Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
Chuck Lever <chuck.lever@oracle.com> Mon, 27 April 2020 15:56 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB63F3A0DB8 for <nfsv4@ietfa.amsl.com>; Mon, 27 Apr 2020 08:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eScOzBjmyBuN for <nfsv4@ietfa.amsl.com>; Mon, 27 Apr 2020 08:56:18 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAA013A0D40 for <nfsv4@ietf.org>; Mon, 27 Apr 2020 08:56:18 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03RFrEFl073483; Mon, 27 Apr 2020 15:56:13 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=koJ0tJpclGXG2kvJhmgTiz9JEYLavwsQ0mymQm2FYqc=; b=VgOe7jyQxti3dogj1wJGqlQ2F8fRc//gYSgMBh3Jqvs3UYl1cy9IIDZcwbtenIl0oXWX eK/x9IQ2+wG/i0eEinu5m3LT6e8SATMvb4y9I5zY913FFsDsDKo4P7+UW9XNinzAxjqW OFuQ5gChofOL8tte45BntGnXgnCpJ/6+XDY0nczZKDYtLWGNtTXbThVYhiQfcF0fJhET oByoai5RLlWICeL9lygT47SjX9obK2eaw1b9WK0GDZ5TzJ6VbOmFW30PyUCnPO4PEXlw NxcUoaYekYGH01CLq3WnYbHjga4DNmv2cqlfVBg5iZW2DnfnGmPYYqK5EO3L/XCmpA/7 Yw==
Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by userp2130.oracle.com with ESMTP id 30p01nh106-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 27 Apr 2020 15:56:13 +0000
Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03RFpwI0168228; Mon, 27 Apr 2020 15:56:13 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserp3030.oracle.com with ESMTP id 30mxrqjs35-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 27 Apr 2020 15:56:12 +0000
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 03RFuCck031873; Mon, 27 Apr 2020 15:56:12 GMT
Received: from anon-dhcp-153.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 27 Apr 2020 08:56:12 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <94F6D6BE-F62E-4FAA-91E4-D70C6C69C581@oracle.com>
Date: Mon, 27 Apr 2020 11:56:11 -0400
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DD398735-38EA-43E5-AEAC-81027B000617@oracle.com>
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <FA2D661E-A787-4772-8F9D-A7594AE82F38@oracle.com> <CADaq8jciLWhL_FMmPcsdrVVS=9Gee8SYAsqi36H5v9iuNo7Pgw@mail.gmail.com> <E414F060-532B-4017-AC7E-5869884B2153@oracle.com> <e5796752c6204ffdd78503b1a9c9045cfd761e52.camel@gmail.com> <F9AC44CE-750E-416A-944D-E2382524020E@oracle.com> <19d2513b1093fc71223e361afca90d1a1ad6183a.camel@gmail.com> <E8D24949-C2A3-463A-953F-FAE7F46D4D23@oracle.com> <4e7912c6c55680f50b05aaa2cdc98f59733cd5b2.camel@ericsson.com> <C89BF8F3-7F65-4995-9CDB-CC1673E01463@oracle.com> <7833b21f09aaffdb35e1a578e2a07b533002d318.camel@ericsson.com> <7B26B15B-DE0C-4B6C-BBB0-D8F7B00EF328@oracle.com> <HE1PR0702MB3772D2EF118A844C6527171995D20@HE1PR0702MB3772.eurprd07.prod.outlook.com> <5CC44355-69D5-4C26-A976-FBECB182033D@oracle.com> <6f44c1ed7d6b4889cc2fdf6597fa032c32a98c75.camel@ericsson.com> <3FE13967-9805-4808-90ED-851B5FEF38DD@oracle.com> <0c882df033889200e038e068ba6d6977520072bf.camel@ericsson.com> <BB87D726-1A4C-4BAD-B67E-5869BF147646@oracle.com> <ff05325b40e8be64055af25b8dd22c8323565fd6.camel@ericsson.com> <83499FF8-BF16-46F4-9485-9694E3BB81D5@oracle.com> <CAABAsM5tUauO3tKAmSbqXKQ6zNRRMpM6Gx9BeR1WTDddHLP+og@mail.gmail.com> <94F6D6BE-F62E-4FAA-91E4-D70C6C69C581@oracle.com>
To: Trond Myklebust <trondmy@gmail.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9604 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 phishscore=0 suspectscore=0 mlxlogscore=999 malwarescore=0 bulkscore=0 spamscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004270130
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9604 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 spamscore=0 clxscore=1015 phishscore=0 mlxlogscore=999 adultscore=0 priorityscore=1501 mlxscore=0 suspectscore=0 malwarescore=0 lowpriorityscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004270130
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/P1IvlNoEVo8VndsStSxavwpQCqA>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 15:56:26 -0000
Sorry, I'm not sure how Magnus got dropped. > On Apr 27, 2020, at 11:45 AM, Chuck Lever <chuck.lever@oracle.com> wrote: > >> On Apr 27, 2020, at 11:11 AM, Trond Myklebust <trondmy@gmail.com> wrote: >> >> On Mon, 27 Apr 2020 at 10:21, Chuck Lever <chuck.lever@oracle.com> wrote: >> Hi Magnus- >> >>> On Apr 27, 2020, at 4:47 AM, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote: >>> >>> Hi, >>> >>> I think that text works. However, that now recommends using a non-zero >>> connection ID. From my perspective which have no implementation stake into this, >>> this is fine. However, I would note that this backtracks on what was said just a >>> few messages ago. >> >> It's always possible I've gotten something wrong. However, I realized that RPC >> on UDP permits an RPC server to use a different network path to send a Reply >> than the path the client used to send the matching Call. IIUC a substantial CID >> is needed to deal correctly with that situation. >> >> >> I don't think that matters. The server should always authenticate to the client during the D/TLS handshake, so there should be no ambiguity about the source of the replies. > > The server is free to reply via any of its network interfaces. In other > words, it can perform the handshake using one 5-tuple, then send replies > via another (or send them via a mix of 5-tuples). > > A CID is needed to handle NAT rebinding in any case. But IIUC rebinding > would look like the client's 5-tuple changing, not the server's. > > The question in mind is whether a DTLS session will be perturbed by the > server's or client's 5-tuple changing. Magnus, can you elaborate on your > earlier request for a clear statement about this in this section? Is this > no longer a concern now that the REQUIREMENT to drop an out-of-session > RPC Call? "to drop an out-of-session RPC Call has been removed from this section?" > For RPC-on-DTLS, each DTLS handshake MUST include the connection_id > extension described in Section 9 of [I-D.ietf-tls-dtls13]. RPC-on- > DTLS peer endpoints SHOULD provide a ConnectionID with a non-zero > length. Endpoints implementing RPC programs that expect a > significant number of concurrent clients should employ ConnectionIDs > of at least 4 bytes in length. > > Also, I'm not certain if SHOULD is correct here. Instead, "should" or > "MUST" might be less ambiguous. However, if we all agree the statement is > totally unnecessary, it can be replaced or dropped. > > >>> I think other WG paricipants should provide input here. >> >> I agree, comments welcome. >> >> >>> Cheers >>> >>> Magnus >>> >>> On Thu, 2020-04-23 at 11:48 -0400, Chuck Lever wrote: >>>>> On Apr 23, 2020, at 3:27 AM, Magnus Westerlund < >>>>> magnus.westerlund@ericsson.com> wrote: >>>>> >>>>> Hi, >>>>> >>>>> With the additional >>>>> >>>>> On Wed, 2020-04-22 at 15:49 -0400, Chuck Lever wrote: >>>>>> After reviewing Section 9 of tls-dtls37, IMO: >>>>>> >>>>>> - the explicit reference to tls-dtls-connection-id can be removed >>>>>> - the discussion of connectionless operation should be dropped >>>>>> - the strong RECOMMENDATION to use connected operation should be dropped >>>>>> - rpc-tls should REQUIRE the use of the CID extension for RPC-on-DTLS >>>>> >>>>> To try to clarify this REQUIRE a bit. I think what you mean is that the >>>>> proposal >>>>> is: It is mandatory to implement CID. Which implies that client include the >>>>> CID >>>>> extension in the handshake. However if that indicates a CID non-zero value, >>>>> or a >>>>> zero-length value indicating support but no desire to use it in server to >>>>> client >>>>> direction is up to the client. Simular it will be up to the server to >>>>> actually >>>>> use it. >>>>> >>>>>> - rpc-tls should provide implementation guidance to RPC server >>>>>> implementers >>>>>> to use large CIDs for popular RPC services. >>>>>> >>>>>> Does that sound right? If so I will propose replacement text here on list. >>>> >>>> For completion, here is the current text of Section 5.1.2: >>>> >>>> >>>> 5.1.2. Protected Operation on UDP >>>> >>>> RPC over UDP is protected using the Datagram Transport Layer Security >>>> (DTLS) protocol [I-D.ietf-tls-dtls13]. >>>> >>>> Using DTLS does not introduce reliable or in-order semantics to RPC >>>> on UDP. Each RPC message MUST fit in a single DTLS record. DTLS >>>> encapsulation has overhead, which reduces the effective Path MTU >>>> (PMTU) and thus the maximum RPC payload size. The use of DTLS record >>>> replay protection is REQUIRED when transporting RPC traffic. >>>> >>>> As soon as a client initializes a UDP socket for use with an RPC >>>> server, it uses the mechanism described in Section 4.1 to discover >>>> DTLS support for an RPC program on a particular port. It then >>>> negotiates a DTLS session. >>>> >>>> For RPC-on-DTLS, each DTLS handshake MUST include the connection_id >>>> extension described in Section 9 of [I-D.ietf-tls-dtls13]. RPC-on- >>>> DTLS peer endpoints SHOULD provide a ConnectionID with a non-zero >>>> length. Endpoints implementing RPC programs that expect a >>>> significant number of concurrent clients should employ ConnectionIDs >>>> of at least 4 bytes in length. >>>> >>>> Sending a TLS Closure Alert terminates a DTLS session. Subsequent >>>> RPC messages exchanged between the RPC client and server are no >>>> longer protected until a new DTLS session is established. >>>> >>>> >>>> -- >>>> Chuck Lever >>>> >>>> >>>> >>> -- >>> Cheers >>> >>> Magnus Westerlund >>> >>> >>> ---------------------------------------------------------------------- >>> Networks, Ericsson Research >>> ---------------------------------------------------------------------- >>> Ericsson AB | Phone +46 10 7148287 >>> Torshamnsgatan 23 | Mobile +46 73 0949079 >>> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com >>> ---------------------------------------------------------------------- >> >> -- >> Chuck Lever > > -- > Chuck Lever > > > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 -- Chuck Lever
- [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Rick Macklem
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Benjamin Kaduk
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Benjamin Kaduk
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Benjamin Kaduk
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Faibish.Sorin
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever