IETF Logo Mail Archive

Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)

Thomas Haynes <loghyr@gmail.com> Wed, 11 April 2018 04:20 UTC

Return-Path: <loghyr@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B311127058; Tue, 10 Apr 2018 21:20:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jnZkfSIzWT1m; Tue, 10 Apr 2018 21:20:35 -0700 (PDT)
Received: from mail-pl0-x235.google.com (mail-pl0-x235.google.com [IPv6:2607:f8b0:400e:c01::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15F49124D68; Tue, 10 Apr 2018 21:20:35 -0700 (PDT)
Received: by mail-pl0-x235.google.com with SMTP id bj1-v6so424877plb.8; Tue, 10 Apr 2018 21:20:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=WSya0COpwmti2Un1kglauL+gg4K9O70K9q4QSDsLi8w=; b=TgquM/ecRHbC2moiu8ALzFSLFqJi0ZwZIFh/FHoIjEptLRYxmCPjCDwwz55IILU2u1 crAg03+YxlrKB0WzKe2T2iSRl2cArTTdmQsVEcd1r40s4+kck6Jo7msjufBFWjhVcVUW Q9ff5LmpX+K7d17y8RbTI0bNcnmME6KRqKLshDbUT4hrLswSx55ralYqjuJfaiX4Q01q 4GmTHV62eowk+N5uDO8GkM69yTZdrciN8ubqho2nkUkdeO4fbJRQrat1G0MvhRuaf9Jt 2+k+pm9Kcf8vw5V2/0aT6QODC0+oTrpo7C7eoIP57lcFkGI2900pefUz0nKNMAP5nMxn L9DQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=WSya0COpwmti2Un1kglauL+gg4K9O70K9q4QSDsLi8w=; b=D9Hd2yQn9bLJBlh9h7IxdiEGIWRGRYE3JPW9wu9+PEjq5BWJAvA9IYoQu1pN7izOQo +Hux8PJH3w5yNtpAxE3J7F82x4rQMuX3Nw1OZXDTt3i2AornJdpDiW0/3Ca5iBW9AXnL ONWDvl6IFpn73AIDPqhF3bg/Sf3tQlflIGq35AobNxnnfC//pFaRhPkF8S725o4pg8ZI W0c4mJcksO4EEhAa8F1jRT+SMZn6cMocNjKk5R9I1f/tF7CbsLpDwNO6Ob0QjSfyf5EN SU9iTxJJlTcGo/VC33ZyvuBGBtMyhkrHIGH02rn8yr/ELA3u2XBoi9ifxYyKnusx4UQJ CPCg==
X-Gm-Message-State: ALQs6tDiC1K+RVl+M4qiajt5+TSakEjlkKAvxUjzOnxriAuyBPfQrPsW 136nE8xG3lwkDNwcu6qJuu0=
X-Google-Smtp-Source: AIpwx48fphm5tmDASHC/BJ/kJUSPVwjyxJgnIJvSqcCJeDXxIRcHM9mNjAIw7Oxh7KrG/N0k666nHg==
X-Received: by 2002:a17:902:ab94:: with SMTP id f20-v6mr3356492plr.375.1523420434548; Tue, 10 Apr 2018 21:20:34 -0700 (PDT)
Received: from loghyr.internal.excfb.com (c-69-181-67-218.hsd1.ca.comcast.net. [69.181.67.218]) by smtp.gmail.com with ESMTPSA id j125sm497011pfg.188.2018.04.10.21.20.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Apr 2018 21:20:33 -0700 (PDT)
From: Thomas Haynes <loghyr@gmail.com>
Message-Id: <5C013DFE-96E3-4B74-B597-5F3FE1D314C6@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F3F10634-8EE6-4579-A1EE-346B67F663CB"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Tue, 10 Apr 2018 21:20:32 -0700
In-Reply-To: <CABcZeBMhEHhV1ie=TNqrj_arupO=kd27houBpZgdqZw1pPMfww@mail.gmail.com>
Cc: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, The IESG <iesg@ietf.org>, draft-ietf-nfsv4-flex-files@ietf.org, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
To: Eric Rescorla <ekr@rtfm.com>
References: <151683050192.22597.10931170494891133045.idtracker@ietfa.amsl.com> <9FD918F5-D08C-45FC-B6BB-30CBB3D4EC51@gmail.com> <CABcZeBPE5gV3KPpRpRxAtYRSSCZh8+3-fcf-1VsxF3AxmomnwQ@mail.gmail.com> <F2ADAD73-6AB3-45EF-B6FE-033E01F58D8E@gmail.com> <CAKKJt-e=81qyR3YXNb9imu8kzk6+nCYgMjeZqHNwt3xi4CfNxQ@mail.gmail.com> <CABcZeBPM_Rnb0QZvbvBpUCNd6yurtz0ipexUQscmnG_samb2RA@mail.gmail.com> <FD8AF7AF-632A-461C-A82A-BC0711B2F8D0@gmail.com> <CABcZeBMhEHhV1ie=TNqrj_arupO=kd27houBpZgdqZw1pPMfww@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Kg-XUoO4LyjL4KgAgVsyb328Lv4>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 04:20:37 -0000

Hi Eric,

You are asking good questions, they illustrate how the community is too close to
the problem.

In the fourth paragraph of Section 15, there is the recommended case:
  
   The combination of file handle, synthetic uid, and gid in the layout
   are the way that the metadata server enforces access control to the
   data server.  The directory namespace on the storage device SHOULD
   only be accessible to the metadata server and not the clients. 
….

In that context, the client has no access to the storage device’s namespace,
and as such, cannot easily do a READDIR or LOOKUP for traversing.
It can snoop the file handles going to the storage device, but unlike a
normal server, the credentials can change underneath the client. I.e.,
they are not controlled by an app, but by the metadata server.

If we allow access to the directory namespace, as suggested by paragraph 5:



   If the configuration of the storage device is such that clients can
   access the directory namespace, then the access control degrades to
   that of a typical NFS server with exports with a security flavor of
   AUTH_SYS.  Any client which is allowed access can forge credentials
   to access any data file.  The caveat is that the rogue client might
   have no knowledge of the data file's type or position in the metadata
   directory namespace.

then we “degrade” the security back to that faced by a normal server.

The point isn’t that flex file is more secure, but that by taking care of
how exports are managed on the storage devices, admins can do a bit
better than awful.

Hope this explains it.

Thanks,
Tom


> On Apr 10, 2018, at 5:53 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Tue, Apr 10, 2018 at 5:02 PM, Tom Haynes <loghyr@gmail.com <mailto:loghyr@gmail.com>> wrote:
> No, it does not have better security than typical NFS, it has the same security.
> 
> OK, then I'm confused about "degrades to"  Can you help me with that?
> 
> 
> The synthetic IDs control access to the files and the metadata server can
> modify them to fence off a rogue client*, but in the end, the security of any
> AUTH_SYS approach is limited.
> 
> * By rogue client I do not mean malicious, I mean one which had established
> a connection with the metadata server, was handed a layout, and then when
> the layout was recalled, took over 91s to return that layout. It is probable that
> there is a network partition between the client and the metadata server and
> it is unknown if there is one between the client and the storage device. The
> fencing act causes the client to become aware that it needs to once again
> reach out to the metadata server.
> 
> The security aspect of this version of the flex file layout type is to be as secure
> as any other NFS in a data center environment.
> 
> The goal of the next version of the flex file layout type is to be as secure
> as any other NFS in the WAN. I.e., kerberized connections.
> 
> 
>> On Apr 10, 2018, at 4:25 PM, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>> 
>> Not entirely. I'm inferring from the following text that this draft is
>> supposed to have somewhat better security than typical NFS, but it's
>> not really clear.
>> 
>> 
>>    If the configuration of the storage device is such that clients can
>>    access the directory namespace, then the access control degrades to
>>    that of a typical NFS server with exports with a security flavor of
>>    AUTH_SYS.
>> 
>> On Tue, Apr 10, 2018 at 11:43 AM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>> wrote:
>> Hi, Eric,
>> 
>> On Mon, Apr 2, 2018 at 2:56 PM, Tom Haynes <loghyr@gmail.com <mailto:loghyr@gmail.com>> wrote:
>> Hi Eric,
>> 
>> Kathleen has removed her “discuss” from this document (the new version was pushed,
>> which satisfied her need for the SecDir review.
>> 
>> Could you please revisit your position on this draft?
>> 
>> I'm just following up on this one - could you take a look at whether -17 addresses your Discuss position?
>> 
>> Thanks,
>> 
>> Spencer
>> 
>> (diff from telechat version is https://tools.ietf.org/rfcdiff?url1=draft-ietf-nfsv4-flex-files-15.txt&url2=draft-ietf-nfsv4-flex-files-17.txt <https://tools.ietf.org/rfcdiff?url1=draft-ietf-nfsv4-flex-files-15.txt&url2=draft-ietf-nfsv4-flex-files-17.txt>) 
>> 
> 
>

v2.23.0 | Report a Bug | By Email