IETF Logo Mail Archive

[nfsv4] New wording of Security Section for Flex Files

Thomas Haynes <loghyr@primarydata.com> Tue, 25 July 2017 01:07 UTC

Return-Path: <loghyr@primarydata.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69D512702E for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 18:07:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.491
X-Spam-Level:
X-Spam-Status: No, score=-2.491 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=primarydata.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I00p3-HxEhzy for <nfsv4@ietfa.amsl.com>; Mon, 24 Jul 2017 18:07:11 -0700 (PDT)
Received: from us-smtp-delivery-194.mimecast.com (us-smtp-delivery-194.mimecast.com [216.205.24.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E89C124BE8 for <nfsv4@ietf.org>; Mon, 24 Jul 2017 18:07:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=PrimaryData.onmicrosoft.com; s=selector1-primarydata-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=UL1InQNTLpJAVZ2Qz3+TNqQWrYFkqtFNCdtzHTKpyvQ=; b=OzBPO554ymdkcEAgHwui+eAJbO6jMZFjLXtzUBPrerjGLr20EPhB28D4ehtHGWSJaJD9XcAyKW9wWPDIxtmTimUuBvy06j6C8xTufRbTokUFw/ycW1ryC0EP2PW85UTkORKfUWanA5t40d8vdjfhjgDvSJgA8z8YwSvzd2o2yHw=
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03lp0017.outbound.protection.outlook.com [207.46.163.17]) (Using TLS) by us-smtp-1.mimecast.com with ESMTP id us-mta-105-ImSZkgKjNY6HpXD_qsIbKg-1; Mon, 24 Jul 2017 21:07:06 -0400
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com (10.164.166.21) by BY2PR1101MB1094.namprd11.prod.outlook.com (10.164.166.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1282.10; Tue, 25 Jul 2017 01:07:02 +0000
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) by BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) with mapi id 15.01.1282.017; Tue, 25 Jul 2017 01:07:02 +0000
From: Thomas Haynes <loghyr@primarydata.com>
To: "nfsv4@ietf.org" <nfsv4@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Olga Kornievskaia <aglo@citi.umich.edu>
Thread-Topic: New wording of Security Section for Flex Files
Thread-Index: AQHTBOJSjJpaExLj8UGvitJ5eaVO+Q==
Date: Tue, 25 Jul 2017 01:07:02 +0000
Message-ID: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [63.157.6.18]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR1101MB1094; 20:YOaHLx9/1B6dqOzcPG9tswngT09Cr4CxujEtnBIK2Zhgfcu7vXxWMPWQyuF7pxlhutOtwVNKQlbJGzTehtAPwom6/NQODF+McvnNgqSZ8Gm1tRNOwQK3snl87FN96ULd7MTZeq+oNXIQItM1lJAoHDRtKa9uBbMdjaoF6GFT60E=
x-ms-office365-filtering-correlation-id: 339f53a0-1ace-4507-9fb6-08d4d2f97591
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY2PR1101MB1094;
x-ms-traffictypediagnostic: BY2PR1101MB1094:
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(788757137089);
x-microsoft-antispam-prvs: <BY2PR1101MB1094FEBC5A492F0345C5D107CEB80@BY2PR1101MB1094.namprd11.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(3002001)(93006095)(93001095)(10201501046)(6041248)(20161123555025)(20161123560025)(20161123564025)(20161123562025)(2016111802025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(6072148)(6043046)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR1101MB1094; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR1101MB1094;
x-forefront-prvs: 03793408BA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39450400003)(39410400002)(39400400002)(39830400002)(189002)(199003)(3846002)(6436002)(6116002)(77096006)(102836003)(38730400002)(101416001)(6506006)(2171002)(54356999)(2906002)(50986999)(99286003)(68736007)(6486002)(66066001)(53936002)(14454004)(6512007)(105586002)(106356001)(25786009)(478600001)(3660700001)(33656002)(3280700002)(2501003)(97736004)(2900100001)(36756003)(82746002)(83716003)(8936002)(5660300001)(189998001)(81166006)(305945005)(86362001)(15650500001)(7736002)(81156014)(8676002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR1101MB1094; H:BY2PR1101MB1093.namprd11.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-ID: <F50C0BB4387F144D8C9F57B36884C69C@namprd11.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: primarydata.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jul 2017 01:07:02.5062 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 03193ed6-8726-4bb3-a832-18ab0d28adb7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR1101MB1094
X-MC-Unique: ImSZkgKjNY6HpXD_qsIbKg-1
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/O4RCUkZC5fE0RkU3HSYMc9jjgJo>
Subject: [nfsv4] New wording of Security Section for Flex Files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 01:07:14 -0000

I hope the following addresses the issues brought up by Ben and Olga;

First paragraph of Section 15 is replaced by:

   The pNFS extension partitions the NFSv4.1+ file system protocol into
   two parts, the control path and the data path (storage protocol).
   The control path contains all the new operations described by this
   extension; all existing NFSv4 security mechanisms and features apply
   to the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]).  The
   combination of components in a pNFS system is required to preserve
   the security properties of NFSv4.1+ with respect to an entity
   accessing data via a client, including security countermeasures to
   defend against threats that NFSv4.1+ provides defenses for in
   environments where these threats are considered significant.

Replace Section 15.1 with:

   RPCSEC_GSS version 3 (RPCSEC_GSSv3) [RFC7861] could be used to
   authorize the client to the storage device on behalf of the metadata
   server.  This would require that each of the metadata server, storage
   device, and client would have to implement RPCSEC_GSSv3.  The second
   requirement does not match the intent of the loosely coupled model
   that the storage device need not be modified.  (Note that this does
   not preclude the use of RPCSEC_GSSv3 in a loosely coupled model.)

   Under this coupling model, the principal used to authenticate the
   metadata file is different than that used to authenticate the data
   file.  For the metadata server, the RPC credentials would be
   generated by the same source as the client.  For RPC credentials to
   the data on the storage device, the metadata server would be
   responsible for their generation.  Such "credentials" SHOULD be
   limited to just the data file be accessed.  Using Kerberos V5 GSS-API
   [RFC4121], some possible approaches would be:

   o  a dedicated/throwaway client principal name akin to the synthetic
      uid/gid schemes.

   o  authorization data in the ticket.

   o  an out-of-band scheme between the client and metadata server.

   [[AI15: Editorial Note: I have *SHOULD* and not *MUST* because there
   might be some limit on the number of outstanding credentials due to
   either the number of files or the number of client.  Feel free to
   correct me.  --TH]]

   Depending on the implementation details, fencing would then be
   controlled either by expiring the credential or by modifying the
   synthetic uid or gid on the data file.  I.e., if the credentials are
   at a finer granularity than the synthetic ids, it might be possible
   to also fence just one client from the file.

Replace 15.1.2 with:

   With tight coupling, the principal used to access the metadata file
   is exactly the same as used to access the data file.  The storage
   device can use the control protocol to validate any RPC credentials.
   As a result there are no security issues related to using RPCSEC_GSS
   with a tightly coupled system.  For example, if Kerberos V5 GSS-API
   [RFC4121] is used as the security mechanism, then the storage device
   could use a control protocol to validate the RPC credentials to the
   metadata server.

v2.23.0 | Report a Bug | By Email