Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Tue, 28 April 2020 12:54 UTC

Date: Tue, 28 Apr 2020 12:54:07 +0000
Message-ID: <08d31d4ddc2f42faa9ea7b5462fd7463@x13pwdurdag1001.AMER.DELL.COM>

-----Original Message-----
From: nfsv4 <> On Behalf Of Chuck Lever
Sent: Monday, April 27, 2020 5:02 PM
To: Trond Myklebust
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls


> On Apr 27, 2020, at 4:37 PM, Trond Myklebust <> wrote:
> On Mon, 27 Apr 2020 at 11:45, Chuck Lever <> wrote:
>> > On Apr 27, 2020, at 11:11 AM, Trond Myklebust <> wrote:
>> > 
>> > 
>> > 
>> > On Mon, 27 Apr 2020 at 10:21, Chuck Lever <> wrote:
>> > Hi Magnus-
>> > 
>> > > On Apr 27, 2020, at 4:47 AM, Magnus Westerlund <> wrote:
>> > > 
>> > > Hi,
>> > > 
>> > > I think that text works. However, that now recommends using a 
>> > > non-zero connection ID. From my perspective which have no 
>> > > implementation stake into this, this is fine. However, I would 
>> > > note that this backtracks on what was said just a few messages ago.
>> > 
>> > It's always possible I've gotten something wrong. However, I 
>> > realized that RPC on UDP permits an RPC server to use a different 
>> > network path to send a Reply than the path the client used to send 
>> > the matching Call. IIUC a substantial CID is needed to deal correctly with that situation.
>> > 
>> > 
>> > I don't think that matters. The server should always authenticate to the client during the D/TLS handshake, so there should be no ambiguity about the source of the replies.
>> The server is free to reply via any of its network interfaces. In 
>> other words, it can perform the handshake using one 5-tuple, then 
>> send replies via another (or send them via a mix of 5-tuples).
>> A CID is needed to handle NAT rebinding in any case. But IIUC 
>> rebinding would look like the client's 5-tuple changing, not the server's.
>> The question in my mind is whether a DTLS session will be perturbed by 
>> the server's or client's 5-tuple changing. Magnus, can you elaborate 
>> on your earlier request for a clear statement about this in this 
>> section? Is this no longer a concern now that the REQUIREMENT to drop 
>> an out-of-session RPC Call?
>>   For RPC-on-DTLS, each DTLS handshake MUST include the connection_id
>>   extension described in Section 9 of [I-D.ietf-tls-dtls13].  RPC-on-
>>   DTLS peer endpoints SHOULD provide a ConnectionID with a non-zero
>>   length.  Endpoints implementing RPC programs that expect a
>>   significant number of concurrent clients should employ ConnectionIDs
>>   of at least 4 bytes in length.
>> Also, I'm not certain if SHOULD is correct here. Instead, "should" or 
>> "MUST" might be less ambiguous. However, if we all agree the 
>> statement is totally unnecessary, it can be replaced or dropped.
> I'm saying that it doesn't matter from what network interface, or indeed which breed of carrier pigeon the server chooses. The client can still authenticate the reply as being genuine from the fact that the server authenticated to it at the start of the DTLS session. As long as this is still the same session, then the client can ignore any changes to the network topology.

My reading of draft-ietf-tls-dtls-connection-id suggests that is not the case for DTLS 1.2 and later.

Abstract says:

   A CID is an identifier carried in the record layer header that gives
   the recipient additional information for selecting the appropriate
   security association.  In "classical" DTLS, selecting a security
   association of an incoming DTLS record is accomplished with the help
   of the 5-tuple.  If the source IP address and/or source port changes
   during the lifetime of an ongoing DTLS session then the receiver will
   be unable to locate the correct security context.

Further, the Introduction states:

   In the current version of DTLS, the IP address and port of the peer
   are used to identify the DTLS association.  Unfortunately, in some
   cases, such as NAT rebinding, these values are insufficient.  This is
   a particular issue in the Internet of Things when devices enter
   extended sleep periods to increase their battery lifetime.  The NAT
   rebinding leads to connection failure, with the resulting cost of a
   new handshake.

Unless I'm reading this wrong, if either peer sees a DTLS datagram from a different IP address than was used during the DTLS handshake, it's not going to be able to associate that with a previously established DTLS session... unless there's a CID.

The DTLS handshake and the subsequent DTLS record exchanges are two separate protocols. The CID is exactly the material that the peers need to determine that the remote sender is the same peer that established that DTLS session.

[sf] I reviewed the latest draft and I have some questions and concerns related to section 7.2, where the TLS management on clients is defined:
"The RPC-on-TLS protocol by itself cannot protect against exposure of a user's RPC requests to
other users on the same client.
Moreover, client implementations are free to transmit RPC requests
for more than one RPC user using the same TLS session. Depending on
the details of the client RPC implementation, this means that the
client's TLS identity material is potentially visible to every RPC
user that shares a TLS session."

I see two issues with this:
1. If there is a compromised user running on the same client, it is possible that the compromised user can "see" the identity material of the legitimate users.
2. It is possible that a compromised user initiates a DDoS attack on the server and the server will not detect the attack, as it comes from a legitimate host and is encrypted. This may expose a server to undetected DDoS attacks.

Also, the question is: do we allow a mix of users using TLS and others not using TLS on the same client? I understand that we don't support multiple TLS sessions on the same connection, but do we support a mix? Some explanation/clarification text would be useful.

Chuck Lever

nfsv4 mailing list
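An added illustration of the demultiplexing point argued in the quoted exchange above (whether the 5-tuple or the CID is the key a receiver uses to find a DTLS security association). This is example code written for this archive page; it is not code from the rpc-tls draft, from the DTLS connection-id draft, or from any NFS implementation. It models a receiver holding two DTLS 1.2 security associations, one negotiated without a CID and one with a 4-byte CID, and feeds each a record before and after the peer's source port changes, as it would under NAT rebinding. The record layout (outer content type tls12_cid = 25, CID placed between the sequence number and the length field, CID length known to the receiver because it issued the CID) follows the connection-id draft, since published as RFC 9146. The addresses, CID value and record bodies are constructed, and there is no cryptography here, only the header handling needed to select the association.

```python
"""Toy DTLS 1.2 receiver: locating a security association by 5-tuple vs. by CID.

Added example, not code from any draft or implementation. Record layout
follows draft-ietf-tls-dtls-connection-id / RFC 9146. Addresses, CIDs and
payloads below are constructed; bodies stand in for encrypted content.
"""
import struct
from dataclasses import dataclass, field

TLS12_CID = 25          # outer ContentType when a CID is present (RFC 9146)
APPLICATION_DATA = 23   # classic DTLS record carrying no CID
DTLS12_VERSION = b"\xfe\xfd"
HDR_LEN = 11            # type(1) + version(2) + epoch(2) + sequence_number(6)


@dataclass
class SecurityAssociation:
    name: str
    cid: bytes                         # CID this receiver handed to the peer; b"" if none
    received: list = field(default_factory=list)


@dataclass
class Receiver:
    cid_len: int                       # length of the CIDs this receiver issues
    by_cid: dict = field(default_factory=dict)
    by_tuple: dict = field(default_factory=dict)

    def register(self, sa, peer_addr):
        """Index the SA by the peer's handshake address and, if it has one, by its CID."""
        self.by_tuple[peer_addr] = sa
        if sa.cid:
            self.by_cid[sa.cid] = sa

    def parse(self, record):
        """Split the DTLS record header; return (cid or None, epoch, seq, body)."""
        if len(record) < HDR_LEN + 2 or record[1:3] != DTLS12_VERSION:
            raise ValueError("not a well-formed DTLS 1.2 record")
        ctype = record[0]
        epoch, seq_hi, seq_lo = struct.unpack("!HHI", record[3:HDR_LEN])
        seq = (seq_hi << 32) | seq_lo   # 48-bit sequence number
        off = HDR_LEN
        cid = None
        if ctype == TLS12_CID:
            # The CID length is NOT on the wire; the receiver knows what it issued.
            cid = record[off:off + self.cid_len]
            off += self.cid_len
        elif ctype != APPLICATION_DATA:
            raise ValueError(f"unexpected content type {ctype}")
        (length,) = struct.unpack("!H", record[off:off + 2])
        body = record[off + 2:off + 2 + length]
        if len(body) != length:
            raise ValueError("truncated record")
        return cid, epoch, seq, body

    def deliver(self, peer_addr, record):
        """Select the SA for a datagram: by CID when present, else by 5-tuple."""
        cid, epoch, seq, body = self.parse(record)
        sa = self.by_cid.get(cid) if cid is not None else self.by_tuple.get(peer_addr)
        if sa is None:
            return None                # no security context found: datagram is dropped
        sa.received.append((epoch, seq, body))
        return sa.name


def build_record(cid, epoch, seq, body):
    """Constructed record: header, optional CID, length, stand-in body (no real crypto)."""
    ctype = TLS12_CID if cid else APPLICATION_DATA
    hdr = bytes([ctype]) + DTLS12_VERSION
    hdr += struct.pack("!HHI", epoch, seq >> 32, seq & 0xFFFFFFFF)
    return hdr + cid + struct.pack("!H", len(body)) + body


def nat_rebinding_demo():
    """Two sessions; each peer's source port changes mid-session (NAT rebinding)."""
    rx = Receiver(cid_len=4)
    classic = SecurityAssociation("classic", cid=b"")
    with_cid = SecurityAssociation("with-cid", cid=bytes.fromhex("a1b2c3d4"))
    rx.register(classic, ("198.51.100.7", 40000))      # constructed addresses
    rx.register(with_cid, ("198.51.100.8", 40001))
    before = (
        rx.deliver(("198.51.100.7", 40000), build_record(b"", 1, 1, b"call-1")),
        rx.deliver(("198.51.100.8", 40001), build_record(with_cid.cid, 1, 1, b"call-1")),
    )
    # After rebinding both peers arrive from a new source port; only the CID survives.
    after = (
        rx.deliver(("198.51.100.7", 51234), build_record(b"", 1, 2, b"call-2")),
        rx.deliver(("198.51.100.8", 51235), build_record(with_cid.cid, 1, 2, b"call-2")),
    )
    return before, after


if __name__ == "__main__":
    print(nat_rebinding_demo())
```

Running nat_rebinding_demo() returns ("classic", "with-cid") before the rebinding and (None, "with-cid") after it: once the source port moves, the association keyed only by 5-tuple is unreachable, while the CID-bearing one is still found, which is the behaviour the quoted abstract and introduction describe. The by_cid table also shows the reason behind the draft text quoted above tying CID length to the number of concurrent clients: the receiver needs one distinct CID per live association, so the CID space has to be large enough to keep them apart.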