IETF Logo Mail Archive

Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

Benjamin Kaduk <kaduk@mit.edu> Thu, 16 April 2020 22:12 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11C653A120F for <nfsv4@ietfa.amsl.com>; Thu, 16 Apr 2020 15:12:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3CsfGM8kXXl for <nfsv4@ietfa.amsl.com>; Thu, 16 Apr 2020 15:12:06 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EC273A120E for <nfsv4@ietf.org>; Thu, 16 Apr 2020 15:12:06 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 03GMBufc032652 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 16 Apr 2020 18:11:58 -0400
Date: Thu, 16 Apr 2020 15:11:56 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Craig Everhart <cfeverhart@gmail.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>, Lars Eggert <lars@eggert.org>
Message-ID: <20200416221156.GH69353@kduck.mit.edu>
References: <93C777E4-1C58-4307-9943-680E2527A7A3@oracle.com> <750B9471-1BC2-4E18-B8D5-F4129353DC6C@gmail.com> <591EF30D-F007-4959-A935-5FA779D2D645@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <591EF30D-F007-4959-A935-5FA779D2D645@oracle.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Hp5HCa4tu7nn9cei5GfrRZQ680Y>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2020 22:12:08 -0000

On Thu, Apr 16, 2020 at 05:31:08PM -0400, Chuck Lever wrote:
> Following up -
> 
> > On Apr 12, 2020, at 6:30 PM, Craig Everhart <cfeverhart@gmail.com> wrote:
> > 
> > Is there a reason to require TLS 1.3?  TLS 1.2 isn’t old in many contexts.
> 
> My impression is that there are well-known security exposures with earlier versions of TLS and DTLS. Therefore new protocol specifications need to cite 1.3. I understood it to be a best security practice for protocol specifications to avoid enabling the consumption of known-to-be-insecure building blocks. I don't regard the TLS 1.3 requirement as any different from requiring SHA-256 instead of less secure ciphers.
> 
> rpc-tls has had two early SecDir reviews already, and there was no complaint about the TLS 1.3 requirement from those reviews. The one AD review comment relevant to this issue was that there should be a similar version requirement for DTLS, and so the next revision of rpc-tls will require DTLS 1.3 as well.
> 
> For those following at home, the text in question is this:
> 
> 5.  TLS Requirements
> 
>   When peers negotiate a TLS session that is to transport RPC, the
>   following restrictions apply:
> 
>   o  Implementations MUST NOT negotiate TLS versions prior to v1.3
>      ([RFC8446] or [I-D.ietf-tls-dtls13]).  Support for mandatory-to-
>      implement ciphersuites for the negotiated TLS version is REQUIRED.
> 
> How do others feel about this? Is the use of a current version of TLS merely an implementation quality issue? How have specifications of other upper layer consumers of TLS dealt with this issue?
> 
> My inclination, because we are already well-past WGLC for rpc-tls, is leave it to the IESG to adjudicate this issue.

FWIW, SAAG seems to have found a consensus position that at this point new
protocols should assume 1.3 or newer.  A properly configured TLS 1.2 is not
known to be broken (and thus probably okay to allow for existing
protocols), but improper configurations of TLS 1.2 have significant
weaknesses.  So sticking with 1.3 is quick and easy and gets to a
known-secure baseline (and, if I might add, a well-designed protocol that
benefitted from extensive review and formal analysis during its
development).

In short, I expect the text in question to sail through the IESG.

-Ben

v2.23.0 | Report a Bug | By Email