IETF Logo Mail Archive

Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

Chuck Lever <chuck.lever@oracle.com> Wed, 22 April 2020 16:09 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11F693A0DF6 for <nfsv4@ietfa.amsl.com>; Wed, 22 Apr 2020 09:09:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T_9RqCQmVi1Z for <nfsv4@ietfa.amsl.com>; Wed, 22 Apr 2020 09:09:00 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57F783A0BB9 for <nfsv4@ietf.org>; Wed, 22 Apr 2020 09:09:00 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03MG2nZq079517; Wed, 22 Apr 2020 16:08:55 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=T9KXcnLczAFLtR8H7U2TMuCTopXswxhyjOQbfZviJ0Q=; b=ZcROjlRsqcRend6R+DGNEGJpecSmnlvGgYV/5TkZRVyYS3SqznfzGOPrt26FWc4kNZo3 uxQOPJk7qcf0F2f8KWU6Upd3ZJnK2Q2gfweY0QZUqLNyYe/dMwTDajhxnL6mFJxF5ZcL hCilzZB0rz+HamkyDGY8dOfzX7uMRg+VZr6V2xoqCSCxgb5Rc5ivK/PUQpEf3PihuHXE lkriggXMzj1Hd+gkm1qz0dNw8bycT+eviayLPl4jAd073VloQn+b7kxoQwlUQOzyQxmf TfbyyoAbRPO3DXmeDlIdFZxhkSa354ct/42/3ezBOXB94DnM3SlkuAgGhpDSueEeggH4 tA==
Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by userp2120.oracle.com with ESMTP id 30jhyc2n6c-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 22 Apr 2020 16:08:54 +0000
Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03MG8kS8067742; Wed, 22 Apr 2020 16:08:54 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserp3020.oracle.com with ESMTP id 30gbbh9f2u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 22 Apr 2020 16:08:54 +0000
Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 03MG8rka028544; Wed, 22 Apr 2020 16:08:53 GMT
Received: from anon-dhcp-153.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 22 Apr 2020 09:08:52 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <HE1PR0702MB3772D2EF118A844C6527171995D20@HE1PR0702MB3772.eurprd07.prod.outlook.com>
Date: Wed, 22 Apr 2020 12:08:51 -0400
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>, Trond Myklebust <trondmy@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5CC44355-69D5-4C26-A976-FBECB182033D@oracle.com>
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <FA2D661E-A787-4772-8F9D-A7594AE82F38@oracle.com> <CADaq8jciLWhL_FMmPcsdrVVS=9Gee8SYAsqi36H5v9iuNo7Pgw@mail.gmail.com> <E414F060-532B-4017-AC7E-5869884B2153@oracle.com> <e5796752c6204ffdd78503b1a9c9045cfd761e52.camel@gmail.com> <F9AC44CE-750E-416A-944D-E2382524020E@oracle.com> <19d2513b1093fc71223e361afca90d1a1ad6183a.camel@gmail.com> <E8D24949-C2A3-463A-953F-FAE7F46D4D23@oracle.com> <4e7912c6c55680f50b05aaa2cdc98f59733cd5b2.camel@ericsson.com> <C89BF8F3-7F65-4995-9CDB-CC1673E01463@oracle.com> <7833b21f09aaffdb35e1a578e2a07b533002d318.camel@ericsson.com> <7B26B15B-DE0C-4B6C-BBB0-D8F7B00EF328@oracle.com> <HE1PR0702MB3772D2EF118A844C6527171995D20@HE1PR0702MB3772.eurprd07.prod.outlook.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9599 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 malwarescore=0 suspectscore=0 mlxlogscore=999 adultscore=0 mlxscore=0 phishscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004220122
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9599 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 spamscore=0 mlxscore=0 clxscore=1015 suspectscore=0 phishscore=0 lowpriorityscore=0 bulkscore=0 impostorscore=0 malwarescore=0 priorityscore=1501 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004220122
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/8jsOceAtU9Bi_96Qnz2osDcnlhk>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 16:09:02 -0000


> On Apr 22, 2020, at 11:57 AM, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:
> 
> Hi,
> 
> I have reviewed the diff for the editor's copy and have the below comments. 
> Only E I think needs any more significant consideration. My evaluation is that 
> all my previous AD comments has been resolved or answered. Thanks for the 
> work.
> 
> A. Section 4.1:
> 
> RPC operation can continue, but in the clear.
> 
> I would propose that this sentence is reformulated to make it even more 
> evident that there are no security protection.
> 
> NEW:
> 
> RPC operation can continue, however it will be without any confidentiality, 
> integrity or authentication protection from (D)TLS.
> 
> B. Section 4.2.1:
> 
> RPCSEC GSS can also protect per-request integrity or confidentiality.
> 
> I think the language is botched here. I guess something like this was 
> intended:
> 
> NEW: RPCSEC GSS can also perform per-request integrity or confidentiality 
> protection.
> 
> C. Section 5.
> 
> Implementations MUST NOT negotiate TLS versions prior to v1.3 ([RFC8446] or 
> [I-D.ietf-tls-dtls13]).
> 
> I think it need to be more explicit about that the second reference is DTLS 
> 1.3. Propose
> 
> Implementations MUST NOT negotiate TLS versions prior to v1.3 (for TLS 
> [RFC8446] or DTLS [I-D.ietf-tls-dtls13] respectively).
> 
> D. Section 5.:
> 
> Client implementations MUST include the 
> "application_layer_protocol_negotiation(16)" extension in their "ClientHello" 
> message and MUST include the protocol identifier defined in Section 8.2 in 
> that message's ProtocolNameList value.
> 
> I propose to include an reference here to what the 
> "application_layer_protocol_negotiation(16)" is. So proposed wording:
> 
> Client implementations MUST include the 
> "application_layer_protocol_negotiation(16)" extension [RFC7301] in their 
> "ClientHello" message and MUST include the protocol identifier defined in 
> Section 8.2 in that message's ProtocolNameList value.
> 
> Likely it makes sense to make a similar change to the next sentence to:
> 
> Similary, in response to the "ClientHello" message, server implementations 
> MUST include the "application_layer_protocol_negotiation(16)" extension 
> [RFC7301] in their "ServerHello" message and MUST include only the protocol 
> identifier defined in Section 8.2 in that message's ProtocolNameList value.

Your proposed changes look sensible to me. I'll see to applying them after
today's meeting.


> E. Section 5.1.2:
> 
> When using connectionless operation, each DTLS session endpoint is identified 
> by its 5-tuple -- the source and destination IP address and port numbers, 
> along with the UDP transport protocol number (17). When using connected 
> operation, the DTLS session endpoints are identified by connection ID (CID), 
> as described in [I-D.ietf-tls-dtls-connection-id]. Connected operation is 
> strongly RECOMMENDED.
> 
> So I don't know if I looked to quickly at DTLS 1.3 and the dtls-connection-id 
> draft. However, I don't see any discussion of a connectionless operation. This 
> might be a terminology issue primarily. However, my understanding which might 
> be flawed are that the DTLS connection is created by the DTLS handshake. That 
> DTLS connection can either be identified by the 5-tuple or use this CID 
> extension.
> 
> The primary goal of the CID extension is to avoid need for a new DTLS 
> handshake and creating a new DTLS connection if the 5-tuple changes, for 
> example due to NAT port rebinding.
> 
> In addition my understanding is that [I-D.ietf-tls-dtls-connection-id] is 
> defining the extension for CID for DTLS 1.2. Section 9 in the DTLS1.3 
> specification imports that extension into DTSL 1.3. Thus, if you want to 
> recommend its usage it might be better to point to Section 9 and only use 
> [I-D.ietf-tls-dtls-connection-id] informationally.

Yes, I noticed that connection-id refers specifically to DTLS 1.2, but
assumed (erroneously) that it would also apply to DTLS 1.3. I didn't
think to look that the CID extension was already integrated into tls-dtls13.

I'll check into this further. It might be fine to simply drop the reference
to connection-id, replacing it as you suggest above.


--
Chuck Lever

v2.23.0 | Report a Bug | By Email