[nfsv4] binding user credentials to client host in draft-ietf-nfsv4-rpcsec-gssv3-16
Benjamin Kaduk <kaduk@MIT.EDU> Sat, 23 January 2016 19:47 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EEBD1ACEAC for <nfsv4@ietfa.amsl.com>; Sat, 23 Jan 2016 11:47:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J6Ba7vv5JL3Q for <nfsv4@ietfa.amsl.com>; Sat, 23 Jan 2016 11:47:45 -0800 (PST)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33A121ACEAB for <nfsv4@ietf.org>; Sat, 23 Jan 2016 11:47:45 -0800 (PST)
X-AuditID: 1209190d-f79306d000006b70-bc-56a3d8df831f
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 1E.76.27504.FD8D3A65; Sat, 23 Jan 2016 14:47:43 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u0NJlghd012910; Sat, 23 Jan 2016 14:47:43 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u0NJld3J024280 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 23 Jan 2016 14:47:42 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u0NJlcFZ027903; Sat, 23 Jan 2016 14:47:39 -0500 (EST)
Date: Sat, 23 Jan 2016 14:47:38 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: nfsv4@ietf.org
In-Reply-To: <20160121191052.316.9921.idtracker@ietfa.amsl.com>
Message-ID: <alpine.GSO.1.10.1601231434460.26829@multics.mit.edu>
References: <20160121191052.316.9921.idtracker@ietfa.amsl.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrLIsWRmVeSWpSXmKPExsUixG6nrnv/xuIwg3Pz1C1mv3/EanHq2hE2 ByaPl6fOMXosWfKTKYApissmJTUnsyy1SN8ugSvj5GHuggOiFTtfXWBtYGwU7GLk5JAQMJG4 1jKFBcIWk7hwbz1bFyMXh5DAYiaJ+1sms0A4GxklvnQ2MUM4h5gkzp+/zAThNDBKzP20iA2k n0VAW2LL7OvMIDabgIrEzDcbweIiAkISW67eYwexmQUkJe6sOcoKYgsLhEl0XT3DCGJzCthL LJp3FszmFXCU2LJ7BVi9kICdxMVXrWAzRQV0JFbvh7iVV0BQ4uTMJywQM7Uklk/fxjKBUXAW ktQsJKkFjEyrGGVTcqt0cxMzc4pTk3WLkxPz8lKLdI30cjNL9FJTSjcxgkKVU5J3B+O7g0qH GAU4GJV4eD0mLgoTYk0sK67MPcQoycGkJMqrV7M4TIgvKT+lMiOxOCO+qDQntfgQowQHs5II 78WrQDnelMTKqtSifJiUNAeLkjjvro65YUIC6YklqdmpqQWpRTBZGQ4OJQnendeBGgWLUtNT K9Iyc0oQ0kwcnCDDeYCG94PU8BYXJOYWZ6ZD5E8xKkqJ824CSQiAJDJK8+B6walkN5PqK0Zx oFeEeRmAiUWIB5iG4LpfAQ1mAhr8VxNscEkiQkqqgZH3lPsawdpjCQXuG4NKVfuKT0motdyW t3txMbBFrfQZa/Qk9yyTuB+vLp5nN/mlwyd4vv6K/fzGd1OrPnW2TFAQ+MjHs/7W3MO6RzuZ s+2W6areN0m0Fm71Pv44T43Htmqfz9KNK7UlizaoHBNR1X3yS59D+LHP4h3HROver1njKsj7 4rbVTiWW4oxEQy3mouJEAMfj2GwAAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/nfsv4/7lWaq7wQ4oKdk3iN_WbV1rU2oAA>
Cc: nico@cryptonector.com
Subject: [nfsv4] binding user credentials to client host in draft-ietf-nfsv4-rpcsec-gssv3-16
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jan 2016 19:47:47 -0000
On Thu, 21 Jan 2016, internet-drafts@ietf.org wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Network File System Version 4 Working Group of the IETF. > > Title : Remote Procedure Call (RPC) Security Version 3 > Authors : William A. (Andy) Adamson > Nico Williams > Filename : draft-ietf-nfsv4-rpcsec-gssv3-16.txt > Pages : 23 > Date : 2016-01-21 > > Abstract: > This document specifies version 3 of the Remote Procedure Call (RPC) > security protocol (RPCSEC_GSS). This protocol provides support for > multi-principal authentication of client hosts and user principals to > a server (constructed by generic composition), security label > assertions for multi-level and type enforcement, structured privilege > assertions, and channel bindings. > > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpcsec-gssv3/ > > There's also a htmlized version available at: > https://tools.ietf.org/html/draft-ietf-nfsv4-rpcsec-gssv3-16 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-nfsv4-rpcsec-gssv3-16 The change in this version that is attempting to remediate the issue raised by Nico is: OLD: A MIC of the RPC call header up to and including the credential is computed using the GSS-API security context associated with the inner context handle and is placed in rgmp_rpcheader_mic field. NEW: A MIC of the RPC call header up to and including the credential plus the GSS security mechanism client host principal name is computed using the GSS-API security context associated with the inner context handle and is placed in rgmp_rpcheader_mic field. Unfortunately, I do not think this is sufficient to produce interoperable implementations. Is "plus the [principal name]" supposed to mean that I put it at the beginning, the end or in the middle. Furthermore (and more problematic), GSS name objects have a lot of moving parts and different representations. In order to get all the pieces lined up, something like this would be needed, I think: "a GSS name identifying the client host is constructed, of type GSS_C_NT_HOSTBASED_SERVICE, converted to a mechanism name for the GSS mechanism in use with GSS_Canonicalize_name(), then converted to wire format with GSS_Export_name(). The resulting octet string is included in the MIC." Given the extra complications, I would suggest a more explicit description of the input to the MIC operation than the running prose currently used. -Ben
- [nfsv4] I-D Action: draft-ietf-nfsv4-rpcsec-gssv3… internet-drafts
- [nfsv4] binding user credentials to client host i… Benjamin Kaduk
- Re: [nfsv4] binding user credentials to client ho… Adamson, Andy
- Re: [nfsv4] binding user credentials to client ho… Benjamin Kaduk
- Re: [nfsv4] binding user credentials to client ho… Benjamin Kaduk
- Re: [nfsv4] binding user credentials to client ho… Adamson, Andy