IETF Logo Mail Archive

Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)

spencer shepler <spencer.shepler@gmail.com> Wed, 11 April 2018 23:45 UTC

Return-Path: <spencer.shepler@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D5E712D810; Wed, 11 Apr 2018 16:45:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id evF1YJ_jtBRx; Wed, 11 Apr 2018 16:45:23 -0700 (PDT)
Received: from mail-ot0-x231.google.com (mail-ot0-x231.google.com [IPv6:2607:f8b0:4003:c0f::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0D4E12D7F8; Wed, 11 Apr 2018 16:45:22 -0700 (PDT)
Received: by mail-ot0-x231.google.com with SMTP id d9-v6so3979165oth.10; Wed, 11 Apr 2018 16:45:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rQKAQzzQ1A02iNUYdvWJFRYBj5ytJ6n4WjmcSUtNHqM=; b=YJ3p47QXpUco01cEZFO57YtEuNGq3vApQm6N4OuZ4AvDbyWuB6HaJ1Uam8muyL9D9i cAdmoNdGX6dB/LitFDdDi7J90WfTrJ75JtLU9jUW83RxeITM0qoAnFHX/Dg5OxtFGd73 7KW74iIf4OYidyJ47UWvvbvEOxtGy4QN5oRNuWcSZ1gUb5pfScfLQmwBHNAmkAHMPYoz rUTt8nVwXBt8B7RDlNx0IBqVoxvLPnZ9sRPR+/zVKZuDuV5b/1Hy4ZctdHOEqKslMy5j JJLWSnRDZJsNjGEMcjYLzJsL5QVkmNSb6pKqfTHx7goug7IritFYzIxAxzdXKQj9d5qR WIag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rQKAQzzQ1A02iNUYdvWJFRYBj5ytJ6n4WjmcSUtNHqM=; b=Weq9iP4swkG0iFy+71RfZJ6SxtB2ozDxb2OyYnektPCxy3yZ5vOdui9CIrIUYA9okK GRcwl/oqSzDUFiAF0EZp6ZEngY6CL5tvYdX6f9XSoJBJdrajs5sf5NtTQTUuhVPUKC8e e248+ROw1Im9l00qI/bTSkMavzDq4/gYhqhxhNzcsWzx5yn3BWndNfH/MaeFInPvdrhg JH+wsaFhw9JW1HxdLABkdDZ/SdALJGxmV28VJ25Q7tinQiH3ZcnaHYADtBABLAuEtbvs EJFfyif4OgDWh3n7dbcHbnL7l5442GiCYh6u1GuA9u2CeeekFxjSmbP5PCkzYBhdZ7Fo 3qww==
X-Gm-Message-State: ALQs6tCJ4JssMwMTmnJxXRNTWjfLmrd6ZH6HBkJFF3y1M9S5ql9uB1Hn 7OvaAYpAAadOEY1CWtuUvxpY2qY/xHNqB/xPQ+g=
X-Google-Smtp-Source: AIpwx4+b9j5IfH0V/Y750nhBxTAb6/8tfflT3rSpH56fxlCWmEwGJzmUvuqVqzm/G5QIHjOr9OvgVt2DmrOby/l7nmk=
X-Received: by 2002:a9d:4389:: with SMTP id t9-v6mr3580659ote.262.1523490322269; Wed, 11 Apr 2018 16:45:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.19.69 with HTTP; Wed, 11 Apr 2018 16:45:21 -0700 (PDT)
In-Reply-To: <897972F7-E7B8-4C6D-9470-CBD44B229CE7@gmail.com>
References: <151683050192.22597.10931170494891133045.idtracker@ietfa.amsl.com> <9FD918F5-D08C-45FC-B6BB-30CBB3D4EC51@gmail.com> <CABcZeBPE5gV3KPpRpRxAtYRSSCZh8+3-fcf-1VsxF3AxmomnwQ@mail.gmail.com> <F2ADAD73-6AB3-45EF-B6FE-033E01F58D8E@gmail.com> <CAKKJt-e=81qyR3YXNb9imu8kzk6+nCYgMjeZqHNwt3xi4CfNxQ@mail.gmail.com> <CABcZeBPM_Rnb0QZvbvBpUCNd6yurtz0ipexUQscmnG_samb2RA@mail.gmail.com> <FD8AF7AF-632A-461C-A82A-BC0711B2F8D0@gmail.com> <CABcZeBMhEHhV1ie=TNqrj_arupO=kd27houBpZgdqZw1pPMfww@mail.gmail.com> <5C013DFE-96E3-4B74-B597-5F3FE1D314C6@gmail.com> <CAKKJt-deRBop1n8sv6dNaqUL_RUWxWMELutWubRdTOovKXEHwg@mail.gmail.com> <3670A5DF-4E11-4848-AE28-354F45F50D2B@gmail.com> <CAKKJt-dmcqLULhe_92wwOqVTcxKweB4YqiPKxoePRZAiQfv-Mg@mail.gmail.com> <CABcZeBMNQKV8m3Z46rsMKjraaHH5zCcKEe-Vo-b+Yo2SRQjTYg@mail.gmail.com> <897972F7-E7B8-4C6D-9470-CBD44B229CE7@gmail.com>
From: spencer shepler <spencer.shepler@gmail.com>
Date: Wed, 11 Apr 2018 16:45:21 -0700
Message-ID: <CAFt6BamJhdjq6M07LKkg_0FKgPiSNkQMFVuVvmma_SGpCDdbEg@mail.gmail.com>
To: Tom Haynes <loghyr@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Spencer Dawkins <spencerdawkins.ietf@gmail.com>, draft-ietf-nfsv4-flex-files@ietf.org, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007a6f8a05699b3b57"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/NjlBA4AnrIy0qbag9X6JI-eH0nA>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 23:45:25 -0000

Spencer D. asked a question about working group surprise....

Given that the WG is cc'd here and IMO, Tom is addressing the questions
effectively, I think we can move forward with Tom's suggested text and ask
the WG to comment if there are any concerns.

So, WG, please express any concerns that may exist.

Thanks,
Spencer S.


On Wed, Apr 11, 2018 at 2:25 PM, Tom Haynes <loghyr@gmail.com> wrote:

> Hi Eric,
>
> It is the same.
>
> Section 2.2:
>
>    It is RECOMMENDED to implement common access control methods at the
>    storage device filesystem to allow only the metadata server root
>    (super user) access to the storage device, and to set the owner of
>    all directories holding data files to the root user.  This approach
>    provides a practical model to enforce access control and fence off
>    cooperative clients, but it can not protect against malicious
>    clients; hence it provides a level of security equivalent to
>    AUTH_SYS.  It is RECOMMENDED that the communication between the
>    metadata server and storage device be secure from eavesdroppers and
>    man-in-the-middle protocol tampering.  The security measure could be
>    due to physical security (e.g., the servers are co-located in a
>    physically secure area), from encrypted communications, or some other
>    technique.
>
> (By the way, this contradicts the original text in my first paragraph below
> and is why we needed a change.)
>
> And as for why, Section 15.1.1 discusses why RPCSEC_GSS is not
> provided in this version of the Flex File Layout Type.
>
> Thanks,
> Tom
>
> On Apr 11, 2018, at 1:52 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Hi Tom.
>
> This text is clear, but I fear it doesn't answer the question I asked in
> my discuss: how does the security here compare to ordinary NFS and why.
>
> -Ekr
>
>
> On Wed, Apr 11, 2018 at 11:08 AM, Spencer Dawkins at IETF <
> spencerdawkins.ietf@gmail.com> wrote:
>
>> Hi, Tom,
>>
>> On Wed, Apr 11, 2018 at 12:38 PM, Tom Haynes <loghyr@gmail.com> wrote:
>>
>>> So actually, after thinking about, the discussion about securing the
>>> namespace on
>>> the storage device is wrong.
>>>
>>> The current text is:
>>>
>>>
>>>    The combination of file handle, synthetic uid, and gid in the layout
>>>    are the way that the metadata server enforces access control to the
>>>    data server.  The directory namespace on the storage device SHOULD
>>>    only be accessible to the metadata server and not the clients.  In
>>>    that case, the client only has access to file handles of file objects
>>>    and not directory objects.  Thus, given a file handle in a layout, it
>>>    is not possible to guess the parent directory file handle.  Further,
>>>    as the data file permissions only allow the given synthetic uid read/
>>>    write permission and the given synthetic gid read permission, knowing
>>>    the synthetic ids of one file does not necessarily allow access to
>>>    any other data file on the storage device.
>>>
>>>    The metadata server can also deny access at any time by fencing the
>>>    data file, which means changing the synthetic ids.  In turn, that
>>>    forces the client to return its current layout and get a new layout
>>>    if it wants to continue IO to the data file.
>>>
>>>    If the configuration of the storage device is such that clients can
>>>    access the directory namespace, then the access control degrades to
>>>    that of a typical NFS server with exports with a security flavor of
>>>    AUTH_SYS.  Any client which is allowed access can forge credentials
>>>    to access any data file.  The caveat is that the rogue client might
>>>    have no knowledge of the data file's type or position in the metadata
>>>    directory namespace.
>>>
>>> My replacement would be:
>>>
>>>    The combination of file handle, synthetic uid, and gid in the layout
>>>    are the way that the metadata server enforces access control to the
>>>    data server.  The client only has access to file handles of file
>>>    objects and not directory objects.  Thus, given a file handle in a
>>>    layout, it is not possible to guess the parent directory file handle.
>>>    Further, as the data file permissions only allow the given synthetic
>>>    uid read/write permission and the given synthetic gid read
>>>    permission, knowing the synthetic ids of one file does not
>>>    necessarily allow access to any other data file on the storage
>>>    device.
>>>
>>>    The metadata server can also deny access at any time by fencing the
>>>    data file, which means changing the synthetic ids.  In turn, that
>>>    forces the client to return its current layout and get a new layout
>>>    if it wants to continue IO to the data file.
>>>
>>
>> Thanks for proposing new text here.
>>
>> Spencer (S) as shepherd and WG co-chair, does this look like something
>> that would come as a surprise to the working group?
>>
>> Spencer (D) as AD
>>
>
>
>

v2.23.0 | Report a Bug | By Email