IETF Logo Mail Archive

[nfsv4] Going forward on the security document

David Noveck <davenoveck@gmail.com> Wed, 14 February 2024 16:07 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2895C151081 for <nfsv4@ietfa.amsl.com>; Wed, 14 Feb 2024 08:07:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e8qJC87Y34WS for <nfsv4@ietfa.amsl.com>; Wed, 14 Feb 2024 08:07:53 -0800 (PST)
Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55D80C14F6AD for <nfsv4@ietf.org>; Wed, 14 Feb 2024 08:07:53 -0800 (PST)
Received: by mail-qv1-xf34.google.com with SMTP id 6a1803df08f44-68c431c6c91so25395236d6.0 for <nfsv4@ietf.org>; Wed, 14 Feb 2024 08:07:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707926872; x=1708531672; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=NJlPgf2bTS5+0eawnWqehh2frZ/pQQb5kLV+5kHukv0=; b=laYzP3pfZsqw6WZx3az1OdmR/SXgsqUbZA2zRGnFOnChU4CG9kkgP6Ei8wGh/IAvo1 GE+C31ko+SZU+dVEbDNSGTW+M3oaahYdPP6vKJ35ab35xO9DGJVo9DcHhoKed3SMbBJF IC2Jv899euuNq8C2eHcdYrtKxi0sZRBOIuh34fT8hvJqq/tpN7iCCbnMyAgrxb/Iw5Cj cnfrY5x8tOwphPv/bN1uPrFOiBfAz0L3l8irJM7WdhGAwYPfcpvHTp910R0gcjrfzzVW WIscwkQbz+B9bXE5fuJQXtkgt0Y2JQGUHFrSbS6zuRQUS7KZ7WdHA2BPDYOpwIC8fVuP s83A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707926872; x=1708531672; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=NJlPgf2bTS5+0eawnWqehh2frZ/pQQb5kLV+5kHukv0=; b=hgFAvpuODP/1MmlstrNx35wN6iZT7h6YJ8A6ejw9pXondaROQcGfGRTMGB7//QWPc6 MQ7bQVRMGL0pXBNLlTgxcxTF4a6TGbDt0KpzIFEhnd4plRvCyz407qYa62boWqm40K/I 129jCoM4ferkns+nVfNauunrS4TVX3yuHYZIloalpa+kZc1KH9Iq6wPc0yqD3bFUEewm ersEhDC8cPQrAz9pv50RieZjW4rM9FvAH6o/2fRXmU8UH4jXGL8fH2wh55Bdk3UCKDIV K8W700P9LPWKiDdv9AzYnzBONTZ641WdVKbWHmgolTYXpGEp9xT/efslUALaxjA5YgZy QUfA==
X-Gm-Message-State: AOJu0YzYIwHN8LhRCEHfPq+apcUemip7QRg/ZwqsChYIXoPvnMX1VBpk 5/TEhIbOkJiePXOexu+gU/icmOPDxlV7MknfMwIhJxYgt+HTIFAdHAOYXqOb3bp7jCALMO8A+Gw iKcOiwXSr8eyUgQGK+lFUJe/FLgZdpFM+zPo=
X-Google-Smtp-Source: AGHT+IHoid2i6joh13608ZcqMiGY33Q9jfRI/jlb0XrkStdi/Oi/6+nMr0O7AgX4Th7WT9X+WRgD9M99VtRH9+LrtVA=
X-Received: by 2002:ad4:576a:0:b0:68f:c57:5326 with SMTP id r10-20020ad4576a000000b0068f0c575326mr1129624qvx.31.1707926871553; Wed, 14 Feb 2024 08:07:51 -0800 (PST)
MIME-Version: 1.0
From: David Noveck <davenoveck@gmail.com>
Date: Wed, 14 Feb 2024 11:07:39 -0500
Message-ID: <CADaq8jcFioz5XeRCaC7q6KkG6CJZaX6CYrcqk_AFAewU3-tkYw@mail.gmail.com>
To: NFSv4 <nfsv4@ietf.org>, Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000007b3b5e061159b60a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/FDWezBjoF1p3KfTaN0Px7E0fTq0>
Subject: [nfsv4] Going forward on the security document
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2024 16:07:55 -0000

This message is my attempt to summarize the results of discussion of the v4
security document that occurred at the interim meeting this afternoon.

This email is  my attempt to summarize  the results of discussion of the
security document that occurred at the 2/13 Interim Wrorking Group
meeting.   This document is being done as part of the rfc5661bis effort .


Although I have tried to be accurate, it should be noted that I have made
no attempt to coordinate with others present and that others may have
different views as to what was discussed/decided.



I decided to try to simplify processing, as suggested by a number of
people, by splitting out the ACL-related material from the security
document proper .  I will then try to address the difficult issues created
when ACLs were added to NFSv4 without clear semantic requirements in a
separate document, devoted to ACLs



As a result, the next draft of the security document,
draft-dnoveck-nfsv4-security-08, will limit the discussion of acl-related
issues by treating acls as an EXPERIMENTAL feature to be described in a
separate document.



That document, initially draft-dnoveck-nfsv4-acls-00 will explain why the
experiment adopted initially in rfc3010 and propagated without major
changes to rfcs 3530, 5661, 7530, and 8881 was a failure which it does not
make sense to continue.  Instead, I will, as I proposed at the meeting,
change the focus of the focus ACL description on a simplified core
baased on the withdrawn draft POSIx ACLs with provisions for extensions of
that model that have actually.   I will be sending out in the week, a
description of ONTAP ACL support  which includes a number of such
extensions.


This approach is the reverse of the one adopted in rfc3010 and subsequent
rfcs in which ACLs including a massive set of extensions was presented as
canonical, but was supplemented by some dubious material which essentially
said "Oh by the way, if any of this inconvenient, feel free to ignore it. "


We will be needing information about actual implementations of some of the
ACL extensions discussed in existing documents and have to be prepared to
simply drop material that was never implemented.  In particular,  as far as
I know, the troublesome behavior, derived from windows acl implementation,
mentioned in the meeting in which deny ACL are scanned and effected after
all requested permissions was never described in NFSv4 and probably never
implemented.   As a result, it is likely that concern about its effect on
the specification of NFSv4 ACLs was misplaced.


There are also a number of related matters that were discussed without
resulting in any agreement.   The following uissues will need to be
addressed on the wg list and in subsequent meetings:


   - Chris I. raised what he described as a set of  problems with NFSv4's
   handling of "identity".   The ensuing discussion led me to conclude that he
   was referring to two different issues:
      - The lack of clarity about mapping between uid/gid values and the
      strings used to represent users and groups.   With regard to
this issue, I
      tend to agree with Brian P.'s point that these are properly treated as
      implementation matters.   I will try to make this clearer in forthcoming
      drafts.
      - At a later point in the discussion, it appeared that many of
      Chris's concerns were prompted by the disturbing ease with which a client
      might represent himself as a given named user.  While it is possible that
      such impersonation might be made more likely by flaws in the mappings
      between names and numeric ids, the fundamental issue here is
inherited from
      NFSv2 and NFSv3 implementations, in which AUTH_SYS is used, allowing
      unauthenticated requests to be executed, given the common use of AUTH_SYS
      and the lack of facilities for client peer authentication.

 The material in -08 will address this issue pretty much as was done in
-07, pointing out the security problem involved in use of AUTH_SYS, without
going so far forbidding its use or formally RECOMMENDING against it.
 While we may not have reached consensus on this, I don't see any obstacles
to it.

Although I feel that the shift from numeric ids to strings made between v3
and v4 was, like the inclusion of ACLs without a clear semantics model for
their use, a mistake, it is not possible for  us to undo that mistake.   I
think it will be possible to clarify the role of name mapping by not
requiring the mapping of ids to names when AUTH_SYS is used, although the
numeric ids need to (trivially) mapped to strings.  I will try to see what
can be done in that regard in -08, without crossing any red lines.


   - Tom H.  raised issues regarding potential XDR changes which he found
   troubling.   Chris agreed to post the diffs between RFC5662 and the most
   recent draft of rfc5662bis.  While Tom never wavered from his position that
   any such differences were inherently impermissible, I need to point out
   that these changes which reorganized the typedefs while keeping what is
   sent  OTW as formally opaque are analogous to the xdr changes made between
   rfc 3531 and 7531 and are not a problem.  The working group will have to
   discuss this issue further but I think consensus is achievable.
   - The repeated suggestions by Brian that the NFSv4 server could be
   defined  as an "interpreter" depending on the server fs's choice of
   semantics have never been addressed.  In my view, the working group needs
   to seriously consider this possibility and clearly reject it.  I don't
   think we can publish a purported *Proposed Standard* that leaves so much
   material unspecified, even if the IETF/IESG could somehow be convinced to
   accept it.

v2.23.0 | Report a Bug | By Email