Re: [nfsv4] Request for WG Last Call
Olga Kornievskaia <aglo@citi.umich.edu> Mon, 24 July 2017 21:13 UTC
Return-Path: <olga.kornievskaia@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5AD4131F2B for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 14:13:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iAp3S97PxJ0F for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 14:13:47 -0700 (PDT)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DCC0131F28 for <nfsv4@ietf.org>; Mon, 24 Jul 2017 14:13:47 -0700 (PDT)
Received: by mail-qk0-x231.google.com with SMTP id t2so62940994qkc.1 for <nfsv4@ietf.org>; Mon, 24 Jul 2017 14:13:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=vsB0z9Qe483xU6TNbhNzypPxyQ0dCJADCwwW3ZdmYNc=; b=JAC677wfcLHM9T6iLehSiXjEy9SvK4EmH/R8Z6MzFPUFm+Ct1a8Q6ghSQsMhVb+To5 9Buzo6oFQ65yzhnfMVJD7Q9XfCR2VPQyJGwziLayO6h5i4xoYAwJMXNLBWgWvv2JYDl7 XxLddW9X3TbtTSV0Q/u+NELa7PrrjbfYnF0cShVkC5VVCiLzNUkE4jfd+cq4zcF4gIQc hmCI47+HFunV04U/OE1CxX5rCICpAf2TqRaBXNW+48ipu0BEfevT8djWu4lruk9cAMWb e0Fu1DvcRtWMt7H/kHYPcH2GzjGHVTsCHCx/pXEOYe7NjRwzQ6g71AG0bgHB7ncOCngS ZQbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=vsB0z9Qe483xU6TNbhNzypPxyQ0dCJADCwwW3ZdmYNc=; b=Q0Dg+UaDbXWyZMbxXkr8FARbk1IEmR9qcjp+6n3UkkmPXs9zkdekM16zwGBsNmDbUu XiqgtuQhcosAXPcCHwXs/j6Iq7qLnnxiK/1td9J0kcOIVndw2sduSYSnlNw13uw60734 KeemKnHmYG0yPRx2e0liqUi9oNYwEjR8NH6UDFhctNPoKobMpJKXoY7nD2JPitmWNe2A E1zFuMn/zeB2hSeMmSJHWT1HIrrd6HNDk2dgfrcp5rhIP46UxtY3+Oaxlx/PSf3TrNRv g0FKXk2XZ93QvQD7lIahcstz4krkYMdWQqZKZ4b5CnxLeUI52p/VV3DKlk2q2JBwIQE4 zJGw==
X-Gm-Message-State: AIVw110ZysTqT58VU7q6kzcjMKLDwD9gXVDMPsxcUqqjPJci1TMBfWJB rTbD2agspU4fgo0jncJYYx5M+2nL9A==
X-Received: by 10.55.201.202 with SMTP id m71mr22811269qkl.140.1500930826179; Mon, 24 Jul 2017 14:13:46 -0700 (PDT)
MIME-Version: 1.0
Sender: olga.kornievskaia@gmail.com
Received: by 10.12.186.159 with HTTP; Mon, 24 Jul 2017 14:13:45 -0700 (PDT)
In-Reply-To: <3D63CFB2-D6EC-4BD5-A735-724329A6252A@primarydata.com>
References: <3D63CFB2-D6EC-4BD5-A735-724329A6252A@primarydata.com>
From: Olga Kornievskaia <aglo@citi.umich.edu>
Date: Mon, 24 Jul 2017 17:13:45 -0400
X-Google-Sender-Auth: _GAIPn3kGQ4no02luesyDgpQoaw
Message-ID: <CAN-5tyFOzZqAXzCnkUeAKbxswth4GR5CH8CWL1qNtZR6y1xQ5A@mail.gmail.com>
To: Thomas Haynes <loghyr@primarydata.com>
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/LNrfD8fMhRKS5d550eqBgZPJmt0>
Subject: Re: [nfsv4] Request for WG Last Call
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 21:13:50 -0000
On Thu, Jul 20, 2017 at 7:57 AM, Thomas Haynes <loghyr@primarydata.com> wrote: > One of my AIs from the IETF meeting was to inform the WG that I wanted the > following two documents to be in WGLC: > > https://datatracker.ietf.org/doc/draft-ietf-nfsv4-flex-files/ - draft 12 Comments with respect to 15.1.1. It is not a good idea to have a file server be a KDC as well. From MIT folks: https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html warning .... "It is best to install and run KDCs on secured and dedicated hardware with limited access. If your KDC is also a file server, FTP server, Web server, or even just a client machine, someone who obtained root access through a security hole in any of those areas could potentially gain access to the Kerberos database." 15.1.1 is too short and unclear for such a strong suggestion. Is the spec proposing to define a new kerberos realm specific for the "synthetic" users (uids)? Non-pkinit Kerberos is password based so what passwords are associated with the synthetic uids and how does the user know them? The statement controlling access by "expiring ticket" doesn't make sense. Once the Kerberos ticket is issued it's valid until it expires. You can control it by issuing extremely short-lived tickets but that would be a pain that your IO would be stopped because the lifetime of the ticket is too short. Also, if there is an assumption that MDS is the KDC and all other DSs are a part of that realm, then why can't we start with an assumption that MDS and DSs are a part of the "original" realm that user used to authenticate to the KDC. If in loosely-coupled there is no control of stateids or security, then (in my opinion) it can't use Kerberos as a security mechanism. If DSs say reside in different Kerberos realms, then there is such a thing as cross-domain Kerberos authentication and it is being used in practice. My suggestion is to scrap Kerberos from 15.1.1 loosely coupled and just leave the synthetic uids fencing.
- [nfsv4] Request for WG Last Call Thomas Haynes
- Re: [nfsv4] Request for WG Last Call Olga Kornievskaia
- Re: [nfsv4] Request for WG Last Call Thomas Haynes
- Re: [nfsv4] Request for WG Last Call Mkrtchyan, Tigran
- Re: [nfsv4] Request for WG Last Call Thomas Haynes