Re: [nfsv4] binding user credentials to client host in draft-ietf-nfsv4-rpcsec-gssv3-16
Benjamin Kaduk <kaduk@MIT.EDU> Tue, 26 January 2016 00:36 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EADF41AC3C4 for <nfsv4@ietfa.amsl.com>; Mon, 25 Jan 2016 16:36:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VITuoxBNiUYb for <nfsv4@ietfa.amsl.com>; Mon, 25 Jan 2016 16:36:22 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE7231AC3C3 for <nfsv4@ietf.org>; Mon, 25 Jan 2016 16:36:21 -0800 (PST)
X-AuditID: 1209190c-f79c96d00000038e-dd-56a6bf84e663
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id C7.8C.00910.48FB6A65; Mon, 25 Jan 2016 19:36:20 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id u0Q0aJ9D004265; Mon, 25 Jan 2016 19:36:19 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u0Q0aGSJ003069 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 25 Jan 2016 19:36:18 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u0Q0aFJH007221; Mon, 25 Jan 2016 19:36:15 -0500 (EST)
Date: Mon, 25 Jan 2016 19:36:15 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Adamson, Andy" <William.Adamson@netapp.com>
In-Reply-To: <2CD815F8-843F-48BB-8244-ADD24BB35AFD@netapp.com>
Message-ID: <alpine.GSO.1.10.1601251932130.26829@multics.mit.edu>
References: <20160121191052.316.9921.idtracker@ietfa.amsl.com> <alpine.GSO.1.10.1601231434460.26829@multics.mit.edu> <2CD815F8-843F-48BB-8244-ADD24BB35AFD@netapp.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-1387074752-1453768575=:26829"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupmleLIzCtJLcpLzFFi42IR4hRV1m3ZvyzMoOG/kMXs949YLU5dO8Jm MX2RlQOzx8tT5xg9liz5yeQx49MXtgDmKC6blNSczLLUIn27BK6MyWdWsxa8Vq9YcGceUwPj IvkuRg4OCQETiSmbWbsYOYFMMYkL99azdTFycQgJLGaSmNYyHcrZyCgx5ck6JpAqIYFDTBIn n8lAJBoYJW7tWcwIMolFQFui8YcUSA2bgIrEzDcb2UDCIgIGEhuXqoKEmQXiJboOrWUDsYUF kiS27YEYySlgJ7F10hMWkHJeAUeJnf+LIKYvA1r7/SU7SI2ogI7E6v1TWEBsXgFBiZMzn7BA zAyUePt8PesERsFZSFKzkKQgbHWJxgdn2SBsbYn7N9vYFjCyrGKUTcmt0s1NzMwpTk3WLU5O zMtLLdI11MvNLNFLTSndxAgOc0meHYxvDiodYhTgYFTi4d1QsCxMiDWxrLgy9xCjJAeTkihv wmKgEF9SfkplRmJxRnxRaU5q8SFGCQ5mJRHevXuBcrwpiZVVqUX5MClpDhYlcd5dHXPDhATS E0tSs1NTC1KLYLIyHBxKErz/QRoFi1LTUyvSMnNKENJMHJwgw3mAhhvtAxleXJCYW5yZDpE/ xagoJc4rCpIQAElklObB9YLT0G4m1VeM4kCvCPMag1TxAFMYXPcroMFMQIP/ai4GGVySiJCS amCsFFENCJZ7yV/2+kehTCGvzruzcuW/6oPL3Tex6e+3nfU3zvXjy6Kptz5/ua5psOBF2itX x43RKvHGhqxXZq+yy0r/Lf95847JysdvbmbKZriZvaVGdLHqKgP2RdPuSn6smqi07EPmTRmN 3wUJl4/le5o3JEb/Yvtq+06lO6Gs50HMpBW+/7iVWIozEg21mIuKEwFjFa1yHgMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/nfsv4/QVbth9tZbeDswpDaHSW8zllpnvA>
Cc: "nico@cryptonector.com" <nico@cryptonector.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Subject: Re: [nfsv4] binding user credentials to client host in draft-ietf-nfsv4-rpcsec-gssv3-16
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2016 00:36:24 -0000
On Mon, 25 Jan 2016, Adamson, Andy wrote: > > > On Jan 23, 2016, at 2:47 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote: > > > > On Thu, 21 Jan 2016, internet-drafts@ietf.org wrote: > > > >> > >> A New Internet-Draft is available from the on-line Internet-Drafts directories. > >> This draft is a work item of the Network File System Version 4 Working Group of the IETF. > >> > >> Title : Remote Procedure Call (RPC) Security Version 3 > >> Authors : William A. (Andy) Adamson > >> Nico Williams > >> Filename : draft-ietf-nfsv4-rpcsec-gssv3-16.txt > >> Pages : 23 > >> Date : 2016-01-21 > >> > >> Abstract: > >> This document specifies version 3 of the Remote Procedure Call (RPC) > >> security protocol (RPCSEC_GSS). This protocol provides support for > >> multi-principal authentication of client hosts and user principals to > >> a server (constructed by generic composition), security label > >> assertions for multi-level and type enforcement, structured privilege > >> assertions, and channel bindings. > >> > >> > >> > >> The IETF datatracker status page for this draft is: > >> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpcsec-gssv3/ > >> > >> There's also a htmlized version available at: > >> https://tools.ietf.org/html/draft-ietf-nfsv4-rpcsec-gssv3-16 > >> > >> A diff from the previous version is available at: > >> https://www.ietf.org/rfcdiff?url2=draft-ietf-nfsv4-rpcsec-gssv3-16 > > > > > > The change in this version that is attempting to remediate the issue > > raised by Nico is: > > > > OLD: > > A MIC of the RPC call header up to and including the credential is > > computed using the GSS-API security context associated with the inner > > context handle and is placed in rgmp_rpcheader_mic field. > > > > NEW: > > A MIC of the RPC call header up to and including the credential plus the > > GSS security mechanism client host principal name is computed using the > > GSS-API security context associated with the inner context > > handle and is placed in rgmp_rpcheader_mic field. > > > > Unfortunately, I do not think this is sufficient to produce interoperable > > implementations. Is "plus the [principal name]" supposed to mean that I > > put it at the beginning, the end or in the middle. Furthermore (and more > > problematic), GSS name objects have a lot of moving parts and different > > representations. In order to get all the pieces lined up, something like > > this would be needed, I think: "a GSS name identifying the client host is > > constructed, of type GSS_C_NT_HOSTBASED_SERVICE, converted to a mechanism > > name for the GSS mechanism in use with GSS_Canonicalize_name(), then > > converted to wire format with GSS_Export_name(). The resulting octet > > string is included in the MIC." > > > > Given the extra complications, I would suggest a more explicit description > > of the input to the MIC operation than the running prose currently used. > > I see your point. Is this acceptable? That's much better (though the RFC Editor will want to tweak the grammar a bit, I'm sure). Just a couple notes inline. > —>Andy > > NEW: > > A MIC is computed using the GSS-API security context associated with > the inner context handle over the RPC call header > up to and including the credential directly followed by a GSS name > identifying the client host labeled the “gss_client_host_name” below in I hope it is clear from context that figure X is the XDR for the structure in question, but maybe it should be said explicitly. > figure X. The MIC is placed in the rgmp_rpcheader_mic field. The rgmp_rpcheader_mic field is in a different structure than what the previous sentence was talking about, so it's probably best to call it out at "the rgmp_rpcheader_mic field of struct XXX". Thanks, Ben > > The gss_client_hosname is a name of type > GSS_C_NT_HOSTBASED_SERVICE that is converted to a mechanism > name for the GSS mechanism in use with GSS_Canonicalize_name(), > and then converted to wire format with GSS_Export_name(). > > rgmp_rpcheader_mic is computed over the following data: > > unsigned int xid; > msg_type mtype; /* set to CALL */ > unsigned int rpcvers; > unsigned int prog; > unsigned int vers; > unsigned int proc; > opaque_auth cred; /* captures the RPCSEC_GSS handle */ > opaque gss_client_hostname; > > > > > > > > -Ben > > > > _______________________________________________ > > nfsv4 mailing list > > nfsv4@ietf.org > > https://www.ietf.org/mailman/listinfo/nfsv4 > >
- [nfsv4] I-D Action: draft-ietf-nfsv4-rpcsec-gssv3… internet-drafts
- [nfsv4] binding user credentials to client host i… Benjamin Kaduk
- Re: [nfsv4] binding user credentials to client ho… Adamson, Andy
- Re: [nfsv4] binding user credentials to client ho… Benjamin Kaduk
- Re: [nfsv4] binding user credentials to client ho… Benjamin Kaduk
- Re: [nfsv4] binding user credentials to client ho… Adamson, Andy