Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-measurment-01
Chuck Lever <chuck.lever@oracle.com> Sun, 30 September 2018 16:21 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD08130DC2 for <nfsv4@ietfa.amsl.com>; Sun, 30 Sep 2018 09:21:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 76ZDOeIjA9Kr for <nfsv4@ietfa.amsl.com>; Sun, 30 Sep 2018 09:21:19 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CC40130DC7 for <nfsv4@ietf.org>; Sun, 30 Sep 2018 09:21:18 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w8UGKR2V027472; Sun, 30 Sep 2018 16:21:16 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=UMVLvZkJpqV3YIK3I6pTdRPafLDRjfy4Yo9Q2F00Df8=; b=Mvkeb8gn5Y4JzAnkL5eyzNZeSC+a8+ujunpHtzq0kgt7FtE8CTO/jaaHvORdij3hpNuU r+/iXyuAV+ZDybASVxzTO6ks4eMoroAGlF+t19tcj1rFFtyDeX7RJo+LH98LCmg/RGhr FRD+xYVANtvhVLSacqdmw/oIiZH/sFXWb3FHvRxSP7KUiYMmZ8kpxWwygnljnODCYPku Lyh9W5O848ELCw135COAH3pEsxznnSG+g6dbagCrhd+lFD6B6SAhce/CxX3NSwgPHmrz 5dT4jy/qIq6GV3yADXvpeYqnwqQEnPBy9TpJRXbWI8su/01Nzw5WsD66sju7QA+IVwtR qQ==
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp2130.oracle.com with ESMTP id 2mt0ttbgq3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 30 Sep 2018 16:21:16 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w8UGLFTM015835 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 30 Sep 2018 16:21:15 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w8UGLDQb011760; Sun, 30 Sep 2018 16:21:13 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 30 Sep 2018 09:21:13 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CADaq8jdU_JO5SSut6y+1iutNH450VXXDjY_UVKnr1iBkP-4w5w@mail.gmail.com>
Date: Sun, 30 Sep 2018 12:21:12 -0400
Cc: NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7E67B7CA-8E26-4D2C-A897-45A38BBAA436@oracle.com>
References: <CADaq8jcz_hKQb_EAxq5GD-__D7aigiMm6GFjks9BJ_iKzE3Meg@mail.gmail.com> <F1A0FD61-BB29-499C-9F1B-3CFD128C2123@oracle.com> <CADaq8jdU_JO5SSut6y+1iutNH450VXXDjY_UVKnr1iBkP-4w5w@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9032 signatures=668707
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809300173
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/VIr7R6_QA9Bi9vX1hjj1oGo2tW0>
Subject: Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-measurment-01
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Sep 2018 16:21:21 -0000
> On Sep 28, 2018, at 8:58 PM, David Noveck <davenoveck@gmail.com> wrote: > > > > The things that we are waiting for are: > > > • A definition of the fornat of the provenance information. > > > I don't expect the draft to ever provide a format for the provenance > > information. > > I now understand that, but that doesn't mean that people are not waiting > for it. Without a definition of the format somwhere, implementations > cannot be written and if implementations cannot be written, there is no > point in doing this. > > > This information is _opaque_ to NFS, > > As I understand it, it is opaque to the server, but for there to a be client implementations > there needs to be code written to create the provenance information and verify it and > that ccode cannot be written without the format being known. It is opaque to the NFS client implementation as well. There is a security module on each system where FPI is used that reads the FPI and determines whether to prevent access to the file's content. It is entirely independent of the file system in which the FPI and file content is stored. > > and at least in IMA's case, > > As I understand things the chances of there being any other case is quite low, and I > believe that that is your feeling as well. > > there is no published normative specification that defines it. > > Perhaps not, but one would hope that there is definition of the format somewhere. If there isn't, how > could implementations be developed and interoperate? > > > There is no practical way to specify the format in this document. > > What makes it impractical? IMA has no specification. It has a web site and a white paper and an implementation in Linux. I cite the web site as an Informative reference and use IMA as an example. As far as I can tell, that's the best that can be done. The IMA web site and white paper state that IMA uses an HMAC. HMAC is defined by RFC 2104, but that's an Informative document. I cite that RFC as an Informative reference as well. Thus I have no normative specification of the format that IMA uses that I can use in a normative specification of an extension to NFS. But aside from that, the FPI format is application-specified, and the file system does not care what that format looks like, as I state in the new Introduction below. No file system cares what FPI looks like. > > I thought the point of this revision was to make that clear, but > > reviewers have been confused on this point. > > Confused or disbelieving. > > > What more can the draft do to make it clear? > > The normal function of a specfication like this is to explain how interoprating implementations can be developed. If, as I understand to be the case, you feel that this document or some successor draft cannot do that, I think you need to clearly state that it will not do that and explain how you expect interoperating implementations to be developed. I don't disagree with this, but I stated well before posting this revision that I planned to remove discussion of IMA from this document and state that the FPI format is defined elsewhere and is self-describing. There was no objection at that time. Now suddenly neither of those is adequate. But OK: I take the review comments to mean I've removed too much context. I've rewritten the Introduction to include the details about the layering that were removed along with the IMA-specific language. I hope this is a step toward addressing the stated concerns. 1. Introduction The security of software distribution systems is complex and challenging, especially as software distribution has become increasingly decentralized. An end administrator needs to trust that she is running executables just as they are supplied by a software vendor; in other words, that they have not been modified by malicious actors, contracted system administration services, or broken hardware or software. Software vendors want a guarantee that customer- installed executables that fall under support contracts have similarly not been modified. There already exist mechanisms that protect file data during certain portions of a file's life cycle: o Whole file system checksumming can verify so-called Golden Master installation media before it is used to install the software it contains. o File or block integrity mechanisms can protect data at rest on storage servers. o For a distributed file system such as NFS, transport layer security or a GSS integrity service (as described in [RFC7861]) can protect data while it traverses a network between a storage server and a client. A more extensive mechanism is needed to guarantee that no modification of a particular file has occurred since it was created, even perhaps after several generations of copies have been made of the file's content. This guarantee can be accomplished by separately preserving a keyed hash, such as an HMAC [RFC2104], of a file's content. The checksum and its signature are verified as the file's content is read into memory immediately before it is used. If verification fails, access to the file's content is prevented. The hash is updated and re- signed only when the file is legitimately modified. 1.1. Architecture Basics A keyed hash authenticates the identity of the last modifier of a file's content and serves as a strong check of the content's integrity. For the purposes of this document, we refer to this metadata using the generic term "file provenance information". File provenance information is generated and signed by a "provenance authority", and then placed in the file system using special tools. A security module separate from the file system stack specifies the format of the file provenance information and enforces a policy for utilizing it to determine when a protected file's content is safe to use on the local system. For the purposes of this document, we refer to this module as a "provenance assessor", and the policy it uses as the "provenance assessment policy". NFS acts as a conduit by which file provenance information and file content move between storage on an NFS server and the provenance assessor where that content is to be accessed. NFS peers accessing a set of shared files must all agree on the at-rest file provenance information format. The format is specified by the provenance assessor and is therefore not described in this document. The protocol extension in this document enables the storage and use of file provenance information to protect files stored on an NFS server. The Linux Integrity Measurement Architecture (IMA) is an example of a mechanism that provides a full provenance assessment service [IMA-WP]. A Trusted Platform Module [TPM-SUM] can seal the key material used to sign and verify file content. Distributing and protecting such key material is outside the scope of the OPTIONAL extension specified in this document. -- Chuck Lever
- [nfsv4] Review of draft-ietf-nfsv4-integrity-meas… David Noveck
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… Chuck Lever
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… Everhart, Craig
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… Chuck Lever
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… Everhart, Craig
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… David Noveck
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… Chuck Lever
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… Benjamin Kaduk
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… David Noveck
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… J. Bruce Fields
- Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-… Chuck Lever