Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
David Noveck <davenoveck@gmail.com> Fri, 04 January 2019 16:25 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A35C6130E29 for <nfsv4@ietfa.amsl.com>; Fri, 4 Jan 2019 08:25:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w8rzhFLvRtIZ for <nfsv4@ietfa.amsl.com>; Fri, 4 Jan 2019 08:25:30 -0800 (PST)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7C85130E0F for <nfsv4@ietf.org>; Fri, 4 Jan 2019 08:25:29 -0800 (PST)
Received: by mail-ot1-x32a.google.com with SMTP id t5so32584157otk.1 for <nfsv4@ietf.org>; Fri, 04 Jan 2019 08:25:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mLzcvpkM8za+Pshmco9hYCj7d2hxgoOii3ENuHCdl94=; b=MktHTvKV0qFNLiwh1cp8IC3emX7FeOCAtUXcbe72+fseOJik0CmkaGLoZNg+JfNP23 v4AZjW+BLv2VG5STM3B9dDozCPTkM9UcxYrQWJYNUvxdQmpLdPYwBpY+6kpfkIMB9B24 rVK62wy5cPzJ4pnziGUGOqqaSI97q9hDC+/JtpZ2jaPlAkoS8Ro+SOfs3d9MZZCnwhiO Ft36VQYxKAnTOc4rV/SAt1XuWfhdv7hL8Xk6/Ta3EHcTinNZM8doDAv0s8kAKyeZKmsc w+pe1D5L7pmtJh1A7Taep1TtnB7D7e0mypSNF3xMLPPpSDay2GS90mCvPQ5LxSpRkVMb ZMOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mLzcvpkM8za+Pshmco9hYCj7d2hxgoOii3ENuHCdl94=; b=WXWZQ3VFyxwMQxuesoEt3bZ/9J9sGxFF2TpRwrPdJSO+Tshxbu1Og8SUNtb7JVQtHN H4gp8W0zJ0igqeCo+VGnNK+c9chyliBtcuRqvuuwsrk5G+C46qXKbKLsN/HXiakDDoQt p2svZKl5w1JXWcdc8ChK/doGHLMResExYPv66cOYsVLH9sKWOQMCZu5R51WM3B9/ZXQw l9nyFGlTDEzTXzGeCHnJOcYqZpbl8V9wMLDnNkVkledK+btDfwkUwTDIMav2BJI3DDKg AellmN4reZgHWX0bSolXKYmE6om6lQpqYH0Rmloxr57UWGxOwOVVuAQCAjMTMQYNjIjx QgBQ==
X-Gm-Message-State: AJcUukdC9lY7OvgqoRyzpFG0bt+5zRpXNjqendLWdExIyEJZB866J1+u J4/Q4OZrgwx66Iy51uO1LBcwyh3K3ggsYBU+m1U=
X-Google-Smtp-Source: ALg8bN6Qag+fca72271bwjtWNc0hYuckeX+lZG2vm0fpImlQsyecxMc8t/YilNiEYOWGtpzKP6wry83TtBqzKofUN7k=
X-Received: by 2002:a05:6830:1d1:: with SMTP id r17mr31073259ota.36.1546619129027; Fri, 04 Jan 2019 08:25:29 -0800 (PST)
MIME-Version: 1.0
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <50A96C3A-DBA4-4A6C-B883-664E59E24534@oracle.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com>
In-Reply-To: <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 04 Jan 2019 11:25:18 -0500
Message-ID: <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c9e229057ea45390"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Sx9f1mqywVwtij6DP6cgY0xaWNs>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jan 2019 16:25:33 -0000
> I've been studying RFC 8471 to understand what would be needed to support > TLS token binding with RPC. It appears there are two components: > - The TLS handshake is extended to indicate support for token binding > and negotiate the supported version > - The upper layer protocol (RPC, in our case) is required to send a Token > Binding message as the first message > We would need to provide a mechanism for encapsulating this message in > the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially, > RPCSEC GSS could provide a mechanism for transporting this message. As I understand things, one of the potential goals here is to satisfactorily authenticate the client so that AUTH_SYS can reasonably used. For that use case, I'm not sure how depending on RPCSEC GSS would fit in. > It appears to me that there is a natural boundary between what we have > already described in draft-cel-nfsv4-rpc-tls and support for TLS Token > Binding, such that Token Binding could be handled by a separate document. That makes sense. > That would allow the quick completion Since this is the IETF, let's just say "quicker completion". > of rpc-tls to enable encryption by > default using self-signed certificates, with support for Token Binding > to appear later. It depens on how much later. I don't see how it would be necessary to get through the RFC process, including that rigorous search for split infinitives, cycles of discussion of RFC2119 terms before starting the follow-up work on token binding. Once rpc-tls is accepted as a working group document, the group would be in a position to make plans for the follow-on work that seems to be warranted. > Thoughts, comments... If work on client autehentication is to be punted, then the document will need to reflect that. In particular, if you, as a server, are prepared to accept an unauthenticatted client's user identifications, then your security is pretty much non-existent, despite the fact that enryption prevents eavesdropping. In that case, it probably best to say nothing about use of AUTH_SYS. > Am I on the wrong track? No. On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote: > > > On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote: > > > > Hi Chuck > > > > Apologies for top posting, blame MS > > > > I was interested in the comment "We believe the combination of host > authentication via TLS and user authentication via RPC provides optimal > security, efficiency, and flexibility,". There's been a huge amount of > negative press for TLS client auth, but there's been a push for TLS token > binding as a basis for better client/server authentication. Does the > proposal need to consider work in this area? > > I've been studying RFC 8471 to understand what would be needed to support > TLS token binding with RPC. It appears there are two components: > > - The TLS handshake is extended to indicate support for token binding > and negotiate the supported version > > - The upper layer protocol (RPC, in our case) is required to send a Token > Binding message as the first message > > We would need to provide a mechanism for encapsulating this message in > the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially, > RPCSEC GSS could provide a mechanism for transporting this message. > > It appears to me that there is a natural boundary between what we have > already described in draft-cel-nfsv4-rpc-tls and support for TLS Token > Binding, such that Token Binding could be handled by a separate document. > That would allow the quick completion of rpc-tls to enable encryption by > default using self-signed certificates, with support for Token Binding > to appear later. > > Thoughts, comments... Am I on the wrong track? > > > > -----Original Message----- > > From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever > > Sent: Monday, November 19, 2018 15:56 > > To: NFSv4 <nfsv4@ietf.org> > > Subject: [nfsv4] Fwd: New Version Notification for > draft-cel-nfsv4-rpc-tls-01.txt > > > > > > Hi- > > > >> Begin forwarded message: > >> > >> From: internet-drafts@ietf.org > >> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt > >> Date: November 19, 2018 at 10:52:07 AM EST > >> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles > >> Lever" <chuck.lever@oracle.com>, "Chuck Lever" > >> <chuck.lever@oracle.com> > >> > >> > >> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been > >> successfully submitted by Charles Lever and posted to the IETF > >> repository. > >> > >> Name: draft-cel-nfsv4-rpc-tls > >> Revision: 01 > >> Title: Remote Procedure Call Encryption By Default > >> Document date: 2018-11-19 > >> Group: Individual Submission > >> Pages: 9 > >> URL: > https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt > >> Status: > https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/ > >> Htmlized: https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01 > >> Htmlized: > https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls > >> Diff: > https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01 > >> > >> Abstract: > >> This document describes a mechanism that enables encryption of in- > >> transit Remote Procedure Call (RPC) transactions with little > >> administrative overhead and full interoperation with RPC > >> implementations that do not support this mechanism. This document > >> updates RFC 5531. > >> > >> > >> > >> > >> Please note that it may take a couple of minutes from the time of > >> submission until the htmlized version and diff are available at > tools.ietf.org. > >> > >> The IETF Secretariat > > > > Minor changes in revision 01: > > - Correct a legal issue reported by idnits > > - Clarify terminology throughout document > > - Add editor's note in Section 4.3 "Authentication" > > - Wordsmithing throughout > > > > > > The immediate question I have is whether members of WG feel this topic > and document are important enough to promote rpc-tls-01 to Working Group > document status. If yes, I can submit the next revision as > draft-ietf-nfsv4-rpc-tls-00. > > -- > Chuck Lever > > > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 >
- [nfsv4] Fwd: New Version Notification for draft-c… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… Rob Thurlow
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… McDonald, Alex
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… Tom Talpey
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… David Noveck
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Lars Eggert
- Re: [nfsv4] New Version Notification for draft-ce… Lars Eggert
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Benjamin Kaduk
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Trond Myklebust
- Re: [nfsv4] New Version Notification for draft-ce… Trond Myklebust
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Benjamin Kaduk
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran