Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-03.txt

Rick Macklem <rmacklem@uoguelph.ca> Thu, 02 December 2021 01:44 UTC

From: Rick Macklem <rmacklem@uoguelph.ca>
To: "J. Bruce Fields" <bfields@fieldses.org>, David Noveck <davenoveck@gmail.com>
CC: NFSv4 <nfsv4@ietf.org>, "nfsv4-ads@ietf.org" <nfsv4-ads@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>
Date: Thu, 02 Dec 2021 01:44:13 +0000
Message-ID: <YQXPR0101MB0968CD8D028EA4F058AB739DDD699@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <163767514326.26555.17470749244218204323@ietfa.amsl.com> <CADaq8jes2WfwbXoy7D22gRwCh9Mw-Wrkdkugc9jbp3PNjb6jYA@mail.gmail.com> <20211129162527.GB24258@fieldses.org> <YQXPR0101MB096859732928862B39144F45DD699@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YQXPR0101MB096859732928862B39144F45DD699@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/CvVPst5tcJXy0REadNrlhU5HsiU>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-03.txt

Sorry. Stupid frickin windows and outlook...

I've added the rest of the text this time around

________________________________________
From: nfsv4 <nfsv4-bounces@ietf.org> on behalf of Rick Macklem <rmacklem@uoguelph.ca>
Sent: Wednesday, December 1, 2021 8:36 PM
To: J. Bruce Fields; David Noveck
Cc: NFSv4; nfsv4-ads@ietf.org; nfsv4-chairs
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-03.txt

J. Bruce Fields wrote:
> On Tue, Nov 23, 2021 at 08:55:04AM -0500, David Noveck wrote:
> > This is considerably different from -02 (1400 lines).  Still, a diff
> > between -02 and -03 is useful to see where the changes/additions are, if
> > you read -02.
>
> 5.9: special identifiers: "when ACEs containing these who values are
> encountered, the server MUST treat all requesting users as not
> matching."
>
> So a two-ACE ACL like:
>
>         allow read to INTERACTIVE
>         deny everything to EVERYONE
>
> would require the server to fail all NFS READs, and an ACL like:
>
>         deny read to INTERACTIVE
>         allow everything to EVERYONE
>
> would require the server to allow all NFS READs.
>
> Presumably these special identifiers are mainly only there for the
> multiprotocol case--the server can actually make use of them when
> accessed by an SMB client, but we still want NFS clients to be able to
> e.g. do ACL-preserving copies, so we want NFS clients to still see them.
>
> So I guess it's a sensible default to treat those special identifiers as
> describing groups of which no NFS user is a member.
>
> Seems more like "a sensible default", though, rather than something to
> be enshrined in a MUST.  I could imagine server administrators wanting
> the option to configure this.
>
> I'd rather leave this unspecified.  At least, unless we can get input
> from a wide range of server implementors.
I agree with Bruce on this. At this time, the FreeBSD server will normally
fail a Setattr of ACL if any ACE in the ACL has one of the "special who"s
(except for OWNER@, GROUP@ and EVERYONE@). For full disclosure, the
way the code is currently written, a sysadmin could put a "special who" in
the password database and it would be recognized as that user. I suppose
that could be considered a bug.

However, I do think that a POSIX-like server, such as FreeBSD, could choose
to implement POSIX groups that corresponded to these "special who"s,
as Bruce mentioned.

I don't see why that should not be allowed and think it is up to the server
implementor/sysadmin.

rick

> That goes double for ANONYMOUS and AUTHENTICATED.  I don't know all the
> ways that export permissions and idmapping (like squashing) are
> implemented on different servers and I'm not sure we can reasonably come
> up with rules that will work for everyone.
>
> --b.

>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Tue, Nov 23, 2021 at 8:45 AM
> Subject: New Version Notification for draft-dnoveck-nfsv4-security-03.txt
> To: David Noveck <davenoveck@gmail.com>
>
>
>
> A new version of I-D, draft-dnoveck-nfsv4-security-03.txt
> has been successfully submitted by David Noveck and posted to the
> IETF repository.
>
> Name:           draft-dnoveck-nfsv4-security
> Revision:       03
> Title:          Security for the NFSv4 Protocols
> Document date:  2021-11-23
> Group:          Individual Submission
> Pages:          139
> URL:
> https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-03.txt
> Status:
> https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/
> Html:
> https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-03.html
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-dnoveck-nfsv4-security
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-dnoveck-nfsv4-security-03
>
> Abstract:
>    This document describes the core security features of the NFSv4
>    family of protocols, applying to all minor versions.  The discussion
>    includes the use of security features provided by RPC on a per-
>    connection basis.
>
>    This preliminary version of the document, is intended, in large part,
>    to result in working group discussion regarding existing NFSv4
>    security issues and to provide a framework for addressing these
>    issues and obtaining working group consensus regarding necessary
>    changes.
>
>    When a successor document is eventually published as an RFC, it will
>    supersede the description of security appearing in existing minor
>    version specification documents such as RFC 7530 and RFC 8881.
>
>
>
>
> The IETF Secretariat

> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
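The point of Bruce's two-ACE ACLs above is that NFSv4 ACL evaluation is ordered (RFC 8881, Section 6.2.1), so whether a "special who" ACE matches or is skipped flips the answer for every NFS user. The following is an added example, not code from the draft, from FreeBSD, or from anyone in this thread: it evaluates an ACL in order, implements the draft -03 rule (an ACE naming INTERACTIVE@, ANONYMOUS@, AUTHENTICATED@ and the other non-OWNER@/GROUP@/EVERYONE@ identifiers matches nobody) as the default, and adds a hypothetical `special_groups` mapping standing in for the sysadmin-configured POSIX group Rick and Bruce describe. The access-mask subset, the `Ace`/`Principal` shapes and the `setattr_acl_accepted` check are this example's own assumptions; the check only mirrors the FreeBSD behaviour as Rick states it.

```python
"""NFSv4 ACL evaluation with the draft's "special who never matches" rule
beside a sysadmin-configured POSIX-group mapping.  Added example for this
thread; not the draft's, FreeBSD's or any server's code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Subset of the access mask bits from RFC 8881, Section 6.2.1.3.
ACE4_READ_DATA = 0x00000001
ACE4_WRITE_DATA = 0x00000002
ACE4_EXECUTE = 0x00000020
ACE4_READ_ACL = 0x00020000
ACE4_WRITE_ACL = 0x00040000
ALL_BITS = (ACE4_READ_DATA | ACE4_WRITE_DATA | ACE4_EXECUTE
            | ACE4_READ_ACL | ACE4_WRITE_ACL)           # "everything"

ALLOW, DENY = "ALLOW", "DENY"

# Special identifiers from RFC 8881, Section 6.2.1.5.
SPECIAL_WHO = frozenset({
    "OWNER@", "GROUP@", "EVERYONE@", "INTERACTIVE@", "NETWORK@", "DIALUP@",
    "BATCH@", "ANONYMOUS@", "AUTHENTICATED@", "SERVICE@",
})
# The three that the thread says the FreeBSD server accepts in a Setattr of ACL.
ALWAYS_SUPPORTED = frozenset({"OWNER@", "GROUP@", "EVERYONE@"})


@dataclass(frozen=True)
class Ace:
    kind: str                 # ALLOW or DENY
    who: str                  # "OWNER@", "INTERACTIVE@", "alice", "staff", ...
    mask: int                 # access mask bits this ACE covers
    group_flag: bool = False  # stands in for ACE4_IDENTIFIER_GROUP


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]
    is_owner: bool = False
    in_owning_group: bool = False


def ace_matches(ace: Ace, who: Principal, special_groups: Dict[str, str]) -> bool:
    """Does the ACE's who value apply to the requesting principal?

    special_groups (hypothetical config knob) maps a special who such as
    "INTERACTIVE@" to a local POSIX group.  Left empty, this is the draft -03
    rule: an ACE naming one of those values matches no requesting user."""
    if ace.who == "OWNER@":
        return who.is_owner
    if ace.who == "GROUP@":
        return who.in_owning_group
    if ace.who == "EVERYONE@":
        return True                      # the world, owner included
    if ace.who in SPECIAL_WHO:
        group = special_groups.get(ace.who)
        return group is not None and group in who.groups
    if ace.group_flag:
        return ace.who in who.groups
    return ace.who == who.name


def check_access(acl: List[Ace], who: Principal, requested: int,
                 special_groups: Optional[Dict[str, str]] = None) -> bool:
    """Evaluate the ACL in order as RFC 8881, Section 6.2.1 describes.

    An ALLOW ACE grants requested bits not already denied; a DENY ACE denies
    requested bits not already allowed.  Processing stops once every requested
    bit is decided; a bit nobody allowed stays denied."""
    special_groups = special_groups or {}
    allowed = denied = 0
    for ace in acl:
        if not ace_matches(ace, who, special_groups):
            continue
        pending = requested & ~(allowed | denied)   # bits still undecided
        if ace.kind == ALLOW:
            allowed |= ace.mask & pending
        else:
            denied |= ace.mask & pending
        if ((allowed | denied) & requested) == requested:
            break
    return (allowed & requested) == requested


def setattr_acl_accepted(acl: List[Ace]) -> bool:
    """Mirror the FreeBSD behaviour Rick describes: refuse to store an ACL with
    any special who other than OWNER@, GROUP@ and EVERYONE@."""
    return all(ace.who not in SPECIAL_WHO or ace.who in ALWAYS_SUPPORTED
               for ace in acl)


# Bruce's two ACLs, constructed from the thread.
ACL_ALLOW_INTERACTIVE = [Ace(ALLOW, "INTERACTIVE@", ACE4_READ_DATA),
                         Ace(DENY, "EVERYONE@", ALL_BITS)]
ACL_DENY_INTERACTIVE = [Ace(DENY, "INTERACTIVE@", ACE4_READ_DATA),
                        Ace(ALLOW, "EVERYONE@", ALL_BITS)]

if __name__ == "__main__":
    nfs_user = Principal("alice", frozenset({"staff"}))   # constructed
    for label, acl in (("allow INTERACTIVE@", ACL_ALLOW_INTERACTIVE),
                       ("deny INTERACTIVE@", ACL_DENY_INTERACTIVE)):
        print(label,
              "READ under draft rule:", check_access(acl, nfs_user, ACE4_READ_DATA),
              "| INTERACTIVE@ mapped to 'staff':",
              check_access(acl, nfs_user, ACE4_READ_DATA, {"INTERACTIVE@": "staff"}),
              "| FreeBSD-style Setattr accepted:", setattr_acl_accepted(acl))
```

Run with no mapping, the first ACL fails every READ and the second allows every READ, exactly the outcomes Bruce points out; with INTERACTIVE@ mapped to a group the user belongs to, both results invert, which is why the thread treats the "never matches" behaviour as a default a server or sysadmin might override rather than a MUST.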
