Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Fri, 04 May 2018 00:14 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97129124BAC for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 17:14:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Tc4uBovGVo4 for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 17:13:59 -0700 (PDT)
Received: from mail-ot0-x243.google.com (mail-ot0-x243.google.com [IPv6:2607:f8b0:4003:c0f::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C863212D86E for <nfsv4@ietf.org>; Thu, 3 May 2018 17:13:58 -0700 (PDT)
Received: by mail-ot0-x243.google.com with SMTP id 15-v6so7853803otn.12 for <nfsv4@ietf.org>; Thu, 03 May 2018 17:13:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7ITp4t1Jzco2GKcBcjklEGgH9vWWlD+c/sUEKf5fruY=; b=VX531/pOWVST0RDYyKxkVF7NgBLyhcmXohZlZdyRgJx7soCERuN2HdqYCo8LrjE6vc sM/aSHfk8kXwem+DEGnNOQUuXCV/6Wd7LWSR0RSm4lgSjlbvmMNaoIqR3Bs3D8SXqbdu FXzNOeuMy8CdWAkGzvkqYnjLTw0fHXDDE7l43qii39Dr2N3taH+lgaEt8uDwGIusdm1I cFU386Y4FQ94wFuxXikdpZ1dfHjJiRKYU4Bu9uJBrxTy3b/fxsGdPxQ5xY8d0SCvASN0 OWOEuMDQEtDH+JyEc7tXjjyx42AA8paPkriTsR0F2VSiosD7/JKLI4HK1wM3HNJZqndF fiwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7ITp4t1Jzco2GKcBcjklEGgH9vWWlD+c/sUEKf5fruY=; b=onNceevU/9dOmq9GmnwNkcYLLROQ4uudxicFdpMX+NknhNkebxkHDGcKu34X8s+nYD 9byH2LuCQdH3R9KzBLN6ZecFRNOyhSabIpulmGfSOTKKie33JyrMXbnUcHIESjUXjVRJ 22t3n2O92EVy1XMDE1B+g27Q8PZ1F5RKD9ZgHPMs7xMQahcspu/BuMr2TFl99IXbaHK9 KXEEW4UYVW9LG5sdhCzMyl3TPawbL0tcHb1R8+iwbieE6yQuTZtfpjgA30/Ph1n8S0CH KVzOh3P6DNN6exX6asmfhAkug6NFtm66pzXRo1mHMwIBKuipOrEbKkddFQBziBfzjqqa PNww==
X-Gm-Message-State: ALQs6tC/jEcG2eOWqSTtAXhHBGqjNNetYIa+h2IaftlAykrf/WZDEVsk rcvuduYl0FUwjcxM7Y+FGsGQumxyiVZGoMrMollvUg==
X-Google-Smtp-Source: AB8JxZpWuIrIypsZu7tBpXZ2DQjjITY4aK+4mbKMmpeShi2U2iiDEoIz7V8PEsYrJFgATPwnfLp4rU9Ruvr6wmBTgN8=
X-Received: by 2002:a9d:72c6:: with SMTP id d6-v6mr5114044otk.392.1525392838141; Thu, 03 May 2018 17:13:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Thu, 3 May 2018 17:13:17 -0700 (PDT)
In-Reply-To: <9A3E372B-809E-4DA6-81FE-6ABBFC8E8DB6@gmail.com>
References: <151683050192.22597.10931170494891133045.idtracker@ietfa.amsl.com> <9FD918F5-D08C-45FC-B6BB-30CBB3D4EC51@gmail.com> <CABcZeBPE5gV3KPpRpRxAtYRSSCZh8+3-fcf-1VsxF3AxmomnwQ@mail.gmail.com> <F2ADAD73-6AB3-45EF-B6FE-033E01F58D8E@gmail.com> <CAKKJt-e=81qyR3YXNb9imu8kzk6+nCYgMjeZqHNwt3xi4CfNxQ@mail.gmail.com> <CABcZeBPM_Rnb0QZvbvBpUCNd6yurtz0ipexUQscmnG_samb2RA@mail.gmail.com> <FD8AF7AF-632A-461C-A82A-BC0711B2F8D0@gmail.com> <CABcZeBMhEHhV1ie=TNqrj_arupO=kd27houBpZgdqZw1pPMfww@mail.gmail.com> <5C013DFE-96E3-4B74-B597-5F3FE1D314C6@gmail.com> <CAKKJt-deRBop1n8sv6dNaqUL_RUWxWMELutWubRdTOovKXEHwg@mail.gmail.com> <3670A5DF-4E11-4848-AE28-354F45F50D2B@gmail.com> <CAKKJt-dmcqLULhe_92wwOqVTcxKweB4YqiPKxoePRZAiQfv-Mg@mail.gmail.com> <CABcZeBMNQKV8m3Z46rsMKjraaHH5zCcKEe-Vo-b+Yo2SRQjTYg@mail.gmail.com> <897972F7-E7B8-4C6D-9470-CBD44B229CE7@gmail.com> <D64530FC-0FA1-4955-AA8A-31CEB32703BA@gmail.com> <CABcZeBNu+V+qTcw3FB=vDijN3-G-5w17rnDy5xSuativiXpU7g@mail.gmail.com> <9A3E372B-809E-4DA6-81FE-6ABBFC8E8DB6@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 03 May 2018 17:13:17 -0700
Message-ID: <CABcZeBNfqyNMvx7h+1_zrM6QoL3-YS=4-3rc80khs-PZBj3D9g@mail.gmail.com>
To: Tom Haynes <loghyr@gmail.com>
Cc: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, draft-ietf-nfsv4-flex-files@ietf.org, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
Content-Type: multipart/alternative; boundary="00000000000042ba94056b5632b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/LYNtV45IKUChvhZZR6xya56dIuM>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 00:14:01 -0000

LGTM

On Thu, May 3, 2018 at 4:50 PM, Tom Haynes <loghyr@gmail.com> wrote:

> More in line?
>
>
>     The combination of components in a pNFS system is required to
>     preserve the security properties of NFSv4.1+ with respect to
>     an entity accessing data via a client.  The pNFS feature
>     partitions the NFSv4.1+ file system protocol into two parts,
>     the control protocol and the data protocol.  As the control
>     protocol in this document is NFS, the security properties are
>     equivalent to that version of NFS.  The Flexible File
>     Layout further divides the data protocol into metadata and data
>     paths. The security properties of the metadata path are equivalent
>     to those of NFSv4.1x (see Sections 1.7.1 and 2.2.1 of
>     [RFC5661]).  And the security properties of the data
>     path are equivalent to those of the version of NFS used to
>     access the storage device, with the provision that the metadata
>     server is responsible for authenticating client access to the
>     data file.  The metadata server provides appropriate credentials
>     to the client to access data files on the storage device.  It
>     is also responsible for revoking access for a client to the
>     storage device.
>
>
> On May 3, 2018, at 3:45 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> I'm sorry, but I still find this really opaque.
>
> What I'm looking for is a simple statement. Either "The security
> properties of the protocol described in this document are equivalent to
> those of NFS vX"
> or "The security properties of the protocol described in this document are
> equivalent to those of NFS vX if you do X, Y, and Z" or
> "The security properties of the protocol described in this document are
> different from those of NFS vX in the following ways"
>
> -Ekr
>
>
>
> On Wed, May 2, 2018 at 1:43 PM, Tom Haynes <loghyr@gmail.com> wrote:
>
>> Hi Eric,
>>
>> I haven’t seen a reply to this one.
>>
>> The current draft-18 has the changes mentioned in this thread.
>>
>> It has:
>>
>>
>>    The pNFS feature partitions the NFSv4.1+ file system protocol into
>>    two parts, the control path and the data path (storage protocol).
>>    The control path contains all the new operations described by this
>>    feature; all existing NFSv4 security mechanisms and features apply to
>>    the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]).  The
>>    combination of components in a pNFS system is required to preserve
>>    the security properties of NFSv4.1+ with respect to an entity
>>    accessing data via a client, including security countermeasures to
>>    defend against threats that NFSv4.1+ provides defenses for in
>>    environments where these threats are considered significant.
>>
>>    The metadata server is primarily responsible for securing the data
>>    path.  It has to authenticate the client access and provide
>>    appropriate credentials to the client to access data files on the
>>    storage device.  Finally, it is responsible for revoking access for a
>>    client to the storage device.
>>
>> Would having something like:
>>
>>    The pNFS feature partitions the NFSv4.1+ file system protocol into
>>    two parts, the control path and the data path (storage protocol).
>>    The control path contains all the new operations described by this
>>    feature; all existing NFSv4 security mechanisms and features apply to
>>    the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]).  The
>>    combination of components in a pNFS system is required to preserve
>>    the security properties of NFSv4.1+ with respect to an entity
>>    accessing data via a client, including security countermeasures to
>>    defend against threats that NFSv4.1+ provides defenses for in
>>    environments where these threats are considered significant.
>>
>>    The data path is also constrained to security mechanisms of the
>>    NFS version being used between the client and the storage
>>    device. The metadata server authenticates the client access and
>> provides
>>    appropriate credentials to the client to access data files on the
>>    storage device.  Finally, it is responsible for revoking access for a
>>    client to the storage device.
>>
>> be better for you?
>>
>> Thanks,
>> Tom
>>
>> On Apr 11, 2018, at 2:25 PM, Tom Haynes <loghyr@gmail.com> wrote:
>>
>> Hi Eric,
>>
>> It is the same.
>>
>> Section 2.2:
>>
>>    It is RECOMMENDED to implement common access control methods at the
>>    storage device filesystem to allow only the metadata server root
>>    (super user) access to the storage device, and to set the owner of
>>    all directories holding data files to the root user.  This approach
>>    provides a practical model to enforce access control and fence off
>>    cooperative clients, but it can not protect against malicious
>>    clients; hence it provides a level of security equivalent to
>>    AUTH_SYS.  It is RECOMMENDED that the communication between the
>>    metadata server and storage device be secure from eavesdroppers and
>>    man-in-the-middle protocol tampering.  The security measure could be
>>    due to physical security (e.g., the servers are co-located in a
>>    physically secure area), from encrypted communications, or some other
>>    technique.
>>
>> (By the way, this contradicts the original text in my first paragraph
>> below
>> and is why we needed a change.)
>>
>> And as for why, Section 15.1.1 discusses why RPCSEC_GSS is not
>> provided in this version of the Flex File Layout Type.
>>
>> Thanks,
>> Tom
>>
>> On Apr 11, 2018, at 1:52 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>> Hi Tom.
>>
>> This text is clear, but I fear it doesn't answer the question I asked in
>> my discuss: how does the security here compare to ordinary NFS and why.
>>
>> -Ekr
>>
>>
>> On Wed, Apr 11, 2018 at 11:08 AM, Spencer Dawkins at IETF <
>> spencerdawkins.ietf@gmail.com> wrote:
>>
>>> Hi, Tom,
>>>
>>> On Wed, Apr 11, 2018 at 12:38 PM, Tom Haynes <loghyr@gmail.com> wrote:
>>>
>>>> So actually, after thinking about, the discussion about securing the
>>>> namespace on
>>>> the storage device is wrong.
>>>>
>>>> The current text is:
>>>>
>>>>
>>>>    The combination of file handle, synthetic uid, and gid in the layout
>>>>    are the way that the metadata server enforces access control to the
>>>>    data server.  The directory namespace on the storage device SHOULD
>>>>    only be accessible to the metadata server and not the clients.  In
>>>>    that case, the client only has access to file handles of file objects
>>>>    and not directory objects.  Thus, given a file handle in a layout, it
>>>>    is not possible to guess the parent directory file handle.  Further,
>>>>    as the data file permissions only allow the given synthetic uid read/
>>>>    write permission and the given synthetic gid read permission, knowing
>>>>    the synthetic ids of one file does not necessarily allow access to
>>>>    any other data file on the storage device.
>>>>
>>>>    The metadata server can also deny access at any time by fencing the
>>>>    data file, which means changing the synthetic ids.  In turn, that
>>>>    forces the client to return its current layout and get a new layout
>>>>    if it wants to continue IO to the data file.
>>>>
>>>>    If the configuration of the storage device is such that clients can
>>>>    access the directory namespace, then the access control degrades to
>>>>    that of a typical NFS server with exports with a security flavor of
>>>>    AUTH_SYS.  Any client which is allowed access can forge credentials
>>>>    to access any data file.  The caveat is that the rogue client might
>>>>    have no knowledge of the data file's type or position in the metadata
>>>>    directory namespace.
>>>>
>>>> My replacement would be:
>>>>
>>>>    The combination of file handle, synthetic uid, and gid in the layout
>>>>    are the way that the metadata server enforces access control to the
>>>>    data server.  The client only has access to file handles of file
>>>>    objects and not directory objects.  Thus, given a file handle in a
>>>>    layout, it is not possible to guess the parent directory file handle.
>>>>    Further, as the data file permissions only allow the given synthetic
>>>>    uid read/write permission and the given synthetic gid read
>>>>    permission, knowing the synthetic ids of one file does not
>>>>    necessarily allow access to any other data file on the storage
>>>>    device.
>>>>
>>>>    The metadata server can also deny access at any time by fencing the
>>>>    data file, which means changing the synthetic ids.  In turn, that
>>>>    forces the client to return its current layout and get a new layout
>>>>    if it wants to continue IO to the data file.
>>>>
>>>
>>> Thanks for proposing new text here.
>>>
>>> Spencer (S) as shepherd and WG co-chair, does this look like something
>>> that would come as a surprise to the working group?
>>>
>>> Spencer (D) as AD
>>>
>>
>>
>>
>>
>
>