Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-03.txt
David Noveck <davenoveck@gmail.com> Tue, 30 November 2021 10:58 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE2CA3A1207; Tue, 30 Nov 2021 02:58:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hv_fVis-auzk; Tue, 30 Nov 2021 02:58:26 -0800 (PST)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75A663A120C; Tue, 30 Nov 2021 02:58:26 -0800 (PST)
Received: by mail-ed1-x530.google.com with SMTP id g14so84985294edb.8; Tue, 30 Nov 2021 02:58:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ttH9ozYmoVI4drVOXUaG9d1oyG3YCU7O7H063U3Jg2g=; b=NavZ1A/6S7LMWZo5oNcYwakqIAH3ZLmK5p04a/hiVgvPOQKm1D2TR25WtZGPHahpJR ts88HseNI1cYMS+UzECJWupV9iY0zVEnYolcse7pVlldZ/kYnrF5hlRqZ6EpG57MgBcQ DB1Fj9tOz1Q5U91Jn6jSO/OH7rr/3KjcQIZuq920nGUfw1jL79nkqwKSoM8GvSzgecCV Ms5vNDaUIIzlISWtxn1rkfZ5o1jKGqkimpleeG96MSgQFnzQKf4MBtaCkwYiCTgjIMWk gWhE4ozgIjqafw2Z66DEOF9KKCcWQoIgaYLhcNWT5p/0a2cKyhZOlhXJ3fJaC602xJED Rajg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ttH9ozYmoVI4drVOXUaG9d1oyG3YCU7O7H063U3Jg2g=; b=xTX1INLCb1Uw2Ml7vKQSlEHRHZf0/Nh7GSqrYD81pNVQglMg2aO30fc1Abebu3xWnY yKd4ANnKgu5Zja+Jw++BsIZkcdO9YBZvEUdPHzfYDpcRhvVgl5S5sbQt8f/V94AlDvoo GYS6TEfywif1R7HR3rAr/1VvwHAHG3hkNVSZHRHd+gfL74OEUnA7LjVASpoTpTRAKtvJ F4SoAj3+QRLABgnx+uQoTXDFwns+HRRV/MX9VdtYcQO6rv+erllcAREiUItJA5uqUNCQ b1GLKAHiEYKgvEc590tdrZKW0DiYx95gKeca8r16Ai0So6OMiTu7526p46ORj5XhSNe/ pQdA==
X-Gm-Message-State: AOAM531Mxtb7+4eDEPuTYm+dOy0/kALS5jskmhWOotfBP0ixBWVk+dWj /bpvn0/DIfPuah4FnXqE9QI7gOFKEn5bXGA92rI=
X-Google-Smtp-Source: ABdhPJyhier5+QThGVSVneX0aFLkFEZAkUXIhCXmoEpMRFwgQB/9xxogH3D+emVDkXFizCH/pearAXkp9NVmU/uiKsU=
X-Received: by 2002:a17:907:94c2:: with SMTP id dn2mr65945977ejc.325.1638269904077; Tue, 30 Nov 2021 02:58:24 -0800 (PST)
MIME-Version: 1.0
References: <163767514326.26555.17470749244218204323@ietfa.amsl.com> <CADaq8jes2WfwbXoy7D22gRwCh9Mw-Wrkdkugc9jbp3PNjb6jYA@mail.gmail.com> <20211129162527.GB24258@fieldses.org>
In-Reply-To: <20211129162527.GB24258@fieldses.org>
From: David Noveck <davenoveck@gmail.com>
Date: Tue, 30 Nov 2021 05:58:11 -0500
Message-ID: <CADaq8jfaS2QjC5fyjejH0ZpujCpjVd+6h4VfAh5Hi3X4iPZg4Q@mail.gmail.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: NFSv4 <nfsv4@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>, nfsv4-ads@ietf.org
Content-Type: multipart/alternative; boundary="000000000000adca0005d1ff6f36"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Us69Kw2tRVJMOLyy-jfb7vA9ljQ>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-03.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 10:58:31 -0000
On Mon, Nov 29, 2021, 11:25 AM J. Bruce Fields <bfields@fieldses.org> wrote: > On Tue, Nov 23, 2021 at 08:55:04AM -0500, David Noveck wrote: > > This is considerably different from -02 (1400 lines). Still, a diff > > between -02 and -03 is useful to see where the changes/additions are, if > > you read -02. > > 5.9: special identifiers: "when ACEs containing these who values are > encountered, the server MUST treat all requesting users as not > matching." > > So a two-ACE ACL like: > > allow read to INTERACTIVE > deny everything to EVERYONE > would require the server to fail all NFS READs, Yes and an ACL like: > deny read to INTERACTIVE > allow everything to EVERYONE > > would require the server to allow all NFS READs. > Yes. > Presumably these special identifiers are mainly only there for the > multiprotocol case--. I don't know what they are there for the server can actually make use of them when > accessed by an SMB client, I don't see how. I'm not sure they exist in SMB ACLs. but we still want NFS clients to be able to > e.g. do ACL-preserving copies, so we want NFS clients to still see them. > I guess so. We appear to be stuck with them. > So I guess it's a sensible default to treat those special identifiers as > describing groups of which no NFS user is a member. > > Seems more like "a sensible default", though, rather than something to > be enshrined in a MUST. I get your point. I can see how this might cause people to think of is as control freaks. > I could imagine server administrators wanting > the option to configure this. > Perhaps, but I can't imagine anybody bothering to write the code to configure this and the accompanying documentation. > > I'd rather leave this unspecified. I think I will make that change in -04. At least, unless we can get input > from a wide range of server implementors. > Good luck with that. > That goes double for ANONYMOUS and AUTHENTICATED. I don't know all the > ways that export permissions and idmapping (like squashing) are > implemented on different servers and I'm not sure we can reasonably come > up with rules that will work for everyone. > Leaving these unspecified will mean that no sane client would ever use them. That works for me. Not sure who it wouldn't work for. > > --b. > > > > > ---------- Forwarded message --------- > > From: <internet-drafts@ietf.org> > > Date: Tue, Nov 23, 2021 at 8:45 AM > > Subject: New Version Notification for draft-dnoveck-nfsv4-security-03.txt > > To: David Noveck <davenoveck@gmail.com> > > > > > > > > A new version of I-D, draft-dnoveck-nfsv4-security-03.txt > > has been successfully submitted by David Noveck and posted to the > > IETF repository. > > > > Name: draft-dnoveck-nfsv4-security > > Revision: 03 > > Title: Security for the NFSv4 Protocols > > Document date: 2021-11-23 > > Group: Individual Submission > > Pages: 139 > > URL: > > https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-03.txt > > Status: > > https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/ > > Html: > > https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-03.html > > Htmlized: > > https://datatracker.ietf.org/doc/html/draft-dnoveck-nfsv4-security > > Diff: > > https://www.ietf.org/rfcdiff?url2=draft-dnoveck-nfsv4-security-03 > > > > Abstract: > > This document describes the core security features of the NFSv4 > > family of protocols, applying to all minor versions. The discussion > > includes the use of security features provided by RPC on a per- > > connection basis. > > > > This preliminary version of the document, is intended, in large part, > > to result in working group discussion regarding existing NFSv4 > > security issues and to provide a framework for addressing these > > issues and obtaining working group consensus regarding necessary > > changes. > > > > When a successor document is eventually published as an RFC, it will > > supersede the description of security appearing in existing minor > > version specification documents such as RFC 7530 and RFC 8881. > > > > > > > > > > The IETF Secretariat > > > _______________________________________________ > > nfsv4 mailing list > > nfsv4@ietf.org > > https://www.ietf.org/mailman/listinfo/nfsv4 > >
- [nfsv4] Fwd: New Version Notification for draft-d… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… J. Bruce Fields
- Re: [nfsv4] New Version Notification for draft-dn… Trond Myklebust
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem