Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

Tom Haynes <loghyr@gmail.com> Wed, 02 May 2018 21:30 UTC

From: Tom Haynes <loghyr@gmail.com>
Date: Wed, 02 May 2018 14:30:14 -0700
Cc: NFSv4 <nfsv4@ietf.org>
To: Chuck Lever <chuck.lever@oracle.com>, Spencer Shepler <spencer.shepler@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/QpNMHR7HtY15ah6qXlTdIeoHNLc>

Hey Chuck,

For the most part, my issues are the ones common to first drafts.

And Spencer S, 

Can we nominate this as an official WG document? It is mature enough and on point with the earlier LFS work.

Thanks,
Tom

Abstract

NFS version 4.2 
Need to define NFS first.

Introduction

Before specifying new protocol,
->

Before specifying a new protocol,
—

(hereafter, IMA)
(hereafter, EVM)
drop the hereafters

—

This is done by cryptographically signing HMAC
please introduce HMAC
--
RSA public key signature
Please define RSA

——

The goals and use cases of the Linux Integrity Measurement
   Architecture (IMA) are presented in further detail in [IMA-WP].
Already have defined IMA

—

with the
   superuser 
What is a superuser?

——

You then have four bullet points, which as they are complete sentences should end with ‘.’

—

execve(2)

need a citation (probably to POSIX)

===

Section 3

Linux file capabilities
becomes
a capability set
without motivating the connection.

=====

LFS

not introduced.

====

MAC

not introduced

—

   In order to enable file capabilities to be retrieved or updated in a
   single RPC, the text format representation of a capability set MUST
   NOT exceed 8192 bytes in length.

   In order to enable IMA metadata to be retrieved or updated in a
   single RPC, a signed hash MUST NOT exceed 4096 bytes in length.
Why the restrictions? Is it a matter of the length of the compound?

——

a Merkle
citation?

——

An NFSv4 server is required to enforce a suitable level of privilege
   before allowing a local or remote agent to alter NFSv4 Security
   Labels.  Consult Section 9.6 of [RFC7862] for further details.

Is the last sentence a sentence?

——

Therefore additional protection using GSS
   [RFC7861] or other security mechanisms is not mandatory.

Either define GSS or perhaps say RPCSEC_GSS?