Re: [nfsv4] Martin Duke's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)
Martin Duke <martin.h.duke@gmail.com> Mon, 29 June 2020 18:38 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBFDE3A0C33; Mon, 29 Jun 2020 11:38:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HC9FGFI_Sr2h; Mon, 29 Jun 2020 11:38:34 -0700 (PDT)
Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 632A63A0C2F; Mon, 29 Jun 2020 11:38:34 -0700 (PDT)
Received: by mail-il1-x133.google.com with SMTP id t27so10421104ill.9; Mon, 29 Jun 2020 11:38:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z93GfFWi7yKpylbmsXPuxxhW5WQ8WED6mDfKRJTnTvQ=; b=sYGAVJSBJoc6zbKstlbpxrVRZEej21R1zfBnNO9AeVUcSUYtpxDf5c4qOoHRSSBBrB IW4gb7TzhtpeX4FmhPdQrL7CkAjYjj2QOoxScgfv5PW2ayGxbxPrfrX1Doi2QJ3oaZwm iTGRDeQk6BDyAncHZjmkqts+tDUwSefayI206BXu/urhCVmGjsoYLF7veX07Qevq5ZWm hN1+oQbDBqFuo8viQSAJ75jRSEq1KxDODfelZ/GRggRhm8JYuF4+BWk4E0qdny5Sq4tv YzxAknHsZ2GfKcdRWxP8Gvr0MUhpVzn5fVrwtWCpeMb2ndvYHf+hWyKHl1ytig9SP+bb mxkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z93GfFWi7yKpylbmsXPuxxhW5WQ8WED6mDfKRJTnTvQ=; b=Z/5+fDSMSkDqMT1B0VGpg4+UEpsySuB91vlUYCNmme5layW++afBiPITgpIp9IeT62 4uTGm6Lfw9JXqtiRxhkfqwE49piDDNo3/rgYx0v5GKd4uks2gsmXTuqWlKRlMJSbjgT9 sRWh//NM9Yxz0hesB/5XenSWs1+PwXAvrTVuAx6Pkx4Qk1+zoXpzsQ1DNFZR78Y/BEwl LUWAFQuZsM9ZQgBA6yYf14tizBAWYVI6hz+4ewBzvUfLHkyHRStVylcvWCiYR968Kx/w ZSOk8Pif7y1PrMp7ziL8LcROxvQHmBOJZX1PjLNCjEvlwC6XzBhnyCYpNZdrHKvrP6bi yp0A==
X-Gm-Message-State: AOAM533y8A6NLwt/zIXFbmbgeH4JxB+0iMvcYNgzxmuF6o0eQZ8xAy0M gN3DAcJC3/nPGkQm1KXLnJuBK4yninKUkxZNJRc=
X-Google-Smtp-Source: ABdhPJxYvI96+dexgoAYmBL5mojCnGskE0RG0G7k5O300bqiM1h+z5Tqj0oopOH99oGcxPhgy7mvHzOnNEwRlf4YxhQ=
X-Received: by 2002:a92:d6d2:: with SMTP id z18mr5963061ilp.272.1593455913551; Mon, 29 Jun 2020 11:38:33 -0700 (PDT)
MIME-Version: 1.0
References: <159311856977.23665.6882641799899154823@ietfa.amsl.com> <797483BA-93B2-45AC-B2BC-044E905F40C9@oracle.com> <CAM4esxRCvw2vMwmcDS8NrZAvsJaY5U+QFV9o0R1O2mKpABdDhA@mail.gmail.com>
In-Reply-To: <CAM4esxRCvw2vMwmcDS8NrZAvsJaY5U+QFV9o0R1O2mKpABdDhA@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Mon, 29 Jun 2020 11:38:22 -0700
Message-ID: <CAM4esxTnn5HCz6XKHEE5U31VhtptoUUfX1qhEZimm=-b1puq6g@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-nfsv4-rpc-tls@ietf.org, nfsv4-chairs@ietf.org, nfsv4@ietf.org, David Noveck <davenoveck@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b14c9805a93d5ddc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Niv_QOuAmiPxJlq5EUKjuZqwLT0>
Subject: Re: [nfsv4] Martin Duke's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2020 18:38:37 -0000
Oops, hit send too early. In either of these modes, RPC user authentication is not affected by the use of transport layer security. When a client presents a TLS peer identity to an RPC server, the protocol extension described in the current document provides no way for the server to know whether that identity represents one RPC user on that client, or is shared amongst many RPC users. Therefore, a server that wishes to authenticate clients in accordance with Section 7 of [RFC5531] MUST use an auth_flavor other than AUTH_TLS in a call message after the TLS handshake is complete. This suggestion is meant to be helpful and is non-blocking in my review. On Mon, Jun 29, 2020 at 11:35 AM Martin Duke <martin.h.duke@gmail.com> wrote: > All of these changes are satisfactory, thanks. > > On the issue of Sec 4.2: > I am not knowledgeable about this, but how about: > OLD: > > In either of these modes, RPC user authentication is not affected by > the use of transport layer security. When a client presents a TLS > peer identity to an RPC server, the protocol extension described in > the current document provides no way for the server to know whether > that identity represents one RPC user on that client, or is shared > amongst many RPC users. Therefore, a server implementation must not > utilize the remote TLS peer identity for RPC user authentication. > > NEW: > > In either of these modes, RPC user authentication is not affected by > the use of transport layer security. When a client presents a TLS > peer identity to an RPC server, the protocol extension described in > the current document provides no way for the server to know whether > that identity represents one RPC user on that client, or is shared > amongst many RPC users. Therefore, a server that wishes to authenti > > > > > On Sat, Jun 27, 2020 at 10:29 AM Chuck Lever <chuck.lever@oracle.com> > wrote: > >> Hi Martin- >> >> Thank you for your comments. >> >> >> > On Jun 25, 2020, at 4:56 PM, Martin Duke via Datatracker < >> noreply@ietf.org> wrote: >> > >> > ---------------------------------------------------------------------- >> > DISCUSS: >> > ---------------------------------------------------------------------- >> > >> > This presumably a trivial fix but I think it's important enough to be a >> DISCUSS: >> > >> > I think the document needs some discussion of the security properties >> of TLS1.3 >> > early data over TCP, if only to refer to Section 8 of RFC 8446 (replay) >> and >> > mention that it is not forward-secure, unlike the rest of the payload. >> >> We could extend the first paragraph of Section 7, as follows: >> >> OLD: >> >> 7. Security Considerations >> >> One purpose of the mechanism described in the current document is to >> protect RPC-based applications against threats to the confidentiality >> of RPC transactions and RPC user identities. A taxonomy of these >> threats appears in Section 5 of [RFC6973]. Also, Section 6 of >> [RFC7525] contains a detailed discussion of technologies used in >> conjunction with TLS. Implementers should familiarize themselves >> with these materials. >> >> NEW: >> >> 7. Security Considerations >> >> One purpose of the mechanism described in the current document is to >> protect RPC-based applications against threats to the confidentiality >> of RPC transactions and RPC user identities. A taxonomy of these >> threats appears in Section 5 of [RFC6973]. Also, Section 6 of >> [RFC7525] contains a detailed discussion of technologies used in >> conjunction with TLS. Implementers should familiarize themselves >> with these materials. >> >> Once a TLS session is established, the RPC payload carried on TLSv1.3 >> is forward-secure. However, implementers need to be aware that replay >> attacks can occur during session establishment. Remedies for such >> attacks are discussed in detail in Section 8 of [RFC 8446]. >> >> >> > ---------------------------------------------------------------------- >> > COMMENT: >> > ---------------------------------------------------------------------- >> > >> > Thank you for this draft. I fully support bringing TLS into more use >> cases of >> > this type. >> > >> > Some comments: >> > Sec 1. >> > "Moreover, the use of AUTH_SYS remains common despite the adverse >> effects that >> > acceptance of UIDs and GIDs from unauthenticated clients brings with it. >> > Continued use is in part because: >> > >> > Per-client deployment and administrative costs are not scalable. >> Administrators >> > must provide keying material for each RPC client, including transient >> clients. >> > Host identity management and user identity management must be enforced >> in the >> > same security realm. In certain environments, different authorities >> might be >> > responsible for provisioning client systems versus provisioning new >> users." >> > >> > The text above says that something is still in use because..., and then >> > mentions two things that are bad. I think the two items are supposed to >> refer >> > to GSS? >> >> Indeed, they do. >> >> NEW: >> >> Moreover, the use of AUTH_SYS remains common despite the adverse >> effects that acceptance of UIDs and GIDs from unauthenticated clients >> brings with it. Continued use is in part because: >> >> * Per-client GSS deployment and administrative costs are not >> scalable. Administrators must provide keying material for each >> RPC client, including transient clients. >> >> * GSS host identity management and user identity management must be >> enforced in the same security realm. In certain environments, >> different authorities might be responsible for provisioning client >> systems versus provisioning new users. >> >> >> > Sec 4.2 This sure looks like normative text, so s/must not/MUST NOT "... >> > utilize the remote TLS peer identity for RPC user authentication" >> >> This paragraph formerly had MUST NOT, but was rewritten to address this >> issue: >> >> https://github.com/chucklever/i-d-rpc-tls/issues/5 >> >> There was a concern that the existing statement was not specific enough >> to make >> it a compliance requirement. In particular, some implementations do want >> to use >> the peer identity for access control decisions, though not on a per-user >> basis. >> >> I'm open to some change here, but I'd like to hear suggestions about >> wording >> to make the new compliance statement more actionable. >> >> >> > Sec 5.1.2 Similarly, s/should/SHOULD "...employ ConnectionIDs of at >> least 4 >> > bytes in length." >> >> No objection to using SHOULD. >> >> >> -- >> Chuck Lever >> >> >> >>
- [nfsv4] Martin Duke's Discuss on draft-ietf-nfsv4… Martin Duke via Datatracker
- Re: [nfsv4] Martin Duke's Discuss on draft-ietf-n… Chuck Lever
- Re: [nfsv4] Martin Duke's Discuss on draft-ietf-n… Martin Duke
- Re: [nfsv4] Martin Duke's Discuss on draft-ietf-n… Martin Duke
- Re: [nfsv4] Martin Duke's Discuss on draft-ietf-n… Chuck Lever
- Re: [nfsv4] Martin Duke's Discuss on draft-ietf-n… Benjamin Kaduk
- Re: [nfsv4] Martin Duke's Discuss on draft-ietf-n… Martin Duke
- Re: [nfsv4] Martin Duke's Discuss on draft-ietf-n… Chuck Lever
- Re: [nfsv4] Martin Duke's Discuss on draft-ietf-n… Martin Duke