IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

David Noveck <davenoveck@gmail.com> Fri, 04 January 2019 16:25 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A35C6130E29 for <nfsv4@ietfa.amsl.com>; Fri, 4 Jan 2019 08:25:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w8rzhFLvRtIZ for <nfsv4@ietfa.amsl.com>; Fri, 4 Jan 2019 08:25:30 -0800 (PST)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7C85130E0F for <nfsv4@ietf.org>; Fri, 4 Jan 2019 08:25:29 -0800 (PST)
Received: by mail-ot1-x32a.google.com with SMTP id t5so32584157otk.1 for <nfsv4@ietf.org>; Fri, 04 Jan 2019 08:25:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mLzcvpkM8za+Pshmco9hYCj7d2hxgoOii3ENuHCdl94=; b=MktHTvKV0qFNLiwh1cp8IC3emX7FeOCAtUXcbe72+fseOJik0CmkaGLoZNg+JfNP23 v4AZjW+BLv2VG5STM3B9dDozCPTkM9UcxYrQWJYNUvxdQmpLdPYwBpY+6kpfkIMB9B24 rVK62wy5cPzJ4pnziGUGOqqaSI97q9hDC+/JtpZ2jaPlAkoS8Ro+SOfs3d9MZZCnwhiO Ft36VQYxKAnTOc4rV/SAt1XuWfhdv7hL8Xk6/Ta3EHcTinNZM8doDAv0s8kAKyeZKmsc w+pe1D5L7pmtJh1A7Taep1TtnB7D7e0mypSNF3xMLPPpSDay2GS90mCvPQ5LxSpRkVMb ZMOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mLzcvpkM8za+Pshmco9hYCj7d2hxgoOii3ENuHCdl94=; b=WXWZQ3VFyxwMQxuesoEt3bZ/9J9sGxFF2TpRwrPdJSO+Tshxbu1Og8SUNtb7JVQtHN H4gp8W0zJ0igqeCo+VGnNK+c9chyliBtcuRqvuuwsrk5G+C46qXKbKLsN/HXiakDDoQt p2svZKl5w1JXWcdc8ChK/doGHLMResExYPv66cOYsVLH9sKWOQMCZu5R51WM3B9/ZXQw l9nyFGlTDEzTXzGeCHnJOcYqZpbl8V9wMLDnNkVkledK+btDfwkUwTDIMav2BJI3DDKg AellmN4reZgHWX0bSolXKYmE6om6lQpqYH0Rmloxr57UWGxOwOVVuAQCAjMTMQYNjIjx QgBQ==
X-Gm-Message-State: AJcUukdC9lY7OvgqoRyzpFG0bt+5zRpXNjqendLWdExIyEJZB866J1+u J4/Q4OZrgwx66Iy51uO1LBcwyh3K3ggsYBU+m1U=
X-Google-Smtp-Source: ALg8bN6Qag+fca72271bwjtWNc0hYuckeX+lZG2vm0fpImlQsyecxMc8t/YilNiEYOWGtpzKP6wry83TtBqzKofUN7k=
X-Received: by 2002:a05:6830:1d1:: with SMTP id r17mr31073259ota.36.1546619129027; Fri, 04 Jan 2019 08:25:29 -0800 (PST)
MIME-Version: 1.0
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <50A96C3A-DBA4-4A6C-B883-664E59E24534@oracle.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com>
In-Reply-To: <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 04 Jan 2019 11:25:18 -0500
Message-ID: <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c9e229057ea45390"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Sx9f1mqywVwtij6DP6cgY0xaWNs>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jan 2019 16:25:33 -0000

> I've been studying RFC 8471 to understand what would be needed to support
> TLS token binding with RPC. It appears there are two components:

 > - The TLS handshake is extended to indicate support for token binding
>   and negotiate the supported version

>  - The upper layer protocol (RPC, in our case) is required to send a Token
>   Binding message as the first message

> We would need to provide a mechanism for encapsulating this message in
> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
> RPCSEC GSS could provide a mechanism for transporting this message.

As I understand things, one of the potential goals here is to satisfactorily
authenticate the client so that AUTH_SYS can reasonably used.  For that use
case, I'm not sure how depending on RPCSEC GSS would fit in.

> It appears to me that there is a natural boundary between what we have
> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
> Binding, such that Token Binding could be handled by a separate document.

That makes sense.

> That would allow the quick completion

Since this is the IETF, let's just say "quicker completion".

> of rpc-tls to enable encryption by
> default using self-signed certificates, with support for Token Binding
> to appear later.

It depens on how much later.  I don't see how it would be necessary to get
through the RFC process, including that rigorous search for split
infinitives, cycles
of discussion of RFC2119 terms before starting the follow-up work on token
binding.   Once rpc-tls is accepted as a working group document, the group
would
be in a position to make plans for the follow-on  work that seems to be
warranted.

> Thoughts, comments...

If work on client autehentication is to be punted, then the document will
need to reflect that.
In particular, if you, as a server, are prepared to accept an
unauthenticatted client's user
identifications, then your security is pretty much non-existent, despite
the fact that
enryption prevents eavesdropping.  In that case, it probably best to say
nothing about use
of AUTH_SYS.

> Am I on the wrong track?

No.

On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote:

>
> > On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote:
> >
> > Hi Chuck
> >
> > Apologies for top posting, blame MS
> >
> > I was interested in the comment "We believe the combination of host
> authentication via TLS and user authentication via RPC provides optimal
> security, efficiency, and flexibility,". There's been a huge amount of
> negative press for TLS client auth, but there's been a push for TLS token
> binding as a basis for better client/server authentication. Does the
> proposal need to consider work in this area?
>
> I've been studying RFC 8471 to understand what would be needed to support
> TLS token binding with RPC. It appears there are two components:
>
>  - The TLS handshake is extended to indicate support for token binding
>    and negotiate the supported version
>
>  - The upper layer protocol (RPC, in our case) is required to send a Token
>    Binding message as the first message
>
> We would need to provide a mechanism for encapsulating this message in
> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
> RPCSEC GSS could provide a mechanism for transporting this message.
>
> It appears to me that there is a natural boundary between what we have
> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
> Binding, such that Token Binding could be handled by a separate document.
> That would allow the quick completion of rpc-tls to enable encryption by
> default using self-signed certificates, with support for Token Binding
> to appear later.
>
> Thoughts, comments... Am I on the wrong track?
>
>
> > -----Original Message-----
> > From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
> > Sent: Monday, November 19, 2018 15:56
> > To: NFSv4 <nfsv4@ietf.org>
> > Subject: [nfsv4] Fwd: New Version Notification for
> draft-cel-nfsv4-rpc-tls-01.txt
> >
> >
> > Hi-
> >
> >> Begin forwarded message:
> >>
> >> From: internet-drafts@ietf.org
> >> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
> >> Date: November 19, 2018 at 10:52:07 AM EST
> >> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles
> >> Lever" <chuck.lever@oracle.com>, "Chuck Lever"
> >> <chuck.lever@oracle.com>
> >>
> >>
> >> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been
> >> successfully submitted by Charles Lever and posted to the IETF
> >> repository.
> >>
> >> Name:         draft-cel-nfsv4-rpc-tls
> >> Revision:     01
> >> Title:                Remote Procedure Call Encryption By Default
> >> Document date:        2018-11-19
> >> Group:                Individual Submission
> >> Pages:                9
> >> URL:
> https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt
> >> Status:
> https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/
> >> Htmlized:       https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01
> >> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls
> >> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01
> >>
> >> Abstract:
> >>  This document describes a mechanism that enables encryption of in-
> >>  transit Remote Procedure Call (RPC) transactions with little
> >>  administrative overhead and full interoperation with RPC
> >>  implementations that do not support this mechanism.  This document
> >>  updates RFC 5531.
> >>
> >>
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> >> submission until the htmlized version and diff are available at
> tools.ietf.org.
> >>
> >> The IETF Secretariat
> >
> > Minor changes in revision 01:
> > - Correct a legal issue reported by idnits
> > - Clarify terminology throughout document
> > - Add editor's note in Section 4.3 "Authentication"
> > - Wordsmithing throughout
> >
> >
> > The immediate question I have is whether members of WG feel this topic
> and document are important enough to promote rpc-tls-01 to Working Group
> document status. If yes, I can submit the next revision as
> draft-ietf-nfsv4-rpc-tls-00.
>
> --
> Chuck Lever
>
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email