IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Tue, 26 March 2019 15:05 UTC

Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E50D120321 for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 08:05:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E7jfgEkdyITa for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 08:05:40 -0700 (PDT)
Received: from smtp-o-3.desy.de (smtp-o-3.desy.de [IPv6:2001:638:700:1038::1:9c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53230120333 for <nfsv4@ietf.org>; Tue, 26 Mar 2019 08:05:19 -0700 (PDT)
Received: from smtp-buf-2.desy.de (smtp-buf-2.desy.de [131.169.56.165]) by smtp-o-3.desy.de (DESY-O-3) with ESMTP id 16E75280B45 for <nfsv4@ietf.org>; Tue, 26 Mar 2019 16:05:17 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-3.desy.de 16E75280B45
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1553612717; bh=G2fRR2cHVweKJeZ5SI4mSu5CB3qKL0FuTRTIso8lrzg=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=RVkclrTqshcJrAfKv0GQ7bPEeUUznwvtarwzi/nA2M7XxuWr6RbmDHMVB/vnxV65T 84VlkqFuXEnfDX+ZKtPOVFgcfSEDWfsGtwVkOgY0pjqoDQDI43eeFJRwGThVMFPrCv W18s+C6kslI+l9exYKWSZFAa+lOYyxGCZ5SUnkR4=
Received: from smtp-m-2.desy.de (smtp-m-2.desy.de [131.169.56.130]) by smtp-buf-2.desy.de (Postfix) with ESMTP id 113651A00BE; Tue, 26 Mar 2019 16:05:17 +0100 (CET)
X-Virus-Scanned: amavisd-new at desy.de
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-1.desy.de (DESY-INTRA-1) with ESMTP id B40D43E901; Tue, 26 Mar 2019 16:05:16 +0100 (MET)
Date: Tue, 26 Mar 2019 16:05:16 +0100
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Message-ID: <2020506870.740381.1553612716598.JavaMail.zimbra@desy.de>
In-Reply-To: <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com> <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de> <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Zimbra 8.8.10_GA_3781 (ZimbraWebClient - FF66 (Linux)/8.8.10_GA_3786)
Thread-Topic: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
Thread-Index: +8S0DkOvytRNo+p7AbWcwlABoXag4A==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/HlsbOcIcvoCtx2oH2jywlMQ5NVs>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 15:05:46 -0000


----- Original Message -----
> From: "Chuck Lever" <chuck.lever@oracle.com>
> To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>
> Cc: "NFSv4" <nfsv4@ietf.org>
> Sent: Tuesday, March 26, 2019 2:56:10 PM
> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

>> On Mar 25, 2019, at 4:44 PM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
>> 
>> 
>> 
>> ----- Original Message -----
>>> From: "Chuck Lever" <chuck.lever@oracle.com>
>>> To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>
>>> Cc: "NFSv4" <nfsv4@ietf.org>
>>> Sent: Monday, March 25, 2019 2:44:32 PM
>>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
>> 
>>>> On Mar 25, 2019, at 4:53 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
>>>> 
>>>> 
>>>> 
>>>> Hi Chuck,
>>>> 
>>>> By working on our implementation we got a following questions:
>>>> 
>>>> what should server do when a client requests startTLS twice? Fail
>>>> with an auth error or just ignore?
>>> 
>>> I don't have a ready answer, but seems to me your TLS library
>>> might have an opinion. Can a web browser be made to generate
>>> a second STARTTLS to see what the behavior is like?
>>> 
>>> Is there any guidance in RFC 8446 or its antecedants?
>> 
>> Looks like LDAP have that case clearly specified rfc2830:
>> 
>> 2.3:
>> 
>> ...
>> 
>>   If the Start TLS extended request was not successful, the resultCode
>>   will be one of:
>> 
>>   operationsError  (operations sequencing incorrect; e.g. TLS already
>>                    established)
>> 
>> 3.1:
>> 
>> ...
>> 
>>   The client MAY send the Start TLS extended request at any time after
>>   establishing an LDAP association, except that in the following cases
>>   the client MUST NOT send a Start TLS extended request:
>> 
>>     - if TLS is currently established on the connection, or
>> 
>> You may adopt a similar wording to rpc-over-tls. However, what about UDP and
>> retransmits?
> 
> UDP will use DTLS.
> 
> My hesitance is that STARTTLS is part of the TLS protocol, and we're
> not specifying that here, we're only using it. Surely TLS has a proper
> mechanism for managing this situation.
> 
> I would like to see a recent RFC that covers your case. RFC 6614 appears
> to require TLS negotiation to occur immediately after the underlying
> transport connection is established, and never later. Is that what you
> want?

I have my doubts, that STARTTLS is a part of TLS protocol. Anyway, what I want to
see is a clear statement about what server is suppoed to do if it sees multiple
STARTTLS requests on the same connection. Our current implementation will just
ignore the second request if TLS is already enabled.

Tigran.


> 
> 
>> Tigran.
>>> 
>>> 
>>>> It would be nice if spec will
>>>> explicitly define this situation.
>>>> 
>>>> Thanks,
>>>>  Tigran.
>>>> 
>>>> ----- Original Message -----
>>>>> From: "Dave Noveck" <davenoveck@gmail.com>
>>>>> To: "Chuck Lever" <chuck.lever@oracle.com>
>>>>> Cc: "NFSv4" <nfsv4@ietf.org>
>>>>> Sent: Friday, January 4, 2019 5:25:18 PM
>>>>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
>>>> 
>>>>>> I've been studying RFC 8471 to understand what would be needed to support
>>>>>> TLS token binding with RPC. It appears there are two components:
>>>>> 
>>>>>> - The TLS handshake is extended to indicate support for token binding
>>>>>> and negotiate the supported version
>>>>> 
>>>>>> - The upper layer protocol (RPC, in our case) is required to send a Token
>>>>>> Binding message as the first message
>>>>> 
>>>>>> We would need to provide a mechanism for encapsulating this message in
>>>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
>>>>>> RPCSEC GSS could provide a mechanism for transporting this message.
>>>>> 
>>>>> As I understand things, one of the potential goals here is to satisfactorily
>>>>> authenticate the client so that AUTH_SYS can reasonably used.  For that use
>>>>> case, I'm not sure how depending on RPCSEC GSS would fit in.
>>>>> 
>>>>>> It appears to me that there is a natural boundary between what we have
>>>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
>>>>>> Binding, such that Token Binding could be handled by a separate document.
>>>>> 
>>>>> That makes sense.
>>>>> 
>>>>>> That would allow the quick completion
>>>>> 
>>>>> Since this is the IETF, let's just say "quicker completion".
>>>>> 
>>>>>> of rpc-tls to enable encryption by
>>>>>> default using self-signed certificates, with support for Token Binding
>>>>>> to appear later.
>>>>> 
>>>>> It depens on how much later.  I don't see how it would be necessary to get
>>>>> through the RFC process, including that rigorous search for split
>>>>> infinitives, cycles
>>>>> of discussion of RFC2119 terms before starting the follow-up work on token
>>>>> binding.   Once rpc-tls is accepted as a working group document, the group
>>>>> would
>>>>> be in a position to make plans for the follow-on  work that seems to be
>>>>> warranted.
>>>>> 
>>>>>> Thoughts, comments...
>>>>> 
>>>>> If work on client autehentication is to be punted, then the document will
>>>>> need to reflect that.
>>>>> In particular, if you, as a server, are prepared to accept an
>>>>> unauthenticatted client's user
>>>>> identifications, then your security is pretty much non-existent, despite
>>>>> the fact that
>>>>> enryption prevents eavesdropping.  In that case, it probably best to say
>>>>> nothing about use
>>>>> of AUTH_SYS.
>>>>> 
>>>>>> Am I on the wrong track?
>>>>> 
>>>>> No.
>>>>> 
>>>>> On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>>>>> 
>>>>>> 
>>>>>>> On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote:
>>>>>>> 
>>>>>>> Hi Chuck
>>>>>>> 
>>>>>>> Apologies for top posting, blame MS
>>>>>>> 
>>>>>>> I was interested in the comment "We believe the combination of host
>>>>>> authentication via TLS and user authentication via RPC provides optimal
>>>>>> security, efficiency, and flexibility,". There's been a huge amount of
>>>>>> negative press for TLS client auth, but there's been a push for TLS token
>>>>>> binding as a basis for better client/server authentication. Does the
>>>>>> proposal need to consider work in this area?
>>>>>> 
>>>>>> I've been studying RFC 8471 to understand what would be needed to support
>>>>>> TLS token binding with RPC. It appears there are two components:
>>>>>> 
>>>>>> - The TLS handshake is extended to indicate support for token binding
>>>>>>  and negotiate the supported version
>>>>>> 
>>>>>> - The upper layer protocol (RPC, in our case) is required to send a Token
>>>>>>  Binding message as the first message
>>>>>> 
>>>>>> We would need to provide a mechanism for encapsulating this message in
>>>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
>>>>>> RPCSEC GSS could provide a mechanism for transporting this message.
>>>>>> 
>>>>>> It appears to me that there is a natural boundary between what we have
>>>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
>>>>>> Binding, such that Token Binding could be handled by a separate document.
>>>>>> That would allow the quick completion of rpc-tls to enable encryption by
>>>>>> default using self-signed certificates, with support for Token Binding
>>>>>> to appear later.
>>>>>> 
>>>>>> Thoughts, comments... Am I on the wrong track?
>>>>>> 
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
>>>>>>> Sent: Monday, November 19, 2018 15:56
>>>>>>> To: NFSv4 <nfsv4@ietf.org>
>>>>>>> Subject: [nfsv4] Fwd: New Version Notification for
>>>>>> draft-cel-nfsv4-rpc-tls-01.txt
>>>>>>> 
>>>>>>> 
>>>>>>> Hi-
>>>>>>> 
>>>>>>>> Begin forwarded message:
>>>>>>>> 
>>>>>>>> From: internet-drafts@ietf.org
>>>>>>>> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
>>>>>>>> Date: November 19, 2018 at 10:52:07 AM EST
>>>>>>>> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles
>>>>>>>> Lever" <chuck.lever@oracle.com>, "Chuck Lever"
>>>>>>>> <chuck.lever@oracle.com>
>>>>>>>> 
>>>>>>>> 
>>>>>>>> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been
>>>>>>>> successfully submitted by Charles Lever and posted to the IETF
>>>>>>>> repository.
>>>>>>>> 
>>>>>>>> Name:         draft-cel-nfsv4-rpc-tls
>>>>>>>> Revision:     01
>>>>>>>> Title:                Remote Procedure Call Encryption By Default
>>>>>>>> Document date:        2018-11-19
>>>>>>>> Group:                Individual Submission
>>>>>>>> Pages:                9
>>>>>>>> URL:
>>>>>> https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt
>>>>>>>> Status:
>>>>>> https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/
>>>>>>>> Htmlized:       https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01
>>>>>>>> Htmlized:
>>>>>> https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls
>>>>>>>> Diff:
>>>>>> https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01
>>>>>>>> 
>>>>>>>> Abstract:
>>>>>>>> This document describes a mechanism that enables encryption of in-
>>>>>>>> transit Remote Procedure Call (RPC) transactions with little
>>>>>>>> administrative overhead and full interoperation with RPC
>>>>>>>> implementations that do not support this mechanism.  This document
>>>>>>>> updates RFC 5531.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Please note that it may take a couple of minutes from the time of
>>>>>>>> submission until the htmlized version and diff are available at
>>>>>> tools.ietf.org.
>>>>>>>> 
>>>>>>>> The IETF Secretariat
>>>>>>> 
>>>>>>> Minor changes in revision 01:
>>>>>>> - Correct a legal issue reported by idnits
>>>>>>> - Clarify terminology throughout document
>>>>>>> - Add editor's note in Section 4.3 "Authentication"
>>>>>>> - Wordsmithing throughout
>>>>>>> 
>>>>>>> 
>>>>>>> The immediate question I have is whether members of WG feel this topic
>>>>>> and document are important enough to promote rpc-tls-01 to Working Group
>>>>>> document status. If yes, I can submit the next revision as
>>>>>> draft-ietf-nfsv4-rpc-tls-00.
>>>>>> 
>>>>>> --
>>>>>> Chuck Lever
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> nfsv4 mailing list
>>>>>> nfsv4@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
>>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> nfsv4 mailing list
>>>>> nfsv4@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
>>> 
>>> --
>>> Chuck Lever
> 
> --
> Chuck Lever

v2.23.0 | Report a Bug | By Email