IETF Logo Mail Archive

Re: [nfsv4] New wording of Security Section for Flex Files

Olga Kornievskaia <aglo@citi.umich.edu> Tue, 01 August 2017 17:29 UTC

Return-Path: <olga.kornievskaia@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 338471321CF for <nfsv4@ietfa.amsl.com>; Tue, 1 Aug 2017 10:29:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hl6PHAEG62r0 for <nfsv4@ietfa.amsl.com>; Tue, 1 Aug 2017 10:29:36 -0700 (PDT)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F2491321CB for <nfsv4@ietf.org>; Tue, 1 Aug 2017 10:29:36 -0700 (PDT)
Received: by mail-qt0-x232.google.com with SMTP id v29so13202817qtv.3 for <nfsv4@ietf.org>; Tue, 01 Aug 2017 10:29:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=X7LBEpaE80hvBD6JYRFQQTvTZt9fW3D9Jn6DJqY8tHY=; b=GQdIHaOvSWj0tbK7GWXRtwpJmWi4kKdjtcS+dyco6NUA4u/ux99+jUSUop7apZSSI7 VdThYGP6TSMqdP3jsSjKUwwU4I7Y8M8OCANadYcEufAQssmgn727egJfH4i3IMwVsFh+ ia5QgFIf1ZwQefFilZKy9s3ADSkmhKS58pqw30eHYlb/AHZDoGw1zegGzaP1J1XiROgn rduruYVwbgDkwX4K80pOd8Ln1l/ym8Z5Sxt7L4ilcT0xKlGyyeh5WGTpu9nUQcTM48Hk F2VV1NSLGGwTuR6QNM4MEL6f7Km25ZJ1qffTWPcXjbTNuIXJupcB3esdiTM4d7nHnM2c rKnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=X7LBEpaE80hvBD6JYRFQQTvTZt9fW3D9Jn6DJqY8tHY=; b=ACjXqasQCGS8b71EQRujj7yzCYTEr2NuG4BbhXpWKS583K5lFC/sgzb+3PKTIW78jK 0nERa++n2s0IpCdojoXfZnGNiofhShDAMByNFf3UyB5TWvMHMGZxFEqHKGxz7Gtu2uPG JNTtjhsm2CNqWU9ldEAQIuiBK+c83RUkIQeb9gsKr6uqXF8HJntHbw2uGRVgiKsRVT32 P3u79fJKYbqDWOJaZ+/XjqzVFunQOJvTPl0frtUMpRuqAtT2OosbPIrWPO/fKgrF1UEH +z2k2e4VFIwTM4/+KlvKy22yhFco6oD6JGxARuRRoKGARjclwezrKUsKTwHjxSNm3SyX TcsA==
X-Gm-Message-State: AIVw111ftU3WNERwyovklU7N1OCCQAzGnSAk7+eaheGb7/4IRkW0nlkV ormF3cq2DBFnZtglAaBWn5dHVgZJjPM6
X-Received: by 10.237.43.197 with SMTP id e63mr17482236qtd.86.1501608575631; Tue, 01 Aug 2017 10:29:35 -0700 (PDT)
MIME-Version: 1.0
Sender: olga.kornievskaia@gmail.com
Received: by 10.12.186.159 with HTTP; Tue, 1 Aug 2017 10:29:34 -0700 (PDT)
In-Reply-To: <20170728022333.GI58771@kduck.kaduk.org>
References: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com> <20170728022333.GI58771@kduck.kaduk.org>
From: Olga Kornievskaia <aglo@citi.umich.edu>
Date: Tue, 01 Aug 2017 13:29:34 -0400
X-Google-Sender-Auth: aNMrIljfQ6qiQiWNCXAOw1bDz08
Message-ID: <CAN-5tyG9cE9JhccW7Fnho10jVE-5YnpoArZ=3DZuz79dFFD9sQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Thomas Haynes <loghyr@primarydata.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/PzS3lkUzuI76MTgNsfoscIVG9f0>
Subject: Re: [nfsv4] New wording of Security Section for Flex Files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 17:29:38 -0000

For some reason I didn't not receive the Tom's original email that
addressed the comments so I'm replying within Ben's reply.

On Thu, Jul 27, 2017 at 10:23 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> On Tue, Jul 25, 2017 at 01:07:02AM +0000, Thomas Haynes wrote:
>> I hope the following addresses the issues brought up by Ben and Olga;

I'd like the say the new wording is more specific but I still think
the proposal tries to fit Kerberos security where it doesn't fit.

> I think it does, thanks.  A couple notes inline.
>
>> First paragraph of Section 15 is replaced by:
>>
>>    The pNFS extension partitions the NFSv4.1+ file system protocol into
>>    two parts, the control path and the data path (storage protocol).
>>    The control path contains all the new operations described by this
>>    extension; all existing NFSv4 security mechanisms and features apply
>>    to the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]).  The
>>    combination of components in a pNFS system is required to preserve
>>    the security properties of NFSv4.1+ with respect to an entity
>>    accessing data via a client, including security countermeasures to
>>    defend against threats that NFSv4.1+ provides defenses for in
>>    environments where these threats are considered significant.
>>
>> Replace Section 15.1 with:
>>
>>    RPCSEC_GSS version 3 (RPCSEC_GSSv3) [RFC7861] could be used to
>>    authorize the client to the storage device on behalf of the metadata
>>    server.  This would require that each of the metadata server, storage
>>    device, and client would have to implement RPCSEC_GSSv3.  The second
>>    requirement does not match the intent of the loosely coupled model
>>    that the storage device need not be modified.  (Note that this does
>>    not preclude the use of RPCSEC_GSSv3 in a loosely coupled model.)
>>
>>    Under this coupling model, the principal used to authenticate the
>>    metadata file is different than that used to authenticate the data
>>    file.  For the metadata server, the RPC credentials would be
>>    generated by the same source as the client.  For RPC credentials to
>
> "by the same source as" feels like a slightly awkward phrasing that leaves
> me wondering if I don't quite properly understand the intended sentiment.
> Isn't it basically required that the client has RPC credentials to talk
> to the metadata server in order to do anything?
>
>>    the data on the storage device, the metadata server would be
>>    responsible for their generation.  Such "credentials" SHOULD be
>>    limited to just the data file be accessed.  Using Kerberos V5 GSS-API
>>    [RFC4121], some possible approaches would be:
>>
>>    o  a dedicated/throwaway client principal name akin to the synthetic
>>       uid/gid schemes.

If the identity is a throwaway, I don't see how this would work in
practice (how would the user be informed of the passwords that go
together with the throwaway identity to be used by NFS)? It just
doesn't seem like a practical scheme to suggest.

>>    o  authorization data in the ticket.
>>    o  an out-of-band scheme between the client and metadata server.

Is this meant to be an "out-of-band security scheme" not necessary
Kerberos or GSS. That's something I would agree with. However, what's
worse suggesting that GSSv3 should be implemented by the model vs just
stating that some out of band scheme is used. Earlier in the spec, it
says that "With a loose coupling, the only control protocol might be a
version of NFS.  As such, semantics for managing security, state, and
locking models MUST be defined." Is stating that an out-of-band scheme
is used satisfies the "MUST" of semantics for managing security?

> Now I feel like I should have spent more time to carefully word the listing
> in my original email :)
> Though I think this text is fine to convey the needed information, at least.
>
>
>>    [[AI15: Editorial Note: I have *SHOULD* and not *MUST* because there
>>    might be some limit on the number of outstanding credentials due to
>>    either the number of files or the number of client.  Feel free to
>>    correct me.  --TH]]
>
> I can think of schemes where there are no limits, but I am not prepared
> to guarantee that all schemes one might want to use would be free of limits.
> So the SHOULD seems fine to me.
>
> Semi-relatedly, I forget exactly how much trust/coupling there is supposed
> to be between the data and metadata servers/operators in this scheme.
> In particular, if the metadata server is sufficiently trusted that it can
> have a copy of the data server's kerberos credentials (the nfs/ keytab),
> then there is quite a lot of flexibility, since the metadata server can
> literally construct an arbitrary ticket and encrypt it to "itself" (i.e.,
> the data server's keytab).  But I don't know whether it's appropriate
> to mention this example in the document or not.
>
>>    Depending on the implementation details, fencing would then be
>>    controlled either by expiring the credential or by modifying the
>
> Kerberos doesn't have a revocation (expiry prior to the original expiry)
> story at all.  But since we are talking about RPCSEC_GSS, this text
> is fine, since other GSS mechanisms might allow it :)
>
> -Ben
>
>>    synthetic uid or gid on the data file.  I.e., if the credentials are
>>    at a finer granularity than the synthetic ids, it might be possible
>>    to also fence just one client from the file.
>>
>> Replace 15.1.2 with:
>>
>>    With tight coupling, the principal used to access the metadata file
>>    is exactly the same as used to access the data file.  The storage
>>    device can use the control protocol to validate any RPC credentials.
>>    As a result there are no security issues related to using RPCSEC_GSS
>>    with a tightly coupled system.  For example, if Kerberos V5 GSS-API
>>    [RFC4121] is used as the security mechanism, then the storage device
>>    could use a control protocol to validate the RPC credentials to the
>>    metadata server.
>>

v2.23.0 | Report a Bug | By Email