Re: [nfsv4] Murray Kucherawy's No Objection on draft-ietf-nfsv4-rpc-tls-08: (with COMMENT)

Chuck Lever <chuck.lever@oracle.com> Mon, 06 July 2020 14:47 UTC

From: Chuck Lever <chuck.lever@oracle.com>
Date: Mon, 6 Jul 2020 10:47:27 -0400
Cc: The IESG <iesg@ietf.org>, draft-ietf-nfsv4-rpc-tls@ietf.org, nfsv4-chairs <nfsv4-chairs@ietf.org>, NFSv4 <nfsv4@ietf.org>, David Noveck <davenoveck@gmail.com>
To: Murray Kucherawy <superuser@gmail.com>

Hi Murray -

Thanks for your review and comments.

> On Jul 6, 2020, at 2:10 AM, Murray Kucherawy via Datatracker <noreply@ietf.org> wrote:
> 
> Murray Kucherawy has entered the following ballot position for
> draft-ietf-nfsv4-rpc-tls-08: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> I'm having trouble parsing the first paragraph of Section 4.1.

The second sentence is perhaps overly complex, but the purpose is to
explain the compromise between backwards compatibility and security.
I propose this clarification:

OLD:

   The mechanism described in the current document interoperates fully
   with RPC implementations that do not support RPC-over-TLS.  Policy
   settings on the RPC-over-TLS-enabled peer determine whether RPC
   operation continues without the use of TLS or RPC operation is not
   permitted.

NEW:

   The mechanism described in the current document interoperates fully
   with RPC implementations that do not support RPC-over-TLS.  When an
   RPC server does not support RPC-over-TLS, policy settings on the RPC-
   over-TLS-enabled client determine whether RPC operation continues
   without the use of TLS, or RPC operation is not permitted.


> Thank you for including Section 6.

You're welcome!


> The REQUIRED in Section 7.1 isn't actually an interoperability concern, is it?

That is correct; this language is not addressing an interoperability issue.

The compliance requirement was added at the request of our second early
SecDir reviewer, Derrell Piper. The request was made in a private e-mail
to me.


--
Chuck Lever