IETF Logo Mail Archive

[nfsv4] Re: WGLC review of draft-ietf-nfsv4-uncacheable-directories-05

David Noveck <davenoveck@gmail.com> Wed, 22 April 2026 18:17 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@mail2.ietf.org
Delivered-To: nfsv4@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BEE36E10A0F4 for <nfsv4@mail2.ietf.org>; Wed, 22 Apr 2026 11:17:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776881837; bh=/++sYcReF1kKkdHvbXPqiCPYJlmUQNLXmC/Sx1j2ujw=; h=In-Reply-To:References:From:Date:Subject:To:Cc; b=n0zAfa52S/761ghGqlz8/YQbq6oANsulUE5eLdU/rpdlSp1eUFTq8gDfYj6qngyjf axFLKLSbG+xp7BdBj/4n7v0Hi2x2nOs7pUMlG2IWQJPlBi5FAwGvPA6XF+Q7vNr/Mm ta7hv5V5TS5sMW6rPzlFlUeRVlP+a07+YBzKmYGo=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.098
X-Spam-Level:
X-Spam-Status: No, score=-1.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LONGWORDS=1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lo4TNJL1Epa4 for <nfsv4@mail2.ietf.org>; Wed, 22 Apr 2026 11:17:15 -0700 (PDT)
Received: from mail-oo1-xc30.google.com (mail-oo1-xc30.google.com [IPv6:2607:f8b0:4864:20::c30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 11DC8E109F8F for <nfsv4@ietf.org>; Wed, 22 Apr 2026 11:16:01 -0700 (PDT)
Received: by mail-oo1-xc30.google.com with SMTP id 006d021491bc7-66f747175d8so2801877eaf.0 for <nfsv4@ietf.org>; Wed, 22 Apr 2026 11:16:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1776881753; cv=none; d=google.com; s=arc-20240605; b=eJMPzABLMaH2yQOQpPHkFBZQ84eJaQU/4BoTkYe8+n8kGUGCq6WaheRetrJK0LNkCC ZAmC6MWvw2lFBaiqJdFgL7uglR6oSc/jpJnqJwv62fFN15UvvLqi9sYKhkm7pm4gSOUK DCWkwZPsh2vTpNO9KhlDWPi1YwTU3G5gFaaxC9wDKtLDSrgFAFZtxiJbSwj2BJs/nBBQ b8Z1osWHCaQErLQue4Y8aAYU77b30KpDKWsQ1MYD3sbW8rVO+EUVWymGOPBtQLnHi5YT NzTP+ixk88atJ9gtsof+w+cIL2zO6zcItfYwQfeWWO6V3mjhvFVKJh47p1DRpkCc/h1+ JlWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:dkim-signature; bh=8zG9fyR0z072d/Y1520jUzXVENZ3W2/ueaGDA2bAISs=; fh=PO3q6cKei7F9NXwQWoaEOb/2a77AHFlxLVFOPlBPC+s=; b=X/TZGZhr67xjSFscKsqgkcvXm4N5ghf5pecohFLGDEE2SnHAf0ejSz/77Br+GAFawF H5N/qKLPIC6ttHuCktsp/dDD9/mg5vV1qbfKbwx66QSqco171IWQIxfMQLhJ/pokW6Z2 tTjiHXFiLJ/sCm4tGKllyZkhCQW0AzsdpK8TTy+Qn/9h0Pb3XYcOrJqFpM2737WaAt/n ff+Mg87ULsSe6w+1TOVGxGHrNFffV+tDsbCHJC/HQUem9WXJ729GGYO84qTe5fR+3Rkx YpkS4XhxGwvW1wU7oLlFI17CLPwgiuvwHFdcNECfA7BcQZSBtZMqsI/fXjcBRtxHAPzy N80Q==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776881753; x=1777486553; darn=ietf.org; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8zG9fyR0z072d/Y1520jUzXVENZ3W2/ueaGDA2bAISs=; b=oz1cUHPPzNOANakuPcO3Tz3r8o0GYi+QOiA/sIdneDLzsfOdh/PoIYyDSWUMM3uSMK 2DlsEWxTpC2r8zyN6M0H2ck09SnkxXiAsT6hYb4otW/xoAB7lg9tAdh56KCObsGQFsig 1J3DLFQj3G53UunXlRsHOoVy+47JCcB1SW/WmfRu829NY6gR8Q5gY7I2t6Ha6+eptY1h InQbeGmXUTBATZdS0uVIpcDI4qUBSaGTgjF3BTn8b+32CbdbXgXit3jJZSeqgNNVnBnp zAA7mx+zE0hLTQC9QbWXEV/STJrCKpo/Ndz9jcps2lEXyfVsHcYegGmhxK1edxTuG0/9 pu7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776881753; x=1777486553; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=8zG9fyR0z072d/Y1520jUzXVENZ3W2/ueaGDA2bAISs=; b=J/2tVjctdWOLJPNGwRf1a71R/VE17/0v3qeJ7frRgQ2LkKNkd85N2AiZNU4Rf/7o7O WBaP4f9/swZjW7jn9Fom8OY4NjYupmWgSmdBMaolJ6yhyntM5lysmyUV4edbBjIJLCzf egA6EArTWk9m6bpBglH8RgIdKfkneomvJXuII0inNryIBefSrbIzOTkkxJBkYI0XJBmN WbtpcB+J+vJ28fNiBZreBjEFuJxjNZw5JihCpsUDu9iBJLtY9vTITSLhiPowFNl3dH4n MDFmcjsaDkD1CmjKAXorQBCYaWwJTdFWk34vx6wgqWgcPbsejLmes4FR7MmGo/pziguH 2/kg==
X-Gm-Message-State: AOJu0Yx9h6ZHs7Wxumhj3w5CtvRNJ4SlgDpEbNom+MdRv7ym6wyPiXRc VhOu2BOxRg82CFRlnEGYVUXivdA6FYyvgcgEUORqKII4GIeUXm34t6SCpRu2tbFuoW/3FnKzA0s x34JgFISDCapyF+b10z3NV3QN6On5Z7xUbA==
X-Gm-Gg: AeBDies1YMdx51E9+cQzR7JhF1EWabAPtEt0Sfsq2PqAz9O+sFvfVrA9cpEKOI3RiUa GYxXyyyCw2jDCEpnrdZ1gmBVPI3vZL2gs/yJaeJiN27NjyGuI386E+g4fS3eq3n20wKLZJAJYck IBDCfGioZZEdFPRrCl07QBVMRIwHrgUJktAzIOPJ99kNc7mWm+y5CXgW5BVzs56AiB+ie+H8R9y qLZTRa7RhR03eTstMk/06RyJnisAvTwJef+sEgTWvFpuyB6e34bNfXmJX5rwpDJIqJp/YaIGm0W Xs+NFt+CAPbsi0VwBaM+HW3gsq8eSNatbBeqrdxT2TZt3oQM
X-Received: by 2002:a05:6820:62a:b0:67d:e619:5c5a with SMTP id 006d021491bc7-69462e48395mr14011382eaf.16.1776881753383; Wed, 22 Apr 2026 11:15:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a05:6638:8b95:b0:5d1:febd:b79a with HTTP; Wed, 22 Apr 2026 11:15:52 -0700 (PDT)
In-Reply-To: <3044B8D2-EE9D-499D-8629-2FF0339D01C0@gmail.com>
References: <CADaq8jeSSR2V-rL=ko__9j9dpMZro+Ls_qvjfgBEFsYLhq6Mog@mail.gmail.com> <3044B8D2-EE9D-499D-8629-2FF0339D01C0@gmail.com>
From: David Noveck <davenoveck@gmail.com>
Date: Wed, 22 Apr 2026 14:15:52 -0400
X-Gm-Features: AQROBzDjwBTN_brZdWQCcwqiC5hpRYvW-OJtSGRA6-wRKIz909G4X7Taou52gto
Message-ID: <CADaq8jdSnmmaTqsZVkCUks=mHDuGvb4tnAM5Y8J9yS0NqFhcaA@mail.gmail.com>
To: Thomas Haynes <loghyr@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b7e731065010857b"
Message-ID-Hash: PB44OJZ3TJCPLINUNEJYQ4R6OC767YYX
X-Message-ID-Hash: PB44OJZ3TJCPLINUNEJYQ4R6OC767YYX
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [nfsv4] Re: WGLC review of draft-ietf-nfsv4-uncacheable-directories-05
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/8C2a07vu1aVEK7Ck3kUdHZwSyEI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

Is that rework available?   In its absence, I'm having trouble
understanding how you intend to address the lack of motivation for the
feature that I cited in my review.

As far as I can determine, you still believe the server can validly give
inconsistent values for the contents of directories or file attributes and
it is the job of client to deal with that behavior.  That seems to be your
motivation for this proposed attribute.

We clearly disagree as to the validity of a server returning such
inconsistent data (in your terms, data which is "not globally
consistent").   If it is not valid, as I believe to be the case,  then your
motivation is not a valid one and this attribute a should not be added as
an extension.  I think the chairs have everything they need to complete the
WGLC although, until they declare this WGLC over other opinions can be
entertained.

If you could cite a valid instance of servers returning data that is not
globally consistent, we could restart the discussion from there.  However,
I cannot see adding work based on speculation that this situation might
exist in the future, which seems to be where you are now with this.



On Friday, March 27, 2026, Thomas Haynes <loghyr@gmail.com> wrote:

>
>
> On Mar 27, 2026, at 7:20 AM, David Noveck <davenoveck@gmail.com> wrote:
>
> Overall Evaluation  Appropriateness of Publication
>
> It is not appropriate to proceed with publication of this document at this
> time because, as discussed in  *Lack of Feature Motivation*, there is no
> clear description of a needed feature that would motivate the addition of
> this attribute.  It appears that the motivations presented in the existing
> *Abstract* are purely speculative, as discussed in *Close Reading of
> Existing Abstract*.   This makes it inadvisable to proceed with
> publication until motivations are clarified or addressed as described in *Possible
> Future Motivations*.
> Absence of Detailed Review
>
> Because of uncertainties as to intent and a lack of concern with
> important details as discussed in *Close Reading of Existing Abstract*,
> much of this document has not had a detailed review.  Given the discussion
> in *Lack of Feature Motivation*, it appears likely that one will be
> delayed until a successor document is available, when a clear motivation
> for the proposed attribute is provided. This could enable reconsideration
> of this attribute at that later time, including a detailed review.
> Lack of Feature Motivation Previous Motivations
>
> As originally specified, it was anticipated that this feature, including
> variation of some attribute values (i.e., the data-related ones like size)
> was needed as a complement to work described in
> *draft-ietf-nfsv4-uncacheable-files*.  However, further work on that
> document had the following effects:
> ·       It was decided that variability of the attributes needed  to
> support *draft-ietf-nfsv4-uncaceable-files* (i/e.., those tied closely to
> file contents) could be handled directly within
> *draft-ietf-nfsv4-uncaceable-files*..
> ·       Furthermore, the necessary variability was not per-user but
> per-client reflecting simultaneous modification of file contents by
> multiple clients.
>
> ·       In any case, because of changes to
> *draft-ietf-nfsv4-uncacheable-files*, one of the motivations for this
> feature ceased to exist although the mischaracterization of file attributes
> as “dirent metadata” might have made that difficult to see.
>
> Later it was anticipated that per-user variability might be necessary to
> support ABE, as discussed in *Access-based Enumeration*.  However:
> ·       Tom felt that now was not the time to specify the semantics of
> this feature in detail.
> ·       Tom did not feel ready to drop this effort despite the fact  that
> there were no substantive motivations yet identified.   As will be
> discussed  in  *Close Reading of Existing Abstra**ct*,  the result was
> essentially a motivation placeholder, which now needs to be filled in.
>
> ·       While the Working Group is free to proceed on the basis of the
> speculative motivations currently present, doing so would present
> difficulties, deriving from the current assumption that *all* file
> attributes can legitimately be treated as validly presented differently
> based on the identity of the interrogator.  For reasons discussed in *Gaps
> that Need to be Addressed Elsewhere*, *Need for Semantic Description*,
> and *Needs for an Abstract for a Possible Successor Document*, this would
> move the protocol in a bad direction, making it necessary that we have a
> more concrete discussion of a necessary use case before including this
> extension in NFSv4.2
> Current Status of Feature Motivation
>
> As discussed above, this feature, which seemed a natural correlate of
> *draft-ietf-nfsv4-uncacheable-files*, has, during ongoing discussion,
> experienced a loss of its original motivation and possible replacements,
> resulting in an attempt at  motivation that relies on some unjustifiable
> assumptions that have been erroneously adopted while the existing NFSv4. 1
> specifications did not discuss authorization in detail, despite the need to
> do so to support ACL definition.  These matters are discussed in *Gaps
> that Need to be Addressed Elsewhere* where suggestions regarding
> necessary clarification also appear.
>
> As a result of this unfortunate history, we are forced to conclude that a
> new justification will be necessary, as will be discussed in  *Possible
> Future Motivations*.
> Possible Future Motivations Access-based Enumeration
>
> Despite the circumstances that make it impossible to immediately proceed
> with specification of an ABE extension, it remains possible that it might
> serve as a basis for an attribute limiting metadata caching, keeping in
> mind the following issues:
> ·       ABE has no need for varying attribute values on a per-user basis
> but deals with visibility only.
>
> ·       The potential need for per-user visibility is connected to the
> question of whether visibility restrictions apply to LOOKUP (or OPEN), in
> addition to READDIR.
> Need for Semantic Description
>
> To provide an ABE-based specification, the following issues would need to
> be addressed:
> ·       A clear description of the filtering to be provided that applies
> to the use of modes or ACLs  (presumably including draft-POSIX ACLs as
> well).
>
> ·       Clear guidelines with regard to the handling of LOOKUP, OPEN, and
> CREATE.
> Other Possibilities
>
> While none are now known, we will need to consider the possibility that
> features needing this sort of per-user variability will be needed in the
> future.  An Important matter to consider for such features is whether they
> can be provided for within the extension model described in *RFC8178.*
> Per-section Discussion
>
> In light of the problems in the existing *Abstract *and the lack of
> justification for many of the assumptions made in deciding to include this
> attribute, our discussion will be limited to issues raised by the existing
> *Abstract*.
> Close Reading of Existing Abstract
>
> To provide better insight into the difference between my views and Tom’s
> regarding the issues involved, the abstract is reproduced together with:
> ·       My comments on the existing text in *red italics*.
> ·       Possible replacements in *blue italics*
>
> ·       Other related comment in *green italics*.
>
> To summarize the discussion below, it appears that Tom has some feature in
> mind that might, legitimately depend on user-specific attributes but is
> unwilling at this time to present it in detail.  As a result, in attempting
> to motivate this feature, he supposes that servers have an astounding level
> of freedom in making such decision and characterizes it as part of server
> access control.
>
> This is not valid and access control needs to be limited to authorization
> to be describable by the protocol specification.  Although user identity is
> valid in effecting quota restrictions and might be extended to other sorts
> or resource-allocation decisions, it cannot and must not be extended to
> allow the server, at will, to report different values of attributes on a
> per-user basis.  Access control needs to be kept restricted, even if there
> were a valid argument for particular attributes to be interrogated on a
> per-user basis.
>
> The existing abstract is to be found below, with my comments:
>
> Network File System version 4.2 (NFSv4.2) clients may cache
> directory-entry (dirent) metadata returned by READDIR to improve
> performance.
>
> *It is not clear here what is intended by the phrase “directory-entry
> metadata”.  It seems that Tom is referring to the file attributes that can
> be returned by READDIR.  The fact that they are returned with dirents does
> not justify calling them “directory-entry metadata”, however.  *
>
> *This is more than a purely verbal issue since this identification causes
> us to neglect the very real constraints that should apply to per-file
> attributes and obscures the fact that the protocol makes no provision for
> them to be different as seen by different users.*
>
> *Network File System version 4.2 (NFSv4.2) clients will sometimes cache
> file attributes returned by READDIR in order to improve performance.*
>
> Such caching typically assumes that directory-entry  metadata and
> visibility are identical for all users of a client.  In some deployments,
>
> *With regard to attribute values, they make that assumption as part of the
> protocol is to give multiple users access to the same file, whether that is
> stated explicitly in RFC8881 or not.*
>
> However, servers may present directory entries or associated metadata
> based on the identity of the requesting user.
>
> *This can happen since there is no way of stopping a putative NFS server
> from doing so.  *
>
> *This would be clearer if “may” were “replaced by “might”.  Even though
> “MAY” is not used, this gives the impression that this OK simply because
> servers might do it. *
>
> *This is not so since there are strong reasons for a file’s attributes to
> be the same as seen by all users.  For example, if I set the ACL attribute
> of a file, I would not want  other users to see a different ACL that
> allowed it access I did not intend.*
>
> Reuse of cached directory-entry metadata across users can therefore result
> in clients presenting directory contents or attributes that do not reflect
> the server's current access control decisions.
>
> *The phrase “current access control decisions” is troubling.  Generally,
> access control decisions are used to effect authorization and I am
> uncomfortable with the assumption that servers are free to make such
> decisions volidly simply because they area capable of doing so.*
>
> This  document introduces an uncacheable dirent metadata attribute for
> NFSv4.2 that allows servers to advise clients that directory-entry metadata
> returned by READDIR and related operations should not be  reused across
> users.
>
> *What is missing here is some explanation of why servers are to be allowed
> the freedom assumed above or why clients should be encouraged to modify
> their behavior to enable it.*
> Gaps that Need to be Addressed Elsewhere
>
> As we consider the assumptions made in the existing *Abstract*, it
> appears that there is a fundamental disagreement about what it is valid for
> a server to do based on the identity of the requester.  Part of this is
> undoubtedly the result of the previous unwillingness to address
> authorization in detail.   While the v4.1 respecification effort was
> intended to address the gaps in the discussion of these matters, it now
> appears that further work will be required in making it clear what, if
> anything, a server might validly do differently based on user identity, in
> addition to effecting the authorization semantics defined by the protocol.
>
> In the past, it had been assumed, in connection with authorization, that
> the fact that a server chose to do something, somehow made it incumbent on
> clients to adapt to that behavior.   That issue was addressed with respect
> to ACLs  in *draft-ietf-nfsv4-acls-update* but needs to be addressed more
> generally.
>
> As a result, when work resumes on the unaccountably delayed
> *draft-ietf-nfsv4-security*, it will be necessary to address these
> questions and provide reasonable limits regarding uses of user identity
> other than those mandated by the NFSv4 authorization model,
> Needs for an Abstract for a Possible Successor Document
>
> It appears to me that the information missing in this document that would
> need to be provided in a successor (not necessarily in the abstract) has to
> include following:
>
> ·       An explanation of the scope of the variability including whether
> differences in contents are to be accommodated or whether the same file can
> be described with different attribute values for different users.
>
> For example, ABE-like extensions might report different directory contents
> without providing different attribute values for different users.
> ·       If per-user attributes need to be accommodated, then it needs to
> be clear which attributes are allowed to be returned in this way and
> whether any can be set differently based on the user doing the modification.
>
> ·       It needs to be clearly specified how per-user visibility (or
> attribute variability ( if that is to be allowed) is affected by the use of
> different operations.
>
> For example, it is not clear whether the arguments to  LOOKUP are to be
> filtered in the same way that READDIR results are.  This is a matter of ABE
> semantics that needs to be resolved.  In addition, the corresponding case
> of OPEN is even more difficult to deal with since the normal response to
> specification of a non-existing file name is to create a new file.
>
>
> Hi Dave,
>
> I want to address one point directly, since I think it may be driving some
> of the concern.
>
> There isn’t an unstated feature behind this work, nor is this document
> intended to introduce or define something like access-based enumeration.
>
> The intent of this document is limited to specifying client behavior
> necessary to maintain correctness in situations where directory contents or
> associated metadata observed by a client may differ, whether over time or
> across clients. The document does not define the mechanisms that might lead
> to such variation, and does not rely on any specific model for how or why
> it occurs.
>
> In particular, the goal is to ensure that client-side caching does not
> result in incorrect behavior when observations are not globally consistent.
> This is a cache correctness issue, independent of any specific server-side
> feature.
>
> I agree that the current text can be read as implying new server-side
> semantics, and I’ll rework it to make the scope clearer and avoid that
> implication.
>
> – Tom
>
>
>

v2.46.0 | Report a Bug | By Email | System Status