IETF Logo Mail Archive

Re: [nfsv4] [secdir] SECDIR Review of draft-ietf-nfsv4-umask-03

Watson Ladd <watsonbladd@gmail.com> Thu, 01 June 2017 03:59 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6722C12EB0F; Wed, 31 May 2017 20:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xh_ZIRGxzxR7; Wed, 31 May 2017 20:59:31 -0700 (PDT)
Received: from mail-pf0-x22c.google.com (mail-pf0-x22c.google.com [IPv6:2607:f8b0:400e:c00::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE8391267BB; Wed, 31 May 2017 20:59:30 -0700 (PDT)
Received: by mail-pf0-x22c.google.com with SMTP id m17so25575196pfg.3; Wed, 31 May 2017 20:59:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=r6tsKvprVD6hHzPiauZZJ1AZwbpUOaY/XGE7WIRDIPw=; b=nov409/6NpbO3GRlpvKf8wLPeU71NeC+uxIwme4DtD3lZz6cXvr8WOIZpFkIox/CxG lA2wD/B1vdH5ir88kboWy9uPzzb+SBn7gXFiniPKvr+Vr71Ir/FOS6YlaANztcb26Kf+ 54DJKr4oSUa7GiV4hYLRcCrG3HbkdwoCQMonoir+nFlVQn4IXtkY2mWWkHttDkIC8jze HyG9CoEGuz8Pjf78gHePxiN/z0HK+14V8exKtQbne1QZIo4dIs5QMSoQJ2Bs0yRpgXGQ 9M8pnlPRe8xzpYkYXrMHMJHYNV9Qu6HujrHCiw8PSMHfwLnBdY+/fap+XYNCwPmiWoZb leKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=r6tsKvprVD6hHzPiauZZJ1AZwbpUOaY/XGE7WIRDIPw=; b=oofLLEoaUrA6l4syxD/aPjOvq7f4i50gDtHaFQLRoY/sEccKAJ94g9CnzDuA1+vqe3 ZhEH+VTG4w4FOvx2bp7eiReuIaYdHjzK1NrXBksJwhZGNsXCCJZhCy2eKQmIfPKQ1w7U /vAnrXa0fNehOyUtv1Z/1llB5nScFgkGemURkBS7aEs4daTpw2VjHnnGBRNarNOpKguq zW5iwYCVG83fjsHLlbMQTUHRgP4OZBh0uh9ZbrS2n76yrfuhq+y4yZb3pi4eoSbppBP2 SSxwoFXqsRr+BnyOo7Z4AdvGxeTlV6Ar7CWjau3r5uNq3BsbT7bQ8Ra5gYPQnWWWJc8y u4eg==
X-Gm-Message-State: AODbwcBISpKS00tiRCVhr+7/U4nDIroEkF+pShTZuTcrIitKuJfUO3+B bCCJt8iljEuthLTakeagZl1y6I1YbxBs
X-Received: by 10.98.9.91 with SMTP id e88mr34386102pfd.177.1496289570436; Wed, 31 May 2017 20:59:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.207.228 with HTTP; Wed, 31 May 2017 20:59:29 -0700 (PDT)
In-Reply-To: <CADaq8jd+6gN2H0QWC+dM-e3pb1gUJKLE7=8PPpprGGKBQZhueg@mail.gmail.com>
References: <CAMm+Lwh+E+BsATQmmX6ccJou-sz1XNtFHxQZikohYCeT0qkfdQ@mail.gmail.com> <CAKKJt-fsJ1UinNiW2LitxVQT4M1YqnFF+1cygU132=bQNgiUnA@mail.gmail.com> <CADaq8jd+6gN2H0QWC+dM-e3pb1gUJKLE7=8PPpprGGKBQZhueg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 31 May 2017 20:59:30 -0700
Message-ID: <CACsn0cnd0L2o2Db6OA1Uvp-C+geA+Ju-7E8Yo=OKS1V3P4G8sA@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Cc: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, Phillip Hallam-Baker <phill@hallambaker.com>, NFSv4 <nfsv4@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/R81VtwI2K4-GjKrfFK-hoJDwBCk>
Subject: Re: [nfsv4] [secdir] SECDIR Review of draft-ietf-nfsv4-umask-03
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jun 2017 03:59:33 -0000

On Wed, May 31, 2017 at 6:23 AM, David Noveck <davenoveck@gmail.com> wrote:
> Phillip Hallam-Baker wrote
>> They are not so much a security plan as a collection of random thoughts
>> jotted down
>> in haphazard fashion.
>
> This is fair criticism.  I've looked through the Security Considerations
> sections of RFCs 3530, 7530, and 5661 and the differences are minor.   None
> of these sections were written to provide a security plan, but tried to
> describe, somewhat inelegantly, the evolution of NFS from its origins in a
> LAN environment towards NFSv4 which attempted to provide some reasonable
> security features.  Any security needs were provided by RPCSECGSS, and not
> by the protocol itself.
>
>> There is clearly no coherent model of what NFS security should achieve,
>> what the
>> threats are, what controls are deployed to control them
>
> An alternative would have been to define an entirely new protocol with a
> real security plan covering these matters, but that wasn't the goal then.
> If it had been, we would probably have a much more secure protocol that
> nobody would deploy.  What happened was that NFSv4 was defined requiring
> implementation, but not use, of RPCSECGSS.  Even today, many NFSv4
> deployments use AUTH_SYS and very few which use RPCSECGSS, use integrity or
> privacy, because of performance issues.  Security is provided by use of
> physically isolated networks or VPNs.   That was considered adequate when
> RFCs 3530, 5661, and 7530 were written and approved.

How does this address the sorts of problems associated with the NFS
permissions model? Furthermore, this candy bar network (crunchy shell
with gooey inside) is a real liability. It would be nice if we could
make it easier to move away from.

>
> If it is appropriate to move the goal posts here, based on current needs, we
> have to understand exactly what is being asked for, in order to see if
> remediation is possible while maintaining continuity with the existing NFSv4
> protocol and implementations.  Some possibilities:
>
> A clear security plan which defines the threats that NFSv4 addresses and is
> clear about those it does not address (and so have to addressed by other
> means).
> A security plan plan defining the threats that NFSv4 should address, how
> some of those are addressed by various NFSv4 minor versions, and others will
> be by extensions to NFSv4.2 or later minor versions.

I prefer the second, but it might never happen. The first is at least
useful (when combined with what NFSv4 could address as shown by other
systems of similar kind)

>
> Spencer Dawkins wrote:
>> Speaking as the responsible AD, I'm thinking that the right thing to do,
>> is for me to ask the NFSv4
>> working group to consider the issue you're raising, with the high-order
>> bit question being whether
>> it's time to revisit NFS security.
>
> If so, we need to better understand exactly what we need to do in this area
> and are able to do while supporting adequately other uses of NFS, in more
> controlled environments, where the concerns are different.
>
>> The working group is actively discussing a recharter, likely to be
>> discussed in Prague, so it's
>> the right time to ask the question.
>
> Yes.  Right now, one of the bulleted items in the extensions section of my
> proposed draft reads:
>
> Provide effective NFS response to increasing security challenges.
>
> It seems to me that the IESG might reasonably be skeptical of our attempt to
> address new/increasing security challenges, given the level of
> dissatisfaction with the base we are building on.
>
> My next draft will try to address the clarity needs regarding security in
> the Maintenance section.  In any case, the working group will have to
> discuss these issues in Prague.  As it is, we have allocated a total of 30
> minutes to the entire charter discussion, so there will probably only be
> time to begin the discussion and not reach a conclusion.
>
>> Given that RFC 7530 is the umbrella RFC for all of NFSv4.
>
> Actually, there is no umbrella RFC for all of NFSv4, which is a definite
> problem given reasonable precipitation expectations :-(
>
> RFC5661 is pretty clear about the the fact that it stands on its own.
>
> The only NFSv4 RFC that will apply to all of NFSv4 is the one that will
> arise from the vesioning work.  We could create others.
>
>> I'm thinking that's  the right place to fix anything that needs fixing.
>
> I think that will depend on what we decide is fixable, but any substantive
> securIty extensions would require definition in a new document.
>
> With regard to updating the Security Considerations section, we need to
> address both NFSv4.0 and NFSv4.1, so I don't see an rfc7530bis in our
> future.  If we are able to provide an appropriate updated treatment, it
> would have to be marked as updating RFCs 5661 and 7530.
>
>
>
> On Fri, May 26, 2017 at 12:00 PM, Spencer Dawkins at IETF
> <spencerdawkins.ietf@gmail.com> wrote:
>>
>> Hi, Phillip,
>>
>> (adding the NFSv4 working group mailing list, because the issue you raised
>> in this review is relevant to pretty much all of NFSv4)
>>
>> On Thu, May 18, 2017 at 12:10 PM, Phillip Hallam-Baker
>> <phill@hallambaker.com> wrote:
>>>
>>> Reviewer:
>>> Phillip Hallam-Baker
>>>
>>> Review result:
>>> OK but...
>>>
>>>
>>> I reviewed this document as part of the Security Directorate's
>>> ongoing
>>> effort to review all IETF documents being processed by the IESG.
>>> These
>>> comments were written primarily for the benefit of the Security Area
>>> Directors.  Document authors, document editors, and WG chairs should
>>> treat these comments just like any other IETF Last Call comments.
>>>
>>> Document: Review of draft-ietf-nfsv4-umask-03
>>> Reviewer:
>>> Phillip Hallam-Baker
>>>
>>>
>>>
>>> Review result:
>>> OK but...
>>>
>>>
>>> This particular draft looks OK to me. Aligning the semantics of NFS with
>>> the semantics of the file system seems to me to be absolutely the way to go
>>> forward. I am not sufficiently experienced in the semantics of NFS or Unix
>>> as deployed to be able to offer an opinion on whether the draft achieves
>>> that. However it appears that the author does.
>>>
>>> What is problematic here is that the Security Considerations in the draft
>>> are essentially relying on those in rfc7530 which are woefully inadequate
>>> given the critical role of NFS in Internet security. They are not so much a
>>> security plan as a collection of random thoughts jotted down in haphazard
>>> fashion.
>>>
>>> There is clearly no coherent model of what NFS security should achieve,
>>> what the threats are, what controls are deployed to control them. Also note
>>> that the main reason this review is late is that I have been dealing with
>>> issues arising from WannaCry which used an SMB:1 exploit. Re-reading RFC7530
>>> in the light of that experience gives me grave concern.
>>
>>
>> This is very interesting ...
>>
>> Speaking as the responsible AD, I'm thinking that the right thing to do,
>> is for me to ask the NFSv4 working group to consider the issue you're
>> raising, with the high-order bit question being whether it's time to revisit
>> NFS security. The working group is actively discussing a recharter, likely
>> to be discussed in Prague, so it's the right time to ask the question.
>>
>> Given that RFC 7530 is the umbrella RFC for all of NFSv4, I'm thinking
>> that's the right place to fix anything that needs fixing.
>>
>> And thanks for your review.
>>
>> Spencer
>>
>> _______________________________________________
>> nfsv4 mailing list
>> nfsv4@ietf.org
>> https://www.ietf.org/mailman/listinfo/nfsv4
>>
>
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email