IETF Logo Mail Archive

Re: [nfsv4] Genart last call review of draft-ietf-nfsv4-rpc-tls-07

Trond Myklebust <trondmy@hammerspace.com> Mon, 25 May 2020 12:04 UTC

Return-Path: <trondmy@hammerspace.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60A043A0A6A; Mon, 25 May 2020 05:04:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.09
X-Spam-Level:
X-Spam-Status: No, score=-2.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_PDS_OTHER_BAD_TLD=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hammerspace.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7eX7h6rMptnc; Mon, 25 May 2020 05:04:07 -0700 (PDT)
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12on2118.outbound.protection.outlook.com [40.107.243.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B3F93A0A92; Mon, 25 May 2020 05:04:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GJ0ZfSDqGsC65leh//zfTG08L8UDGeL+CCM67JlCLq9raApocC2uXPUPmbKqtN5Q8k/77sIIoOer3KN1yqePkwR0rop28g1njvLumEl747alH1WFM5vsBcv6dHnTXIABGDjosTTBAJ4M97q6EIhByUppQ32YXDR+lq/avFgTEAtthZMCVek4Se+AM0/UNoeOM1JOMIgA1sFsd/y+GD8YLTExVY58SNWRHYrbIqIFr28ZnigRnAjobFzuFr9oA9evWWlQNPD/1Ck/9aNKEI1lNMcLT9m8YDy+MPT1yexFGQL+eOAggc7OPsyXu5f0B53yUxZb0AbkefmARNErYUInQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MyRx2HbNhx11YRB272SLEr1ZOXm3Sqsv2sxBCFVLmTQ=; b=Gd7Bv23s3wk1CpRVUoQQA8Nd5UL60lkrWj0iqsXDY5ymztvssxIp+wo5OCRf8mreqWZxGGuxx+uGz4EMZVIQQtr6+LAl2FlxEId1z2ykz+cExiCin1kTSH9g2QegP9BTi1vRFiCQ4/WeyLv8q/H0qF9SBmGeD9+ljHSE3ADTMqzgpAKQ5f9Z+0Z84SEJkJYaXQuTKx67sbq9RJ+k2FXORVZcT2+yOichEaxU6Eiw07qdV5+AczGCc/0Q4/vfm5P5xUR402jpk3ObhrGG4fthhIQ4BMdONFtoiHp0KzjEDFvZg+JKtpmm9Uk4dCVUE+GHd9fnJJO0jzhqJgfnVUJeqA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=hammerspace.com; dmarc=pass action=none header.from=hammerspace.com; dkim=pass header.d=hammerspace.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hammerspace.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MyRx2HbNhx11YRB272SLEr1ZOXm3Sqsv2sxBCFVLmTQ=; b=CQs7b1DQcfBGnule5QnBbMWm++STEoZOPjdtWU5Lyk1hzHR1F1QA/nFJsRTgo69fSld3vhO/KJ0JhdG9Gxix4qCXpmY0Dx19WDmR6P7VVP6o93BgclvhnOH3tZNkUmVpUDAbVp1esa5Z7VAENAOiQPz9NyBGVu/3l8GONQnsqHA=
Received: from CH2PR13MB3398.namprd13.prod.outlook.com (2603:10b6:610:2a::33) by CH2PR13MB3670.namprd13.prod.outlook.com (2603:10b6:610:9c::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3045.8; Mon, 25 May 2020 12:04:00 +0000
Received: from CH2PR13MB3398.namprd13.prod.outlook.com ([fe80::49f6:ce9b:9803:2493]) by CH2PR13MB3398.namprd13.prod.outlook.com ([fe80::49f6:ce9b:9803:2493%6]) with mapi id 15.20.3045.009; Mon, 25 May 2020 12:04:00 +0000
From: Trond Myklebust <trondmy@hammerspace.com>
To: "davenoveck@gmail.com" <davenoveck@gmail.com>, "chuck.lever@oracle.com" <chuck.lever@oracle.com>
CC: "worley@ariadne.com" <worley@ariadne.com>, "gen-art@ietf.org" <gen-art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-nfsv4-rpc-tls.all@ietf.org" <draft-ietf-nfsv4-rpc-tls.all@ietf.org>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] Genart last call review of draft-ietf-nfsv4-rpc-tls-07
Thread-Index: AQHWMgz8nHZZdJEBmkaIDjtzs0o53ai3yBUAgADoCICAAATsAA==
Date: Mon, 25 May 2020 12:04:00 +0000
Message-ID: <4023079b7f3a826c163ad35ee00c4bcffb8b2d56.camel@hammerspace.com>
References: <159035343255.29687.817580247496478154@ietfa.amsl.com> <9DE0A0E7-46BB-4C4F-9AFC-D7BD0645A0A7@oracle.com> <CADaq8jcqKB8KMFL2=LqL_g64Wm6TWZJad-qq_bW0vxo7Joq0LA@mail.gmail.com>
In-Reply-To: <CADaq8jcqKB8KMFL2=LqL_g64Wm6TWZJad-qq_bW0vxo7Joq0LA@mail.gmail.com>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=hammerspace.com;
x-originating-ip: [68.36.133.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ab46c9d1-396c-4c26-5ff4-08d800a3b5cc
x-ms-traffictypediagnostic: CH2PR13MB3670:
x-microsoft-antispam-prvs: <CH2PR13MB36703EED79D9911D50DBB9ECB8B30@CH2PR13MB3670.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0414DF926F
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: f0zEKHp/eSmjmrt1gbteB18eKX650ch63EP1uGj+ftsQPuFIBTTs0qwmRmriGIeTlufUWNqRnTdlGQ9MKakltUb7hcECKgInnutg5a4I1TffQ0EBnEdMQFYSljZhYDuQp/I3QURR0z8ZOIkzn/cDVzuaOXEzADu/Gs1scT8b7Pp/8W0k79RqcrCqMNoSShBOYT4usBJFEWEyYyOhZ9gSDs6AT4OQV3AJY2OsZJFSBg0YDOGSnOvYdSARGVuRlyuNaM7/qOz3vHWfBisr0Hi3pFaNLnAhXZ3Zj5qbFzA8dD9ZFT2pxwhTKYEC9GuU2Wsmnpm1Li/hEo0ltKKOL/hbiMPyFYV2FRGx3gTuB/4Kb6fFxZcbl8t1gpubAE3yuCCZRiLnJ/0iUaYYSIa2+++l6Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR13MB3398.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(396003)(39830400003)(136003)(366004)(376002)(346002)(26005)(186003)(66616009)(6506007)(53546011)(66946007)(64756008)(66446008)(76116006)(66556008)(166002)(66476007)(2616005)(2906002)(71200400001)(83080400001)(478600001)(5660300002)(110136005)(316002)(6512007)(6486002)(54906003)(36756003)(8936002)(86362001)(99936003)(4326008)(8676002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: A4RpASYWLIBGzDcE/d3CBPpZFkFRQn6mBdbPIS1vF904fDc0l7oBkqL54y4TTGdgxQQAxhGoH6OxwbgSDfzJ5GUuLOxu9d9Iyl28IwHvaei3H01g8fSo9ku/D3tp3i0GU/mDj/qBw02k4B1lW6aNlgSVx2de1Z8U5cVRJIWrZZisEW5flMYT/Afr4/eIsm4RRNyij1xFIsHc/HJeOuXIAueik9IGyLAmmzRUeDxB2Qf/i4MbzyJ/J+uJ1OOGdDXIaEc8+ze5ApmMKNoHLe9MJHn/YbcrzgUuq2ZW7SO1Ws6houuHHAY5qeAuNmRrDRaQmBbspaJNwpNX/asmWnLCOOoWwsH7j+XEFri/cj73Icjlyqr5bU/mXc14S66U/EFahI4Covi7Cj/6mSDX8YWSQ/EhSFhLgeU4nkYiMgnxycOMMaZBGP8wEj+C5BuvIALsw2tpKeSHMyEuWUQyibROadwBSdqrFuJa1ZujYzcPrpo=
x-ms-exchange-transport-forked: True
Content-Type: multipart/related; boundary="_004_4023079b7f3a826c163ad35ee00c4bcffb8b2d56camelhammerspac_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: hammerspace.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ab46c9d1-396c-4c26-5ff4-08d800a3b5cc
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 May 2020 12:04:00.1655 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0d4fed5c-3a70-46fe-9430-ece41741f59e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PVkCODZcQC7BBNeTcaAaAAMDwZ5DI33YY9QOjDJe0ztAbduswvmCivqb4UIkDK+LPo9EcZIzfiUTG9iYMJfHdQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR13MB3670
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/MTKgkptbbDTkWr6yUCoORWndXwk>
Subject: Re: [nfsv4] Genart last call review of draft-ietf-nfsv4-rpc-tls-07
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 May 2020 12:04:11 -0000

On Mon, 2020-05-25 at 07:46 -0400, David Noveck wrote:
> There doesn't seem to be any adequate explanation for backchannel
> operation in documents prior to RFC 8167, which explains reverse-
> direction RPC operation over an RDMA transport.

The term is introduced in RFC5661.   Not sure what you consider an adequate explanation, but this would be a relevant reference that also might be cited.

> Perhaps the best I can do here is add a paragraph introducing the
> concept, and use the RFC 8167 terminology instead of
> "backchannel"?

This concept does need to be introduced at the RPC-level and rpc-tls, which is to update RFC5531, is a good place to do it.   I think it would be best to explain the connections between the RFC5661 and RFC8167 terminologies
Let me review RFC 8167 and see if I can reference it sensibly in
the context of RPC on TCP.

There really is no mention in RFC5531 of RPC being unidirectional either. It does describe a client-server model, but imposes no limitations on the number of services a single transport can support, or on directionality of the calls. Ultimately, the only special thing about a backchannel is that it is a service on one side of the transport that is associated with a different service on the other side of the channel.

Is that really a nuance that needs to be explained in this document? We've already determined the TLS behaviour when a transport supports multiple services.


On Sun, May 24, 2020 at 5:58 PM Chuck Lever <chuck.lever@oracle.com<mailto:chuck.lever@oracle.com>> wrote:


> On May 24, 2020, at 4:50 PM, Dale Worley via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
>
> Reviewer: Dale Worley
> Review result: Ready with Nits
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document:  draft-ietf-nfsv4-rpc-tls-07
> Reviewer:  Dale R. Worley
> Review Date:  2020-05-24
> IETF LC End Date:  2020-05-27
> IESG Telechat date:  unknown
>
> Summary:
>
> Note that I am not familiar with the operations of TLS, so I have not
> reviewed issues that are specific to security implementations.  I
> assume the SECDIR review has adequately covered those.
>
> This draft is quite solid and nearly ready for publication, but has
> nits that should be fixed before publication.

Thank you, Dale, for the detailed feedback. I will reply to this
e-mail thread with specific text corrections in the next few days.

I do have a few initial reactions/follow-ups for you that appear
inline below.


> Nits:
>
> 4.1.  Discovering Server-side TLS Support
>
> Somewhere in this section you need to specify the semi-obvious:
>
>   In principle, RPC is transport-agnostic.  In the context of
>   RPC-Over-TLS, the initial request MUST be sent using either TCP or
>   UDP.  If an initial TCP request is successful, a TLS connection is
>   established.  If an initial UDP request is successful, a DTLS
>   association is established.

I can add something like this in Section 4.1, but note that Sections
5.1.1 and 5.1.2 already explain the relationships between TCP/UDP
and TLS/DTLS, respectively.


> 5.1.1.  Protected Operation on TCP
>
>   The server does not attempt to establish a TLS session
>   on a TCP connection for backchannel operation.
>
> I think "... does not attempt to establish a separate TLS session ..."
> is clearer.
>
> I can't find any discussion of "backchannel operation" in RFC 5531.
> Might this need an additional reference?

I agree that a deeper introduction of "backchannel operation" would
be helpful in this section.

There doesn't seem to be any adequate explanation for backchannel
operation in documents prior to RFC 8167, which explains reverse-
direction RPC operation over an RDMA transport.

Perhaps the best I can do here is add a paragraph introducing the
concept, and use the RFC 8167 terminology instead of "backchannel"?
Let me review RFC 8167 and see if I can reference it sensibly in
the context of RPC on TCP.


> 5.2.1.  X.509 Certificates Using PKIX trust
>
>   o  For services accessed by their network identifiers (netids) and
>      universal network addresses (uaddr), the iPAddress subjectAltName
>      SHOULD be present in the certificate and must exactly match the
>      address represented by universal address.
>
> I suspect that "iPAddress" is not capitalized correctly.

This is the capitalization used in RFC 6125, which is cited nearby
this text.


--
Chuck Lever




--

Trond Myklebust
CTO, Hammerspace Inc
4984 El Camino Real, Suite 208
Los Altos, CA 94022
[cid:308992b17886b4f9a6c33eb35b095c5cfbc0db11.camel@hammerspace.com]
www.hammer.space<http://www.hammer.space>

v2.23.0 | Report a Bug | By Email