Re: [nfsv4] Stephen Farrell's No Objection on draft-ietf-nfsv4-rfc5666bis-10: (with COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 06 March 2017 12:36 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C669E129672; Mon, 6 Mar 2017 04:36:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uh584aHRDsJj; Mon, 6 Mar 2017 04:36:23 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2F9712966D; Mon, 6 Mar 2017 04:36:23 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 1955DBE38; Mon, 6 Mar 2017 12:36:20 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2AAijTXujwKJ; Mon, 6 Mar 2017 12:36:19 +0000 (GMT)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 65C6EBE2E; Mon, 6 Mar 2017 12:36:19 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1488803779; bh=J6pA8fq/RbecsbL80skuY5roZqlpFMdwNt8Ua9cU3bQ=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=Yayt/jOAbPFYLP2SN9SFxsIFqG63MN8XRVpS/Ng7kBp6g3D/Olcn+2TJNFARQxJkq E3ikUQ3Vze02Pq0N/iOd0VfDcrJoRqzRU2RhxsEE+SR7Qbc8km7/dqg585mRDcNemy FfVRMLU2qWx7BhP31TIome+v0PJRbVQ/TGBFJILw=
To: Chuck Lever <chuck.lever@oracle.com>
References: <148832579359.29544.2444756146429228739.idtracker@ietfa.amsl.com> <BE771BD3-81C0-4B54-8788-6A990A868F49@oracle.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <7d1688b9-cfdf-cdfe-e5be-312730889116@cs.tcd.ie>
Date: Mon, 06 Mar 2017 12:36:19 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <BE771BD3-81C0-4B54-8788-6A990A868F49@oracle.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="u06RawJc3Vu2knmPgeKPslC4V8FqMVqaq"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/RXPflbpVpdBBPFJO_M2xL7tYoks>
Cc: draft-ietf-nfsv4-rfc5666bis@ietf.org, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
Subject: Re: [nfsv4] Stephen Farrell's No Objection on draft-ietf-nfsv4-rfc5666bis-10: (with COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 12:36:26 -0000
Hiya, Just one thing below... On 02/03/17 20:06, Chuck Lever wrote: > >> On Feb 28, 2017, at 3:49 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: >> >> Stephen Farrell has entered the following ballot position for >> draft-ietf-nfsv4-rfc5666bis-10: No Objection >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rfc5666bis/ >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> >> - 3.4.5: Can a requester DoS a responder by asking the >> latter to read giga- or tera-bytes? > > A storage server would be prepared to respond appropriately > to requests for that much data in a way that manages the > bandwidth of the connection, RNIC, and fabric. > > The responder is free to reject requests with Read chunks > of unreasonable size (RCOUS's ;-). > > The transport protocol does not place a limit on chunk > size. The Upper Layer Protocol may place a limit on the > amount of data transferred by one RPC. That limit might > be used as a chunk size sanity check by the transport. > > >> And the same question >> the other way about for 3.4.6. > > In this case, the client provisions each Write chunk. > If the server transmits more data than the client is > prepared to receive in that chunk, the connection is > dropped immediately. > > The client would have to reconnect to send more RPCs. > If any of them have Write chunks, and the server > overruns one or more of them, the client would drop > the connection again. > > Other connections should be unaffected, depending on > the RNIC implementation. > > So, a rogue server could prevent forward progress on > a connection. > > >> - 4.4.1: not having access to memory allocated for >> "cancelled RPCs" also seems like a potential DoS that ought >> be noted. Is it? > > IMO signaled RPCs would not prevent forward progress > of other RPCs on each new connection, though it might > slow them down. > > >> - General: I was surprised see no mention of DoS. Is that >> covered in some reference? Even if so, I'd have expected >> some discussion of DoS attacks and mitigations. > > As far as I am aware DoS is not covered in any of this > document's references, and was not covered in the > original text of RFC 5666. > > I am open to suggestion about the addition of such > discussion, as I'm sure my co-authors are. So my suggestion is: Yes, please do think about DoS and then add what you conclude is the right text:-) That may involve you reaching out to some folks who know about DoS and about nfs, but I'm sure such folks do exist and you probably know 'em already or can find 'em. (I'm not such a person btw.) Cheers, S. > > >> - 8.2.1: "Protection below the RDMA layer is a more >> appropriate security mechanism for RDMA transports in >> performance-sensitive deployments." I think that's a bit >> over-stated. A deployment could be performance-sensitive >> but yet prioritise application layer crypto for various >> reasons. As you're really just talking about trade-offs, >> and I think that's sufficiently explained already, I figure >> you could omit that sentence. > > That sentence could be considered implementation > advice. If my co-authors agree, I can remove it in the > next revision. > > > -- > Chuck Lever > > >
- [nfsv4] Stephen Farrell's No Objection on draft-i… Stephen Farrell
- Re: [nfsv4] Stephen Farrell's No Objection on dra… Chuck Lever
- Re: [nfsv4] Stephen Farrell's No Objection on dra… Stephen Farrell