Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009
James Lentini <jlentini@netapp.com> Thu, 03 December 2009 22:32 UTC
Return-Path: <jlentini@netapp.com>
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D4CA28C1C1 for <nfsv4@core3.amsl.com>; Thu, 3 Dec 2009 14:32:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yo84JpR5CUlA for <nfsv4@core3.amsl.com>; Thu, 3 Dec 2009 14:32:54 -0800 (PST)
Received: from mx2.netapp.com (mx2.netapp.com [216.240.18.37]) by core3.amsl.com (Postfix) with ESMTP id ACEB328C1BD for <nfsv4@ietf.org>; Thu, 3 Dec 2009 14:32:54 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.47,337,1257148800"; d="scan'208";a="283477141"
Received: from smtp1.corp.netapp.com ([10.57.156.124]) by mx2-out.netapp.com with ESMTP; 03 Dec 2009 14:32:37 -0800
Received: from jlentini-linux.hq.netapp.com (jlentini-linux.hq.netapp.com [10.97.16.21]) by smtp1.corp.netapp.com (8.13.1/8.13.1/NTAP-1.6) with ESMTP id nB3MWaBH014176; Thu, 3 Dec 2009 14:32:37 -0800 (PST)
Date: Thu, 03 Dec 2009 17:32:35 -0500
From: James Lentini <jlentini@netapp.com>
X-X-Sender: jlentini@jlentini-linux.nane.netapp.com
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20091203211232.GS773@Sun.COM>
Message-ID: <alpine.LFD.2.00.0912031707380.11932@jlentini-linux.nane.netapp.com>
References: <alpine.LFD.2.00.0912031553170.11932@jlentini-linux.nane.netapp.com> <20091203211232.GS773@Sun.COM>
User-Agent: Alpine 2.00 (LFD 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2009 22:32:56 -0000
On Thu, 3 Dec 2009, Nicolas Williams wrote: > On Thu, Dec 03, 2009 at 03:54:30PM -0500, James Lentini wrote: > > - NFS URL > > This seems good to me: > > fednfs://<domain>/<path> > > For all other paths use nfs://<server>/<path> (RFC2224), or change the > scheme to "nfs4". > > See below. > > > - Client Processing of an NFS SRV RR > > (as defined in draft-ietf-nfsv4-federated-fs-dns-srv-namespace-02) > > > > [...] > > > > Craig noted that there were two ways of naming a particular point. > > There is the traditional way, server://path/to/file, and a new > > SRV based name, roughly <domain> + <federated namespace path>. > > Yes. > > > Paul speculated that the behavior of the OS mount command could be updated > > to incorporate the federated naming. In particular, he wondered if the > > mount command would take a domain and mount the domain's federated root. > > The distinction between "server:/path" and "domain:/path" is very > important. It must be made. It must be made in URLs, and it must be > made in mount command arguments, and in automount maps, and GUIs. > > See above. > > > We noted that an OS mount command could be augmented to include the > > process of (1) mapping from a domain to an SRV query string, > > (2) performing the SRV query and extracting the host fileservers running > > the service, and (3) mounting the fileserver + ".domain-root-<domain>" > > path. Another option would be to perform steps (1) and (2) separately > > and then input the result into the standard mount command. > > Oh no, the mount command must do the whole enchilada. We discussed performing steps (1) and (2) separately in the context of backward compatibility with existing tools. I guess I was doing too much talking and neglected to capture that. :) > Also, we can't actually tell implementors what to do in their UIs. I noted that a protocol specification would not be the proper place to define the behavior of the mount command. Again, I inadvertently omitted that from the minutes. > What we can do is create a distinct URI/URL scheme for > domain-relative paths. See above. > > > + Admin NSDB Trust Anchor Management > > > > We briefly reviewed the mechanisms by which LDAP can be secured. LDAP > > connections can be secured using TLC or SASL. [Editor's note see RFC4513]. > > s/TLC/TLS/ (yes, lately TLS has needed TLC, but that's another story! ;) Good catch. > > > We discussed the following question who or what determines if a fileserver's > > NSDB connections are secure. We asked if the ONC RPC Administrative protocol > > should indicate, possibly at junction create time, the desired security > > properties to use for an FSN's resolution. > > In order to use TLS for this you only have two choices: > > - server certs (here's where TA mgmt comes in) > - PSK (pre-shared keys), which is not really scalable here, so I say to > heck with PSK > > As for SASL... you have these choices: > > - PLAIN > > PLAIN offers no real security unless you're running over TLS and > authenticating the server via TLS, but since that's all we want to > do, PLAIN is not applicable! > > - DIGEST-MD5 > - SCRAM (on the RFC-Editor queue now) > > These are not unlike PSK in terms of scalability, ergo: not scalable, > ergo not applicable for us. > > - GSSAPI (RFC4752) or GS2-KRB5, meaning Kerberos (GS2-KRB5 will soon be > on the RFC-Editor queue) > > I.e., Kerberos. As long as you're willing to have cross-realm trusts > for this, this is an available choice, and it will scale. What about these other SASL authentication mechanisms: http://www.iana.org/assignments/sasl-mechanisms > So we really only have two choices for server authentication: > > - TLS with server certs (and TA mgmt, since we're NOT going to have a > global PKI) > > - Kerberos V5 (via SASL/GSSAPI or SASL/GS2-KRB5) This is great information, but we were discussing a different question than what security mechanism are possible. In the current Admin protocol, the client can request a fileserver to create a junction but does not have a mechanism for indicating the authentication,integrity,and privacy mechanisms to use when resolving the junction. The question is therefore, should the Admin protocol's JUNCTION_CREATE arguments include a parameter that indicates how the junction should be resolved in the future? > By far the most likely case in actual federated deployments will be "TLS > with server certs". It's just simpler (e.g., no need to talk to > Kerberos realm administrators). Doesn't Active Directory use SASL with Kerberos? > > There are at least three different ways the security properties of an NSDB > > connection could be derived: (1) each implementation could have its own > > policy and settings, (2) the ONC RPC Admin protocol could indicate the > > desired security mechanism, or (3) the NSDB could require a particular > > security mechanism. > > (3) is not quite right: it's the _client_ that wants to authenticate the > _server_ here, not vice-versa. The reverse of (3) is really what you > wrote for (1). The server might want to insist on confidentiality > protection, in which case it will want to authenticate the client, but > the bottom line is that the most important thing here is that the client > authenticate the server. > > > Trond asked if there was a standard way for LDAP to indicate the required > > level of security. If so, it could be used as an auto configuration > > mechanism. James noted that there are ways for a user to indicate to > > an LDAP client that a security mechanism should be used (ldap:// versus > > ldaps:// to request standard versus SSL/TLS connections respectively or > > the various SASL configuration settings). James was not aware of any > > way to automatically determine if an LDAP directory should be contacted > > via TLS, SASL, etc. > > > > [AI] James Lentini will investigate if an LDAP client can automatically > > determine the security properties of an LDAP directory. > > See above and below. > > > James suggested that it could be dangerous for a fileserver to depend > > totally on an NSDB for indicating the security mechanism for an LDAP > > connection. For example, a impostor might setup a rogue NSDB that > > indicated no security was necessary (and hence the NSDB did not need to > > be authenticated). > > Exactly! > > > We discussed the security properties desired for an NSDB connection. > > If security is a concern, the fileserver will want to authenticate the > > identity of the NSDB and have protect the integrity of the LDAP connection. > > Note that the identity of the NSDB, in the sense of having a "name" is > not important. The identity of the NSDB in the sense of it have > authentication credentials that match what the ADMIN client meant (when > they created the junction) is important. A very subtle distinction, I > know, but think of self-signed certs -- the names they bear are not > important, but the names you take them to authenticate are. > > > Privacy did not stand out as a concern on the call. [editor's note: while > > writing up these notes, I realized that privacy is also desirable. The > > contents of an FSL, for example the path name, may convey information > > that the federation members which to keep private]. > > Confidentiality protection may or may not be desirable; it should be > OPTIONAL. > > In practice TLS is always used with confidentiality protection, so this > is practically moot, except that a server that wants confidentiality > protection also wants to authenticate (and authorize) clients. > > > James suggested that the fileserver administrator would have a > > vested interest in ensuring that the fileserver's referrals were > > valid. Therefore, the administrator will want the ability to > > configure the security properties used to resolve an FSN. > > Yes. > > > Trond pointed out that the fileserver must be able to query the NSDB > > over a long period of time. This leads inevitably to the topic of > > key/certificate management. > > With Kerberos, for example, this is non-issue. > > With PKI this is a real issue. The ADMIN protocol may need a procedure > by which to list soon-to-expire certs/TAs and a procedure to update > them. > > Nico > -- >
- [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 James Lentini
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 Nicolas Williams
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 James Lentini
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 Nicolas Williams
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 Daniel Ellard
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 James Lentini
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 James Lentini
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 Nicolas Williams
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 Nicolas Williams
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009 Nicolas Williams
- [nfsv4] Fwd: [FedFS] Meeting Minutes, 12/03/2009 Daniel Ellard