Re: [nfsv4] Security document - sense of the working group

Thomas Haynes <loghyr@gmail.com> Tue, 30 January 2024 17:42 UTC

From: Thomas Haynes <loghyr@gmail.com>
Date: Tue, 30 Jan 2024 09:42:19 -0800
Cc: NFSv4 <nfsv4@ietf.org>
To: Chris Inacio <inacio@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/U4KTnXpWu2_JpgW6H3uh3ePcbEI>
Subject: Re: [nfsv4] Security document - sense of the working group


> On Jan 30, 2024, at 8:22 AM, Chris Inacio <inacio@cert.org> wrote:
> 
> All,
> 
> The chairs would like a sense of the working group with regards to the draft-dnoveck-nfsv4-security-07 (https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/) and adoption.  Please let us know if you think the working group collectively agrees to the body of work proposed in the draft.
> 
> The sense of the chairs is that the working group does not have consensus on the scope or set of items presented in the current individual draft.  If that is the case, we would like to know what topics/items in the draft that you do support and which ones you do not believe are ready or that the WG will not be able to reach consensus on.  If there are steps that you think the working group should take towards clarity on any of those topics, the chairs are interested in hearing those too.
> 
> Thanks,
> NFSv4 Chairs
> 
> ----
> Chris Inacio
> inacio@cert.org


For me, the largest issue is whether vendors are required to revamp their implementations when we effectively rewrite NFSv4.0, NFSv4.1, and NFSv4.2.

I would propose that instead of the security changes being “backported” to the earlier versions, we make the security document apply to all future releases.

Perhaps to differentiate, we make it NFSv5. I.e., NFSv5 is secure NFS.