IETF Logo Mail Archive

Re: [nfsv4] NFS over TLS for laptops

Rick Macklem <rmacklem@uoguelph.ca> Thu, 31 December 2020 16:53 UTC

Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A198D3A0DC4 for <nfsv4@ietfa.amsl.com>; Thu, 31 Dec 2020 08:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uoguelph.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AKWD6IJI_8qJ for <nfsv4@ietfa.amsl.com>; Thu, 31 Dec 2020 08:53:11 -0800 (PST)
Received: from CAN01-QB1-obe.outbound.protection.outlook.com (mail-eopbgr660060.outbound.protection.outlook.com [40.107.66.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 104343A0DC2 for <nfsv4@ietf.org>; Thu, 31 Dec 2020 08:53:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=a3Ztz9DpJkEnRPGzkDiEZiv54j6z80YooWRpLZr5V7JRKaNb/bTBeLes0LcyZl8e/4gSsVC2rCVUgwl1+3yk8NBf+UInXohqmBzNCekt8cAeDl4nXrxa5CVYgsVMrdtvlKexItzTyOeaWc9Hu6yllL4FshYFJg2qlXQ5GWzdYLTrBLkhd6iPEft5L81VC9vh8Jtx/Bl0rXTy1FON7Iqj6LC4/SrSDF/j2T9+Idffdcx+1I5fipe9Xpg+MLYyaDK5wt9AY3efpwAGCKzX3fSEaR4nvEQavgFtGf1Z7ht51Oe2HPRe7zuV6PQoso50Vhknjh6tFF767L2VaQBbnNqS1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=O8NJdi92YPuEoOhjn29vSHQt89BNh3Azgflz39+XWM8=; b=Q6tVVfthaRG40quGTcL4XNR1mzu4cFSoo2lEEJnrACKVkaDeYDo/kBvShbNpSGFu1lET/wvbCQa1490ovJd+OBVcXuDF26qsUsquRRlQyVUKyGDH1LjdqTFbauWGXmdt+Hx4ie1Wu3V2HNSMmvGSSvT4byNmsgfoJ+hkN89yXv3Is09M/Jj3Nusk6cpKoOjwlBuLMD3auC2ruiASiGFHde/RXGrZ/T0e/qq24RoGupRO/tfc5b4SDRiVk/qWmqpYxrogKTICFAYE3h9TrkDs8Xxay2smFqozHkPR4yN03VLNbXyBfQixxun0vYsgATS/CYIKxYG4mcvVRYAp+o2y4g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uoguelph.ca; dmarc=pass action=none header.from=uoguelph.ca; dkim=pass header.d=uoguelph.ca; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uoguelph.ca; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=O8NJdi92YPuEoOhjn29vSHQt89BNh3Azgflz39+XWM8=; b=QgbcXntGWfv4fTzaQJ00fhYUtUlKj3W1V8VizSgbauncvE4u0ljkk5yDjNlJrzN6Igym249GzZF51VJZjjfFF9hz97lT+e2xvxv05R5PFNpFpkTd1ttMrAiI5kEZn7qcTcjABf4hSO1yNlP8VE6adSrcIXv/cK7lXwOwubAalZxIXZUPMrShDkm3A+2GAfC8n50GZTugPFP4G8mKp0OiI6osD9L9DyfRUGG6mbt16ilwkXATmvHRnryOhH0IBkUDCOLG6rlyoySQ23OclavMDd3JcLTDNVicsIPtIRl65hNp2czjutyovYBhilIc3iGrgFaRCa45zIzURMsH2yeaPQ==
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:19::29) by YQXPR01MB3430.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:4d::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3721.20; Thu, 31 Dec 2020 16:53:04 +0000
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::3d86:c7f9:bc4c:40c0]) by YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::3d86:c7f9:bc4c:40c0%6]) with mapi id 15.20.3721.020; Thu, 31 Dec 2020 16:53:04 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Chuck Lever <chuck.lever@oracle.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] NFS over TLS for laptops
Thread-Index: AQHW0NppAc3uZqIjgEq2ArIQwELbLqn2yyYAgACS67yAAO+9eYAAHOsAgAN9YtuAAviagIAAMFYUgAGN13OAATNIAIADjnFRgAkAewCAACjPgIABYW2AgAGUuQo=
Date: Thu, 31 Dec 2020 16:53:04 +0000
Message-ID: <YQXPR0101MB096833395FEE6E63590BE7B5DDD60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <YQXPR0101MB096816C0EA985F65FE6562E5DDC60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB0968AA3A97C80B8140BFC845DDC60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <8B3A77F6-15DE-4F4B-B246-385DD447C743@oracle.com> <YQXPR0101MB09680BC1A27265F81C5B5671DDC40@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <DEBCFB38-9A1A-43BB-A8DF-0C64792AF30F@oracle.com> <YQXPR0101MB09689564C0543291E25FB274DDC20@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB09687759005C97725CFC1AFCDDC10@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <13B0E10F-0E40-47AC-A6E3-495DF578DCAB@oracle.com> <YQXPR0101MB0968D1AB5DC7A55DE4E5F404DDDE0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <1113F47A-BDA1-4C34-95B4-1EB8076BA071@oracle.com> <20201229190707.GB89068@kduck.mit.edu>, <0D8595B7-4636-4E6A-A5C1-E0FE85D820D0@oracle.com>
In-Reply-To: <0D8595B7-4636-4E6A-A5C1-E0FE85D820D0@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: oracle.com; dkim=none (message not signed) header.d=none;oracle.com; dmarc=none action=none header.from=uoguelph.ca;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 005249d0-d696-4d6b-9fd2-08d8adac8aa7
x-ms-traffictypediagnostic: YQXPR01MB3430:
x-microsoft-antispam-prvs: <YQXPR01MB3430DF11A8E8B3AA3AC78BD0DDD60@YQXPR01MB3430.CANPRD01.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: m6K6jzseNMCZRjpZKeiOcbEpamaIcto+ZQwCRC2R4rasNV7/ikoiPQPFuSowYjJgU3dsEjlVgHrcer3YaIepmJcR8mczmGi4QaiJ9XA9BfXhfYBEquQPvbxoyIxRfGhYm4+TgOWSsD0or3Z1o1yAja16wbFqsnFmlF0+DL9/ctxvUPCP3CwvS/O6s2EaWcYLGL1dorkFK7MESW6pXewN7bhwfcUxZ/e/mkHR12asOfRdv7X/hUkNaQ52pdSS3I7af61zJQxnbeORiRBPiCZm7iHqF65nhft0fLVD4JdtPBW4C9GCEnwu2F0l/cq+as4+ne/dhhVaAJR/s+drM6wQ2mF7KZD3fy7PIKNr8NDbG1bqeV+iYyo9VapOlIdnPUo3uRXvdnGqp4duaXabURxfog==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(136003)(396003)(366004)(376002)(39860400002)(346002)(5660300002)(52536014)(66446008)(64756008)(110136005)(91956017)(66946007)(2906002)(76116006)(6506007)(7696005)(66476007)(86362001)(8936002)(786003)(66556008)(316002)(26005)(186003)(8676002)(9686003)(55016002)(33656002)(478600001)(4326008)(71200400001)(83380400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: GMHv2HGAM+Cvz2CTkZq5S8uGwdyxg/mPZvw6ul6ZvpxhLwGc5ytT4VUN6LeFO8CgJBaOVsmWunPBbTUddfc3hcSnCHTW7266mhDMQs2e7UowdFWBMySU4qNwhwIH9id4nttKgQIvosuZbpQ2j73NdZogunmMnq1lMLIQgBtUySj26LbTMAAnygu8wIIRHQJ1yz2QXev1VeMJeDq1xnOHxscQhJX9J+qipjUJFYmGvxuDoCCapuH9ZaJsf+HL2yx8r3L4iQLsSHqbgqvXY/pLpfGscDYsslbXDTFSht7uN7+ZyR2ElxvHUKOK9mfwpbwhRIy6/j1Ots9cC1TvA47ROUKqTX8Pnt1rm1Di1q0lp62ErkIGeR/uDlEX5WNPqFp5z4BcV80aFoA4OPLwrIaQ8Co3hgppTWnppIO8D1Zut1ccqX/nWH/tgAwVCSrFOt09lj4V0WRvmKBEMgtYw4oc2+2U41USkIYd8BM5jbPd8MCWxnRSuOfDbtkFzb7IdmW9mI0PWRElK07Z4/ltpWMDsHHeANUjJ+oVyzYmpn/yEyxR9jfE49PSYZhem4KriGR9lmtZGAQ8KuUZLPiK/hcp43UFVZLcKKBcE6/Ed6hJw9u2iW2Sh9ckOGIM2ZLDINIS209zEAiS2St0jPm6V8DR530P2a9pVrz6LIYm66L+EFgLAI2B2yXiK7zThZJyXOj/E4h1Em5PQZiGJGR+SXdSyqgscbX24NY0Wh6N/6uYkafZ6wluq2SO1xYX8oraxAtm9rSxKqopfQkMMAhmDJeLbXYw2Y6mO9DPQAd5xp0E335OmFqstgFCO036OgJ4fkP9gVcaawDQ/iTh8sT8sSW6NyvrXvMSwvA4hyzR/TGZ0rp65RfgG8spatM5Pnl+kZna9r8CiaElU9brDLrYj6AkEdenxAgDwIb/3xDh1/Z9o2I9h5H1WbvD6HDxE+j3YUA58x0UpMhOnn7dyC79PFln6ZlGXe9XrC7tkNdYq5oGJzI=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 005249d0-d696-4d6b-9fd2-08d8adac8aa7
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Dec 2020 16:53:04.4636 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: qYxUpRS9+WWW6uCPUvZoj4e2Bs3FpKqHZbW7pQ3wDLO9Vo3bYlFH5pJ4nmpz9TgP+/++okm81aHnozLhmdgB+g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YQXPR01MB3430
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/sq2WbS-OyPKUOcO6ytPlG9BCvr8>
Subject: Re: [nfsv4] NFS over TLS for laptops
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2020 16:53:13 -0000

Chuck Lever wrote:
> Ben Kaduk wrote:
>>
>> I suspect that we can find a compromise position, yes.
>> The certificate still authenticates the client (not the user), and the
>> client uses AUTH_SYS to claim what user is performing operations.  But the
>> server uses the client's authenticated identity to restrict, by policy,
>> what user identities the client is allowed to claim via AUTH_SYS.  In the
>> degenerate case there is an otherName in the certificate that corresponds
>> to a single user and the client can only claim that one user, which looks
>> very similar to just authenticating the user, but we can say that the
>> relevant policy logic is located in the server as part of its internal
>> implementation choices.
>
>An NFS client might send legitimate operations as UID 0 too
>(e.g., lease management). Those cannot be rejected. Perhaps
>we need to specify that the client has to perform _all_
>operations as the squashed user.
Yes. I agree with this.
My current implementation simply ignores the AUTH_SYS RPC
credential when TLS squashing is enabled.

>As a process note, I'm thinking this explanation, a description
>of the use of otherName, and a summary of the security discussion
>in this thread ought to go in whichever document discusses how
>NFS operates on RPC-over-TLS. It seems to be NFS-specific access
>control behavior.
My implementation is done in the RPC layer.
However, since NFS is the main/only Sun RPC consumer and NFS
is what we do, an NFS specific document seems appropriate to me.

I do think that TLS squashing done via a database keyed on
issuer+serial could be a useful alternative (for larger deployments or ...).
I also think the database structure/access should be specified in detail,
so that all server implementations can use the same database deployment.
--> Possibly use secure LDAP?
       I do not know how to specify LDAP data, but there must
       be a way?
I could easily implement that as an optional alternative to otherName
in the FreeBSD daemon that does the TLS handshake.

>The alternative is publishing an update to rpc-tls...
>
>
>> (There might be some divergence from what Rick has
>> done for the FreeBSD implementation in terms of the behavior when a client
>> does try to send some other user information via AUTH_SYS, in terms of
>> getting "squashed" vs getting rejected, but I suspect that Rick is amenable
>> to changing that behavior if we come up with some reasoning for why it
>> makes sense.)
>>
I think the "squash everything" will work best and that already appears to
be a concensus.

rick

> -Ben
>
>> In short, the WG must come to a fresh consensus that either
>> otherName is OK to do in this scenario, or it must provide an
>> acceptable alternative.
>>
>>
>>>> At that point, we have a real problem. Or maybe just me, as an
>>>> author of rpc-tls and possibly its descendants, has that problem.
>>> I do not really see the problem. No is a simple answer.
>>
>> Simple, but problematic. The possible result will be the
>> promulgation of implementations that do not comply with our
>> shiny new specification. I think the IETF would view that as
>> very much a quality-of-specification problem. The usual redress
>> is to publish an updated protocol specification.

--
Chuck Lever

v2.23.0 | Report a Bug | By Email