Re: [nfsv4] Stephen Farrell's No Objection on draft-ietf-nfsv4-lfs-registry-04: (with COMMENT)

Tom Haynes <thomas.haynes@primarydata.com> Wed, 08 April 2015 23:42 UTC

From: Tom Haynes <thomas.haynes@primarydata.com>
Date: Wed, 08 Apr 2015 16:42:24 -0700
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: The IESG <iesg@ietf.org>, nfsv4@ietf.org

> On Apr 8, 2015, at 6:04 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-nfsv4-lfs-registry-04: No Objection
> 
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-nfsv4-lfs-registry/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> I think there is a possibly missing security consideration in
> section 4 - if two label formats "overlap" so that a value for
> one could represent a (different) value for the other and if
> the label format specifier is not somehow bound to the
> packet/object, then some confusion attacks may be possible.
> The mitigation I think is to either (maybe implicitly) bind
> the format specifier into the object/label or to ensure that
> label values cannot be valid for other label format
> specifiers. (Note that attacks here are probably only
> interesting in highly specific cases, so it's not a huge deal,
> but maybe worth a mention.)
> 


Hi Stephen,

Section 3.3 of RFC7204 has a discussion on this topic:

   Labeled NFS MUST provide a means for servers and clients to identify
   their LFSs for the purposes of authorization, security service
   selection, and security label interpretation.

   Labeled NFS MUST provide a means for servers and clients to identify
   their mode of operation (see Section 4).

   A negotiation scheme SHOULD be provided, allowing systems from
   different Label Formats to agree on how they will interpret or
   translate each other's foreign labels.  Multiple concurrent
   agreements may be current between a server and a client.

So for Labeled NFS, it does bind the Label Format Specifier to the objects
such that translation can occur. I.e., as you point out, the label itself is not
sufficient to describe the intended behavior - it has to be in the context of the
binding.

Thanks,
Tom
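An added illustration (not code from this thread, from RFC 7204, or from any NFS implementation) of the two mitigations Stephen describes: binding the LFS to the label so a value is only ever interpreted under its own format, and checking the registry for label values that would be valid in more than one format. The LFS identifiers and label tables below are constructed, hypothetical values, not registered ones.

```python
"""Why a security label must carry its Label Format Specifier (LFS).
Two hypothetical label formats are constructed here whose wire values overlap,
so the same bytes mean something different in each; interpreting a label
without its bound LFS is ambiguous, which is the confusion risk discussed."""
from dataclasses import dataclass

# Constructed, hypothetical LFS identifiers and label tables (not IANA values).
LFS_A = 1  # e.g. a numeric-level format: b"3" means sensitivity level 3
LFS_B = 2  # e.g. a category-index format: b"3" means category "finance"

# Each format maps the raw label bytes to its own meaning.
FORMATS = {
    LFS_A: {b"1": "level:public", b"3": "level:secret"},
    LFS_B: {b"3": "category:finance", b"7": "category:hr"},
}

@dataclass(frozen=True)
class BoundLabel:
    """A label as Labeled NFS requires it: the LFS travels with the value."""
    lfs: int
    value: bytes

def interpret_unbound(value: bytes) -> list[str]:
    """Naive interpretation with no LFS: return every meaning the bytes could
    have.  More than one result means the label is ambiguous."""
    return [table[value] for table in FORMATS.values() if value in table]

def interpret_bound(label: BoundLabel, peer_lfs: int) -> str:
    """Interpret a label only under the LFS bound to it, and only if that LFS
    is the one negotiated with the peer (RFC 7204 section 3.3 negotiation)."""
    if label.lfs != peer_lfs:
        raise ValueError(f"label LFS {label.lfs} != negotiated LFS {peer_lfs}")
    table = FORMATS.get(label.lfs)
    if table is None or label.value not in table:
        raise ValueError("label value is not valid for its bound LFS")
    return table[label.value]

def overlapping_values() -> set[bytes]:
    """Registry-time check: label values valid in more than one LFS.  The
    second mitigation Stephen mentions amounts to keeping this set empty."""
    tables = list(FORMATS.values())
    return {v for i, t in enumerate(tables) for v in t
            if any(v in u for u in tables[i + 1:])}

if __name__ == "__main__":
    print(interpret_unbound(b"3"))                          # two meanings
    print(interpret_bound(BoundLabel(LFS_A, b"3"), LFS_A))  # level:secret
    print(overlapping_values())                             # {b'3'}
```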
