IETF Logo Mail Archive

Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-measurement-02.txt

"Everhart, Craig" <Craig.Everhart@netapp.com> Mon, 08 October 2018 17:44 UTC

Return-Path: <Craig.Everhart@netapp.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A12C5130EE9 for <nfsv4@ietfa.amsl.com>; Mon, 8 Oct 2018 10:44:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netapp.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NELtNrdJusEH for <nfsv4@ietfa.amsl.com>; Mon, 8 Oct 2018 10:44:07 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0040.outbound.protection.outlook.com [104.47.36.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC15A1310DC for <nfsv4@ietf.org>; Mon, 8 Oct 2018 10:40:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netapp.onmicrosoft.com; s=selector1-netapp-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Fl5yAyLUuCBjiaAIJK/JGpjrlb8nSmklIeAD/m9u+V0=; b=PkSC+obenQDobNZZ+QZ8bewlzGa6q0L0Gm4QRhBQ29fSiYjN6XEDClzcCgDZIbVv95SmMvGu9srqmftTVDHqlaGP4vQVjfK2gXi0d8eK1XRqYkdaryfH0cCqiQ14rzE874z9GZ/9CnUb8bNHBuy0++WzVeL/EMy/6Nn1b0Y+ajE=
Received: from BN6PR06MB3089.namprd06.prod.outlook.com (10.174.95.163) by BN6PR06MB2562.namprd06.prod.outlook.com (10.173.144.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1207.28; Mon, 8 Oct 2018 17:40:51 +0000
Received: from BN6PR06MB3089.namprd06.prod.outlook.com ([fe80::8935:a8ae:f256:fe6]) by BN6PR06MB3089.namprd06.prod.outlook.com ([fe80::8935:a8ae:f256:fe6%5]) with mapi id 15.20.1207.024; Mon, 8 Oct 2018 17:40:51 +0000
From: "Everhart, Craig" <Craig.Everhart@netapp.com>
To: Chuck Lever <chucklever@gmail.com>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-measurement-02.txt
Thread-Index: AQHUXxdeq4VZRMmWm0utjltynZGocaUVO2KAgABSTgD//80uAA==
Date: Mon, 08 Oct 2018 17:40:51 +0000
Message-ID: <55FF4CA0-BB68-44F1-AFAC-DD1E0F9443C2@netapp.com>
References: <153901060913.16390.8389561648327812120@ietfa.amsl.com> <23D33FE9-54F9-40CB-AC41-23EC15603E47@netapp.com> <BACFE07D-B843-485F-97EE-4D36ABAB356F@gmail.com>
In-Reply-To: <BACFE07D-B843-485F-97EE-4D36ABAB356F@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.11.0.180909
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Craig.Everhart@netapp.com;
x-originating-ip: [216.240.30.4]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR06MB2562; 6:qtk50Npz33bUwJSmDXWUVsZj2sEOf81ADofT5b4wbGfH/Bms8MqY0hilGM2QCNfeIUj4U2ZbEZ3X26t6oKzxKwx1Z3QgRMWdlf2Hqs3j7IISMICF0D035G7JRl6WqPg7CWvXRkXx9c6W+hHPgyqscJ8d4pgipgUpa0KvhSrXDI6y5q0EF5Gb55qgKXq72y86jyqcDtasqASIFVnC3tuw8y7cT50/159TqnJ+NzFGeQZ6jEdl+8AXnLqJKcTTujBtYFHYteT5I4jljQ4OWgoc2Q/DI4V0EMbEA5wX5zKt5LE+rM+PPKkU2XcPN/XaAOj+YB/nnaOoaxUzwphVWOIcdT+tEoAmH4pp6cE/GQb78OTu+X3xKN3YYDZ1UZZf4agcijnKfh9ny3ygwSbbK5okxpNYxLM2M+3PDXLTaklkppRmafU0JsdbF6bKTauGS83qR8fEOZve5uLlEF8U7HofDA==; 5:/6xWZz2TWSwuqWi+g4TnCdYSRFGoxR5A6dEaukSGtihqlQa2gLoZc87qqIalwlpFeeQLm2+gKmB+7R4atLrNdM58X7Yc2Ak0+LvFTCnTh46N7slQiO2tjz/KzAlla8DsEcMhws3iyBjeCxc2DzxfYCQJsgTB1O2N4i0O2x+8ntI=; 7:riYb2GioPoJtArH25cfUM9FAm7IQThKvzYi61v48WdrvhNxfzSODGxeUlCJR6eVBYdIQYw2OPcx7wUzU1bAwZx8lmH8J/IW9sQBeSA8ymScDnjFLMbCamOCTbZlm6n/AeOC2hz4PLRp3yw0hJkupRW3sGDzxB3Vk/Sc76hob81PBMvIax6mNyRYDyrj3LGQS+BiNquS4hFXNMxuw0rlzCkvPKeqziFHwkxyN5xisaq/DtNR04WnPOURgLfXXnsNU
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 8d57f208-9380-497a-fd82-08d62d4530be
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7193020); SRVR:BN6PR06MB2562;
x-ms-traffictypediagnostic: BN6PR06MB2562:
x-microsoft-antispam-prvs: <BN6PR06MB2562BF7952CDA73A943423FCF0E60@BN6PR06MB2562.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(120809045254105)(85827821059158);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3231355)(944501410)(52105095)(3002001)(6055026)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(201708071742011)(7699051); SRVR:BN6PR06MB2562; BCL:0; PCL:0; RULEID:; SRVR:BN6PR06MB2562;
x-forefront-prvs: 081904387B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(396003)(366004)(136003)(346002)(39860400002)(51914003)(199004)(189003)(68736007)(6916009)(97736004)(5250100002)(102836004)(81166006)(81156014)(66066001)(478600001)(1411001)(316002)(53936002)(58126008)(186003)(7736002)(26005)(6306002)(8676002)(6512007)(6486002)(105586002)(256004)(71190400001)(71200400001)(14454004)(106356001)(5024004)(305945005)(5660300001)(25786009)(2906002)(229853002)(83716004)(33656002)(99286004)(36756003)(76176011)(2900100001)(82746002)(966005)(4326008)(53546011)(446003)(72206003)(6116002)(11346002)(3846002)(8936002)(6246003)(14444005)(6436002)(86362001)(6506007)(39060400002)(2616005)(476003)(486006); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR06MB2562; H:BN6PR06MB3089.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: netapp.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 4BUIbJi6a7IY8S4Mt8l6Q01GCbXhNP3SqRP1crhe9TsFdsbykrkNdSvTKqnz6/q/30pf8ELkbj84hHW8P8sT0wRFY6rDhFBUypv/mHwshsPopYCVGsWxPKkq6vDqd+kIbOzthGeHxjb/aUMs1O0Voao9cFbA2Meci6cllBmNI/mbHm0HHUtZ6s7+9AGfbtV+zb++VbLMBwqna16WmmeU387XirCc76XJK437Y+5LNpAVe30gcYTmM4trFgHMFIJWDZvvbhpWu8b/vxn7LtXUrV5D/aXLv5bofZCv6syNZCiifK5lwDkLdMr9ns/ZTmfslXz732EElz1g9e87IbEEG2yc+AH+Nae5GCdxjHESpxg=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <B712B7E3D2D0644ABA90C3CE3412CBE2@namprd06.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: netapp.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8d57f208-9380-497a-fd82-08d62d4530be
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Oct 2018 17:40:51.2399 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4b0911a0-929b-4715-944b-c03745165b3a
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR06MB2562
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/SReHra1NFyKaTGc2g_uBK5yCHCw>
Subject: Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-measurement-02.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Oct 2018 17:44:11 -0000

Hi Chuck, thanks for the quick reply.

On 10/8/18, 12:43 PM, "nfsv4 on behalf of Chuck Lever" <nfsv4-bounces@ietf.org on behalf of chucklever@gmail.com> wrote:

    Hi Craig -
    
    > On Oct 8, 2018, at 11:48 AM, Everhart, Craig <Craig.Everhart@netapp.com> wrote:
    >
    > In the "1. Introduction", the opaque provenance information is described as including a "keyed hash, such as an HMAC [RFC2104]" without any indication as to the management of the key information.  Must that information, also, be taken on faith?  What's the basis for this claim?  Is it required for all provenance information, or just for some?
    
    The Introduction describes that as "out of scope" but suggests key
    management can be done via another distribution channel and stored
    locally in a Trusted Platform Module.
    
    Section 1.1:
       A Trusted Platform Module [TPM-SUM] can seal the key material used to
       sign and verify file content.  Distributing and protecting such key
       material is outside the scope of the OPTIONAL extension specified in
       this document.
    
Are we talking about a keyed hash or signing/verifying the content (as in encrypting a hash)?  They're similar, but different, kinds of operations.


    
    > There's an effort made in this draft to distinguish participating/non-participating clients and servers.  Because this draft really talks about only one kind of provenance information, what is to be done with clients or servers that participate in one but not all kinds of provenance information?
    
    The Introduction states that "participating" clients have to agree on
    using the same provenance assessor.
    
    Section 1.1:
       NFS acts as a conduit by which file provenance information and file
       content move between storage on an NFS server and the provenance
       assessor where that content is to be accessed.  NFS peers accessing a
       set of shared files must all agree on the at-rest file provenance
       information format.  The format is specified by the provenance
       assessor and is therefore not described in this document.

So, NFS, as an interchange protocol, is not being tasked with even the little bit of interoperability necessary to identify which kind of provenance information is in use?
    
    The document later states that provenance assessors have to be prepared
    to encounter unrecognized provenance information.

Recognized how?
    
    Section 5.3:
       A provenance assessor on an NFS version 4.2 peer needs to be prepared
       to deal with file provenance information it does not recognize or
       cannot parse.  Typically its policy treats this case as a provenance
       verification failure.
    
    Again, I'm struggling to see the purpose of deploying multiple
    incompatible FPI schemas concurrently. Do you have something specific in
    mind?

I bring up the issue because NFS can transit multiple storage domains.  Think of it as having multiple authentication domains.  It's the job of the communication protocol not only to deal with how the happy path works, but what happens when it isn't the happy path.
    
    
    > Apparently, the updating of file content must be done in conjunction with updating of provenance information.  What can be done to make such operations mutually atomic?
    
    I don't believe these "race conditions" are consequential, typically.
    While the provenance information does not match the content, assessors
    will prevent access to that content.
    
    Moreover, attaching FPI is usually a final step before content distri-
    bution, performed separately via a tool. The tool, not the file system
    stack, has access to the private signing key.
    
    
    > What's to be done with a server that wants to vet provenance information, but notices that the stored provenance information is not correct with respect to the stored file content?  Surely there are other, similar, race-like conditions.
    
    NFS servers do not vet the provenance information during remote access
    of content. A provenance assessor on the server may prevent access only
    to local accessors.
    
    Section 5.3:
       Note that an NFS version 4.2 server may use a provenance assessor to
       prevent access by local users to protected files.  To enable NFS
       version 4.2 clients to do their own assessment, an NFS version 4.2
       server should never prevent remote access to clients if local
       provenance assessment fails.
    
    If the content and FPI are out of sync, local assessment on the server
    prevents only local access to that content.
    
    Because FPI is meant to be end-to-end protection, the goal here is to
    perform provenance assessment immediately before the content is to be
    used. Because it is typically expensive, assessment should be done as
    few times as needed (once?) to guarantee protection. No point in having
    the server do it and then the client do it again.
    
So, finally, a piece of architecture accidentally falls out: you couldn't have the server do assessment once and for all, for all its clients, for all future uses of a file.  You're declaring that kind of interaction to be not well-defined.  Why?

		Thanks,
		Craig

    
    >
    >
    > On 10/8/18, 10:58 AM, "nfsv4 on behalf of internet-drafts@ietf.org" <nfsv4-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:
    >
    >    A New Internet-Draft is available from the on-line Internet-Drafts directories.
    >    This draft is a work item of the Network File System Version 4 WG of the IETF.
    >
    >            Title           : File Content Provenance for Network File System version 4
    >            Author          : Charles Lever
    >            Filename        : draft-ietf-nfsv4-integrity-measurement-02.txt
    >            Pages           : 13
    >            Date            : 2018-10-08
    >
    >    Abstract:
    >       This document specifies an OPTIONAL extension to NFS version 4 minor
    >       version 2 that enables file provenance information to be conveyed
    >       between NFS version 4.2 servers and clients.  File provenance
    >       information authenticates the creator of a file's content and helps
    >       guarantee the content's integrity from creation to use.
    >
    >
    >    The IETF datatracker status page for this draft is:
    >    https://datatracker.ietf.org/doc/draft-ietf-nfsv4-integrity-measurement/
    >
    >    There are also htmlized versions available at:
    >    https://tools.ietf.org/html/draft-ietf-nfsv4-integrity-measurement-02
    >    https://datatracker.ietf.org/doc/html/draft-ietf-nfsv4-integrity-measurement-02
    >
    >    A diff from the previous version is available at:
    >    https://www.ietf.org/rfcdiff?url2=draft-ietf-nfsv4-integrity-measurement-02
    >
    >
    >    Please note that it may take a couple of minutes from the time of submission
    >    until the htmlized version and diff are available at tools.ietf.org.
    >
    >    Internet-Drafts are also available by anonymous FTP at:
    >    ftp://ftp.ietf.org/internet-drafts/
    >
    >    _______________________________________________
    >    nfsv4 mailing list
    >    nfsv4@ietf.org
    >    https://www.ietf.org/mailman/listinfo/nfsv4
    >
    >
    > _______________________________________________
    > nfsv4 mailing list
    > nfsv4@ietf.org
    > https://www.ietf.org/mailman/listinfo/nfsv4
    
    --
    Chuck Lever
    chucklever@gmail.com
    
    
    
    _______________________________________________
    nfsv4 mailing list
    nfsv4@ietf.org
    https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email