Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-08.txt
Rick Macklem <rick.macklem@gmail.com> Tue, 19 March 2024 14:28 UTC
Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89036C14F704 for <nfsv4@ietfa.amsl.com>; Tue, 19 Mar 2024 07:28:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vRHt8HfEX5pV for <nfsv4@ietfa.amsl.com>; Tue, 19 Mar 2024 07:28:07 -0700 (PDT)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC8E4C14F6FC for <nfsv4@ietf.org>; Tue, 19 Mar 2024 07:28:07 -0700 (PDT)
Received: by mail-pg1-x535.google.com with SMTP id 41be03b00d2f7-5c66b093b86so4849426a12.0 for <nfsv4@ietf.org>; Tue, 19 Mar 2024 07:28:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710858487; x=1711463287; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=JDBe65A4E0LARa46TOSr96vGnwF0PS+3XbFApq+OrVA=; b=TDgazv/HAl5LwEDIvvE85vAxmLyNj2sM/5fWWkZvlrM/FjnZ8TbbYIxp+bl8f7TZN6 NMaCJdSfLYjlyUqLINsPcBfu4R4K45WDXpEjfSzkF616612nZRs6Y94u9qEWarA1ILjl sa4ELiByTGuethxpNAX0qJWSErkmIxWFvrZ6caoWwFKUE22z8rHYi50/CfMEwawQRr5N uQJ0XZeXZk5IhCCe0f8mGNhgVdxtSGdkixxttBsauUlNudare/kKz4fwjmnPpPsHMKVU 3bcKvu/bSfzBhBE/14u0Yidd5ajjH8u/QPOSH7b8r42hI6FUMRsykc2452nCXnGgVfoI JJkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710858487; x=1711463287; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JDBe65A4E0LARa46TOSr96vGnwF0PS+3XbFApq+OrVA=; b=jGnMlysiCU1x1lubwW9Cp1IA8yrlG/Lmi/i1ZhGiQALp01pMrIV3vuIAMK6vGKmnYX ymLg6ydWypW6ImmN6Y0f6WcN5ybUZkm7xSBqXQat0CSsJgqeAe56nrdmd0FL4eYVd0Lk o699pRKvl2Ny6T3EN7TKbzFDiowhGtS/hV1V8DOcDTDjc/F3v7zqMgzdUMJSDFv7hx4D m7kv/T+E8Gmz7TPf8i+FEbBr0v20sKFSaDlOjOlxOh8Q09g4o3QTe3sFW3Q+KDkYcEcH SmcjgOsSfIgecbA6k/UccwunP2hVcQDTGAbbsA1rf9kQkjmcGcZUdqvqdAM+ZC1C5CJr HshA==
X-Gm-Message-State: AOJu0YyzA30sCP0dh8ct5OQ6xqqR4CdRASM02OILUlZLd2SUWyCBaN2m DgtQ6kNuEHpQ3dW/+BjyqC90oBZMzLvFLy35WvSWuLFVh9BT6+v316irQK2WfxoK93u/YmxHu6y +5yOsswCK+4cNCwb+bcWWxX7Ztg==
X-Google-Smtp-Source: AGHT+IGr33DDZPnU4I7zulE80dFP1/Cd5StJTeNapJbT219/OPVrVaw2R2K8ifNLW/OvPU2xVD/O0kkCDZ6Pdh5Vd74=
X-Received: by 2002:a17:90b:1105:b0:29f:7f60:3543 with SMTP id gi5-20020a17090b110500b0029f7f603543mr3937370pjb.22.1710858486756; Tue, 19 Mar 2024 07:28:06 -0700 (PDT)
MIME-Version: 1.0
References: <170947740288.2806.283512371684207764@ietfa.amsl.com> <CADaq8jeHa0PPye1xtUyHipFa60tuCOufW_7uXmY3UV9RwuySqg@mail.gmail.com>
In-Reply-To: <CADaq8jeHa0PPye1xtUyHipFa60tuCOufW_7uXmY3UV9RwuySqg@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Tue, 19 Mar 2024 07:27:52 -0700
Message-ID: <CAM5tNy4JpwZmPAQH8SFFPvAWE3qWmxrgdDTw5+StNFxzOAcpbw@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Cc: NFSv4 <nfsv4@ietf.org>, Chuck Lever <chucklever@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/BTubpDlJyAW0lkupFZPCyRV_RWg>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-08.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 14:28:11 -0000
Further to what I mentioned w.r.t. SP4_MACH_CRED,
here is a possible cleaner way to deal with it?
- Define a new SP4_MACH_CRED_RPC (or whatever you want to call it) for NFSv4.2
that depends on the RPC layer to indicate that an RPC uses machine credentials
and for the RPC layer to provide integrity/privacy protection.
- It would use state_protect_ops4 in the same way as SP4_MACH_CRED, given
a machine credential RPC as indicated by the RPC layer.
For RPC-over-TLS, this could be implemented by...
- A non-NULL RPC request specifying AUTH_TLS in the RPC request header.
- If the client presented a verifiable X.509 certificate during TLS handshake
for the TLS session the RPC is in, this would be an RPC with
machine credential.
- If no verifiable X.509 certificate was presented during TLS handshake or
the RPC is not in a TLS session, it would fail with AUTH_WEAK.
Then there is TLS identity squashing. (Chuck just posted, reminding me
of this stuff):
This refers to using the X.509 certificate presented during TLS handshake
to define a single user that is performing RPCs on the NFSv4 server using
the TLS session. (My use case was a personal device such as a laptop,
allowing the NFSv4 server to ignore the AUTH_SYS credentials in the
RPC's request header.) Chuck came up with the name. He's much better at
naming things than I am.
- In other words, all RPCs (or at least all using AUTH_SYS) would be done on
the NFSv4 server as this user.
There are a couple of issues that this RFC could discuss/define related to this.
- Chuck and I diverged w.r.t. how to implement this.
a) I preferred putting the user name in the X.509 certificate presented during
TLS handshake.
b) Chuck preferred a database on the NFSv4 server, keyed on certificate
issuer/serial#.
(Chuck may have changed his mind, since his post was related to
implementation a).)
This can be considered just an implementation detail chosen by NFS server
implementors, but it might be nice to have some standardization (for
example, the
exact format of the field in the X.509 certificate for a)).
A more important consideration would be whether to squash all RPCs on only
RPCs with AUTH_SYS credentials in the RPC request header.
I have currently implemented a) and only AUTH_SYS.
I did only AUTH_SYS due to SP4_MACH_CRED requiring RPCSEC_GSS
credentials. If I replaced them with the "user" credential, SP4_MACH_CRED would
fail. If there was something like SP4_MACH_CRED_RPC, then this would be less of
an issue.
Since no one is using TLS identity squashing on FreeBSD at this time, I could
easily change the implementation. Over time that becomes more difficult.
These are security related things that could use specification/clarification and
make RPC-over-TLS more useful, I think?
rick
On Sun, Mar 3, 2024 at 6:53 AM David Noveck <davenoveck@gmail.com> wrote:
>
> Got this in by the deadline. Will discuss at IETF119.
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Sun, Mar 3, 2024 at 9:50 AM
> Subject: New Version Notification for draft-dnoveck-nfsv4-security-08.txt
> To: David Noveck <davenoveck@gmail.com>
>
>
> A new version of Internet-Draft draft-dnoveck-nfsv4-security-08.txt has been
> successfully submitted by David Noveck and posted to the
> IETF repository.
>
> Name: draft-dnoveck-nfsv4-security
> Revision: 08
> Title: Security for the NFSv4 Protocols
> Date: 2024-03-03
> Group: Individual Submission
> Pages: 113
> URL: https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-08.txt
> Status: https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/
> HTML: https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-08.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-dnoveck-nfsv4-security
> Diff: https://author-tools.ietf.org/iddiff?url2=draft-dnoveck-nfsv4-security-08
>
> Abstract:
>
> This document describes the core security features of the NFSv4
> family of protocols, applying to all minor versions. The discussion
> includes the use of security features provided by RPC on a per-
> connection basis. Important aspects of the authorization model,
> related to the ACL feature, will be specified in a separate document.
>
> The current version of the document is intended, in large part, to
> result in working group discussion regarding existing NFSv4 security
> issues and to provide a framework for addressing these issues and
> obtaining working group consensus regarding necessary changes.
>
> When the resulting documents (i.e. this document and one derived from
> the separate ACL specification) are eventually published as RFCs,
> they will, by updating these documents, supersede the description of
> security appearing in existing minor version specification documents
> such as RFC 7530 and RFC 8881,
>
>
>
> The IETF Secretariat
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Fwd: New Version Notification for draft-d… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Brian Pawlowski
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] New Version Notification for draft-dn… Chuck Lever III
- Re: [nfsv4] New Version Notification for draft-dn… Rick Macklem
- Re: [nfsv4] New Version Notification for draft-dn… Chuck Lever III