Re: [nfsv4] NFS over TLS for laptops

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 26 January 2021 17:15 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "davenoveck@gmail.com" <davenoveck@gmail.com>, "chuck.lever@oracle.com" <chuck.lever@oracle.com>, "rmacklem@uoguelph.ca" <rmacklem@uoguelph.ca>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Date: Tue, 26 Jan 2021 17:14:55 +0000
Message-ID: <82d63791181597be36e1a1c208d6a5c0616b5092.camel@ericsson.com>
In-Reply-To: <CADaq8jfxsLcTHQrtSF3GZ04+tmcjPg_KK5kHFaD1N9T00pH6sg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/D6laZ_lynhnAGtmfWLQWAvaBb6c>
Subject: Re: [nfsv4] NFS over TLS for laptops

Hi,

I intended in the Interim to ask for a clarification: does anything in this thread
affect the approved draft? In other words, do we need to run through a process
of getting consensus on any changes to
https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/ ?

Cheers

Magnus

On Sat, 2021-01-02 at 05:57 -0500, David Noveck wrote:
> 
> 
> On Fri, Jan 1, 2021, 7:28 PM Rick Macklem <rmacklem@uoguelph.ca> wrote:
> > From: Benjamin Kaduk <kaduk@mit.edu> wrote:
> > >On Thu, Dec 31, 2020 at 04:53:04PM +0000, Rick Macklem wrote:
> > >> Chuck Lever wrote:
> > >> > Ben Kaduk wrote:
> > >> >>
> > >> >> I suspect that we can find a compromise position, yes.
> > >> >> The certificate still authenticates the client (not the user), and the
> > >> >> client uses AUTH_SYS to claim what user is performing operations.  But the
> > >> >> server uses the client's authenticated identity to restrict, by policy,
> > >> >> what user identities the client is allowed to claim via AUTH_SYS.  In the
> > >> >> degenerate case there is an otherName in the certificate that corresponds
> > >> >> to a single user and the client can only claim that one user, which looks
> > >> >> very similar to just authenticating the user, but we can say that the
> > >> >> relevant policy logic is located in the server as part of its internal
> > >> >> implementation choices.
> > >> >
> > >> >An NFS client might send legitimate operations as UID 0 too
> > >> >(e.g., lease management). Those cannot be rejected. Perhaps
> > >> >we need to specify that the client has to perform _all_
> > >> >operations as the squashed user.
> > >> Yes. I agree with this.
> > >> My current implementation simply ignores the AUTH_SYS RPC
> > >> credential when TLS squashing is enabled.
> > >
> > >Hmm, that may not be as robust as you want, since a certificate is allowed
> > >to have more than one SAN of any given type.  I think that if we do write
> > >up something like this we should be sure to define behavior when multiple
> > >names are present in the certificate.
> > Good point. I assumed there would only be one "user@domain" entry.
> > I can see a couple of alternatives for this:
> > 1 - Only allow one and reply AUTH_ERR if there is more than one.
> > 2 - Allow more than one, but require that they all have different
> >   "domain" fields. The server would use the one for the "domain"
> >   that the server supports. The NFS server would reply AUTH_ERR
> >   if none of the domain names match one the server supports.
> >   If the server supports more than one of the domains in the set
> >   of names, it could be required that the server reply AUTH_ERR
> >   or leave it up to the server implementor?
> >   This would allow the certificate to work for multiple NFS servers
> >   with different username domains.
> > Personally, I prefer #2.
> > 
> > As an aside, I think that an NFSv4 server can support multiple
> > username domains.
> 
> It's certainly allowed by the spec.  If it were not, there would be no point
> in including "@domain" in each user and group name.
> 
> > However, I am not aware of any NFSv4 server
> > implementations that handle more than one username domain
> > in Owner and Owner_Group names at this time.
> 
> This topic is discussed in some detail in RFC 8000. The motivation was FedFs
> deployments.
> 
> > Are there any?
> 
> I don't know of any.
> 
> > rick
> > 
> > -Ben
> > 
> > 
> > _______________________________________________
> > nfsv4 mailing list
> > nfsv4@ietf.org
> > https://www.ietf.org/mailman/listinfo/nfsv4
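The server-side selection rule Rick sketches as alternative #2 (several "user@domain" otherName entries, all with distinct domains, the server picking the one for a domain it supports and replying AUTH_ERR otherwise), together with Ben's point that a certificate may carry more than one SAN of a type and Chuck's point that every operation runs as the squashed user, as an added model written for this page; it is not code from any NFS implementation or from the draft. The entry list, the domain names and the AUTH_ERR stand-in are constructed, and the otherName values are assumed to be already extracted from the certificate.

```python
from collections import Counter

AUTH_ERR = "AUTH_ERR"  # stand-in for the RPC authentication error reply


def pick_squashed_user(san_users, server_domains, strict_on_ambiguity=True):
    """Return the 'user@domain' the server squashes to, or AUTH_ERR.

    san_users: 'user@domain' strings from the certificate's SAN otherName
               entries (assumed already extracted and syntactically checked).
    server_domains: username domains this NFS server supports, in preference
               order (a server may support more than one).
    strict_on_ambiguity: if more than one entry matches a supported domain,
               reply AUTH_ERR (the stricter reading of alternative #2);
               when False, take the first supported domain in server order.
    """
    parsed = []
    for entry in san_users:
        user, sep, domain = entry.rpartition("@")
        if not sep or not user or not domain:
            return AUTH_ERR  # malformed entry: refuse rather than guess
        parsed.append((user, domain.lower()))
    # Alternative #2 requires every entry to carry a different domain.
    if any(n > 1 for n in Counter(d for _, d in parsed).values()):
        return AUTH_ERR
    supported = [d.lower() for d in server_domains]
    matches = [(u, d) for u, d in parsed if d in supported]
    if not matches:
        return AUTH_ERR  # none of the domains is one this server serves
    if len(matches) > 1:
        if strict_on_ambiguity:
            return AUTH_ERR
        matches.sort(key=lambda ud: supported.index(ud[1]))
    user, domain = matches[0]
    return f"{user}@{domain}"


def principal_for_rpc(auth_sys_uid, san_users, server_domains):
    """Identity an RPC runs as when TLS squashing is on.

    The AUTH_SYS credential (auth_sys_uid, UID 0 for lease management
    included) is deliberately ignored: all operations run as the squashed
    user, and a rejected certificate rejects the RPC outright.
    """
    squashed = pick_squashed_user(san_users, server_domains)
    return None if squashed == AUTH_ERR else squashed
```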