IETF Logo Mail Archive

[nfsv4] Interim meeting agenda topics

David Noveck <davenoveck@gmail.com> Sun, 08 September 2024 16:06 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A2F2C14CE39 for <nfsv4@ietfa.amsl.com>; Sun, 8 Sep 2024 09:06:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6aziLYga8iak for <nfsv4@ietfa.amsl.com>; Sun, 8 Sep 2024 09:06:08 -0700 (PDT)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86810C15153F for <nfsv4@ietf.org>; Sun, 8 Sep 2024 09:06:08 -0700 (PDT)
Received: by mail-qv1-xf2d.google.com with SMTP id 6a1803df08f44-6c35334dfb1so24959096d6.0 for <nfsv4@ietf.org>; Sun, 08 Sep 2024 09:06:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725811567; x=1726416367; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vg9gTiQZaaTbmSF/nzAFn4JqAiHJst9V5VePrf8S8U8=; b=F2R4vQthkoFhsaa+xdL9WtEMjpLWHnyihHwuJPO8KJfdvrW0hxTeVjN87UlntYfMGV 0ncfCOrU1543pAX/CegQYtJ+7coMY89sQTohPB9f+n+Tr1PJqmL519yqFDt2Ibp1qZpN UGNpEdrI7jVCyw1yj28b/JoupzlTSvSFlyIyKgdF3d3tyZQrf+tiIlr/HTumXsv2a7Py wsO4M4+idCLVYLJjFTjyppsnJU612sYbm3xocExikSluqWbGEUZSk8vxkeDm9cLRppsc uzzja1RaZanLDzq+3jNuXLpceGP2A7LhLKn5awqSVkSmPkm8XOL4OJ7llHx0KiFEkPK1 Dgrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725811567; x=1726416367; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vg9gTiQZaaTbmSF/nzAFn4JqAiHJst9V5VePrf8S8U8=; b=aRkX6RwDt/kAk0mMWGLRBpmYuhoDP3RGM+u/qplHG2/xWY+RbCzdrdIpJW9UK12hy0 By8nksQ055rZvvYIzt/rBnsNB2zIKBIyHq/b5AIyt1XMBtVUOWaTMRVelrnVx+V9GKQj /9msp5gEe04eIClbnU8WcOXuEP3+rX+G2Q281kSB25ri3Gb2JPid7097DgWA4OUqU5sl GVVpTJhgfy6pOKveuRabGouPqsLijPzBTGAZyUupDMNZPPNblsgQtYHB7sRRRV2dhrlX ZUIKs8wk782BPj7ZBAHHpkzCm6/whMT1HoDuMGKGlM7aIJx0Sq3QiPJJCkw28AKyy8Hf QOgA==
X-Forwarded-Encrypted: i=1; AJvYcCVLaYWybD5h8KheDnlG1+1ushfhtkUZTbVl6U4215HnrDCXG6O8oH1SQNO8s66p6f0JjlsgUg==@ietf.org
X-Gm-Message-State: AOJu0YyBWfzsXKyqNFGPH4KnKaYxbFSNhO+DSwhtDj2iNFXJGvdBIyaD mJFo1foY8g0JKfKEX2wxfMt77u3oRiLw5S8/f8XJePbdF30VPB8rHHWVl3M9+PSsu2CBX+rVPBW KzV3H/NWZPSl5DvxM/6tmBJFJZD8=
X-Google-Smtp-Source: AGHT+IGWDRAdD39LIaiRPvDPmR61gd/3PuAFbcgpr0wJo92SbftciZRMEiufiA9t0BLlkO3duetZzqvtey0xLYBhXv8=
X-Received: by 2002:a05:6214:4b09:b0:6c5:13f0:2415 with SMTP id 6a1803df08f44-6c532b2cde7mr98986966d6.40.1725811567184; Sun, 08 Sep 2024 09:06:07 -0700 (PDT)
MIME-Version: 1.0
References: <F2FA0129-5780-4257-8E18-E04865D6BCC4@cert.org> <CAM5tNy7fhU5s+EufRS3aq2zYSdjrtD_ijj1RgHcTv0WzGcbT0Q@mail.gmail.com>
In-Reply-To: <CAM5tNy7fhU5s+EufRS3aq2zYSdjrtD_ijj1RgHcTv0WzGcbT0Q@mail.gmail.com>
From: David Noveck <davenoveck@gmail.com>
Date: Sun, 08 Sep 2024 12:05:54 -0400
Message-ID: <CADaq8jey55znu5J1amhRj6F5uwoE=hO81ghEqZtrnsVw=_N5Pw@mail.gmail.com>
To: Rick Macklem <rick.macklem@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000069534a06219dd193"
Message-ID-Hash: CBC22HC2IYE2FDCOXVVFVHUZMK7B4G3E
X-Message-ID-Hash: CBC22HC2IYE2FDCOXVVFVHUZMK7B4G3E
X-MailFrom: davenoveck@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Interim meeting agenda topics
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/H0vyy3uzyD2_T1m9YhH8jm8xAoo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Fri, Sep 6, 2024, 4:35 PM Rick Macklem <rick.macklem@gmail.com> wrote:

> On Fri, Sep 6, 2024 at 1:05 PM Chris Inacio <inacio@cert.org> wrote:
> >
> > All,
> >
> > What would the agenda topics for the (yet to be scheduled) interim
> meeting be?
>

Since I've published a number of post-IETF120 drafts as part of the
respecification effort, it makes to discuss these.  Of particular
importance are is the latest draft of the acl document for which I have
made considerable changes to align the acl document with the work Rick is
doing to support draft POSIX ACLs as an NFSv4.2 extension.

I expect this to take about twenty minutes.

> What is left to be resolved / is controversial on the POSIX_ACL draft?

Nothing from my point of view.  I don't know of any issues Rick has.   It
is reasonable to expect that anyone who does have issues to raise them on
the list.   We may need to confirm the non-existence of such issues at the
forthcoming interim meeting.  I think we should allocate five minutes for
this.

>
> > I would like to add an Authentication/Authorization topic.


It seems to me that you need to be somewhat clearer about what we might
discuss, so we can appropriately schedule a discussion slot.

With regard to authorization, I don't see you mention anything
authorization-related below.   Btw, the security document has made a
considerable change from rfc8881 which unfortunately took the position that
there was no essential connection between the documented authorization
decisions and the actual authorization of operations.  "Lasciate ogni
speranza voi ch'entrate"

In any case, if there are no issues with this new approach, that's good to
know.

>
Although we still need some more detail as to the topic, it appears to me
that all of your materials fit within identification/authentication.

To scope down what I would like to discuss here: I need to read RFC2203
> first.  Just from browsing the table of contents for 2203, I’m not sure
> this helps me understand what are *the protocol needs* with how a file
> system backend stores/maps the network identity of the client.
>

I don't  think it does either.  Should it?

I don't know if this will help save you some time, but here is my
> recollection of how RPCSEC_GSS/Kerberized NFS works...
> - The client translates a user identity into a Kerberos principal (a
> string like "rmacklem@MY.REALME").
>    (This is usually a trivial mapping of username and default REALM.)
>   --> The client uses the user's TGT to acquire a session ticket from the
> KDC.
> - The GSSAPI layer wraps this session ticket up in a blob they call a
> token.
> - This "token" is sent to the server via a Null RPC by RPCSEC_GSS layer.
>   --> There is a back and forth between client and server, using Null RPCs
>        in the RPCSEC_GSS layer that, if successful, authenticates the
> Kerberos
>        prinicipal name on the server and creates a shorthand for the
> Kerberos principal.
>

This is helpful material but what exactly are you proposing the working
group do with it?  I can't see that it would fit very well in the security
document, which currently focuses on RPCSEC_GSS, rather than Kerberos
proper.  Maybe we can discuss how to change things to incorporate this sort
of material

       (Translation from Kerberos principal is whatever the server
> chooses to do.
>

Implementations may differ but there have to be some rules the server has
to adhere to to make this work.  What are they?

         For POSIX like systems, it typically strips off the @REALM
> and then looks
>          name up in the password/group databases to create POSIX
> credentials

for the user.
>

I don't understand the meaning of "POSIX  credentials".  Are you really
talking about credentials here?

Also, the password/group  databases have to be correct or security is not
real.  This needs to be clarified.

         which are associated with the shorthand mentioned above.)
> --> Then the client uses the shorthand (authenticated via encryption
> using the session key
>       from the Kerberos session ticket) to identify the "user" to the
> server. That's what RPCSEC_GSS
>       is doing for non-NULL RPCs.
> (Hopefully this is close. It has been a long time since I coded this
> stuff.)
>

A lot of people never have.  The important question is whether we are
missing something that implementors need to know. I expect there are
documents that describe this that we might reference.  Ideas?

>
> In theory, other mechanisms than Kerberos can be created for
> GSSAPI/RPCSEC_GSS,
> but there has not been much done. (Long ago there was an RFC and some code
> for
> a public key system, but no one adopted it.
>

Rfc8881 suggests pretty strongly that any new mechanism be implemented
using RPCSEC_GSS.   We should consider whether that suggestion needs to be
modified given that new mechanisms do not have to deal with encryption but
only authentication/identification.


> It sounds like Tigran et al might be thinking of a new mechanism,
> although I haven't looked
> at what he has written up yet,
>

I think so but it is not clear what the working group can do with that
until there is an actual proposal.

>
> >  Please *do not* think I’m trying to standardize how that works (that is
> a server implementation choice) but what needs to be on the wire to enable
> servers do that _however they chose to do it._
>  Reading through enough of the POSIX ACLs some of the large
> differences between NFSv3 and NFSv4 become clear.
> I'm not sure if this sounds silly, but on-the-wire it is basically a
> string (owner/owner_group defines it as "user@domain",
> where the domain was never well defined.


Right.  No attempt was made to define it. I don't think we are in position
to fix that now.

>(Right now, most just handle

> one "domain".


 I don't know of any that support more than one domain.  If there are not,
we would be able to simply avoid trying to address the purely aspirational
parts of the name@domain proposal.

> I don't think there is even a well

> defined way of checking "same string".


There isn't.   I hope we don't need one.

>By this I mean, does the DNS

> case insensitive and/or puny encoded rules apply?)
>

I don't know how to deal with thise complexities and never got appropriate
help with IDNA issues.  J. Klensin's advice was to make it someone else's
problem.  In any case, if you only support one domain (Or a  very small
set), you can just insist on only using the identity mappings.  BTW, there
are a few cases in which German domains involving unlauts are supported.
These use punycode rather than the utf-8 encoded umlaut characters.  I
don't know of any support for Turkish domain names.

>
> (For authentication, it is still a string, but with something that assures
> the
> server that it is legit.
>

The following are not clear:


   - what is referrent of "it"?
   - what is the "something" you are referring to?


> rick
>
> >
> > Dave what issues (not precisely drafts) are highest on your list of
> things to get resolved for us to make progress.
>

Since you asked for it, I have to say that we need to address and correct
the breakdown  in the chair function in which when one is  asking for some
specific thing that is needed,  it is neither done promptly nor is there
any explanation for the delay.  In particular, we need to avoid repetitions
of the following sorts of events:


   - The request to move the internationalization document to WGLC was not
   followed up at all.  There was neither an announcement of the change in the
   status document or request for input leading to a decision.

We now have no idea of the status of this document.  It is not clear why
this request was not addressed immediately.


   - The adoption call for for acl, security and rfc5662bis began "at or
   before" IETF120 but still, six weeks later there is neither adoption  or an
   explanation of issues preventing adoption.

What is going on here?



   - The adoption process for security started around two years ago.


There has been ample time to correct the problem.  What is missing is
sufficient attention to the process to correct the problems that exist.


>
> >
> > Chris
> >
> > _______________________________________________
> > nfsv4 mailing list -- nfsv4@ietf.org
> > To unsubscribe send an email to nfsv4-leave@ietf.org
>
> _______________________________________________
> nfsv4 mailing list -- nfsv4@ietf.org
> To unsubscribe send an email to nfsv4-leave@ietf.org
>

v2.39.1 | Report a Bug | By Email | System Status