IETF Logo Mail Archive

Re: [nfsv4] Comments on draft-ietf-nfsv4-integrity-measurement-07

David Noveck <davenoveck@gmail.com> Thu, 07 November 2019 23:13 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0C9A120047 for <nfsv4@ietfa.amsl.com>; Thu, 7 Nov 2019 15:13:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ri-bKdjmlBF6 for <nfsv4@ietfa.amsl.com>; Thu, 7 Nov 2019 15:13:28 -0800 (PST)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2175412002F for <nfsv4@ietf.org>; Thu, 7 Nov 2019 15:13:28 -0800 (PST)
Received: by mail-ot1-x332.google.com with SMTP id 94so3565542oty.8 for <nfsv4@ietf.org>; Thu, 07 Nov 2019 15:13:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=klWK3k97Z5Vr2S8VRcCF9cSOnoP284yw5tfX8mCz8Is=; b=oOgkVOAwKGBrm8BeRG8su4Q13Zc13VhDAEHhyOBI2NOdy2+Sm0y9pi/vqowAIlHMdR IhnmM/72xFG4tPt0oCXkPsRZjfoCd/PcbNwPVzJSCVIniyPC4oqjSmcdTXrFkX9PIAd5 qmMGSfWzht77BRaDtbPplOotWcwjoFfJEE3DJlvtQ0TwnS0Ih1wfheM7tx8wecU1OzED i36A9GNQwCGnYiAnoEo+TQTYk/rRxkZEaN4x0kI7HmQDl74K0qHPcecWJ701c8uxbBBm WvnGXZQtv32OZZOwehh/vbZxfJw9a17bokYhvnjlmw4p7sSLOyz+7iEA+THeGLRezn0N TBXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=klWK3k97Z5Vr2S8VRcCF9cSOnoP284yw5tfX8mCz8Is=; b=kgSFPCe5g2fiIc3Z8aH1WsMMGRtjhv5P5zWP+UcDvOuM6sjNU1kit0odGDtx9spoVn FBwRFMbiOSEqHTItaM6fEbzeKy3VYHKvrnMUT1bkhrXVKBCUrs/RkdY7GLcdHtlxETco lHtxVXRBAG/gH3zOQZ2G7s/R5j3u/PgPcYZuw4Pi5X/A8QvZAGj2fP+h0cEMNsQYB4k3 UwWnCO72XdkShkcnyd5+Vz6B4EODzVuTS/GLY6QZ2rtmNVlbOHytdMFd3iXtxD+Ujcct bBhTboHhsYRgkBh9X+RRWS5olessrMrxTqoVYkMxMUsNFLL1UeDtRbrE4NYnRosaJAzt ybPw==
X-Gm-Message-State: APjAAAXBC3+8JW1ZOwIy4V3v+zX/nSFj+qKWXb9Owlpo9T8NR4lAkely zVSE9Qv+25TZj/cfzXOxulFMzBMXsiSt4xgnZvg=
X-Google-Smtp-Source: APXvYqxFSGMfBGKl+C7veWbHOz8B6/uEvvV+5gZSTEA2IuH+3PjppEfcelMg697cd60gTL2vTIj8m/zh9H3Fe3VcOYI=
X-Received: by 2002:a9d:5c83:: with SMTP id a3mr1205251oti.208.1573168407104; Thu, 07 Nov 2019 15:13:27 -0800 (PST)
MIME-Version: 1.0
References: <CAFt6BakApq=FJWs+r-jwxvTdXYs9yOg9KS47no93kdnp2gZ_+Q@mail.gmail.com> <9BEBDE7A-522A-4A6B-8132-D9C3A8A4922C@oracle.com> <CAFt6Ba=q=vSt+wtcHsi59gWnwFpuUaDqQue7f=GFSUvd25uV+g@mail.gmail.com> <BFDF314F-B913-4C4A-BAB4-C09FA840F4F6@oracle.com> <CADaq8jc_gM0SWe9weRJYp7s7xjtN9kihbVnUiBN61hF2LUJjzQ@mail.gmail.com> <FD12C92F-BBF4-4174-B896-48738C02B78E@oracle.com> <CAFt6BanwC4uu=9SpZQdiGjFswzkC3cSWPzGia34qBT5W+uuMNw@mail.gmail.com> <5B51BB44-F39D-4EF6-9E1E-3EF958F90260@oracle.com> <20191031192409.GJ88302@kduck.mit.edu> <67D69A00-D231-4845-A840-F3D67D629554@oracle.com> <CAFt6BanShDjwD3SftuDUvChFq9zOU5h1UC2y=W+3bVm++jAEKA@mail.gmail.com> <479C7409-9DCF-4C11-84AB-2E3729D96B22@oracle.com>
In-Reply-To: <479C7409-9DCF-4C11-84AB-2E3729D96B22@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Thu, 07 Nov 2019 18:13:15 -0500
Message-ID: <CADaq8jfMXjewirgvyCgh3D+yXQSNEX3HbWMCnz=XYCKk5T=6iA@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: spencer shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000013d90f0596c9d06c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/8zwLMOLoDVlcivmI6nEa-pvFLUs>
Subject: Re: [nfsv4] Comments on draft-ietf-nfsv4-integrity-measurement-07
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2019 23:13:32 -0000

> Why isn't the SELinux label work a problem in this regard?

I don't understand Spencer's position well  enough to know if he has
a problem with this, but given that this model has already been adopted
by the working group for arguably system-level attributes, it is hard for
me to believe such objections, if they were to exist, would be widely
shared.

Since adopting a parallel approach for the IMA metadata
format is compatible with your plans for -08, perhaps you should
adopt a similar approach (an IANA registry with a specification-required
policy) for IMA.   I know that such things have been suggested in the past
and seemed at the time like overkill, but, given that there are a number
of existing formats, and likely there will be a more general format which
has not been arrived at  right now, it might be best to take this step,
hoping that it will deal with the objections about the lack of a metadata
format specification even though the Linux community is kind of slow
about producing  one.  I think you ould have to add a new fs-scope
attribute with the id, rather than stick with the local-policy approach,
but there would b no requirement tat the client check this.

BTW, specification-required and even RFC-required do not require a
normative specification.   With specification-required, the IETF does
not have to be involved in writing the spec although a designated-expert
would have to check that it clear enough to enable implementation.

On Thu, Nov 7, 2019 at 10:56 AM Chuck Lever <chuck.lever@oracle.com> wrote:

> Hi Spencer, thanks for your reply. Unfortunately it leaves me with more
> questions.
>
> > On Nov 7, 2019, at 2:05 AM, spencer shepler <spencer.shepler@gmail.com>
> wrote:
> >
> >
> > Apologies for top posting but I would like to address one portion of
> this thread only.
> >
> > I have poached one particular comment.... the below is quoted from
> Chuck's last response on this thread.
> > --
> > > I think I lack the background to understand why Spencer doesn't believe
> > > this is an appropriate use of the NFS protocol, but I don't think that
> this
> > > is the right thread to educate me.
> >
> > I'm also interested in learning more about this. The same argument has
> been
> > made in the past about extending NFS in general, and I guess I had
> assumed
> > that this had been resolved with the publication of RFCs 8178 and 8276.
> >
> > --
> >
> > I agree that RFC 8178 provides the ability to add features, particularly
> attributes, to the protocol and I agree with the utility of 8178 and that
> is appropriate.
> >
> > I also agree with the utility of RFC 8276 but I disagree with the
> interpreted precedent of the RFC per Chuck's comment.
> >
> > To quote from RFC 8276:
> >
> > "Xattr keys and values MUST NOT be interpreted
> > by the NFS clients and servers, as such behavior would lead to
> > non-interoperable implementations.  If there were a need to specify
> > one or more attributes that servers need to act upon, the appropriate
> > semantics would be specified by adding a new attribute for the
> > purpose as provided for by [RFC5661] and [RFC8178]."
> >
> > I read the proposed integrity measurement capability as providing a
> "system-level" interpretation.
>
> The intent of the quoted text was to prevent the use of xattrs as a
> side-channel ioctl mechanism, which I'm not proposing here. However, I am
> proposing "adding a new attribute" as suggested in the quoted text.
> Therefore, I feel that I'm following the letter, if not also the intention,
> of this text.
>
>
> > The decision to allow for the execution of application binaries is a
> "system" level activity or in other words, a feature that explicitly
> requires the client to interpret the semantics of the protocol extension.
> Because of the client's need to interpret the capability, the definition
> should be defined in a way that it can be implemented in an open fashion
> and hopefully, but not required, defined in a way that it is "upgradeable".
>
> "System level activity" is not defined in the quoted text, so it's not
> clear-cut to me that there is any consensus that can be relied upon as
> solid rhetorical ground.
>
> Interpretation of the stored metadata can be done by the NFS
> implementations themselves, by the kernels on those hosts, or by
> unprivileged agents running in user space. The same functionality, but are
> all three "system level activity" ? Not clear where the boundary is.
>
> Why is "outside of the NFS implementation but in the kernel" still a
> system-level activity? How would you draw this line on a non-POSIX or user
> space NFS client, for example?
>
>
> > To the point of "open", I don't believe the availability of open source
> sufficient in this instance.  Yes, a clean-room approach to implementation
> can be executed but even with that action, a patent claim can still be
> made.  Therefore, without the protocol definition being captured in a way
> that clearly allows the reader to have a sense that IETF's policies for
> disclosure have followed, I don't believe it should be allowed as an
> extension of the NFS protocol.
>
> NFS is being used only to transport and store this metadata, in the same
> way that is used to transport and store file content, which is also
> interpreted on clients in ways that are out of the purview of the IETF. It
> would be a stronger argument if there existed an actual IETF document which
> recorded a consensus and an on-point legal opinion about this.
>
> My document also permits an implementation not to interpret the metadata
> at all. If a reader or implementer has any doubts, s/he can simply treat
> that metadata as the opaque blob that it is.
>
>
> > So, I am left with my objection to this work moving forward.
>
> Even if I introduce an Informative definition of the metadata format to
> the document? Does that not meet your second suggested way forward (from
> earlier email)?
>
> Is there a need to make the format Normative, either within the IETF or in
> some other standards setting context?
>
> What if the Linux community made the IMA metadata format completely open
> (ie, stated publicly that it is unencumbered IP) ?
>
> What if Linux stored this metadata in a user xattr instead?
>
>
> > If this proposal would to be accepted, it sets a precedent that a
> individual could define a similar extension for their favorite XYZ product
> in such a way that interoperable implementations could be not implemented.
> In least this could lead to a proliferation of OS, vendor specific feature
> creep and at worse, non IP infringing implementations would be impossible
> to implement.
>
> That's dire. I wish this requirement was clearly documented somewhere.
>
> Why isn't the SELinux label work a problem in this regard?
>
>
> --
> Chuck Lever
>
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email