Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Fri, 04 May 2018 00:14 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97129124BAC for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 17:14:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Tc4uBovGVo4 for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 17:13:59 -0700 (PDT)
Received: from mail-ot0-x243.google.com (mail-ot0-x243.google.com [IPv6:2607:f8b0:4003:c0f::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C863212D86E for <nfsv4@ietf.org>; Thu, 3 May 2018 17:13:58 -0700 (PDT)
Received: by mail-ot0-x243.google.com with SMTP id 15-v6so7853803otn.12 for <nfsv4@ietf.org>; Thu, 03 May 2018 17:13:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7ITp4t1Jzco2GKcBcjklEGgH9vWWlD+c/sUEKf5fruY=; b=VX531/pOWVST0RDYyKxkVF7NgBLyhcmXohZlZdyRgJx7soCERuN2HdqYCo8LrjE6vc sM/aSHfk8kXwem+DEGnNOQUuXCV/6Wd7LWSR0RSm4lgSjlbvmMNaoIqR3Bs3D8SXqbdu FXzNOeuMy8CdWAkGzvkqYnjLTw0fHXDDE7l43qii39Dr2N3taH+lgaEt8uDwGIusdm1I cFU386Y4FQ94wFuxXikdpZ1dfHjJiRKYU4Bu9uJBrxTy3b/fxsGdPxQ5xY8d0SCvASN0 OWOEuMDQEtDH+JyEc7tXjjyx42AA8paPkriTsR0F2VSiosD7/JKLI4HK1wM3HNJZqndF fiwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7ITp4t1Jzco2GKcBcjklEGgH9vWWlD+c/sUEKf5fruY=; b=onNceevU/9dOmq9GmnwNkcYLLROQ4uudxicFdpMX+NknhNkebxkHDGcKu34X8s+nYD 9byH2LuCQdH3R9KzBLN6ZecFRNOyhSabIpulmGfSOTKKie33JyrMXbnUcHIESjUXjVRJ 22t3n2O92EVy1XMDE1B+g27Q8PZ1F5RKD9ZgHPMs7xMQahcspu/BuMr2TFl99IXbaHK9 KXEEW4UYVW9LG5sdhCzMyl3TPawbL0tcHb1R8+iwbieE6yQuTZtfpjgA30/Ph1n8S0CH KVzOh3P6DNN6exX6asmfhAkug6NFtm66pzXRo1mHMwIBKuipOrEbKkddFQBziBfzjqqa PNww==
X-Gm-Message-State: ALQs6tC/jEcG2eOWqSTtAXhHBGqjNNetYIa+h2IaftlAykrf/WZDEVsk rcvuduYl0FUwjcxM7Y+FGsGQumxyiVZGoMrMollvUg==
X-Google-Smtp-Source: AB8JxZpWuIrIypsZu7tBpXZ2DQjjITY4aK+4mbKMmpeShi2U2iiDEoIz7V8PEsYrJFgATPwnfLp4rU9Ruvr6wmBTgN8=
X-Received: by 2002:a9d:72c6:: with SMTP id d6-v6mr5114044otk.392.1525392838141; Thu, 03 May 2018 17:13:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Thu, 3 May 2018 17:13:17 -0700 (PDT)
In-Reply-To: <9A3E372B-809E-4DA6-81FE-6ABBFC8E8DB6@gmail.com>
References: <151683050192.22597.10931170494891133045.idtracker@ietfa.amsl.com> <9FD918F5-D08C-45FC-B6BB-30CBB3D4EC51@gmail.com> <CABcZeBPE5gV3KPpRpRxAtYRSSCZh8+3-fcf-1VsxF3AxmomnwQ@mail.gmail.com> <F2ADAD73-6AB3-45EF-B6FE-033E01F58D8E@gmail.com> <CAKKJt-e=81qyR3YXNb9imu8kzk6+nCYgMjeZqHNwt3xi4CfNxQ@mail.gmail.com> <CABcZeBPM_Rnb0QZvbvBpUCNd6yurtz0ipexUQscmnG_samb2RA@mail.gmail.com> <FD8AF7AF-632A-461C-A82A-BC0711B2F8D0@gmail.com> <CABcZeBMhEHhV1ie=TNqrj_arupO=kd27houBpZgdqZw1pPMfww@mail.gmail.com> <5C013DFE-96E3-4B74-B597-5F3FE1D314C6@gmail.com> <CAKKJt-deRBop1n8sv6dNaqUL_RUWxWMELutWubRdTOovKXEHwg@mail.gmail.com> <3670A5DF-4E11-4848-AE28-354F45F50D2B@gmail.com> <CAKKJt-dmcqLULhe_92wwOqVTcxKweB4YqiPKxoePRZAiQfv-Mg@mail.gmail.com> <CABcZeBMNQKV8m3Z46rsMKjraaHH5zCcKEe-Vo-b+Yo2SRQjTYg@mail.gmail.com> <897972F7-E7B8-4C6D-9470-CBD44B229CE7@gmail.com> <D64530FC-0FA1-4955-AA8A-31CEB32703BA@gmail.com> <CABcZeBNu+V+qTcw3FB=vDijN3-G-5w17rnDy5xSuativiXpU7g@mail.gmail.com> <9A3E372B-809E-4DA6-81FE-6ABBFC8E8DB6@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 03 May 2018 17:13:17 -0700
Message-ID: <CABcZeBNfqyNMvx7h+1_zrM6QoL3-YS=4-3rc80khs-PZBj3D9g@mail.gmail.com>
To: Tom Haynes <loghyr@gmail.com>
Cc: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, draft-ietf-nfsv4-flex-files@ietf.org, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
Content-Type: multipart/alternative; boundary="00000000000042ba94056b5632b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/LYNtV45IKUChvhZZR6xya56dIuM>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 00:14:01 -0000
LGTM On Thu, May 3, 2018 at 4:50 PM, Tom Haynes <loghyr@gmail.com> wrote: > More in line? > > > The combination of components in a pNFS system is required to > preserve the security properties of NFSv4.1+ with respect to > an entity accessing data via a client. The pNFS feature > partitions the NFSv4.1+ file system protocol into two parts, > the control protocol and the data protocol. As the control > protocol in this document is NFS, the security properties are > equivalent to that version of NFS. The Flexible File > Layout further divides the data protocol into metadata and data > paths. The security properties of the metadata path are equivalent > to those of NFSv4.1x (see Sections 1.7.1 and 2.2.1 of > [RFC5661]). And the security properties of the data > path are equivalent to those of the version of NFS used to > access the storage device, with the provision that the metadata > server is responsible for authenticating client access to the > data file. The metadata server provides appropriate credentials > to the client to access data files on the storage device. It > is also responsible for revoking access for a client to the > storage device. > > > On May 3, 2018, at 3:45 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > I'm sorry, but I still find this really opaque. > > What I'm looking for is a simple statement. Either "The security > properties of the protocol described in this document are equivalent to > those of NFS vX" > or "The security properties of the protocol described in this document are > equivalent to those of NFS vX if you do X, Y, and Z" or > "The security properties of the protocol described in this document are > different from those of NFS vX in the following ways" > > -Ekr > > > > On Wed, May 2, 2018 at 1:43 PM, Tom Haynes <loghyr@gmail.com> wrote: > >> Hi Eric, >> >> I haven’t seen a reply to this one. >> >> The current draft-18 has the changes mentioned in this thread. >> >> It has: >> >> >> The pNFS feature partitions the NFSv4.1+ file system protocol into >> two parts, the control path and the data path (storage protocol). >> The control path contains all the new operations described by this >> feature; all existing NFSv4 security mechanisms and features apply to >> the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]). The >> combination of components in a pNFS system is required to preserve >> the security properties of NFSv4.1+ with respect to an entity >> accessing data via a client, including security countermeasures to >> defend against threats that NFSv4.1+ provides defenses for in >> environments where these threats are considered significant. >> >> The metadata server is primarily responsible for securing the data >> path. It has to authenticate the client access and provide >> appropriate credentials to the client to access data files on the >> storage device. Finally, it is responsible for revoking access for a >> client to the storage device. >> >> Would having something like: >> >> The pNFS feature partitions the NFSv4.1+ file system protocol into >> two parts, the control path and the data path (storage protocol). >> The control path contains all the new operations described by this >> feature; all existing NFSv4 security mechanisms and features apply to >> the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]). The >> combination of components in a pNFS system is required to preserve >> the security properties of NFSv4.1+ with respect to an entity >> accessing data via a client, including security countermeasures to >> defend against threats that NFSv4.1+ provides defenses for in >> environments where these threats are considered significant. >> >> The data path is also constrained to security mechanisms of the >> NFS version being used between the client and the storage >> device. The metadata server authenticates the client access and >> provides >> appropriate credentials to the client to access data files on the >> storage device. Finally, it is responsible for revoking access for a >> client to the storage device. >> >> be better for you? >> >> Thanks, >> Tom >> >> On Apr 11, 2018, at 2:25 PM, Tom Haynes <loghyr@gmail.com> wrote: >> >> Hi Eric, >> >> It is the same. >> >> Section 2.2: >> >> It is RECOMMENDED to implement common access control methods at the >> storage device filesystem to allow only the metadata server root >> (super user) access to the storage device, and to set the owner of >> all directories holding data files to the root user. This approach >> provides a practical model to enforce access control and fence off >> cooperative clients, but it can not protect against malicious >> clients; hence it provides a level of security equivalent to >> AUTH_SYS. It is RECOMMENDED that the communication between the >> metadata server and storage device be secure from eavesdroppers and >> man-in-the-middle protocol tampering. The security measure could be >> due to physical security (e.g., the servers are co-located in a >> physically secure area), from encrypted communications, or some other >> technique. >> >> (By the way, this contradicts the original text in my first paragraph >> below >> and is why we needed a change.) >> >> And as for why, Section 15.1.1 discusses why RPCSEC_GSS is not >> provided in this version of the Flex File Layout Type. >> >> Thanks, >> Tom >> >> On Apr 11, 2018, at 1:52 PM, Eric Rescorla <ekr@rtfm.com> wrote: >> >> Hi Tom. >> >> This text is clear, but I fear it doesn't answer the question I asked in >> my discuss: how does the security here compare to ordinary NFS and why. >> >> -Ekr >> >> >> On Wed, Apr 11, 2018 at 11:08 AM, Spencer Dawkins at IETF < >> spencerdawkins.ietf@gmail.com> wrote: >> >>> Hi, Tom, >>> >>> On Wed, Apr 11, 2018 at 12:38 PM, Tom Haynes <loghyr@gmail.com> wrote: >>> >>>> So actually, after thinking about, the discussion about securing the >>>> namespace on >>>> the storage device is wrong. >>>> >>>> The current text is: >>>> >>>> >>>> The combination of file handle, synthetic uid, and gid in the layout >>>> are the way that the metadata server enforces access control to the >>>> data server. The directory namespace on the storage device SHOULD >>>> only be accessible to the metadata server and not the clients. In >>>> that case, the client only has access to file handles of file objects >>>> and not directory objects. Thus, given a file handle in a layout, it >>>> is not possible to guess the parent directory file handle. Further, >>>> as the data file permissions only allow the given synthetic uid read/ >>>> write permission and the given synthetic gid read permission, knowing >>>> the synthetic ids of one file does not necessarily allow access to >>>> any other data file on the storage device. >>>> >>>> The metadata server can also deny access at any time by fencing the >>>> data file, which means changing the synthetic ids. In turn, that >>>> forces the client to return its current layout and get a new layout >>>> if it wants to continue IO to the data file. >>>> >>>> If the configuration of the storage device is such that clients can >>>> access the directory namespace, then the access control degrades to >>>> that of a typical NFS server with exports with a security flavor of >>>> AUTH_SYS. Any client which is allowed access can forge credentials >>>> to access any data file. The caveat is that the rogue client might >>>> have no knowledge of the data file's type or position in the metadata >>>> directory namespace. >>>> >>>> My replacement would be: >>>> >>>> The combination of file handle, synthetic uid, and gid in the layout >>>> are the way that the metadata server enforces access control to the >>>> data server. The client only has access to file handles of file >>>> objects and not directory objects. Thus, given a file handle in a >>>> layout, it is not possible to guess the parent directory file handle. >>>> Further, as the data file permissions only allow the given synthetic >>>> uid read/write permission and the given synthetic gid read >>>> permission, knowing the synthetic ids of one file does not >>>> necessarily allow access to any other data file on the storage >>>> device. >>>> >>>> The metadata server can also deny access at any time by fencing the >>>> data file, which means changing the synthetic ids. In turn, that >>>> forces the client to return its current layout and get a new layout >>>> if it wants to continue IO to the data file. >>>> >>> >>> Thanks for proposing new text here. >>> >>> Spencer (S) as shepherd and WG co-chair, does this look like something >>> that would come as a surprise to the working group? >>> >>> Spencer (D) as AD >>> >> >> >> >> > >
- [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfs… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Spencer Dawkins at IETF
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Thomas Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Spencer Dawkins at IETF
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Spencer Dawkins at IETF
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… spencer shepler
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla