Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

Tom Talpey <ttalpey@microsoft.com> Tue, 26 March 2019 17:58 UTC

From: Tom Talpey <ttalpey@microsoft.com>
To: Chuck Lever <chuck.lever@oracle.com>, Lars Eggert <lars@eggert.org>
CC: NFSv4 <nfsv4@ietf.org>
Thread-Topic: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
Thread-Index: AQHU4+Vn/M2YRfR8/UyeHEaGBO4iYKYeF5yAgAAD8ICAAAB/gIAAFWuAgAABC8A=
Date: Tue, 26 Mar 2019 17:58:36 +0000
Message-ID: <SN4PR2101MB0736EF7A385F5D95107D4118A05F0@SN4PR2101MB0736.namprd21.prod.outlook.com>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com> <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de> <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com> <2020506870.740381.1553612716598.JavaMail.zimbra@desy.de> <CAN-5tyGggDUe2DNSjRc6vAyXgGo4LVwYVK5zmTOyr0soPFVKrQ@mail.gmail.com> <3705AA25-10DF-43BF-BE1D-B0BE27F705DE@eggert.org> <0E00BED9-74D4-4594-A7AC-FCD624461DD7@eggert.org> <880CC259-A82A-401F-A81D-5FCD6A9758B3@oracle.com>
In-Reply-To: <880CC259-A82A-401F-A81D-5FCD6A9758B3@oracle.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/ZN7qr_oWghfv_W1j8I4mF8IU0Qk>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 17:58:57 -0000

> -----Original Message-----
> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
> Sent: Tuesday, March 26, 2019 1:52 PM
> To: Lars Eggert <lars@eggert.org>
> Cc: NFSv4 <nfsv4@ietf.org>
> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
> 
> 
> 
> > On Mar 26, 2019, at 12:35 PM, Lars Eggert <lars@eggert.org> wrote:
> >
> > On 2019-3-26, at 17:33, Lars Eggert <lars@eggert.org> wrote:
> >> Also note that STARTTLS is somewhat less secure than running TLS directly.
> >> See for example Section 6 of RFC3207:
> >>
> >>    A man-in-the-middle attack can be launched by deleting the "250
> >>    STARTTLS" response from the server.  This would cause the client not
> >>    to try to start a TLS session.  Another man-in-the-middle attack is
> >>    to allow the server to announce its STARTTLS capability, but to alter
> >>    the client's request to start TLS and the server's response.
> >>
> >>    ...
> >
> > And RFC8314 recommends (for mail) that "implicit TLS" should be used
> > instead of STARTTLS.
> 
> Perhaps that is what we should require for RPC on TLS;
> that is, "STARTTLS MUST NOT be used"?

It's a fine requirement, but there may need to be a justification for the MUST.

It's important to note that such a requirement means you'll need to allocate
a new port number for such connections. This would apply to any upper
layer using the new RPC flavor, which in turn might impact the portmapper.
Note, it may also have implications on the proposed negotiation. If TLS is
a "done deal", negotiating the auth flavor may be moot.

Tom.
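The following is an added illustration of the point the thread is weighing (it is not code from the thread, from draft-cel-nfsv4-rpc-tls, or from any RPC implementation). It models, in memory, the capability exchange that RFC 3207 Section 6 describes and compares three client policies: opportunistic STARTTLS, STARTTLS with TLS required, and implicit TLS on a dedicated port. The `Policy` names, the `250`-style greeting strings and the `run_client` helper are constructed for this example only; the on-path removal of the capability line is the first of the two cases quoted from RFC 3207, and the second (altering the STARTTLS request and response) is not modelled.

```python
"""Why "TLS MUST be used" fails closed while opportunistic STARTTLS fails open.

Added example for the nfsv4 thread on draft-cel-nfsv4-rpc-tls; not part of the
draft or of the messages above. Everything here is an in-memory model with
constructed message strings, so it runs offline.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # upgrade to TLS only if the server offers it
    REQUIRED = "required"            # refuse to continue without TLS (fail closed)
    IMPLICIT = "implicit"            # TLS from the first byte on a dedicated port


@dataclass
class Transcript:
    tls: bool = False        # did the session end up protected by TLS?
    aborted: bool = False    # did the client refuse to proceed?
    lines: List[str] = field(default_factory=list)


def server_greeting(offers_starttls: bool = True) -> List[str]:
    """Constructed SMTP-style capability reply in the shape RFC 3207 uses."""
    caps = ["250-example.test greets client"]
    if offers_starttls:
        caps.append("250-STARTTLS")
    caps.append("250 OK")
    return caps


def strip_starttls(caps: List[str]) -> List[str]:
    """Models the on-path deletion of the STARTTLS capability (RFC 3207 s6)."""
    return [c for c in caps if "STARTTLS" not in c]


def run_client(policy: Policy, offers_starttls: bool = True,
               on_path_strip: bool = False) -> Transcript:
    """Drive one session under the given policy and return what happened."""
    t = Transcript()

    if policy is Policy.IMPLICIT:
        # Implicit TLS: the handshake precedes any application-layer message,
        # so there is no cleartext capability exchange that could be tampered
        # with. The cost, as noted in the thread, is a separate port number.
        t.tls = True
        t.lines.append("client: TLS handshake completed before first RPC")
        return t

    caps = server_greeting(offers_starttls)
    if on_path_strip:
        caps = strip_starttls(caps)
    t.lines.extend("server: " + c for c in caps)

    if any(c.endswith("STARTTLS") for c in caps):
        t.lines.append("client: STARTTLS")
        t.tls = True
        return t

    if policy is Policy.REQUIRED:
        # A MUST-level requirement lets the client detect the missing upgrade
        # and stop, instead of silently continuing in the clear.
        t.aborted = True
        t.lines.append("client: STARTTLS not offered; refusing cleartext session")
    else:
        t.lines.append("client: continuing in cleartext")
    return t


if __name__ == "__main__":
    for pol in Policy:
        result = run_client(pol, on_path_strip=True)
        print(f"{pol.value:14s} tls={result.tls!s:5s} aborted={result.aborted}")
        for line in result.lines:
            print("   ", line)
```

With the capability line removed, the opportunistic client proceeds in cleartext, the required-TLS client aborts, and the implicit-TLS client never exposed a negotiable capability in the first place. That is the trade the thread is discussing: the stronger guarantee comes with a dedicated port rather than an in-band upgrade.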