IETF Logo Mail Archive

Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-01.txt

David Noveck <davenoveck@gmail.com> Wed, 24 April 2019 19:41 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D9841201F8 for <nfsv4@ietfa.amsl.com>; Wed, 24 Apr 2019 12:41:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCEUQ5lwjzST for <nfsv4@ietfa.amsl.com>; Wed, 24 Apr 2019 12:41:13 -0700 (PDT)
Received: from mail-ot1-x336.google.com (mail-ot1-x336.google.com [IPv6:2607:f8b0:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2119120167 for <nfsv4@ietf.org>; Wed, 24 Apr 2019 12:41:13 -0700 (PDT)
Received: by mail-ot1-x336.google.com with SMTP id j10so17266073otq.0 for <nfsv4@ietf.org>; Wed, 24 Apr 2019 12:41:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CvkVfry1YUXIkSk3yd8kdS7q9AnMMxjUHC6OAvmXFaI=; b=c0Q0G2A8dWU7hcYd4UuXxj1nRTd5oh7BS0MXugYpzblGrlGNobOR2NbD9Y+lDfiQij vM5kAYYYBdP0jw9X+YXp2f4Z6VXFy5xSk1oqqW4etWWXzXax23Aw3fxwf2wBK63SO/yV zzWxlVUIlzxLZiSOt0Wd/o5P6e1Jrjg0iBV/xJUHFFqPYlzpFaThWD/qWFu9GwyODBx3 sMXhtJYii1+Ch8nc8TeHoyzZ29qk70xNgdWtVe8ss2N6sEdUZzrtm6Xj95HWrf9C1p0j qvSXt+GLN5q57wVwCCmFHoMM8Yf2wlro8ssOBlLHfzzq7LH9EuPJ9TIQFD3HCQeCwBdl yOpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CvkVfry1YUXIkSk3yd8kdS7q9AnMMxjUHC6OAvmXFaI=; b=a1TQLHNCY6Iv6A+3KRN3MfXRfPewadfWL+EQ2bGDERuIs/CzQBy8IzBADn766EaJnE S4lC6sJ1w7DXPTPcrHJzenk4nx4nfKkLqSECsQ+rrSxdWyCLy8BUfAr+nBWoMcIcm5TX 53wzjupwgvc980GiBDxphnQBKYPTasSG3fJwvHjStl6NtwMpynX/1oP0oLSSwk3iZXsd F5p2hA+/hjSgQ3fx8l+ncnpCO5TMA6UJyXf80EgNN6gONckfy6MZ3UY309Jk6C+fJqxS Dkj0FG10tT21ZlGX2Ex3x7wSNQAs0DLWzv52NsyxS+7ydx3cSpFI4fulSdYuOioAtHL9 MPNg==
X-Gm-Message-State: APjAAAUFgeRYtTARlvFUA/KAxk8NVIvdRpsfOtL8UJ9EasIj8ZLrNWWl nlnTHxiBXIyBzB2TbBcLhVgP22zTI1ymUgCKmwo=
X-Google-Smtp-Source: APXvYqzK+K8x3Mkf3alNOdCQ1mhnrpSuXpXGYbpYAWqbvFikgffyXU+cx8yI5kEENlJpI9VqargewEevNwF2vdFhXxc=
X-Received: by 2002:a9d:63d2:: with SMTP id e18mr4800685otl.20.1556134872610; Wed, 24 Apr 2019 12:41:12 -0700 (PDT)
MIME-Version: 1.0
References: <155535049832.10773.1565621811584007627@ietfa.amsl.com> <CADaq8jcCB9g9v=h4iXu1f6=cAsU7wMdmfh31gCQKvEFw2eG=rA@mail.gmail.com> <804CB622-D696-4FAA-8040-993CB4029508@oracle.com> <20190422154814.GH72232@kduck.mit.edu> <2664782D-629E-4AA7-991D-76BAC465686D@oracle.com> <CADaq8jciwJanPJ09p95c5WR3QsBcmH6Z6Px4QbkG9_NTfUoJEA@mail.gmail.com> <66F78DBB-5D22-4FC2-A3C3-E69DBF87E4DB@oracle.com>
In-Reply-To: <66F78DBB-5D22-4FC2-A3C3-E69DBF87E4DB@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Wed, 24 Apr 2019 15:41:01 -0400
Message-ID: <CADaq8jd8Vbia+i5svQSzhBbOy_PF-qa+ZQ7uGE1NTnFvpatcuQ@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004dfbfe05874be241"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/LayxbSZPO0UUTYD5Z8bLNkDAM3I>
Subject: Re: [nfsv4] I-D Action: draft-ietf-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 19:41:19 -0000

> The opportunistic approach is meant to be a step up, not
> a full solution.

OK, but the question at hand is whether rpc-tls (or the RFC that results
from it) is to be limited to the opportunistic approach.   I'm arguing that
it should not, and much of what you say below seems to indicate
that you agree.

However, other things you say lead me to a contrary conclusion, so it
would be best if we got a clear answer on this point.

> We are bridging a gap here, and I think
> we all expect/hope to have deeper solutions in the future.

To get those, I think we need do more than expect/hope for them.   I think
we need to plan for them.   One way to do that is to allow rpc-tls to be
used either opprtunistically or non-oportunistically. rather than
restructing it to opprtuunistic use and expect something else to
provide support for the non-opportunistic case.

> For instance, we could define an RPC on QUIC transport
> type that requires host authentication and encryption from
> the get-go.

I've heard some rumblings about QUIC and would like to see an RPC
transport type defined.   However, we haven't yet seen even a
fragmentary individual submission on this topic.   Yes, we could
do this in the future, but it is unwise to count on it any time soon/

> The current rpc-tls document now RECOMMENDS that an RPC
> client's security policy insists on the use of TLS (ie,
> that they will immediately close a connection to a server
> that does not support TLS).

If it does, then it is not opportunistic and there is a conflict with
the abstract which says "opportunistically".

I've been unable to see where it says that.  I've searched the document
for "RECOMMEND".  Also:

It does  say the following which seems to contradict it:

The mechanism described in this document interoperates fully with RPC
implementations that do not support TLS.  The use of TLS is
automatically disabled in these cases.

Tigran is looking for a discussion of this case and can't find it, so, in
any case, it is not just me who isn't able to see this.

> That is a reasonable way to
> address active attackers while there is still a large fleet
> of RPC implementations without TLS support.

I don't see that you can RECOMMEND that unconditionally,
especially in an RPC-generic document.   When there are
a large set   of RPC implementations without TLS support,
is precisely when the alternative (i.e. opportunistic) approach
has its greatest value.

> We could also strongly RECOMMEND the use of authentication.

I don't think we should do that in the context of an RPC-generic
document.  Each protocol might reasonbly have its own needs and
policies.

The decision to proceed with an rpc-generic document was intended to
accellerate development of rpc-tls.  That's worked so far but I think that
to
maintain progress we have to avoid the temptation to put protocol-
specific material (most likely for NFSv4) into what should be an rpc-
generic document.   That would essentially undo the decision to make
this an rpc-generic document.

I've thought about something like this for v4-oriented document but
I think that there the need/requirement for authentication of the client
is best tied to use of AUTH_SYS.    If you are using RPCSEC GSS and
have an encrypted channel, you would have adequate NFSv4 security, even
in an internet environment. :-). At that point, client authentication, which
might be work to add to the work already done to implement RPCSEC GSS,
is better seen as OPTIONAL.

On Wed, Apr 24, 2019 at 10:55 AM Chuck Lever <chuck.lever@oracle.com> wrote:

>
>
> > On Apr 24, 2019, at 10:48 AM, David Noveck <davenoveck@gmail.com> wrote:
> >
> > >> The summary of the reasoning for the use of this term is basically
> that it
> > >> does not provide protection in the face of an *active* attacker (that
> can
> > >> force downgrade to the previous/insecure technology), but does protect
> > >> against passive observation.
> >
> > > Indeed, this looks directly on point.
> >
> > It does but having read this document and considering Ben's statement
> > that "it :does not provide protection in the face of an 'active'
> attacker, I'm
> > wondering if the 'opportunistic" nature of this approach should be
> mentioned
> > quite as prominently as it is in -01.
> >
> > For example, Tigran is basically asking for a description of how this
> mechanism
> > would be used non-opprtunistically and it seems clear to me that
> eventually
> > there will be a need such deployments.   If and when this mechanism is
> widely
> > deployed the failure to establish an encrypted connection is more likely
> to be
> > due to an active attacker rather than a non-rpc-tls-supporting server.
> >
> > It is not clear to me why, in that event the client should behave
> passively in the
> > face of an active attack.   As i understand it, an eventual Security
> Consideraations
> > is going to have to consider all possible attacks and we want to avoid a
> situation
> > in which an accurate Security Consideration would need to say, in
> essence, "omigod,
> > it's hopeless". :-(
>
> The opportunistic approach is meant to be a step up, not
> a full solution. We are bridging a gap here, and I think
> we all expect/hope to have deeper solutions in the future.
>
> For instance, we could define an RPC on QUIC transport
> type that requires host authentication and encryption from
> the get-go.
>
>
> The current rpc-tls document now RECOMMENDS that an RPC
> client's security policy insists on the use of TLS (ie,
> that they will immediately close a connection to a server
> that does not support TLS). That is a reasonable way to
> address active attackers while there is still a large fleet
> of RPC implementations without TLS support.
>
> We could also strongly RECOMMEND the use of authentication.
>
>
> > On Wed, Apr 24, 2019 at 9:53 AM Chuck Lever <chuck.lever@oracle.com>
> wrote:
> >
> >
> > > On Apr 22, 2019, at 11:48 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> > >
> > > On Tue, Apr 16, 2019 at 01:11:54PM -0400, Chuck Lever wrote:
> > >>
> > >>> On Apr 16, 2019, at 1:09 PM, David Noveck <davenoveck@gmail.com>
> wrote:
> > >>>
> > >>> I'm confused by the addition of the word "opportunistically" in the
> abstract.   This document defines an important way of providing security to
> RPC-based protocols such as NFSv4, so as to deal with the very real
> security problemms that these protocols have.    While these facilities can
> only be used when both client and the server provides support, I don't
> think that fact alone make the use of these facilties "opportunistic".
> What exactlty is this word intended to imply?
> > >>
> > >> "Opportunistic" is a term of art. See:
> > >>
> > >> https://en.wikipedia.org/wiki/Opportunistic_TLS
> > >
> > > RFC 7435 is also a good reference for this topic (and one that has IETF
> > > consensus, FWIW).
> > >
> > > The summary of the reasoning for the use of this term is basically
> that it
> > > does not provide protection in the face of an *active* attacker (that
> can
> > > force downgrade to the previous/insecure technology), but does protect
> > > against passive observation.
> >
> > Indeed, this looks directly on point.
> >
> > --
> > Chuck Lever
> >
> >
> >
>
> --
> Chuck Lever
>
>
>
>

v2.23.0 | Report a Bug | By Email