Re: [nfsv4] Erik Kline's No Objection on draft-ietf-nfsv4-rpc-tls-08: (with COMMENT)

Chuck Lever <chuck.lever@oracle.com> Wed, 01 July 2020 13:57 UTC


Hi Erik-

Thanks for your comments!

> On Jun 30, 2020, at 12:31 AM, Erik Kline via Datatracker <noreply@ietf.org> wrote:
> 
> Erik Kline has entered the following ballot position for
> draft-ietf-nfsv4-rpc-tls-08: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> [[ questions ]]
> 
> * Can/should the same AUTH_TLS w/ NULL RPC check be done on the rpcbind
>  (portmapper) service as well?

Yes. It would work like any RPC program that uses a well-known destination
port.


> * What mechanism guarantees that (D)TLS traffic can always and easily be
>  distinguished from RPC traffic on the same port?

The document does not specify any mechanism for making that distinction
for UDP. The server would have to match ingress datagrams that appear to
be DTLS traffic to existing DTLS session state. The server treats datagrams
that fail to match as RPC messages.

For TCP, once a TLS session is established on a connection, the client is
forbidden from mixing TLS traffic with unprotected traffic on that
connection. To send unprotected traffic after establishing a session, a
client would have to establish a separate TCP connection that does not
have a TLS session.


> [[ nits ]]
> 
> [ section 5.1.1 ]
> 
> * "When operation is complete" ... In addition to a grammar tweak, you
>  might repeat a few choice words from section 7.2 about the ability to
>  send multiple requests over a connection.

I don't understand this comment. Section 7.2 is about user privilege
separation. What did you have in mind?


> [ section 7.4 ]
> 
> * s/RCPSEC_GSS/RPCSEC_GSS/

Thanks, will fix.

--
Chuck Lever
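An added example (not from the draft or from this thread) of the UDP demultiplexing rule described in the reply above: a DTLS-looking datagram is handled as DTLS only when the sending peer already has DTLS state, and everything else is treated as an RPC message. The peer table, the constructed sample datagrams and the header checks are this example's own assumptions, not structures from the draft.

```python
# Added example (not from draft-ietf-nfsv4-rpc-tls or this thread): a minimal
# ingress demultiplexer for a UDP RPC server that also accepts DTLS on the
# same port. Rule from the reply above: a datagram is handled as DTLS only if
# it plausibly is a DTLS record AND the sending peer already has DTLS state;
# everything else is treated as an RPC message.
import struct

DTLS_CONTENT_TYPES = {20, 21, 22, 23}  # ccs, alert, handshake, application_data
DTLS_VERSIONS = {0xFEFF, 0xFEFD}       # record-layer versions for DTLS 1.0 / 1.2
DTLS_HDR_LEN = 13                      # type(1) version(2) epoch(2) seq(6) length(2)


def looks_like_dtls_record(data: bytes) -> bool:
    """Syntactic check of the first DTLS record header in the datagram."""
    if len(data) < DTLS_HDR_LEN:
        return False
    ctype, version, _epoch, _seq, length = struct.unpack("!BHH6sH", data[:DTLS_HDR_LEN])
    # A datagram may carry several records, so only require the first to fit.
    return ctype in DTLS_CONTENT_TYPES and version in DTLS_VERSIONS and length <= len(data) - DTLS_HDR_LEN


def looks_like_rpc_call(data: bytes) -> bool:
    """RFC 5531 header: xid, msg_type (0 = CALL), rpcvers (must be 2)."""
    if len(data) < 12:
        return False
    _xid, msg_type, rpcvers = struct.unpack("!III", data[:12])
    return msg_type == 0 and rpcvers == 2


def classify_datagram(peer, data: bytes, dtls_peers) -> str:
    """Return "dtls" or "rpc" for one ingress datagram.

    dtls_peers (an assumption of this example, not a structure in the draft) is
    the server's DTLS state table keyed by (ip, port): peers whose AUTH_TLS NULL
    probe was accepted or that hold an established session. A record-looking
    datagram from a peer with no DTLS state is still RPC, as the reply says; the
    header check alone cannot decide, since an xid starting 16 FE FD passes it.
    """
    if peer in dtls_peers and looks_like_dtls_record(data):
        return "dtls"
    return "rpc"


# Constructed sample datagrams (not captured traffic).
PEER_A, PEER_B = ("192.0.2.10", 40001), ("192.0.2.20", 40002)
DTLS_HANDSHAKE = struct.pack("!BHH6sH", 22, 0xFEFD, 0, bytes(6), 3) + b"\x01\x02\x03"
# RPC NULL call: xid=1, CALL, rpcvers=2, prog=100003 (NFS), vers=4, proc=0,
# AUTH_NONE credential and verifier (flavor 0, length 0 each).
RPC_NULL_CALL = struct.pack("!10I", 1, 0, 2, 100003, 4, 0, 0, 0, 0, 0)
```

With only PEER_A in the state table, the DTLS record from PEER_A classifies as DTLS, the identical record from PEER_B falls through to RPC, and the NULL call from PEER_A stays RPC.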