Re: [nfsv4] NFS over TLS for floating clients

"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Sat, 07 March 2020 15:56 UTC

Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D23953A1534 for <nfsv4@ietfa.amsl.com>; Sat, 7 Mar 2020 07:56:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Level:
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.998, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1t5d2uhvWkP for <nfsv4@ietfa.amsl.com>; Sat, 7 Mar 2020 07:56:00 -0800 (PST)
Received: from smtp-o-2.desy.de (smtp-o-2.desy.de [131.169.56.155]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9B143A1531 for <nfsv4@ietf.org>; Sat, 7 Mar 2020 07:55:58 -0800 (PST)
Received: from smtp-buf-2.desy.de (smtp-buf-2.desy.de [131.169.56.165]) by smtp-o-2.desy.de (Postfix) with ESMTP id 9E731160642 for <nfsv4@ietf.org>; Sat, 7 Mar 2020 16:55:56 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-2.desy.de 9E731160642
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1583596556; bh=Pnk9t+Rg+MpvX/MCUCU1x5d6cUdmJHcjSJ+e2I2Rp9Q=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=rjkRD19u8zE8pe+33bXUZUXgAiEdIMjemLdK4SWEwU7uOPoAZGgWdd613xOsgci8F GUlMhqIoBg4KeXrVhw9UEN5K9goZDtBRCLZ74Wnw0kqkmrFxDC8D7x3r8pDGiWzcwo lcZFzW0H5Fg9QtZ5qSw8fVpcO8JHrforo9emwOu0=
Received: from smtp-m-2.desy.de (smtp-m-2.desy.de [131.169.56.130]) by smtp-buf-2.desy.de (Postfix) with ESMTP id 982641A008A; Sat, 7 Mar 2020 16:55:56 +0100 (CET)
X-Virus-Scanned: amavisd-new at desy.de
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-3.desy.de (Postfix) with ESMTP id 6F02B80005; Sat, 7 Mar 2020 16:55:56 +0100 (CET)
Date: Sat, 7 Mar 2020 16:55:55 +0100 (CET)
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: Chuck Lever <chuck.lever@oracle.com>, NFSv4 <nfsv4@ietf.org>
Message-ID: <1516420788.3603156.1583596555938.JavaMail.zimbra@desy.de>
In-Reply-To: =?utf-8?q?=3CYTBPR01MB337492D0040004268BF41E89DDE30=40YTBPR01MB?= =?utf-8?q?3374=2ECANPRD01=2EPROD=2EOUTLOOK=2ECOM=3E?=
References: =?utf-8?q?=3CYTBPR01MB337482A9420C1AEF05466D3FDDE30=40YTBPR01MB3?= =?utf-8?q?374=2ECANPRD01=2EPROD=2EOUTLOOK=2ECOM=3E?= =?utf-8?q?=3C9A4AABCC-D41D-4E91-BF79-54108F78BB41=40oracle=2Ecom=3E_=3CYTBP?= =?utf-8?q?R01MB337492D0040004268BF41E89DDE30=40YTBPR01MB3374=2ECANPRD01=2EP?= =?utf-8?q?ROD=2EOUTLOOK=2ECOM=3E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Mailer: Zimbra 8.8.15_GA_3901 (ZimbraWebClient - FF73 (Linux)/8.8.15_GA_3895)
Thread-Topic: NFS over TLS for floating clients
Thread-Index: AQHV82BAxp9O6fa7qEu4EnWyACrtOKg7ymSAgABjgw/0d5NzrA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Jh8vA2zpq6ai4ub2EyjM57vtyco>
Subject: Re: [nfsv4] NFS over TLS for floating clients
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Mar 2020 15:56:02 -0000
X-List-Received-Date: Sat, 07 Mar 2020 15:56:02 -0000


----- Original Message -----
> From: "Rick Macklem" <rmacklem@uoguelph.ca>
> To: "Chuck Lever" <chuck.lever@oracle.com>
> Cc: "NFSv4" <nfsv4@ietf.org>
> Sent: Saturday, March 7, 2020 12:02:32 AM
> Subject: Re: [nfsv4] NFS over TLS for floating clients

> Chuck Lever wrote:
>>Hi Rick-
>>
>>Just a couple of observations below.
> [good stuff snipped]
>>I wrote:
>>>
>>> Acquiring a certificate from a "well known trust anchor" might be a
>>> significant effort that will discourage use of TLS. (Again, you can easily
>>> create a self-signed certificate with a couple of openssl commands.)
>>> --> Maybe this could be a recommendation instead of a MUST and
>>>       the choice of accepting a self-signed certificate be left up to the
>>>       client via configuration?
>>
>>In a Proposed Standard, IMO we want to keep very strong security
>>recommendations. An implementer or administrator is of course free
>>to ignore these requirements, at some risk to them.
> Sure, I can live with this.
> 
> My only concern is, that if it sound difficult to do, the NFS admins. won't
> bother, similar to not bothering to set up KDCs.

Running a local CA is much simpler than KDCs and there are plenty of tools, including
hard-core openssl or cfssl toolkit from cloudflare. The main different it that you never
need an additional central server, like in case of kerberos. Thus I can just create
a self-signed server and client certificates and have a secure NFS within minutes.

Regards,
   Tigran.


> 
> Thanks for the comments everyone, rick
> 
>> So, what do others think about this? rick
> 
> --
> Chuck Lever
> 
> 
> 
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4