Re: [nfsv4] NFSv4 on TLS

Benjamin Kaduk <kaduk@mit.edu> Sun, 26 August 2018 19:49 UTC

Date: Sun, 26 Aug 2018 14:48:56 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Chuck Lever <chucklever@gmail.com>
Cc: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>, NFSv4 <nfsv4@ietf.org>
Message-ID: <20180826194855.GQ59914@kduck.kaduk.org>
References: <FD3EEC6C-887F-4F3A-AB9E-87AB9EE34ABD@oracle.com> <20180813174925.GT40887@kduck.kaduk.org> <16B93CCC-59D7-499D-A119-DF93EAA6F693@oracle.com> <74511756.34401856.1534188782924.JavaMail.zimbra@desy.de> <20180814013441.GU40887@kduck.kaduk.org> <1ED079F3-8AB7-4E05-BE2A-5862891E0C14@gmail.com> <1767009777.34781869.1534282545712.JavaMail.zimbra@desy.de> <904326F7-41BB-45FB-8269-E5E477509581@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <904326F7-41BB-45FB-8269-E5E477509581@gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/GqGP1PW9mGk0NC8nY6WWleRsJaI>
Subject: Re: [nfsv4] NFSv4 on TLS

On Thu, Aug 23, 2018 at 01:49:12PM -0400, Chuck Lever wrote:
> 
> 
> > On Aug 14, 2018, at 5:35 PM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
> > 
> > Hi Chuck, Ben,
> > 
> > probably decoupling the security layer from identity information is not a bad idea.
> > At least for those who need only data integrity and protection. And I agree
> > that TLS is widely used, thus well optimized by many people. Most of the penalty
> > is the initial handshake, which is ok for NFS.
> 
> For example:
> 
> https://tools.ietf.org/html/draft-ietf-mls-architecture-00
> 
> The architectural trend appears to be towards separating
> authentication and transport security.

(For background, I'm the responsible AD for the MLS WG.)  I don't think
MLS's discussions about how to apply per-message protection are as cut and
dried as that architecture document might make it seem, but you're right
that there are pressures from the IETF security community to reuse
well-established building blocks for transport security.  With my own
personal background I would also call GSS-API wrap tokens "well-established
building blocks", but I do acknowledge that they leave more metadata
unencrypted than TLS would.

-Ben
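To make the metadata point in the reply concrete, here is an added Python model (not part of this email, and not code from any NFS or GSS implementation) that lays out a simplified RPCSEC_GSS privacy CALL using the field layout of RFC 5531 and RFC 2203 next to the same RPC call carried inside a TLS application_data record, and reports what an on-path observer can read in each case. The `seal` function is a placeholder for GSS_Wrap or the TLS AEAD (not real crypto), the RPCSEC_GSS MIC verifier is omitted, and the xid, sequence number, context handle and arguments are constructed values.

```python
import struct

# Standard values from RFC 5531 (ONC RPC) and RFC 2203 (RPCSEC_GSS).
RPC_CALL, RPC_VERSION = 0, 2
NFS_PROGRAM, NFS_V4, NFSPROC4_COMPOUND = 100003, 4, 1
AUTH_NONE, RPCSEC_GSS = 0, 6
RPCSEC_GSS_DATA, RPC_GSS_SVC_PRIVACY = 0, 3

def xdr_u32(n):
    return struct.pack(">I", n)

def xdr_opaque(b):
    # XDR variable-length opaque: 4-byte length, bytes, zero padding to a 4-byte boundary
    return xdr_u32(len(b)) + b + b"\x00" * ((-len(b)) % 4)

def rpc_call_header(xid, cred_flavor, cred_body):
    # Fields an RPC CALL always carries in the clear when no transport encryption is used.
    return (xdr_u32(xid) + xdr_u32(RPC_CALL) + xdr_u32(RPC_VERSION)
            + xdr_u32(NFS_PROGRAM) + xdr_u32(NFS_V4) + xdr_u32(NFSPROC4_COMPOUND)
            + xdr_u32(cred_flavor) + xdr_opaque(cred_body)
            + xdr_u32(AUTH_NONE) + xdr_opaque(b""))   # verifier slot; GSS MIC omitted here

def gss_privacy_call(xid, seq, handle, args, wrap):
    # RPCSEC_GSS privacy: header and credential stay cleartext, only seq+args are wrapped.
    cred = (xdr_u32(1) + xdr_u32(RPCSEC_GSS_DATA) + xdr_u32(seq)
            + xdr_u32(RPC_GSS_SVC_PRIVACY) + xdr_opaque(handle))
    return rpc_call_header(xid, RPCSEC_GSS, cred), xdr_opaque(wrap(xdr_u32(seq) + args))

def tls_record(rpc_message, encrypt):
    # TLS application_data record: 5-byte header (type 23, legacy version, length) is
    # the only cleartext; the whole RPC message, header included, is inside the ciphertext.
    body = encrypt(rpc_message)
    return struct.pack(">BHH", 23, 0x0303, len(body)), body

def parse_visible_header(hdr):
    # What an observer can decode from a cleartext RPC header without any key material.
    xid, _mtype, _rver, prog, vers, proc, flavor = struct.unpack(">7I", hdr[:28])
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "flavor": flavor}

def compare_exposure(args=b"constructed COMPOUND args"):
    seal = lambda b: bytes(x ^ 0x5A for x in b)   # stand-in for GSS_Wrap / TLS AEAD, NOT crypto
    gss_hdr, gss_token = gss_privacy_call(0x1234, 7, b"ctx-1", args, seal)
    tls_hdr, tls_body = tls_record(rpc_call_header(0x1234, AUTH_NONE, b"") + args, seal)
    return {
        "gss_visible": parse_visible_header(gss_hdr),
        "gss_cleartext_bytes": len(gss_hdr) + 4,          # header plus the token length word
        "tls_visible": {"type": tls_hdr[0], "length": len(tls_body)},
        "tls_cleartext_bytes": len(tls_hdr),
    }

if __name__ == "__main__":
    print(compare_exposure())
```

Both transports reveal message sizes and timing; the difference is that with RPCSEC_GSS privacy the program, version, procedure, flavor and GSS sequence number remain readable, whereas under TLS only the record type and length are.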