IETF Logo Mail Archive

Re: [nfsv4] NFSv4 on TLS

Trond Myklebust <trondmy@gmail.com> Wed, 17 October 2018 04:07 UTC

Return-Path: <trondmy@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD3A512785F for <nfsv4@ietfa.amsl.com>; Tue, 16 Oct 2018 21:07:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CgTao_vRJ5Gp for <nfsv4@ietfa.amsl.com>; Tue, 16 Oct 2018 21:07:40 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1B79128766 for <nfsv4@ietf.org>; Tue, 16 Oct 2018 21:07:22 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id m16-v6so17994777ioj.4 for <nfsv4@ietf.org>; Tue, 16 Oct 2018 21:07:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vtN4JFYiYy1JcIqTYnzgjv9VFb0p6A4L6e5bsYcVHjw=; b=bj4xlKNjESQmo6qPIkP8Rqax83U6mqlTp3abP75KQSqf077+qOOzSPSH94w5sU/EBG TtRIhqxdjHrLpb5Vzoj81PZ7gPFRcMK9UcVVUA27pWmlsp0xHnikriX/P93WOP1z9b9Y JFdJ2EmxIlWcHG+qiIXFE+oyWVlLjNam4Cv0ZtrV6UXsfShXcIBGnKWa80fF7RThqoAe 6duj9gCkpMCqnr/tardUvAgQrIjQ6eMtouqBFBRQhoMmwfmekTiDsXDphGVIyv4Cui0C Q4VZVDLU6PQe/HPJNzDa3UnoW6IjlkzqtCn313vrPcLoFgZD6PompTN/JXmpq7ZBnyK+ IUGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vtN4JFYiYy1JcIqTYnzgjv9VFb0p6A4L6e5bsYcVHjw=; b=s8bI072GdjgpfckJ0gKSNH0aM/qQGAs3Pf/TGd1CjNnccZFII7F6HZL8yWaAoI08kN UfBhISAKBgQBWCfEpSV6BLP/QfnFTthbJKvszLGGfanKVIMcAgbxKgqQu5EPYN+324HI YmLyesAcWUPlR9AIhDvuS1Jr4PsuBVuHkZCCLlorx+0a6IzyJU2CakzPwQQkRNUION4o 5d+5PKM7SmGxrtnU43W1jNNRTokbp/9WfGsEwvgEUuOX/F1N0KV9sCXHJRzQJo/JZ8NG /7EcwAAa6S/FYQ9BqxGJHyGYcxRaaLHd0HBlv1x6fjaM9dBc1jJo8MdW/iItY0ALxSyT 8aeg==
X-Gm-Message-State: ABuFfoiEd9pEgacaK2h99xKcOgAMvKknOaCLKQ1K0LZrHhUL9Wnq+CRq AnpOERLQFv197LPB37nd1tTvowAvtqN+JezfNw==
X-Google-Smtp-Source: ACcGV63/Tuz/nwqLikROhDegziTs6bm92mi1f2iLI9r9Ix8ETAAKUK3zoN6EaQor58FHUTv1S1gP9fsYegCvyt1owaQ=
X-Received: by 2002:a6b:b48d:: with SMTP id d135-v6mr16770432iof.166.1539749241718; Tue, 16 Oct 2018 21:07:21 -0700 (PDT)
MIME-Version: 1.0
References: <FD3EEC6C-887F-4F3A-AB9E-87AB9EE34ABD@oracle.com> <20180826214725.GA10368@localhost> <9A8DAFF1-C837-4AFA-99CB-863C09091608@oracle.com> <20180827185325.GB10368@localhost> <CADaq8jdr0w74J9db-AZTQ_dAP5ngT53R=KvLuK7xnVpptpbOCw@mail.gmail.com> <YTOPR0101MB182075AD5B7E864C48FF6324DD0A0@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM> <CAABAsM5FatQmorZpTu4MGCwZMahRSJdhJu9gEPgjDEepcjjHfQ@mail.gmail.com> <20181016200243.GX19309@kduck.kaduk.org> <CAABAsM4OazaMxkDgoJZ7vV8R1HWW=jJQHwQwSEyxCryRFJDJpw@mail.gmail.com> <20181016224053.GB19309@kduck.kaduk.org>
In-Reply-To: <20181016224053.GB19309@kduck.kaduk.org>
From: Trond Myklebust <trondmy@gmail.com>
Date: Wed, 17 Oct 2018 00:07:09 -0400
Message-ID: <CAABAsM7Mhzx-fEX1eiX6ihosWXEffwrPUMNg=QM-pV8c_o=oZA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Rick Macklem <rmacklem@uoguelph.ca>, nico@cryptonector.com, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000988e37057864ce65"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/ArWaD5S4a5r0qDHzwQBwjNJHWcs>
Subject: Re: [nfsv4] NFSv4 on TLS
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2018 04:07:45 -0000

On Tue, 16 Oct 2018 at 18:41, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Tue, Oct 16, 2018 at 05:03:59PM -0400, Trond Myklebust wrote:
> > On Tue, 16 Oct 2018 at 16:02, Benjamin Kaduk <kaduk@mit.edu> wrote:
> >
> > > I'm not really in a position to speak of the level of demand for such a
> > > proposal, but...
> > >
> > > On Tue, Oct 16, 2018 at 03:53:32PM -0400, Trond Myklebust wrote:
> > > > So here is a quick proposal: we add a new security type AUTH_TLS,
> which
> > > can
> > > > act as the equivalent of a "STARTTLS command" to signal that we want
> to
> > > > initiate TLS security negotiation if the server supports it.
> > > >
> > > > When the client has set up the TCP connection, and is ready to
> initiate
> > > the
> > > > TLS negotiation, it pings the server with a NULL RPC request with an
> > > > auth_flavor of AUTH_TLS. If the server doesn't recognise that
> flavour,
> > > and
> > > > returns AUTH_ERROR (+AUTH_BADCRED?), then the client knows that the
> > > server
> > > > is unlikely to support stepping up to TLS on this connection.
> > > >
> > > > There should be no need for the credential to carry any form of
> > > > authentication payload, so just model it on AUTH_NONE, but have the
> > > server
> > > > return a payload of "STARTTLS" in the body of the verifier. That
> > > > differentiates it from AUTH_NONE, and allows the client to
> distinguish
> > > > servers that recognise AUTH_TLS, and servers that just ignore the
> > > > authentication header altogether in NULL RPC calls. If the payload
> > > matches,
> > > > then the client kicks off TLS negotiation before sending any further
> RPC
> > > > calls on this connection.
> > > >
> > > > If the client tries to use AUTH_TLS for anything other than a NULL
> RPC
> > > > ping, then a server would presumably be expected to return AUTH_ERROR
> > > with
> > > > AUTH_TOOWEAK.
> > > >
> > > > Once the TLS negotiation is complete, then the client and server will
> > > have
> > > > established a secure channel for communicating, and can then use the
> > >
> > > Any such document would need to discuss the client authentication
> semantics
> > > for the TLS connection, whether a single per-host client cert is used
> vs.
> > > per-user certs, etc.  BCP 195/RFC 7525 would of course play a role,
> too.
> > >
> >
> > This is transport level security, so in order to have per-user certs,
> we'd
> > presumably have to have a TCP connection per user? That is certainly not
> > something that I can envision wanting to ever implement for a kernel NFS
> > client.
>
> There are some ugly tricks that could be played, but basically your
> presumption is right.  If I may ask, though, how many concurrent NFS client
> users do you think you need to support on a single NFS client machine?
>

So that's the thing. While Linux is running on cell phones, which obviously
won't have more than 1 or 2 users, most of our NFS users tend to be running
server farms where each node can run processes on behalf of lots of
different users. A few 10s or 100s of users per node is not uncommon, with
upper bounds being on the order of 1000 or so. With server farms easily
reaching into the 10000 client range these days (because of virtualisation)
then that can run into quite a few connections per server. pNFS doesn't
really help, since all clients still need to talk to the metadata server,
and each pNFS data server will add to the number of connections that each
client needs to maintain...

So I'm asserting that the main scalability issue when using TLS with user
certificates would be on the server side due to the number of clients and
users per client, but the clients themselves would be affected too, since
they have to deal with scale out servers.

Does that make sense?


> > IOW: As far as this working group is concerned, I'd see TLS as mainly
> > practical for providing machine level authentication, not user level.
>
> I don't really expect anyone to disagree with that.
>
> > I agree that there are issues addressed by RFC7525 that we may want to
> > discuss.
> >
> >
> > >
> > > > standard security flavours on top of that channel (presumably after
> > > > negotiating down the irrelevant RPCSEC_GSS privacy and integrity
> > > mechanisms
> > > > and applying channel binding).
> > >
> > > Anyone considering GSSAPI channel binding should probably consider the
> > > issues that
> > > https://tools.ietf.org/html/draft-ietf-kitten-channel-bound-flag-03
> tries
> > > to address, and also that the tls-unique-based binding value in RFC
> 5929 is
> > > rather overtaken by events.  There would probably be a need to define
> a new
> > > TLS exporter-based value that requires the use of TLS 1.3 or
> > > extended-master-secret.
> > >
> > >
> > Is that discussion relevant to the NFSv4 working group though? NFSv4 only
> > requires servers to support RPCSEC_GSSv2 (or RPCSEC_GSSv3 for NFSv4.2).
> > Both those protocols have explicit channel binding RPC calls that return
> > success/failure, and a separate service type (rpc_gss_svc_channel_prot)
> > that as far as I can tell should meet the requirements in the above
> > document. Am I wrong?
>
> You are right -- I had forgotten that RPCSEC_GSSv2 uses a different binding
> scheme, and in fact section 5 of RFC 5403 says you SHOULD NOT use native
> GSS channel bindings.
>
> Sorry about that.
>
> -Ben
>
> >
> >
> > -Ben
> > >
> > > > Is this a proposal that might be of interest to members of this
> group,
> > > and
> > > > hence be worth documenting in an RFC?
> > > >
> > > > Cheers
> > > >   Trond
> > > >
> > > > On Tue, 28 Aug 2018 at 07:57, Rick Macklem <rmacklem@uoguelph.ca>
> wrote:
> > > >
> > > > > David Noveck wrote:
> > > > > [stuff snipped]
> > > > > >> AUTH_SYS with UIDs/GIDs is too limited.
> > > > > >
> > > > > >As far as I know, AUTH_SYS includes 32-bit UIDs/GIDs.   Those
> seemed
> > > > > ample when
> > > > > >AUTH_SYS was designed.
> > > > > >
> > > > > >It certainly is too limited now, but it is difficult to change.
> Even
> > > more
> > > > > of a
> > > > > >barrier than the existiing OTW formats, is the fact that most flle
> > > systems
> > > > > >used with NFS reserve 32 bits in the inode for each of owner and
> > > group.
> > > > > >Further complicating matters is that in-kernel VFS's and POSIX
> API's
> > > are
> > > > > >built around this very limited approach to user identity.
> > > > > >
> > > > > >> I have no objection to a mechanism like AUTH_SYS-over-TLS
> > > > > >
> > > > > >I don't know of any AUTH_SYS mechanism that uses anything other
> than
> > > > > >32-bit ids.
> > > > > >
> > > > > >> that uses name@domain to be consistent with the rest of NFSv4.
> > > > > I think he was referring to a new authentication flavour that had
> the
> > > > > "user@domain" string as the authenticator. (There is a 400byte
> limit,
> > > but
> > > > > that might be sufficient.) I might have called it AUTH_NAME or
> > > AUTH_OWNER.
> > > > >
> > > > > I'd guess that 99.9% of FreeBSD NFS usage is AUTH_SYS, although
> > > Kerberos is
> > > > > in the system. I do think a way to use TLS (or similar) to encrypt
> at
> > > the
> > > > > transport
> > > > > level would be a good thing and would get used more widely.
> > > > >
> > > > > Many of the FreeBSD sites (I won't guess the %) use AUTH_SYS but
> > > ignore the
> > > > > gid list and generate a gid list on the server from the uid. As
> such, I
> > > > > don't think
> > > > > putting gids/owner_group names in a new authentication mechanism is
> > > needed.
> > > > >
> > > > > For folks that have a 32bit uniform uid space, AUTH_SYS in
> transport
> > > > > encryption
> > > > > seems ok to me.
> > > > > For sites where the uid space isn't uniform or doesn't fit in
> 32bits, a
> > > > > "user@domaim"
> > > > > to uid/gid list mapping in the server can be done using this new
> one.
> > > > >
> > > > > >Within NFSv4 proper, you could use name@domain, but there is
> really
> > > no
> > > > > >point if you are using AUTH_SYS.    You are allowed to use
> numeric ids
> > > > > >as attributes and most people using AUTH_SYS choose to do so, to
> avoid
> > > > > >the overhead of a translation that provides no benefits.
> > > > > They could use this mapping with AUTH_OWNER when AUTH_SYS won't
> > > > > work for them.
> > > > >
> > > > > rick
> > > > > ps: I, for one, am not interested in implementing a new GSSAPI
> > > mechanism
> > > > > that
> > > > >       isn't in the open source Kerberos distros. As such, any
> > > complicated
> > > > > setup
> > > > >       involving writing of a lot of new code probably wouldn't
> make it
> > > in
> > > > > FreeBSD
> > > > >       for a long time. However, something that mostly uses the
> extant
> > > code
> > > > > for
> > > > >       supporting "https" should be doable.
> > > > > [more stuff snipped]
> > > > >
> > > > > _______________________________________________
> > > > > nfsv4 mailing list
> > > > > nfsv4@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/nfsv4
> > > > >
> > >
> > > > _______________________________________________
> > > > nfsv4 mailing list
> > > > nfsv4@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/nfsv4
> > >
> > >
>

v2.23.0 | Report a Bug | By Email