Re: [nfsv4] Adoption call for draft-dnoveck-nfsv4-security
Thomas Haynes <loghyr@gmail.com> Fri, 14 October 2022 02:41 UTC
Return-Path: <loghyr@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA446C14CE37; Thu, 13 Oct 2022 19:41:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eAK11LuLhbCg; Thu, 13 Oct 2022 19:41:09 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B56FC14CF1B; Thu, 13 Oct 2022 19:41:09 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id t25so1703352qkm.2; Thu, 13 Oct 2022 19:41:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Enfy6P/tU2z/YfKgG6+8+N7B7gYQR5sUIIFacG8cfFE=; b=M/XD3RFHtgGh52ed6myhBUU/JnikV7eUbMTw+2XkfdXchL8BFaiCy46TTv7nvuI3wO 2YECz8P/idYG2QAtNb0lSDHHJZVEVUBFV7octoRiwTMmq90ksRdXGmVtmaw/reN0Rrqb bKk9l9A1GZVDaplHmCXSDUwJHVCiVlAZ8GsY59uSo+CgV0YGyqHEfvezCyHqH200deKB YAAJ1WZDrBRCdI61MqyTi0rUT4fmGTFR+fIUMDDhR3YbPW5EMbNjr7tZOKF7WY3gBaUY 2FSZArVH2hTBi0M82rF8Fpm8U7gmhkBJQx5OT5cUxPEzQNxiGT7p6mB2C4fYuAvTsYka WCaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Enfy6P/tU2z/YfKgG6+8+N7B7gYQR5sUIIFacG8cfFE=; b=sDGh1S19k226umP3v9gs4BMOj0dlvRHQya92367LFQoiLKQoYvTKnP+7MeI1BM64oe nDzEO4/HqLH9sKiTObfVbwPiWB/tsp9UDT57pLHYpczS38bOqqtchmyQUHKTiMUpcKfm ImvU0+d+R2oYd72ynNb9hgINdrqRQqntEiyK3e8XVtLnodj1XCi2xKG4HBFY6LZ8VrMr hXrzYCd4CsjKOGRHJs7Btx5tzSn/cvKiwUfHRxb6v+FEl75meURMytdkomMuvUCytVT3 DwrSkXYP7AhIbxi78xqazzjkdEBxYrvW60NEC9/+HYO/QOGRCJWSVO+c7n2PPXjkPPxR l+DA==
X-Gm-Message-State: ACrzQf3kJOW2ubNx9/vc/dlsQR89T9UMoFKVn2udzVZi33pYNwiTn6fZ d/BMiBgvRzd0PXFuNvjPIIt40HWSfek=
X-Google-Smtp-Source: AMsMyM636Ti10ez2uLPTmuxGDy9VsGRN4ytftaa6xfMxA3q1f0wULiowMpK6EsI380kRlghnOMxqRw==
X-Received: by 2002:a05:620a:2723:b0:6df:b61f:99f6 with SMTP id b35-20020a05620a272300b006dfb61f99f6mr2322804qkp.3.1665715268254; Thu, 13 Oct 2022 19:41:08 -0700 (PDT)
Received: from smtpclient.apple (107-1-192-66-ip-static.hfc.comcastbusiness.net. [107.1.192.66]) by smtp.gmail.com with ESMTPSA id bs15-20020ac86f0f000000b003972790deb9sm1167106qtb.84.2022.10.13.19.41.06 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Oct 2022 19:41:07 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Thomas Haynes <loghyr@gmail.com>
In-Reply-To: <CADaq8jfi1ApVZeJ6LsGSPY=kRXQ2W_NZ9ixwcOnJJ-A_RH4SPA@mail.gmail.com>
Date: Thu, 13 Oct 2022 19:41:05 -0700
Cc: NFSv4 <nfsv4@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>, nfsv4-ads@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E93D76F0-3604-41ED-A240-60D93C2FA107@gmail.com>
References: <CADaq8jfi1ApVZeJ6LsGSPY=kRXQ2W_NZ9ixwcOnJJ-A_RH4SPA@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/NDWI9CC2QtdRzWx-KRrl09qreXo>
Subject: Re: [nfsv4] Adoption call for draft-dnoveck-nfsv4-security
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2022 02:41:11 -0000
> On Oct 13, 2022, at 11:07 AM, David Noveck <davenoveck@gmail.com> wrote: > > This is an adoption call for draft-dnoveck-nfsv4-security. > > This document describes nfsv4 security for all nfsv4 minor versions. It was written as part of rfc5661bis effort and is intended to result in a standards-track document. PAs stated in the abstract: First impressions: This document is huge - I thought we agreed to no longer do large WG documents? There are a log of author notes - it does not appear to be a close to finished document. Who has agreed to do the changes in their implemementations? I.e., security is important, but which vendors have agreed to make changes in their v4.0, v4.1, and v4.2 product implementations? To be fair, I would have defined the security issue with NFSv4 to be AUTH_SYS versus other models. I would not have dragged in Labeled NFS, ACLS, OPEN, etc. I might have included TLS vs Kerberos as providing over date in flight security. I would like us to focus on changes to the requirements to provide in flight security, which does not necessitate changes to the various protocols, versus new requirements which force us to change existing implemementations. > > ---- > > This document describes the core features of the NFSv4 family of protocols, applying to all minor versions. The discuss includes use of security features provided by RPC on a per-connection basis. > > The current version of the document is intended, in large part, to resulting working group discussion regarding existing NFSv4 security issues and to provide a framework for addressing these issues and obtaining working group consensus regarding necessary changes. > > When the resulting document is eventually published as an RFC, it will supersede the description of security in existing minor version specification documents such as RFC 7530 and RFC 8881. > > ---- > > The chairs would like to establish if there is interest in adopting this document by the nfsv4 working group. The call will run for two weeks until the end of day on 10/26/2022 (UTC time). Please send any objections or expressions of support for adoption to the wg mailing list. > > As stated previously, since I am the editor of this document, I will not be involved in determining whether a consensus exists. That responsibility will fall to Brian with Zahed available to fill in if Brian is unable to perform that role. > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Adoption call for draft-dnoveck-nfsv4-sec… David Noveck
- Re: [nfsv4] Adoption call for draft-dnoveck-nfsv4… Thomas Haynes
- Re: [nfsv4] Adoption call for draft-dnoveck-nfsv4… Chuck Lever III
- Re: [nfsv4] Adoption call for draft-dnoveck-nfsv4… David Noveck
- Re: [nfsv4] Adoption call for draft-dnoveck-nfsv4… Thomas Haynes
- Re: [nfsv4] Adoption call for draft-dnoveck-nfsv4… David Noveck
- Re: [nfsv4] Adoption call for draft-dnoveck-nfsv4… Rick Macklem
- [nfsv4] Fwd: Adoption call for draft-dnoveck-nfsv… Brian Pawlowski