Re: [nfsv4] WG adoption of draft-dnoveck-nfsv4-security

Brian Pawlowski <beepee@gmail.com> Tue, 27 February 2024 14:57 UTC

Date: Tue, 27 Feb 2024 06:57:32 -0800
Cc: Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com>, nfsv4-chairs <nfsv4-chairs@ietf.org>, NFSv4 <nfsv4@ietf.org>
To: David Noveck <davenoveck@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/MrqWRE_NZBrvLhFDPbKXYynSs1w>

Okay. I’ve been thoroughly reading the security draft. 

First of all. Thanks for all the work you put into this. It helps me understand the context and extent of the work items ahead of us. 

That said, trying to figure out how to resolve and track issue resolution in an efficient way. I think Chris has an idea here. 

You seem to be saying in a separate thread that there are no over-the-wire protocol changes required by this proposal? I definitely want to verify that, as in reading as far as I got (~50%) it was not clear that is true. The POSIX uid vs string representation is one area I got stuck. Also still digesting the discussion around ACL “evaluation” (for lack of a better term) as to whether it changes protocol? Or is it simply a clarification of what the protocol actually accomplishes?

We can touch on it at the interim meeting.

— beepy

On Jan 23, 2024, at 06:46, David Noveck <davenoveck@gmail.com> wrote:


As there was no response to this request from the chairs, let me provide an update. If the chairs have some relevant input, they can add it.

Chris did not provide an update and expressed no views about the situation. I drew the conclusion that he is not involved in this and is assuming Brian is taking care of it.

Brian and I spoke during the official meeting time, but, since there were no other attendees, we had the opportunity to clarify some matters related to this issue.
  • Brian told me matters had been delayed by his illness (covid-19).
  • We discussed the pending documents and agreed to have a more detailed discussion later.
At that later meeting, held on 1/19:
  • I reiterated the original request for an adoption call (originally made 12/20/2023) and Brian agreed to follow up.
  • We clarified the need for Brian to send the WG a proposed list of consensus items, taken from Appendix B of draft-dnoveck-nfsv4-security-07. There had previously been confusion about this, with Brian looking at Appendix C of draft-ietf-nfsv4-rvc5661bis and not finding those items. I referred him to the correct appendix and stressed that the current focus needed to be on the security document, given that the original request for an adoption call, made in 2022, had been lost track of.
I expect Brian to notify the WG about the adoption call in the next few days. Once that is done, I would be able to send out an almost complete draft of the ACL implementation report for ONTAP that I have been working on and possibly make it an agenda item, together with Brian's list of consensus items to discuss, for the next interim meeting on 1/30.

On Mon, Jan 8, 2024 at 9:56 AM Zaheduzzaman Sarker <zahed.sarker.ietf@gmail.com> wrote:
Chairs, please respond to David's request and share your views.

//Zahed

On Mon, Jan 8, 2024 at 3:53 PM David Noveck <davenoveck@gmail.com> wrote:
Although Gmail thinks that this is a reply, it is actually a follow-up for my request sent on 12/20/2023. So there is no issue of me replying to myself and no issue of multiple personality syndrome to worry about :-)

I had originally hoped that the three weeks to the next wg interim meeting would give us time to complete a two-week comment period and allow us to resolve this long-deferred matter at the 1/16 interim meeting.  Given the time that has already elapsed, that no longer seems possible. Sigh!

I have received no updates regarding this request.  If there are impediments that would delay prompt work on this request, I need whoever is dealing with this request to let me know about the issue so that it can get addressed.

If that is not possible, we will have to address the matter at the 1/16 interim meeting. Given what happened with the original request to adopt -06, I don't think that we can again simply wait passively and hope that one of the chairs is taking care of this matter. It makes more sense for me and whichever chair takes responsibility for this to discuss the next steps at this and subsequent interim meetings, allowing us to make sure we have a process that leads to a prompt resolution of this matter.

On Wed, Dec 20, 2023, 5:23 AM David Noveck <davenoveck@gmail.com> wrote:
I would like to formally request that the working group adopt this document, currently at its -07 draft, as a working group document.

I suggest that the working group be asked for its comments as soon as possible. Given that the next interim meeting is scheduled for 1/16, this should allow a two-week period for comments plus time to summarise the results and present a decision at the interim meeting. This will give us an opportunity to formulate a plan of action, whatever the decision is. I don't think we can afford a repeat of the situation with the previous adoption call in which there was uncertainty about the precise contours of the working group's response and a consequent delay as the draft whose adoption was requested ceased to be relevant.

One important point regarding the adoption call is that we need to clearly distinguish issues with the precise contents of the draft, which could be addressed after adoption, from feelings, if they exist, that the current draft is not a suitable vehicle, in its current form, for the working group to address NFSv4 security issues. If the latter, we need to understand what changes might be required, so those changes can be made, allowing the working group to continue to make progress.