[nfsv4] Going forward on the security document
David Noveck <davenoveck@gmail.com> Wed, 14 February 2024 16:07 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2895C151081 for <nfsv4@ietfa.amsl.com>; Wed, 14 Feb 2024 08:07:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e8qJC87Y34WS for <nfsv4@ietfa.amsl.com>; Wed, 14 Feb 2024 08:07:53 -0800 (PST)
Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55D80C14F6AD for <nfsv4@ietf.org>; Wed, 14 Feb 2024 08:07:53 -0800 (PST)
Received: by mail-qv1-xf34.google.com with SMTP id 6a1803df08f44-68c431c6c91so25395236d6.0 for <nfsv4@ietf.org>; Wed, 14 Feb 2024 08:07:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707926872; x=1708531672; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=NJlPgf2bTS5+0eawnWqehh2frZ/pQQb5kLV+5kHukv0=; b=laYzP3pfZsqw6WZx3az1OdmR/SXgsqUbZA2zRGnFOnChU4CG9kkgP6Ei8wGh/IAvo1 GE+C31ko+SZU+dVEbDNSGTW+M3oaahYdPP6vKJ35ab35xO9DGJVo9DcHhoKed3SMbBJF IC2Jv899euuNq8C2eHcdYrtKxi0sZRBOIuh34fT8hvJqq/tpN7iCCbnMyAgrxb/Iw5Cj cnfrY5x8tOwphPv/bN1uPrFOiBfAz0L3l8irJM7WdhGAwYPfcpvHTp910R0gcjrfzzVW WIscwkQbz+B9bXE5fuJQXtkgt0Y2JQGUHFrSbS6zuRQUS7KZ7WdHA2BPDYOpwIC8fVuP s83A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707926872; x=1708531672; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=NJlPgf2bTS5+0eawnWqehh2frZ/pQQb5kLV+5kHukv0=; b=hgFAvpuODP/1MmlstrNx35wN6iZT7h6YJ8A6ejw9pXondaROQcGfGRTMGB7//QWPc6 MQ7bQVRMGL0pXBNLlTgxcxTF4a6TGbDt0KpzIFEhnd4plRvCyz407qYa62boWqm40K/I 129jCoM4ferkns+nVfNauunrS4TVX3yuHYZIloalpa+kZc1KH9Iq6wPc0yqD3bFUEewm ersEhDC8cPQrAz9pv50RieZjW4rM9FvAH6o/2fRXmU8UH4jXGL8fH2wh55Bdk3UCKDIV K8W700P9LPWKiDdv9AzYnzBONTZ641WdVKbWHmgolTYXpGEp9xT/efslUALaxjA5YgZy QUfA==
X-Gm-Message-State: AOJu0YzYIwHN8LhRCEHfPq+apcUemip7QRg/ZwqsChYIXoPvnMX1VBpk 5/TEhIbOkJiePXOexu+gU/icmOPDxlV7MknfMwIhJxYgt+HTIFAdHAOYXqOb3bp7jCALMO8A+Gw iKcOiwXSr8eyUgQGK+lFUJe/FLgZdpFM+zPo=
X-Google-Smtp-Source: AGHT+IHoid2i6joh13608ZcqMiGY33Q9jfRI/jlb0XrkStdi/Oi/6+nMr0O7AgX4Th7WT9X+WRgD9M99VtRH9+LrtVA=
X-Received: by 2002:ad4:576a:0:b0:68f:c57:5326 with SMTP id r10-20020ad4576a000000b0068f0c575326mr1129624qvx.31.1707926871553; Wed, 14 Feb 2024 08:07:51 -0800 (PST)
MIME-Version: 1.0
From: David Noveck <davenoveck@gmail.com>
Date: Wed, 14 Feb 2024 11:07:39 -0500
Message-ID: <CADaq8jcFioz5XeRCaC7q6KkG6CJZaX6CYrcqk_AFAewU3-tkYw@mail.gmail.com>
To: NFSv4 <nfsv4@ietf.org>, Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000007b3b5e061159b60a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/FDWezBjoF1p3KfTaN0Px7E0fTq0>
Subject: [nfsv4] Going forward on the security document
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2024 16:07:55 -0000
This message is my attempt to summarize the results of discussion of the v4 security document that occurred at the interim meeting this afternoon. This email is my attempt to summarize the results of discussion of the security document that occurred at the 2/13 Interim Wrorking Group meeting. This document is being done as part of the rfc5661bis effort . Although I have tried to be accurate, it should be noted that I have made no attempt to coordinate with others present and that others may have different views as to what was discussed/decided. I decided to try to simplify processing, as suggested by a number of people, by splitting out the ACL-related material from the security document proper . I will then try to address the difficult issues created when ACLs were added to NFSv4 without clear semantic requirements in a separate document, devoted to ACLs As a result, the next draft of the security document, draft-dnoveck-nfsv4-security-08, will limit the discussion of acl-related issues by treating acls as an EXPERIMENTAL feature to be described in a separate document. That document, initially draft-dnoveck-nfsv4-acls-00 will explain why the experiment adopted initially in rfc3010 and propagated without major changes to rfcs 3530, 5661, 7530, and 8881 was a failure which it does not make sense to continue. Instead, I will, as I proposed at the meeting, change the focus of the focus ACL description on a simplified core baased on the withdrawn draft POSIx ACLs with provisions for extensions of that model that have actually. I will be sending out in the week, a description of ONTAP ACL support which includes a number of such extensions. This approach is the reverse of the one adopted in rfc3010 and subsequent rfcs in which ACLs including a massive set of extensions was presented as canonical, but was supplemented by some dubious material which essentially said "Oh by the way, if any of this inconvenient, feel free to ignore it. " We will be needing information about actual implementations of some of the ACL extensions discussed in existing documents and have to be prepared to simply drop material that was never implemented. In particular, as far as I know, the troublesome behavior, derived from windows acl implementation, mentioned in the meeting in which deny ACL are scanned and effected after all requested permissions was never described in NFSv4 and probably never implemented. As a result, it is likely that concern about its effect on the specification of NFSv4 ACLs was misplaced. There are also a number of related matters that were discussed without resulting in any agreement. The following uissues will need to be addressed on the wg list and in subsequent meetings: - Chris I. raised what he described as a set of problems with NFSv4's handling of "identity". The ensuing discussion led me to conclude that he was referring to two different issues: - The lack of clarity about mapping between uid/gid values and the strings used to represent users and groups. With regard to this issue, I tend to agree with Brian P.'s point that these are properly treated as implementation matters. I will try to make this clearer in forthcoming drafts. - At a later point in the discussion, it appeared that many of Chris's concerns were prompted by the disturbing ease with which a client might represent himself as a given named user. While it is possible that such impersonation might be made more likely by flaws in the mappings between names and numeric ids, the fundamental issue here is inherited from NFSv2 and NFSv3 implementations, in which AUTH_SYS is used, allowing unauthenticated requests to be executed, given the common use of AUTH_SYS and the lack of facilities for client peer authentication. The material in -08 will address this issue pretty much as was done in -07, pointing out the security problem involved in use of AUTH_SYS, without going so far forbidding its use or formally RECOMMENDING against it. While we may not have reached consensus on this, I don't see any obstacles to it. Although I feel that the shift from numeric ids to strings made between v3 and v4 was, like the inclusion of ACLs without a clear semantics model for their use, a mistake, it is not possible for us to undo that mistake. I think it will be possible to clarify the role of name mapping by not requiring the mapping of ids to names when AUTH_SYS is used, although the numeric ids need to (trivially) mapped to strings. I will try to see what can be done in that regard in -08, without crossing any red lines. - Tom H. raised issues regarding potential XDR changes which he found troubling. Chris agreed to post the diffs between RFC5662 and the most recent draft of rfc5662bis. While Tom never wavered from his position that any such differences were inherently impermissible, I need to point out that these changes which reorganized the typedefs while keeping what is sent OTW as formally opaque are analogous to the xdr changes made between rfc 3531 and 7531 and are not a problem. The working group will have to discuss this issue further but I think consensus is achievable. - The repeated suggestions by Brian that the NFSv4 server could be defined as an "interpreter" depending on the server fs's choice of semantics have never been addressed. In my view, the working group needs to seriously consider this possibility and clearly reject it. I don't think we can publish a purported *Proposed Standard* that leaves so much material unspecified, even if the IETF/IESG could somehow be convinced to accept it.
- [nfsv4] Going forward on the security document David Noveck
- Re: [nfsv4] Going forward on the security document Jeff Layton
- Re: [nfsv4] Going forward on the security document Frank Filz
- Re: [nfsv4] Going forward on the security document Rob Thurlow
- Re: [nfsv4] Going forward on the security document Rick Macklem
- Re: [nfsv4] Going forward on the security document Brian Pawlowski
- Re: [nfsv4] Going forward on the security document Rick Macklem