Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
Trond Myklebust <trondmy@gmail.com> Mon, 20 April 2020 12:46 UTC
Message-ID: <17d789f5353a015cd4dedfce84676a29f87272fb.camel@gmail.com>
From: Trond Myklebust <trondmy@gmail.com>
To: David Noveck <davenoveck@gmail.com>, Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Date: Mon, 20 Apr 2020 08:45:38 -0400
In-Reply-To: <CADaq8jdUtDLDPPKM8GgsNFdOOOS+eAGsjrcoA9N8s8+G7FdxRw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/9f8E1yunIBfVjzdDGrArF3Mcths>
On Mon, 2020-04-20 at 05:51 -0400, David Noveck wrote:
> On Sun, Apr 19, 2020, 11:40 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> >
> > > > > On Tue, 2020-04-14 at 11:39 -0400, Chuck Lever wrote:
> > > > >> o If a client uses an ephemeral source port for a TCP connection and
> > > > >> does not present authentication material to initiate TLS host
> > > > >> authentication, the server MUST abort the TLS handshake with a
> > > > >> handshake_failure alert.
> > > >
> > > > I've concluded that because...
> > > >
> > > > • It is widely recognized these days that the source port is no realistic
> > > > indication of any degree of authority on the client,
> > > > • The new requirement was proposed well after the end of WGLC for rpc-tls,
> > > > • The use of a privileged port is discussed in RFC 5531 as implementation
> > > > guidance, not as a normative requirement,
> > > > • There seems to be an ongoing lack of consensus about what exactly should be
> > > > said,
> > > >
> > > > .... I will drop this new text entirely.
> > > >
> > > > Dave Noveck pointed out to me that Appendix A of rpc-tls already quotes the
> > > > final paragraph of RFC 5531 Appendix A, which suggested the use of the source
> > > > port.
>
> Actually, I didn't. I got to Appendix A of 5531 directly, trying to
> understand the current role of AUTH_SYS for my slides Wednesday.
>
> > > > IMHO Appendix A of rpc-tls really ought to make some kind of statement about
> > > > how weak it is to use the client's source port, as the purpose of the source
> > > > port test is to mitigate the weaknesses of AUTH_SYS that are discussed in that
> > > > section. However, given how late it is, I leave that discussion to subsequent
> > > > documents. The source port test can remain an implementation quality issue for
> > > > the time being.
>
> I agree but think we could non-controversially draw attention to the
> weaknesses of the existing approach by adding "(I.e. without
> transport-level encryption or client authentication)" after "by
> itself". I think that is the kind of clarification that is
> reasonable even at this late stage.

Transport level encryption is not an indicator that this is a trusted
client, only that the transport itself is secure; I could still have your
server see a fudged client IP+port number (e.g. by routing through a NAT).
Client authentication is really the only way to ascertain that the client
is indeed the trusted entity without adding another layer of strong
authentication on top of TLS.

In short: I'd prefer dropping the 'transport-level encryption or' bit in
your proposal and just leave it as "(I.e. without client authentication)".

> Ultimately this will need to be addressed by describing how the
> authentication material provided by the client is to be used. I had
> been thinking that would be done in NFSV4-specific documents but it
> might be possible/necessary to do some of this at the RPC level,
> given what RFC 5531 already says
>
> > > > --
> > > > Chuck Lever