IETF Logo Mail Archive

Re: [nfsv4] NFS over TLS for laptops

Chuck Lever <chuck.lever@oracle.com> Tue, 29 December 2020 16:41 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1B053A0C47 for <nfsv4@ietfa.amsl.com>; Tue, 29 Dec 2020 08:41:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id edw5It22zOaE for <nfsv4@ietfa.amsl.com>; Tue, 29 Dec 2020 08:41:09 -0800 (PST)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 769523A0C5E for <nfsv4@ietf.org>; Tue, 29 Dec 2020 08:41:09 -0800 (PST)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 0BTGeND3128905; Tue, 29 Dec 2020 16:41:07 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=wKqN+/jxQ3L02TBd39kdlvP7PkExqm3uL+m5zs4dINQ=; b=qFNtNJOygK7LhzFMPjfQgHT0Abl2hXmsrH8Vi+dUizEhAEc/D6EN8k+bK+bMBrbWN/Nm IFmq9V2uqZ2bciQTSAaWdD19XEzI56GHIwvL7YVnd5ttEOD5xXqujqGgwOM4VA1UVF8Z MzxBSJie7tFsJAq6ZN2eHTLlzTO+hyhVyVn+7hSq8WvNdzzMg0pVKW9qT+X4Uv/bGA98 yaVjxetxJgvxmhnDJVMlInEFp2ticUjNUfqXBl9zkCWOfh+8lWvMLqyvpDxoigfeTcQX 8zqWM5d+tpi/9QZUvdwgogCVpf26d4wgBC1QKKSfKctuoShB78gOv/IF95Tfbmrts5jg gg==
Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by aserp2130.oracle.com with ESMTP id 35ntpapvpm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 29 Dec 2020 16:41:07 +0000
Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 0BTGdvxM082420; Tue, 29 Dec 2020 16:41:06 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userp3020.oracle.com with ESMTP id 35pexrtbj3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 29 Dec 2020 16:41:06 +0000
Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 0BTGf5ev011828; Tue, 29 Dec 2020 16:41:06 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 29 Dec 2020 08:41:05 -0800
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <YQXPR0101MB0968D1AB5DC7A55DE4E5F404DDDE0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
Date: Tue, 29 Dec 2020 11:41:04 -0500
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <1113F47A-BDA1-4C34-95B4-1EB8076BA071@oracle.com>
References: <YQXPR0101MB0968F7BF5A6D7E97F39CC739DDC90@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <A7175D1C-BEBB-4557-8123-FA78C9393E72@oracle.com> <YQXPR0101MB096816C0EA985F65FE6562E5DDC60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB0968AA3A97C80B8140BFC845DDC60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <8B3A77F6-15DE-4F4B-B246-385DD447C743@oracle.com> <YQXPR0101MB09680BC1A27265F81C5B5671DDC40@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <DEBCFB38-9A1A-43BB-A8DF-0C64792AF30F@oracle.com> <YQXPR0101MB09689564C0543291E25FB274DDC20@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB09687759005C97725CFC1AFCDDC10@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <13B0E10F-0E40-47AC-A6E3-495DF578DCAB@oracle.com> <YQXPR0101MB0968D1AB5DC7A55DE4E5F404DDDE0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
To: Rick Macklem <rmacklem@uoguelph.ca>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9849 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 spamscore=0 malwarescore=0 mlxscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012290105
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9849 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 adultscore=0 mlxscore=0 mlxlogscore=999 clxscore=1015 phishscore=0 lowpriorityscore=0 bulkscore=0 impostorscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012290105
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/D0JHYWv0E_rW3buVFSo16YWMBX8>
Subject: Re: [nfsv4] NFS over TLS for laptops
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Dec 2020 16:41:11 -0000


> On Dec 23, 2020, at 7:03 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> 
>> And, we agree that securing single-user clients is an important
>> use case. (paraphrase. My stupid email system cut the text line out.)
>> 
>> I expect other implementers will find the same thing. When they
>> deal with this issue, they might see your implementation and
>> and copy it. Or they might copy it and add some variations,
>> since there is no published specification.
> Yes. As above w.r.t a TLS squashing data and distribution mechanism,
> I agree.
> 
>> And then I can see one or more of them approaching the WG and
>> asking us to either update rpc-tls or provide a specification
>> to enable proper interoperation.
>> 
>> Or, possibly, at some point in the future, the WG will be tasked
>> with updating rpc-tls to reflect implementation practice, part
>> of which might be otherName.
> And you can simply restate that you do not consider use of the
> otherName field this way as acceptable, due to conflagration
> of user and machine credentials in the certificate.

> (I suppose there is the question of whether or not the "collective"
> working group agrees with the above, but since no one else has
> commented except Ben Kaduk, we do not know the answer to
> that?)

I think we know the answer. We have a consensus that was
arrived at by the usual process. It is documented in
rpc-tls.


> Any other implementation who might choose the otherName
> approach can easily do so from the FreeBSD doc. and sources.
> (Or by simply asking me.)

My concern is that we have a spec (one that supposedly
represents a community consensus) that tells us not to mix
client and user authentication material, and yet implementers
are choosing to do this anyway.

Is the spec then wrong? If it is, the WG needs to address that.
The primary purpose of specifications is to codify the practices
where we agree, yet there is clearly a disagreement already.

If the spec is not wrong, the WG needs to consider ways to
address the need while complying with the normative
requirements in rpc-tls.

I was hoping that we could identify a compromise position, at
least, with the FreeBSD implementation. If it turns out we
cannot, then the WG needs to construct a proper response to
the single-user-per-client scenario.

In short, the WG must come to a fresh consensus that either
otherName is OK to do in this scenario, or it must provide an
acceptable alternative.


>> At that point, we have a real problem. Or maybe just me, as an
>> author of rpc-tls and possibly its descendants, has that problem.
> I do not really see the problem. No is a simple answer.

Simple, but problematic. The possible result will be the
promulgation of implementations that do not comply with our
shiny new specification. I think the IETF would view that as
very much a quality-of-specification problem. The usual redress
is to publish an updated protocol specification.


--
Chuck Lever

v2.23.0 | Report a Bug | By Email