Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 06 April 2020 13:24 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "chuck.lever@oracle.com" <chuck.lever@oracle.com>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Date: Mon, 06 Apr 2020 13:08:10 +0000
Message-ID: <fd93517045dfa60c3145e0d9e9f2c89fbedaf49b.camel@ericsson.com>
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <6E2BF0D5-821A-4AA1-9F72-ADDD45AFFE0E@oracle.com>
In-Reply-To: <6E2BF0D5-821A-4AA1-9F72-ADDD45AFFE0E@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/NIf1gyfrnt8573XeWu2cZ2ATtbs>

Hi Chuck,

So this document is clearly an opportunistic mechanism. And I am not trying to
push things beyond this in this document. However, I need to understand the
answers to certain questions that are likely to arise in the IETF last call and
IESG evaluation. 

Thanks for clarifying that due to layering, it would be a bad idea for this
document to demand anything from NFS implementations. The NFS specification
extensions/updates will have to make such a requirement. I am fine with conveying
that message to anyone raising this as an issue.

Even on the RPC level, I do think the document can become clearer in that this
document's solution is strongly recommended to be implemented to improve
security. It is good that the document does discuss how policies can be
established to move this mechanism beyond just opportunistic, hinting at the
likelihood that you will soon be required to support it.

Thus, can one introduce any RECOMMENDED/SHOULD writings on implementation of
this mechanism for RPC implementors?

Second, are there aspects of the non-normative text that can be improved?

Cheers

Magnus




On Sun, 2020-04-05 at 13:58 -0400, Chuck Lever wrote:
> Going back to Magnus' original concern:
> 
> > On Apr 1, 2020, at 4:27 AM, Magnus Westerlund <
> > magnus.westerlund@ericsson.com> wrote:
> > 
> > 13. Requirement on implementation
> >  
> > Should this document actually update any or all of the versions of NFS 4 to
> > mandate implementation support?
> 
> IMO the proper place to make fresh requirements on NFSv4 implementations is
> in NFSv4-specific documents. I would rather not focus this document any more
> on NFS than it already is. And we have a plan to author and publish one or
> more NFSv4-specific documents regarding NFS-on-TLS (which will be covered
> to some extent during our interim meeting).
> 
> So, I vote that this document should not update any NFSv4 standards-track
> documents.
> 
> 
> > From the WG's perspective, doesn't it make sense to start demanding
> > implementation support? The mechanism is clearly opportunistic in its
> > establishment; however, the goal here needs to be to get support in as many
> > places as possible.
> 
> Agreed, but practically speaking, the WG is not in control of
> implementations.
> 
> With the rpc-tls proposal IMO we are trying to walk a very fine line
> between limiting protocol changes for existing implementations and
> meeting a critical security need. The opportunistic behavior of this
> mechanism is a key part of this proposal. And the document describes
> clearly ways that implementations can force the use of TLS.
> 
> In other words, I'm hoping rpc-tls provides an easy step forward
> towards "support in as many places as possible".
> 
> 
> > Thus, a clearer signal that NFS 4.x servers and clients are expected
> > to support this should be sent. If not, can you clarify what the concerns
> > are? Because we are going to get this question again in the IESG evaluation.
> 
> We've placed early versions of this document in front of members of the
> IETF's Security Directorate. They immediately recognized that an
> opportunistic tactic such as the one we propose in rpc-tls is a
> well-understood and practical way to improve security of legacy protocols
> such as NFS. I don't expect that they will object to the opportunistic
> nature of the proposal.
> 
> However, more context (like a security strategy statement) could be
> helpful. Dave was working on a document like that, but I don't know
> what state it is currently in. I don't see it in the personal drafts
> section of the nfsv4 document datatracker.
> 
> Alternately we could introduce some security-related text to the
> WG's charter that outlines NFSv4 security strategy.
> 
> 
> > To me the reasonable plan towards always used transport security (something
> > I expect the full updates, for example of NFS v4.1 to require) is to require
> > implementation but not usage now. Then next step to require its usage.
> 
> That seems like jumping ahead of the gun. We have to get the new
> mechanism out there first. Then a subsequent NFS-on-RPC-on-TLS I-D can
> address the specifics of how NFSv4 will operate on TLS-protected
> transports. As recent nfsv4@ threads show, there are crucial NFS-
> specific details that need to be resolved before a requirement that
> is practical for NFS implementations can be made.
> 
> IMO we are on a path towards requiring NFS with TLS. This document
> is but the initial step.
> 
> 
> --
> Chuck Lever
> 
> 
> 
-- 
Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------