IETF Logo Mail Archive

Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-nfsv4-rpc-tls04

David Noveck <davenoveck@gmail.com> Fri, 06 December 2019 22:35 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0B97120A28 for <nfsv4@ietfa.amsl.com>; Fri, 6 Dec 2019 14:35:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JdKm0S5TzuPZ for <nfsv4@ietfa.amsl.com>; Fri, 6 Dec 2019 14:35:22 -0800 (PST)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6DEB1208EB for <nfsv4@ietf.org>; Fri, 6 Dec 2019 14:35:19 -0800 (PST)
Received: by mail-ot1-x333.google.com with SMTP id x3so7154638oto.11 for <nfsv4@ietf.org>; Fri, 06 Dec 2019 14:35:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ugRLg8/LJNoXTs9D3WhnFvj8rJi/L6kAi7n3A8D2+rk=; b=YihOuvJALIg8YApLLx6Hg7AKqvp/9q8rHgSpnLuBszGiuT1NZqOimOGGojP/uUuhnu jnwM9AvgaTZOZKlGn+l5hS65LtgyLnSkqmyXVSKzrwRQN+H8xFHypxOjw29ncGIaDYLI sQ8MUzIeTBRtlhUjPa9X30fiYs8zhZh+oAvwzO4gXIJDvhEJSRDXCqwB4kXuuxbnRF/0 rNdlhGCXS1DfroC8SCNdh7K5SiHjkwaKuOa+GRWeh7bVefp/QccrTtvIgGkCM1wci2T6 kAKY9os+HBQleIy5cZ4Mj7GPmkZa+XOLtGVP/qMcHSKg9pjVPT2d2vBF6bCYIvacTWB+ LAXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ugRLg8/LJNoXTs9D3WhnFvj8rJi/L6kAi7n3A8D2+rk=; b=GUlYcNWLv9JbNeT/6CNBaCPw1F0L4Mf4Y39WRr6rZ1rggwewtuDHNGY/8Rx6Nnpg6U lwjmanb99Jj3lb8MqiIPOKJ04xeIaeTIo9aS0RZx2pha+n7eJjAYmCMqE6TSVLL3gAH8 CtVEGDx8PcokNE3Dn0r4yGp/7bA7uwsH6py7xvelvwu6vGJmyBYKNTk5ATL+1um34gkY 5rnlG0m7/5Nkv/+jvclG7NdO6aUtzqi+YGCOgrk/FfnDapYjZ1szhrloyLL7kC0YL1Dt beZI37EqEGsKwBTCEs01gk72CbHtmbaOSqEsWozqUQmvuv+NMv8uQ4sx+2gfbyKROZSS CrbQ==
X-Gm-Message-State: APjAAAWEIEBNRDBee5SF4huHiNEiIJG39B9Y431tf6uj/jaRiM9r44Wi p/9DwltlYKrSBToo8M+/zE4EyWU6mRen+0LZGcQ=
X-Google-Smtp-Source: APXvYqwp1aE5gXCoj4Nxn3jt3u0HRe5TX5/n83rAQHvePS820Cojs6ETF8Q6wG1TUizgCDVGFQL2SawMcWqib75GebU=
X-Received: by 2002:a9d:154:: with SMTP id 78mr12611777otu.294.1575671719035; Fri, 06 Dec 2019 14:35:19 -0800 (PST)
MIME-Version: 1.0
References: <CADaq8jdbQJFKS7xoeP+wLMhT0e8gSQQeqHDsV7PHNbT_YC+hSQ@mail.gmail.com> <11820D8F-A192-46EE-AD32-8561BCBE31A2@oracle.com> <MN2PR21MB143931B6F1DC40FF6A765AAEA05F0@MN2PR21MB1439.namprd21.prod.outlook.com> <CADaq8jf5Dh8bMmA2fcDKBknTbz-Oah1dZH=KRawjSRtOa6zh5w@mail.gmail.com> <63ADA2AC-815D-4899-B863-4FD321A968ED@oracle.com> <MN2PR21MB143950BE6F7130739D1280CAA05F0@MN2PR21MB1439.namprd21.prod.outlook.com> <741F6898-6A1B-4968-BC63-B9CDBB97C16F@oracle.com> <b1b36bba-2d60-3665-db67-0e58a2c82dc7@talpey.com> <CEB4BEE5-2BC3-44BB-873F-57FD24F00E45@oracle.com> <c4a0ccc6-ebea-1732-d088-d645f970a3e5@talpey.com> <4648015E-4451-4757-B54F-C5D0069DA13A@oracle.com>
In-Reply-To: <4648015E-4451-4757-B54F-C5D0069DA13A@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 06 Dec 2019 17:35:08 -0500
Message-ID: <CADaq8jf31Taz+Y1MWqOPQX8KtVqC7YF3g56AB-PiOQYs-QK3jQ@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Tom Talpey <tom@talpey.com>, NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000188842059910a903"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/TsfxEZB0RWc7aNBoizEvjhBwkUs>
Subject: Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-nfsv4-rpc-tls04
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2019 22:35:28 -0000

> Not a trap,

If it's not, we seem to have an awful lot of difficulty getting out of it.

> it's a conscious choice.

That doesn't means it's not a trap.  Sigh!

> A single machine key is great for protecting HTTPS to a laptop, it
> covers traffic through unsafe networks and gives us a bit of server
> authentication. But NFS is a different scenario.

True, but if the implication seems to be that it is in some way inadequate
for
that scenario, we need to understand exactly why.   If it is truly
inadequate
we might decide that we don't want to do this for NFS.

> An _NFS_ implementation is free to make more restrictive policy
> choices.

Yes, but why would it need to do so?   I'm not looking for spec text
here but I want to know enough to understand where we are going with
this for NFS.   It is going to be better than a privacy service that is
almost
never used, but I had thought was good enough for the Maeketer's of
Coke, Diet Coke,  and Coke Zero to share an NFS Client,  I realize
coke and Pepsi are paranoid about one another.

> We are defining a generic RPC over TLS mechanism here.

Yes, but I want to understand how helpful it is in dealing with NFSv4's
poor security.

> If we want NFS to do something else, I think another document, an
> NFS-specific document, is required.

Sure, but I want to understand why or why not we would want to do
someting else.

> All we want in this iteration is encryption.

Yes, but it would be nice to get some better sense of how adequate it is.

> Using TLS for user
> authentication is future work.

If we do that at all.

On Fri, Dec 6, 2019 at 4:58 PM Chuck Lever <chuck.lever@oracle.com> wrote:

>
>
> > On Dec 6, 2019, at 4:44 PM, Tom Talpey <tom@talpey.com> wrote:
> >
> > On 12/6/2019 4:30 PM, Chuck Lever wrote:
> >>> On Dec 6, 2019, at 3:58 PM, Tom Talpey <tom@talpey.com> wrote:
> >>>
> >>> On 12/6/2019 2:46 PM, Chuck Lever wrote:
> >>>>> On Dec 6, 2019, at 2:24 PM, Tom Talpey <ttalpey@microsoft.com>
> wrote:
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Chuck Lever <chuck.lever@oracle.com>
> >>>>>> Sent: Friday, December 6, 2019 2:12 PM
> >>>>>> To: David Noveck <davenoveck@gmail.com>; Black, David
> >>>>>> <David.Black@dell.com>
> >>>>>> Cc: Tom Talpey <ttalpey@microsoft.com>; NFSv4 <nfsv4@ietf.org>
> >>>>>> Subject: Re: [nfsv4] [EXTERNAL] Re: Review of
> draft-ietf-nfsv4-rpc-tls04
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> On Dec 6, 2019, at 11:53 AM, David Noveck <davenoveck@gmail.com>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> On Fri, Dec 6, 2019 at 10:28 AM Tom Talpey <ttalpey@microsoft.com>
> >>>>>> wrote:
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
> >>>>>>>> Sent: Friday, December 6, 2019 10:11 AM
> >>>>>>>> To: David Noveck <davenoveck@gmail.com>
> >>>>>>>> Cc: NFSv4 <nfsv4@ietf.org>
> >>>>>>>> Subject: [EXTERNAL] Re: [nfsv4] Review of
> draft-ietf-nfsv4-rpc-tls04
> >>>>>>
> >>>>>>>> Essentially, we want to require that the host separates
> >>>>>>>> the encryption of each tenant's traffic.
> >>>>>>>
> >>>>>>> I think the move from "user identiy domain" to "tenant" is helpful
> here even
> >>>>>>> though you would have to explain what multipe tenants, which, as
> Tom
> >>>>>>> points out, can alsooccur without virtalization per se, bein
> involved.
> >>>>>>
> >>>>>>
> >>>>>> Fair 'nuf. To me "tenant" and "user identity domain" mean the same
> thing
> >>>>>> in this context. In Linux, a tenant container is represented by a
> set of
> >>>>>> namespaces, one of which controls the user identity mapping. So
> "user
> >>>>>> identity domain" seems natural to me, but maybe not to others.
> >>>>>>
> >>>>>> RFC 4949 does not have a convenient definition of "tenant."
> >>>>>>
> >>>>>> RFC 7644 Section 6 comes close.
> >>>>>>
> >>>>>> David Black, perhaps you might have thoughts based on your work on
> >>>>>> network virtualization overlays ( RFCs 736[45] )?
> >>>>>
> >>>>> I'm arguing the opposite - that there's no need to bring in "tenant"
> or
> >>>>> "virtualization" or adding references to nvo, etc. Unless you have a
> very
> >>>>> specific vulnerability in mind that this needs to cover.
> >>>>>
> >>>>> In other words, keep it simple and at the highest-level abstraction
> possible.
> >>>> I'm flexible, and philosophically agree that an abstract requirement
> >>>> would be best. I just don't yet see how to make that happen. "Tenancy"
> >>>> seems to me like an inseparable part of the discussion.
> >>>
> >>> [replying from a different account]
> >>>
> >>> I think "tenant" is a loaded word, especially when you seek an
> >>> RFC-based definition. I understand the tenant container and namespace
> >>> approach, but it's only one approach, and shouldn't be written into
> >>> the protocol justification.
> >>>
> >>> For example, the SMB3 protocol protects its traffic with per-user
> >>> keys, and even safely mixes user traffic on a single connection
> >>> because of this isolation. But this is implemented independent of
> >>> containers and virtualization.
> >> With RPCSEC GSS, each user gets its own key as well.
> >
> > Indeed, yes.
> >
> >> With TLS, a set of users shares a single host key. The constraint
> >> we need to state here is how much key sharing is secure/recommended/
> >> allowed.
> >
> > I disagree - this is an implementation choice not a TLS requirement.
> > This is the trap I think the draaft needs to avoid falling into.
>
> Not a trap, it's a conscious choice.
>
>
> > A single machine key is great for protecting HTTPS to a laptop, it
> > covers traffic through unsafe networks and gives us a bit of server
> > authentication. But NFS is a different scenario.
>
> An _NFS_ implementation is free to make more restrictive policy
> choices. We are defining a generic RPC over TLS mechanism here.
>
> If we want NFS to do something else, I think another document, an
> NFS-specific document, is required.
>
>
> >> In addition, Section 4.2 has this language:
> >>>    In either of these modes, RPC user authentication is not affected by
> >>>    the use of transport layer security.  Once a TLS session is
> >>>    established, the server MUST NOT substitute RPC_AUTH_TLS, or the
> >>>    remote identity used for TLS peer authentication, for existing forms
> >>>    of per-request RPC user authentication specified by [RFC5531].
> >> The document explicitly prohibits the use of these keys for making
> >> authorization decisions about individual users. In other words, a
> >> TLS identity in this case is not the same as an RPC user.
> >
> > Right. But the language you quote is pretty vague. "Existing forms of
> > per-request RPC user authentiction" I have to think about that long and
> > hard, much less translate to a specific thing to MUST NOT do.
> >
> >>>> If you have an example, that would help.
> >>>
> >>> Well, it's the same thing - per-user NFS/RPC/TLS mounts, but it
> >>> leaves out any mention of containers or namespaces or tenancy.
> >>> Those are today's Linux approach, but they are by no means required
> >>> to drive the protocol. I'm just suggesting the draft can say this
> >>> without any of that baggage.
> >> Again, I don't disagree with any of this. But I'm stuck when trying
> >> to bridge the gap between "the draft can say this" and actually
> >> writing the text. I'm not arguing with you, just trying to shake out
> >> what it is we need to say in the document.
> >>> A user then becomes an "authenticated principal", and the RPC/TLS
> >>> connection may therefore be protected by a key derived from this
> >>> authentication.
> >> As above: RPC on TLS explicitly does not bind an RPC user to a TLS
> >> identity in this iteration of the protocol. RPC users share the
> >> encrypted TLS session. The TLS identity represents the client, not
> >> the users.
> >
> > But again, why not? Is that forbidden somehow? Or is it simply the
> > way most OS's implement it?
>
> This document/protocol is restricting it to keep it simple. Nothing
> to do with implementations.
>
> All we want in this iteration is encryption. Using TLS for user
> authentication is future work.
>
>
> >>> Or, if the administrator allows, it can be a
> >>> per-machine key, or shared in other ways.
> >> That's the (only) model we are trying to express here. And perhaps
> >> we need to take care not to prevent a future protocol iteration
> >> from going further and binding a single RPC user to a TLS identity.
> >>> But this would not be
> >>> as secure as the former, and the implications need to be stated.
> >> To state those implications, IMO we need to express the concept of
> >> a set of one or more users that reside in a single user identity
> >> domain -- ie, users that are administered in the same security realm.
> >> --
> >> Chuck Lever
> >
> > _______________________________________________
> > nfsv4 mailing list
> > nfsv4@ietf.org
> > https://www.ietf.org/mailman/listinfo/nfsv4
>
> --
> Chuck Lever
>
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email