Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 17 April 2020 17:07 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "chuck.lever@oracle.com" <chuck.lever@oracle.com>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Date: Fri, 17 Apr 2020 17:07:35 +0000
Message-ID: <be55b57182837f43f5d8c5d66a90e2a7e2596b3a.camel@ericsson.com>
In-Reply-To: <8B6E937E-1946-4E26-9CA0-2B7CADD9EF5E@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/M6XkH5ZenbcLmvMrhonfooeg7UA>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
List-Id: NFSv4 Working Group <nfsv4.ietf.org>

On Fri, 2020-04-17 at 08:32 -0400, Chuck Lever wrote:
> > On Apr 16, 2020, at 4:49 PM, Chuck Lever <chuck.lever@oracle.com> wrote:
> > 
> > 
> > 
> > > On Apr 16, 2020, at 4:30 PM, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:
> > > 
> > > Hi, 
> > > 
> > > I have reviewed the text proposal and have this comment. 
> > > 
> > > On Tue, 2020-04-14 at 11:39 -0400, Chuck Lever wrote:
> > > >  o  If a client uses an ephemeral source port for a TCP connection and
> > > >     does not present authentication material to initiate TLS host
> > > >     authentication, the server MUST abort the TLS handshake with a
> > > >     handshake_failure alert.
> > > 
> > > So what is this paragraph trying to say, really? Is this a mix of OS/socket
> > > level concerns with the transport protocol level?
> > 
> > NFS server implementations have traditionally required clients to use a
> > privileged source port when using weak authentication like AUTH_SYS.
> > When a client uses a flavor like krb5 that provides strong host
> > authentication, the privileged source port requirement is waived.
> > 
> > This bullet simply states that the server does not have to require a
> > privileged source port when using TLS, just like with krb5/i/p. So
> > a client using AUTH_SYS with TLS would be permitted to use an ephemeral
> > source port, which is a much less rare resource than a privileged source
> > port.
> > 
> > We could leave this statement for a subsequent NFS-specific document
> > but there are some non-NFS user space RPC implementations that have
> > the same requirement.
> > 
> > Or, I could move this bullet to the Security Considerations section.
> 
> The mind wandered last night, and I realized that the privileged port
> requirement applies in the connectionless case as well. I will move
> this text somewhere that is appropriate for both transport types.

I think it is fine to include. However, I was missing context for this. So I
think if you provide slightly more context to the statement it will avoid
confusion for future reviewers. 
 
Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
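The rule under discussion has two layers: the legacy NFS convention that a weak flavor such as AUTH_SYS is only accepted from a privileged source port, and the new bullet that lets TLS host authentication stand in for that port check (and aborts the handshake when an ephemeral-port client presents no authentication material). The following is an added illustration of that decision logic, not code from draft-ietf-nfsv4-rpc-tls or from any NFS or RPC implementation. It assumes the classic Unix reserved-port range (0 to 1023) as the meaning of "privileged", treats krb5/krb5i/krb5p as one strong flavor, and models the server's responses as strings rather than real TLS alerts or RPC replies; no actual TLS handshake is performed.

```python
# Added illustration of the admission rule discussed in the thread; not code
# from draft-ietf-nfsv4-rpc-tls or from any NFS/RPC implementation.
# Assumptions (not stated on the page): privileged source ports are 0-1023
# (the classic Unix reserved range); "strong host authentication" is either
# an RPCSEC_GSS krb5 flavor or a TLS session in which the client presented a
# certificate; decisions are returned as strings instead of real TLS alerts.

from dataclasses import dataclass
from enum import Enum

PRIVILEGED_PORT_MAX = 1023  # assumption: classic reserved-port boundary


class Flavor(Enum):
    AUTH_SYS = "AUTH_SYS"           # weak: asserts uid/gid without proof
    KRB5 = "RPCSEC_GSS krb5"        # strong host authentication (krb5/krb5i/krb5p)


def is_privileged_port(port: int) -> bool:
    """True if the source port is in the reserved range a non-root process cannot bind."""
    return 0 <= port <= PRIVILEGED_PORT_MAX


def tls_handshake_decision(src_port: int, client_cert_presented: bool) -> str:
    """Stage 1: decided while the TLS handshake is in flight, before any RPC is seen.

    Mirrors the bullet quoted in the thread: an ephemeral source port without
    client authentication material means the server aborts with handshake_failure.
    """
    if is_privileged_port(src_port) or client_cert_presented:
        return "continue"
    return "abort: handshake_failure"


@dataclass(frozen=True)
class RpcContext:
    src_port: int
    transport_host_authenticated: bool  # TLS completed with a client certificate
    flavor: Flavor


def rpc_admission_decision(ctx: RpcContext) -> str:
    """Stage 2: the legacy privileged-port rule, applied per RPC call.

    Weak flavors (AUTH_SYS) need either a privileged source port or a
    transport that already authenticated the host; krb5 waives the port
    requirement on its own.
    """
    if ctx.flavor is Flavor.KRB5:
        return "accept"  # strong flavor: port requirement waived
    if ctx.transport_host_authenticated:
        return "accept"  # TLS host authentication stands in for the privileged port
    if is_privileged_port(ctx.src_port):
        return "accept"  # traditional rule: AUTH_SYS over a privileged port
    return "reject: weak auth from ephemeral port"


def run_scenarios():
    """Constructed sample connections covering the cases raised in the thread."""
    cases = {
        "authsys_priv_port_plain": RpcContext(1010, False, Flavor.AUTH_SYS),
        "authsys_ephemeral_plain": RpcContext(49152, False, Flavor.AUTH_SYS),
        "krb5_ephemeral_plain": RpcContext(49152, False, Flavor.KRB5),
        "authsys_ephemeral_tls_cert": RpcContext(49152, True, Flavor.AUTH_SYS),
    }
    return {name: rpc_admission_decision(ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    print("TLS, ephemeral port, no client cert:",
          tls_handshake_decision(49152, client_cert_presented=False))
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

Splitting the check into a handshake-time stage and a per-RPC stage reflects the point Magnus raised: the bullet is really a transport-level statement, while the privileged-port convention is an RPC-level policy, and the server only learns the flavor after the TLS session is already up.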