Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

Trond Myklebust <trondmy@gmail.com> Mon, 20 April 2020 12:46 UTC

Message-ID: <17d789f5353a015cd4dedfce84676a29f87272fb.camel@gmail.com>
From: Trond Myklebust <trondmy@gmail.com>
To: David Noveck <davenoveck@gmail.com>, Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Date: Mon, 20 Apr 2020 08:45:38 -0400
In-Reply-To: <CADaq8jdUtDLDPPKM8GgsNFdOOOS+eAGsjrcoA9N8s8+G7FdxRw@mail.gmail.com>
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <FA2D661E-A787-4772-8F9D-A7594AE82F38@oracle.com> <CADaq8jciLWhL_FMmPcsdrVVS=9Gee8SYAsqi36H5v9iuNo7Pgw@mail.gmail.com> <E414F060-532B-4017-AC7E-5869884B2153@oracle.com> <e5796752c6204ffdd78503b1a9c9045cfd761e52.camel@gmail.com> <F9AC44CE-750E-416A-944D-E2382524020E@oracle.com> <19d2513b1093fc71223e361afca90d1a1ad6183a.camel@gmail.com> <E8D24949-C2A3-463A-953F-FAE7F46D4D23@oracle.com> <4e7912c6c55680f50b05aaa2cdc98f59733cd5b2.camel@ericsson.com> <C89BF8F3-7F65-4995-9CDB-CC1673E01463@oracle.com> <CADaq8jdUtDLDPPKM8GgsNFdOOOS+eAGsjrcoA9N8s8+G7FdxRw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/9f8E1yunIBfVjzdDGrArF3Mcths>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

On Mon, 2020-04-20 at 05:51 -0400, David Noveck wrote:
> On Sun, Apr 19, 2020, 11:40 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> > > On Tue, 2020-04-14 at 11:39 -0400, Chuck Lever wrote:
> > > >   o  If a client uses an ephemeral source port for a TCP connection and
> > > >      does not present authentication material to initiate TLS host
> > > >      authentication, the server MUST abort the TLS handshake with a
> > > >      handshake_failure alert.
> > 
> > I've concluded that because...
> > 
> > • It is widely recognized these days that the source port is no realistic
> > indication of any degree of authority on the client,
> > • The new requirement was proposed well after the end of WGLC for rpc-tls,
> > • The use of a privileged port is discussed in RFC 5531 as implementation
> > guidance, not as a normative requirement,
> > • There seems to be an ongoing lack of consensus about what exactly should be
> > said,
> > 
> > .... I will drop this new text entirely.
> > 
> > Dave Noveck pointed out to me that Appendix A of rpc-tls already quotes the
> > final paragraph of RFC 5531 Appendix A, which suggested the use of the source
> > port.
> 
> Actually, I didn't.  I got to Appendix A of 5531 directly, trying to
> understand the current role of AUTH_SYS for my slides Wednesday.
> 
> > IMHO Appendix A of rpc-tls really ought to make some kind of statement about
> > how weak it is to use the client's source port, as the purpose of the source
> > port test is to mitigate the weaknesses of AUTH_SYS that are discussed in that
> > section. However, given how late it is, I leave that discussion to subsequent
> > documents. The source port test can remain an implementation quality issue for
> > the time being.
> 
> I agree but think we could non-controversially draw attention to the
> weaknesses of the existing approach by adding "(I.e. without
> transport-level encryption or client authentication)" after "by
> itself".  I think that is the kind of clarification that is
> reasonable even at this late stage.

Transport level encryption is not an indicator that this is a trusted
client, only that the transport itself is secure; I could still have
your server see a fudged client IP+port number (e.g. by routing through
a NAT). Client authentication is really the only way to ascertain that
the client is indeed the trusted entity without adding another layer of
strong authentication on top of TLS.

In short: I'd prefer dropping the 'transport-level encryption or' bit
in your proposal and just leave it as "(I.e. without client
authentication)".

> Ultimately this will need to be addressed by describing how the
> authentication material provided by the client is to be used. I had
> been thinking that would be done in NFSV4-specific documents but it
> might be possible/necessary to do some of this at the RPC level,
> given what RFC 5531 already says