[nfsv4] New wording of Security Section for Flex Files
Thomas Haynes <loghyr@primarydata.com> Tue, 25 July 2017 01:07 UTC
Return-Path: <loghyr@primarydata.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69D512702E for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 18:07:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.491
X-Spam-Level:
X-Spam-Status: No, score=-2.491 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=primarydata.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I00p3-HxEhzy for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 18:07:11 -0700 (PDT)
Received: from us-smtp-delivery-194.mimecast.com (us-smtp-delivery-194.mimecast.com [216.205.24.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E89C124BE8 for <nfsv4@ietf.org>; Mon, 24 Jul 2017 18:07:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=PrimaryData.onmicrosoft.com; s=selector1-primarydata-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=UL1InQNTLpJAVZ2Qz3+TNqQWrYFkqtFNCdtzHTKpyvQ=; b=OzBPO554ymdkcEAgHwui+eAJbO6jMZFjLXtzUBPrerjGLr20EPhB28D4ehtHGWSJaJD9XcAyKW9wWPDIxtmTimUuBvy06j6C8xTufRbTokUFw/ycW1ryC0EP2PW85UTkORKfUWanA5t40d8vdjfhjgDvSJgA8z8YwSvzd2o2yHw=
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03lp0017.outbound.protection.outlook.com [207.46.163.17]) (Using TLS) by us-smtp-1.mimecast.com with ESMTP id us-mta-105-ImSZkgKjNY6HpXD_qsIbKg-1; Mon, 24 Jul 2017 21:07:06 -0400
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com (10.164.166.21) by BY2PR1101MB1094.namprd11.prod.outlook.com (10.164.166.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1282.10; Tue, 25 Jul 2017 01:07:02 +0000
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) by BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) with mapi id 15.01.1282.017; Tue, 25 Jul 2017 01:07:02 +0000
From: Thomas Haynes <loghyr@primarydata.com>
To: "nfsv4@ietf.org" <nfsv4@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Olga Kornievskaia <aglo@citi.umich.edu>
Thread-Topic: New wording of Security Section for Flex Files
Thread-Index: AQHTBOJSjJpaExLj8UGvitJ5eaVO+Q==
Date: Tue, 25 Jul 2017 01:07:02 +0000
Message-ID: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [63.157.6.18]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR1101MB1094; 20:YOaHLx9/1B6dqOzcPG9tswngT09Cr4CxujEtnBIK2Zhgfcu7vXxWMPWQyuF7pxlhutOtwVNKQlbJGzTehtAPwom6/NQODF+McvnNgqSZ8Gm1tRNOwQK3snl87FN96ULd7MTZeq+oNXIQItM1lJAoHDRtKa9uBbMdjaoF6GFT60E=
x-ms-office365-filtering-correlation-id: 339f53a0-1ace-4507-9fb6-08d4d2f97591
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY2PR1101MB1094;
x-ms-traffictypediagnostic: BY2PR1101MB1094:
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(788757137089);
x-microsoft-antispam-prvs: <BY2PR1101MB1094FEBC5A492F0345C5D107CEB80@BY2PR1101MB1094.namprd11.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(3002001)(93006095)(93001095)(10201501046)(6041248)(20161123555025)(20161123560025)(20161123564025)(20161123562025)(2016111802025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(6072148)(6043046)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR1101MB1094; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR1101MB1094;
x-forefront-prvs: 03793408BA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39450400003)(39410400002)(39400400002)(39830400002)(189002)(199003)(3846002)(6436002)(6116002)(77096006)(102836003)(38730400002)(101416001)(6506006)(2171002)(54356999)(2906002)(50986999)(99286003)(68736007)(6486002)(66066001)(53936002)(14454004)(6512007)(105586002)(106356001)(25786009)(478600001)(3660700001)(33656002)(3280700002)(2501003)(97736004)(2900100001)(36756003)(82746002)(83716003)(8936002)(5660300001)(189998001)(81166006)(305945005)(86362001)(15650500001)(7736002)(81156014)(8676002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR1101MB1094; H:BY2PR1101MB1093.namprd11.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-ID: <F50C0BB4387F144D8C9F57B36884C69C@namprd11.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: primarydata.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jul 2017 01:07:02.5062 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 03193ed6-8726-4bb3-a832-18ab0d28adb7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR1101MB1094
X-MC-Unique: ImSZkgKjNY6HpXD_qsIbKg-1
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/O4RCUkZC5fE0RkU3HSYMc9jjgJo>
Subject: [nfsv4] New wording of Security Section for Flex Files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 01:07:14 -0000
I hope the following addresses the issues brought up by Ben and Olga; First paragraph of Section 15 is replaced by: The pNFS extension partitions the NFSv4.1+ file system protocol into two parts, the control path and the data path (storage protocol). The control path contains all the new operations described by this extension; all existing NFSv4 security mechanisms and features apply to the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]). The combination of components in a pNFS system is required to preserve the security properties of NFSv4.1+ with respect to an entity accessing data via a client, including security countermeasures to defend against threats that NFSv4.1+ provides defenses for in environments where these threats are considered significant. Replace Section 15.1 with: RPCSEC_GSS version 3 (RPCSEC_GSSv3) [RFC7861] could be used to authorize the client to the storage device on behalf of the metadata server. This would require that each of the metadata server, storage device, and client would have to implement RPCSEC_GSSv3. The second requirement does not match the intent of the loosely coupled model that the storage device need not be modified. (Note that this does not preclude the use of RPCSEC_GSSv3 in a loosely coupled model.) Under this coupling model, the principal used to authenticate the metadata file is different than that used to authenticate the data file. For the metadata server, the RPC credentials would be generated by the same source as the client. For RPC credentials to the data on the storage device, the metadata server would be responsible for their generation. Such "credentials" SHOULD be limited to just the data file be accessed. Using Kerberos V5 GSS-API [RFC4121], some possible approaches would be: o a dedicated/throwaway client principal name akin to the synthetic uid/gid schemes. o authorization data in the ticket. o an out-of-band scheme between the client and metadata server. [[AI15: Editorial Note: I have *SHOULD* and not *MUST* because there might be some limit on the number of outstanding credentials due to either the number of files or the number of client. Feel free to correct me. --TH]] Depending on the implementation details, fencing would then be controlled either by expiring the credential or by modifying the synthetic uid or gid on the data file. I.e., if the credentials are at a finer granularity than the synthetic ids, it might be possible to also fence just one client from the file. Replace 15.1.2 with: With tight coupling, the principal used to access the metadata file is exactly the same as used to access the data file. The storage device can use the control protocol to validate any RPC credentials. As a result there are no security issues related to using RPCSEC_GSS with a tightly coupled system. For example, if Kerberos V5 GSS-API [RFC4121] is used as the security mechanism, then the storage device could use a control protocol to validate the RPC credentials to the metadata server.
- [nfsv4] New wording of Security Section for Flex … Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Benjamin Kaduk
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… David Noveck
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Rick Macklem
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia