Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt

Trond Myklebust <trondmy@hammerspace.com> Tue, 18 January 2022 20:10 UTC

From: Trond Myklebust <trondmy@hammerspace.com>
To: "bfields@fieldses.org" <bfields@fieldses.org>, "davenoveck@gmail.com" <davenoveck@gmail.com>
CC: "nfsv4-ads@ietf.org" <nfsv4-ads@ietf.org>, "rmacklem@uoguelph.ca" <rmacklem@uoguelph.ca>, "nfsv4@ietf.org" <nfsv4@ietf.org>, "nfsv4-chairs@ietf.org" <nfsv4-chairs@ietf.org>
Date: Tue, 18 Jan 2022 20:09:56 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/RTmd8Fpl1HEJm4ebkHemjqeT-J0>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>

On Tue, 2022-01-18 at 14:06 -0500, David Noveck wrote:
> 
> 
> On Mon, Jan 17, 2022, 9:51 AM J. Bruce Fields <bfields@fieldses.org>
> wrote:
> > On Sun, Jan 16, 2022 at 04:03:12AM -0500, David Noveck wrote:
> > > It seems to me that, given the absence of an append-write in the NFSv4
> > > protocol, APPEND_WRITE belongs in the same bucket as SYNCHRONIZE and I am
> > > planning to draft -05 on that basis.
> 
> I take it that you agree with that.

I don't. The restriction on extending the file can still be enforced by
the server even without there being an explicit APPEND_WRITE operation.

One use case would be for swap over NFS.

> 
> > > 
> > > Looking forward to -06, I'd like to get away from the text which makes each
> > > mask bit its own optional feature. Clearly READ_DATA, WRITE_DATA, and
> > > EXECUTE should be mandatory
> 
> Do you disagree with that?
> 
> 
> >  but what about the others?  Should any of these
> > > be mandatory?
> 
> It appears that you don't think they should.
> 
> 
> >   If not, why isn't it implemented? Are there
> > > applications/clients that rely on it
> > 
> > Again, I don't agree that it's desirable to specify this level of
> > detail.
> 
> I don't see how you can avoid it. I can see it is undesirable but all
> those mask bits are in the spec.  This undesirable level of detail is
> there and I can't see specifying it and then essentially saying,
> obtw, you can pretty much ignore all of the above and clients just
> have to deal with it.
> 
> > 
> > NFS has always been a protocol which allows exporting filesystems
> > with
> > semantics that vary somewhat.
> 
> It was able to do that because, for most of its lifetime it was a
> purely unix-oriented protocol and did not try to produce an IETF
> proposed standard to enable compatible implementations to be
> produced.  Sigh!
> 
> > 
> > I'd recommend instead thinking hard about what's essential to do in
> > this
> > document and looking for ways to reduce its scope and length.
> 
> The scope and length are the result of decisions made in writing RFCs
> 3530 and 5661.
> 
> > 
> > We've got limited resources, and the attempt to produce a really
> > detailed synthesis of unix and Windows permissions models is an
> > ambitious project.
> 
> It was overambitious and I and others involved failed to point out
> this problem before this was published.  I realize this puts the
> working group in an unfortunate situation but we are where we are.
> 
> I believe the best way forward is to look at the Windows support
> features as an optional extra and define clearly the Unix-oriented
> subset that clients can rely on.
> 

Do we have any indication that clients have a problem with the current
ACLs? My own testing, with Hammerspace systems that are used for both
SMB and NFSv4 clients, has not shown up any protocol-level problems yet.



-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@hammerspace.com
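
Added example, not part of the original message or of any NFS server's code: a sketch of how a server could refuse to extend a file on an ordinary WRITE, as the reply above suggests for the swap-over-NFS case. It assumes the thread's APPEND_WRITE means the ACE4_APPEND_DATA mask bit of RFC 7530; the simplified `struct ace`, the numeric principals, the sample ACLs and the policy in `check_write` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Mask bits and status codes with their RFC 7530 values. */
#define ACE4_WRITE_DATA  0x00000002u
#define ACE4_APPEND_DATA 0x00000004u
#define NFS4_OK          0
#define NFS4ERR_ACCESS   13

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t who; uint32_t mask; }; /* simplified */

/* Constructed sample ACLs. swap_acl: uid 1000 may rewrite but not grow the file.
 * log_acl: uid 1000 may only add data at or past EOF. */
const struct ace swap_acl[] = { { ACE_ALLOW, 1000, ACE4_WRITE_DATA } };
const struct ace log_acl[]  = { { ACE_DENY,  1000, ACE4_WRITE_DATA },
                                { ACE_ALLOW, 1000, ACE4_APPEND_DATA } };

/* Ordered evaluation: a requested bit is settled by the first matching ACE
 * that names it; bits that no ACE allows count as denied. */
static int acl_permits(const struct ace *acl, size_t n, uint32_t who, uint32_t want)
{
    uint32_t allowed = 0;
    for (size_t i = 0; i < n && (allowed & want) != want; i++) {
        if (acl[i].who != who)
            continue;
        if (acl[i].type == ACE_DENY && (acl[i].mask & want & ~allowed))
            return 0;
        if (acl[i].type == ACE_ALLOW)
            allowed |= acl[i].mask;
    }
    return (allowed & want) == want;
}

/* Assumed policy: bytes inside the current size need WRITE_DATA, bytes past
 * EOF need APPEND_DATA. No separate append operation is required; the server
 * derives the distinction from offset, count and the file size it holds. */
int check_write(const struct ace *acl, size_t n, uint32_t who,
                uint64_t file_size, uint64_t offset, uint32_t count)
{
    uint64_t room = offset < file_size ? file_size - offset : 0; /* no overflow */
    uint32_t want = 0;
    if (offset < file_size)
        want |= ACE4_WRITE_DATA;
    if (count > room)
        want |= ACE4_APPEND_DATA;
    if (want == 0)                 /* zero-length write at or past EOF */
        want = ACE4_WRITE_DATA;
    return acl_permits(acl, n, who, want) ? NFS4_OK : NFS4ERR_ACCESS;
}
```

With `swap_acl`, a write inside a 4096-byte file succeeds while one that crosses EOF gets NFS4ERR_ACCESS; with `log_acl` the outcome is reversed.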