+GIKqBlMK9+XmbxKkU0XcgvSMRPmVnerXcpMpwc9wT9ObiobAemoPwYom30bzPdDkA4gjlfSHwVdMdaSDGu7iwjOgsyq4dwakbPjzXL8PKIX3/qAyz/lrKLfzpX1WjrLmV4wwZxqh1+7TwsK6siHCH4ARREMq6izgZEj2FT+T6YCp/ZZ5EVbPqD+kaz2mdgivL4eyZ5IWun8asd9KErUO9mgOTPoBVDiz0GheTbdC/MAWoEe2firVIMFJgF+b7St5CHC4SwiiOqdYVYJ2wZYse8Kt0W4rfEmyFdUvPyPQPdAMLxMAMsrMqO6n+L+X37TH7EvlY/EMafz7UUUFH8FDt52R2PZts/CJmQUmjV5lmAA6Hd2pgt8D0gXxmm3FEzyszmAcXweXFEDgHNC6hDgwMI2M14rpTrPt+ERtGZZQKoPd852nL1YTKveJFv7fp75y7Exp286OGkUwYAmBPuI3470JCmzZS+rdRoG6TtCV+5XAcELlJIZ5rV7rEITIYdwcSNP7RDRUOMlu99EcZJnpU4B5Fz8fZAl6S8rDePuQ5WPuiI=
Content-Type: multipart/alternative; boundary="_000_5AFE5F2F478B4FDA8B5F8C80F80ED761oraclecom_"
MIME-Version: 1.0
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR10MB4688.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a0b6ec5f-2e67-460a-238f-08d9af6ee444
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Nov 2021 17:21:45.9166 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PZEmHlY8zPjAq2MiTZwUpSOtRKBwYGJ2VT491scUNi1+ndJ7U22J3Ia4EASA2GcEW2cY0sLOuShKxPpDR6hZTg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR10MB4130
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10178 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 phishscore=0 malwarescore=0 mlxlogscore=999 bulkscore=0 mlxscore=0 suspectscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111240093
X-Proofpoint-ORIG-GUID: eg-935Mv0VU7vNB1DL7i33Ok4-mZN6TJ
X-Proofpoint-GUID: eg-935Mv0VU7vNB1DL7i33Ok4-mZN6TJ
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/7WZ0VhCwukaX36mclqPYlR7LYMc>
Subject: [nfsv4] review of draft-dnoveck-nfsv4-security-03
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Nov 2021 17:22:02 -0000
General comments: Editorial bugaboo: the overuse of commas in this document, especially where a speaker might pause for emphasis but the comma does not serve a proper grammatical purpose. The RFC Editor will be merciless in removing these. Example: This document describes the security features of the NFSv4 protocol and is unable to address security threats that are, inherently outside the control of the protocol implementors. Or: [Author Aside]: Giving servers a general freedom to to not support the masks defined in this section, creates an unacceptable level of potential interoperability problems. Document organization: The increasing size and scope of this document is concerning. In general I prefer to see nfsv4-security focus on security architecture and threat analysis, and leave protocol details to other documents. A good guideline might be: if you don't normally see this type of text in a Security Considerations section, then it doesn't belong in this document. For example, Section 5 is indeed security related, but it specifies protocol elements, thus IMO it should remain in 5661bis. Or put another way: the protocol elements that define ACLs are an implementation of the security architecture. The protocol implementation details belong in 5661bis, while the architecture can be described in this document. It is perfectly acceptable for 5661bis to cite this document as explaining the security considerations for ACLs. As an alternative, a complete discussion of access control is substantial and perhaps should be a separate document. I also propose that Sections 13 through 15 be moved to a separate document. I explain the reasons below. Section 6: There might be more going on within a server filesystem's authorization decisions than the NFS service can present to NFS clients. MAC security labels, file capabilities, and per-file data integrity checking policies are typically not visible via client access, yet can block access to file content. Is Section 6 stating that NFS servers MUST NOT use other authorization methods except those that are visible to clients via the NFS protocol? Sections 7 and 8: These sections should discuss the authorization models in terms of discretionary (ie, user-directed) and mandatory (ie, system-controlled) authorization models, as is the industry norm. I would like to see an expansion of the discussion of the "superuser" concept, as that is a POSIX holdover concept and needs detailed coverage as part of, for example, user identity squashing. This level of privilege is also key to discussing MAC security, or remotely setting other privileged attributes on files and directories. And POSIX-like clients need guidance on how to emulate superuser privileges via the facilities provided within NFS. Section 9: The current NFSv4.0 and NFSv4.1 descriptions of this share one unfortunate characteristic in that they both are written to give server implementations a broad latitude in implementation choices while neglecting entirely the need for the clients and users to have a reliable description of what servers are to do in this area. As a result, one of the goals of this new combined treatment will be to limit this excessive freedom, while taking proper account of the possibility of compatibility issues that a more tightly drawn specification might give rise to. I don't see any rationale given explaining why the existing "broad latitude" is inadequate. What real world problems have arisen from it? What are the consequences of not coordinating updates to mode bits and ACLs? Why is it necessary that all NFS servers and filesystems do this the same way? These two paragraphs make a lot of assumptions which need to be explicitly included here. It's been emphasized to me over the years that over-specifying will either limit innovation or prompt implementers to ignore the specification. There needs to be clear justification for making significant constrictions in this area. As above, it could be impossible to crisply describe ACL-to-mode translation in the face of other, non-standard authorization mechanisms that might restrict server security policy. I prefer that this section retain the "broad latitude" approach and instead work to make clients operate properly in the face of client-invisible authorization mechanisms on the server (a la ACCESS). But I agree that the use of BCP14 keywords could be improved in this area, especially with regard to explaining in the context of SHOULD when alternative approaches are appropriate. Is there a treatment in the POSIX standard or within Microsoft Windows protocols publications of ACL-to-mode translation? Would any of that be helpful to review or adopt? I missed the introduction and definition of the terms "forward-slope" and "reverse-slope". The discussion in this section needs to avoid using lowercase "must" and "should" as these are easily confused with BCP14 terms. Generally speaking, it's not clear to me that "cleaning up the ACL specification" is part of the original scope for nfsv4-security, which was to provide a Security Considerations section and threat analysis for NFSv4.x. As it is a substantial piece of work, perhaps it needs its own charter mandate. Section 13.1: I don't understand the motivation for replacing the historical term "RPC authentication flavor". Also, the term "RPC flavor" is generic enough to unhelpfully obscure its meaning and purpose. I don't currently have an alternative term, but subsequent discussion in this section is able to successfully distinguish between identification and authentication and state plainly which authentication flavors provide one, both, or neither. I don't see a problem with keeping the traditional terminology. Section 13.4: I find the linking of "connection type" with "RPC flavor" to be deeply problematic and without precedent. First, and I cannot stress this enough, TLS IS NOT A CONNECTION TYPE. For example, QUIC, which is a connection type, uses TLS just like TCP does, though with QUIC TLS happens to always be enabled. We will be better served if the RPC layer simply tells the upper layer: yes I can authenticate the peer (eg: GSS or transport layer security is in use), or no I can't; yes I can provide confidentiality (eg: GSS, IPsec, or TLS is in use), or no I can't. This section needs analysis of specific use cases and explicit rationale for why negotiating connection types is necessary. Since this is a proposed new feature, that analysis and rationale is paramount. Burying this proposal in a large document with a broad scope will prevent adequate discussion IMO. I prefer to see these three sections split into their own document that can proceed to publication as soon as possible rather than being chained to the completion of the other potentially lengthier tasks in nfsv4-security. Section 14: Since authentication and confidentiality are handled by RPC, why is this section necessary to include in a document about NFS? The NFS layer should simply ask for a particular security service; the RPC layer then provides that service -- the actual mechanism can and should be opaque to NFS. Yes, the introduction of transport layer security is as revelatory as suggested. But I think this document is too specific about how it works in the one instance we have today (RPC-with-TLS). NFS should request abstract security services -- that's exactly what it does for GSS -- and the RPC layer should provide those without exposing mechanism. Section 15: I strongly urge reconsideration of adding connection types to security negotiation. NFS should state the security services that are required, and let the local RPC implementation figure out the mechanisms. * SECINFO and SECINFO_NO_NAME both return arrays of pseudoflavors. I don't see a provision in RFC 8178 to permit changing these procedures to exchange something that is not defined in the RPC protocol documents and number registries as a pseudoflavor. * Especially XPT_TCP does not make sense; as stated above, QUIC has TLS built in. Do we really want to add a new connection type pseudoflavor for every new RPC transport? * The discussion in this section is necessarily NFS-centric, but a complete discussion of security for all RPC transport types would need to include datagram transports. Such a discussion needs to start at the RPC layer, not as something grafted onto an upper layer protocol. Section 15.4 and 15.4.1 belong in section 15.5. And again, because this subsection is specifying protocol elements, it does not belong in an architectural document, but instead should be either a separate smaller document that will be replaced eventually by rfc5661bis, or this material should appear in rfc5661bis's SECINFO and SECINFO_NO_NAME implementation guidance subsections. Section 15.4.2 and .3 -- may be incomplete, but I fail to see the purpose of including these details. -- Chuck Lever
- [nfsv4] review of draft-dnoveck-nfsv4-security-03 Chuck Lever III
- Re: [nfsv4] review of draft-dnoveck-nfsv4-securit… David Noveck
- Re: [nfsv4] review of draft-dnoveck-nfsv4-securit… Chuck Lever III
- Re: [nfsv4] review of draft-dnoveck-nfsv4-securit… David Noveck