IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-dnoveck-nfsv4-security-08.txt

Rick Macklem <rick.macklem@gmail.com> Sat, 23 March 2024 00:18 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17F31C14F696 for <nfsv4@ietfa.amsl.com>; Fri, 22 Mar 2024 17:18:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FBq4k7OmZ5Qm for <nfsv4@ietfa.amsl.com>; Fri, 22 Mar 2024 17:18:16 -0700 (PDT)
Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2432C14F616 for <nfsv4@ietf.org>; Fri, 22 Mar 2024 17:18:16 -0700 (PDT)
Received: by mail-pj1-x102c.google.com with SMTP id 98e67ed59e1d1-29dd91f3aaeso1909230a91.3 for <nfsv4@ietf.org>; Fri, 22 Mar 2024 17:18:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711153096; x=1711757896; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=iLKC7GaJl+bnApPTQ024rT6Suews7g1ckFECjmiDhhs=; b=k5xCbJs+tHW3Lpq9MWazsliAPpugl9Kz9xXciRJ7mqRMI1IMBS5+2C4AjtREZMXaSh F3IJhQy+txinf+27QRW/OSwNKSSPp3C1USZMZE7QlwwWpD1kVLKkzYOWpIlX6Uhaq+rs 5oW2DKtrMN+QYqtX/k20q9xgbRXYs81OoorQ+oXQhottSLf7E8oV9ZA8CNttjSnDAtaa abtFTV78yfR7YgQDr2jXO8cdOxD8ZdV//35CNdEYDrDvWR3WYNIfQfoHdVnoOuMKXV0o wZldvKHB0rHHZzn67hf5Bt2dOUNUDh75ZAQZJOdrzdY+c0P77tZww4O68TXYmTBBJ5MI yGjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711153096; x=1711757896; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=iLKC7GaJl+bnApPTQ024rT6Suews7g1ckFECjmiDhhs=; b=qqIlWR6noWfqtB1gM2NC+J3HvhQp72300UN8ZBDWF1IITA14pgPdQLGE5hXTUJESKt P/4sS3ZMaVkcSkgUj4xpCPWVKJ/+o8+brkGM3n5opzt1DnvoAH6Uy7Z/7muO7IIBuXO+ XfpMJLaHHwo8RM8hvKqyPmgXxE6QpuEB92VCyV/vx+9o4WHVbC5zPq2nbA6HQTaWJ5A9 rsrB9iR2DB/KmiMUt+4foP9wJrqOe+k9YxmFuLxbHAHzZqVsOtRKM53oN6SakTXPnKBd c2ljPu7DKHacSf6RmptxAG4TX67I8TjCU5lwmso35vXjNFOabJG5mA3fcvf/4qFHWbo2 EvuQ==
X-Forwarded-Encrypted: i=1; AJvYcCUBSbrL7bC19c9+7ppwjRaElpeWFH+6AuhJmgwjomUPISyEUR6qmpniGxdNgHY5bwpyXR7KrskkvhRCRmUBiw==
X-Gm-Message-State: AOJu0YzbppflDBBw/6DzY7VMBnOj5sb/BhLlza6s02mBHOpbTHF6iYXv exsl1ImmISa31Zz1emqgQgtIfKSss8jJIvLsCdwyfmqmTBt2mtSCudYyHgQo6G7PVqjxgEolvAZ jy+qOXQnZVLlawVKpOENMLJDfDg==
X-Google-Smtp-Source: AGHT+IEmfp+sYQbYfvC92LtHmcIMR3qm1TzAD9pMoVjg6Ya4fYSDgDKMODGphp5qBEfPik+TDSHBO2yqpnHtmIUs80I=
X-Received: by 2002:a17:90a:f518:b0:29b:c34b:7e6b with SMTP id cs24-20020a17090af51800b0029bc34b7e6bmr1083399pjb.32.1711153095883; Fri, 22 Mar 2024 17:18:15 -0700 (PDT)
MIME-Version: 1.0
References: <170947740288.2806.283512371684207764@ietfa.amsl.com> <CADaq8jeHa0PPye1xtUyHipFa60tuCOufW_7uXmY3UV9RwuySqg@mail.gmail.com> <CAM5tNy4JpwZmPAQH8SFFPvAWE3qWmxrgdDTw5+StNFxzOAcpbw@mail.gmail.com> <9DBE4C96-42B7-43E7-8430-D87FC337CDA3@oracle.com>
In-Reply-To: <9DBE4C96-42B7-43E7-8430-D87FC337CDA3@oracle.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 22 Mar 2024 17:17:58 -0700
Message-ID: <CAM5tNy4JhjdxbT1ZK=dXE82=6P9jrY=ARoMc9DQ6Jd2dhx3xqw@mail.gmail.com>
To: Chuck Lever III <chuck.lever@oracle.com>
Cc: David Noveck <davenoveck@gmail.com>, NFSv4 <nfsv4@ietf.org>, Chuck Lever <chucklever@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/CvusKFGgCBKd3sJK2UTbPbtzAHY>
Subject: Re: [nfsv4] New Version Notification for draft-dnoveck-nfsv4-security-08.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2024 00:18:17 -0000

On Tue, Mar 19, 2024 at 7:38 AM Chuck Lever III <chuck.lever@oracle.com> wrote:
>
>
>
> > On Mar 19, 2024, at 10:27 AM, Rick Macklem <rick.macklem@gmail.com> wrote:
> >
> > There are a couple of issues that this RFC could discuss/define related to this.
> > - Chuck and I diverged w.r.t. how to implement this.
> >  a) I preferred putting the user name in the X.509 certificate presented during
> >       TLS handshake.
> >  b) Chuck preferred a database on the NFSv4 server, keyed on certificate
> >      issuer/serial#.
> > (Chuck may have changed his mind, since his post was related to
> > implementation a).)
> > This can be considered just an implementation detail chosen by NFS server
> > implementors, but it might be nice to have some standardization (for
> > example, the
> > exact format of the field in the X.509 certificate for a)).
>
> IMO this falls in the category of server implementation detail.
> I don't recall saying a serial# database should be required.
>
> But, not something that goes on the wire, certainly, and
> therefore outside the purview of the IETF.
Wel, I said "maybe" and I'm still a "maybe".
The working group has been very good at underspecifying things
in the past and they still cause problems.
For example, take the case of the domain component of Owner and
Owner_group strings. What are they?
I honestly do not know.
I believe David does discuss this in his security draft.

Suppose Linux implements the "imbed a username in the X.509 certificate
for TLS identity squashing", but at some point it is decided that Linux should
not use a FreeBSD OID and chooses to use a different OID.
(I used a FreeBSD OID, since I did not know how to acquire anything else and
used the otherName componenent of SubjectAltName at the suggestion of
Ben Kaduk.)
Then you end up with a similar but non-identical way of doing it and sysadmins
have to deal with potentially N different ways to create X.509 certs for clients
to use with different servers. (These X.509 certs do go on the wire.)

Now, if by "server implementation detail" you were simply referring to choosing
a) versus b), then I would agree.

I'll admit I have not explored standardization of the way to insert a
username in
a X.509 certificate.

However, I agree that resolving what to do with SP4_MACH_CRED is more
important.
I'd like to see either:
- SP4_MACH_CRED extended to support any appropriate RPC layer
  machine credential and any appropriate integrity/privacy provision
  instead of the RPCSEC_GSS specific requirement in RFC8881.
OR
- A new SP4_MACH_CRED like variant for the above as an extension
  to NFSv4.2.
Then, along with the above, a specification for doing this for RPC-over-TLS.

rick
>
> --
> Chuck Lever
>
>

v2.23.0 | Report a Bug | By Email