IETF Logo Mail Archive

Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-measurment-01

Chuck Lever <chuck.lever@oracle.com> Sun, 30 September 2018 16:21 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD08130DC2 for <nfsv4@ietfa.amsl.com>; Sun, 30 Sep 2018 09:21:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 76ZDOeIjA9Kr for <nfsv4@ietfa.amsl.com>; Sun, 30 Sep 2018 09:21:19 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CC40130DC7 for <nfsv4@ietf.org>; Sun, 30 Sep 2018 09:21:18 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w8UGKR2V027472; Sun, 30 Sep 2018 16:21:16 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=UMVLvZkJpqV3YIK3I6pTdRPafLDRjfy4Yo9Q2F00Df8=; b=Mvkeb8gn5Y4JzAnkL5eyzNZeSC+a8+ujunpHtzq0kgt7FtE8CTO/jaaHvORdij3hpNuU r+/iXyuAV+ZDybASVxzTO6ks4eMoroAGlF+t19tcj1rFFtyDeX7RJo+LH98LCmg/RGhr FRD+xYVANtvhVLSacqdmw/oIiZH/sFXWb3FHvRxSP7KUiYMmZ8kpxWwygnljnODCYPku Lyh9W5O848ELCw135COAH3pEsxznnSG+g6dbagCrhd+lFD6B6SAhce/CxX3NSwgPHmrz 5dT4jy/qIq6GV3yADXvpeYqnwqQEnPBy9TpJRXbWI8su/01Nzw5WsD66sju7QA+IVwtR qQ==
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp2130.oracle.com with ESMTP id 2mt0ttbgq3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 30 Sep 2018 16:21:16 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w8UGLFTM015835 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 30 Sep 2018 16:21:15 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w8UGLDQb011760; Sun, 30 Sep 2018 16:21:13 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 30 Sep 2018 09:21:13 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CADaq8jdU_JO5SSut6y+1iutNH450VXXDjY_UVKnr1iBkP-4w5w@mail.gmail.com>
Date: Sun, 30 Sep 2018 12:21:12 -0400
Cc: NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7E67B7CA-8E26-4D2C-A897-45A38BBAA436@oracle.com>
References: <CADaq8jcz_hKQb_EAxq5GD-__D7aigiMm6GFjks9BJ_iKzE3Meg@mail.gmail.com> <F1A0FD61-BB29-499C-9F1B-3CFD128C2123@oracle.com> <CADaq8jdU_JO5SSut6y+1iutNH450VXXDjY_UVKnr1iBkP-4w5w@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9032 signatures=668707
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809300173
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/VIr7R6_QA9Bi9vX1hjj1oGo2tW0>
Subject: Re: [nfsv4] Review of draft-ietf-nfsv4-integrity-measurment-01
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Sep 2018 16:21:21 -0000


> On Sep 28, 2018, at 8:58 PM, David Noveck <davenoveck@gmail.com> wrote:
> 
> > > The things that we are waiting for are:
> > >       • A definition of the fornat of the provenance information.
> 
> > I don't expect the draft to ever provide a format for the provenance
> > information. 
> 
> I now understand that, but that doesn't mean that people are not waiting 
> for it.  Without  a definition of the format somwhere, implementations
> cannot be written and if implementations cannot be written, there is no 
> point in doing this.
> 
> > This information is _opaque_ to NFS, 
> 
> As I understand it, it is opaque to the server, but for there to a be client implementations
> there needs to be code written to create the provenance information and verify it and
> that ccode cannot be written without the format being known.

It is opaque to the NFS client implementation as well. There is
a security module on each system where FPI is used that reads
the FPI and determines whether to prevent access to the file's
content. It is entirely independent of the file system in which
the FPI and file content is stored.


> > and at least in IMA's case, 
> 
> As I understand things the chances of there being any other case is quite low, and I
> believe that that is your feeling as well.

> > there is no published normative specification that defines it.
> 
> Perhaps not, but one would hope that there is definition of the format somewhere.   If there isn't, how
> could implementations be developed and interoperate?
> 
> > There is no practical way to specify the format in this document.
> 
> What makes it impractical?

IMA has no specification. It has a web site and a white paper and
an implementation in Linux. I cite the web site as an Informative
reference and use IMA as an example. As far as I can tell, that's
the best that can be done.

The IMA web site and white paper state that IMA uses an HMAC.
HMAC is defined by RFC 2104, but that's an Informative document.
I cite that RFC as an Informative reference as well.

Thus I have no normative specification of the format that IMA
uses that I can use in a normative specification of an extension
to NFS.

But aside from that, the FPI format is application-specified, and
the file system does not care what that format looks like, as I
state in the new Introduction below. No file system cares what FPI
looks like.


> > I thought the point of this revision was to make that clear, but
> > reviewers have been confused on this point. 
> 
> Confused or disbelieving.
> 
> > What more can the draft do to make it clear? 
> 
> The normal function of a specfication like this is to explain how interoprating implementations can be developed.  If, as I understand to be the case, you feel that this document or some successor draft cannot do that, I think you need to clearly state that it will not do that and explain how you expect interoperating implementations to be developed.

I don't disagree with this, but I stated well before posting this
revision that I planned to remove discussion of IMA from this
document and state that the FPI format is defined elsewhere and is
self-describing. There was no objection at that time.

Now suddenly neither of those is adequate. But OK: I take the
review comments to mean I've removed too much context. I've
rewritten the Introduction to include the details about the
layering that were removed along with the IMA-specific language.
I hope this is a step toward addressing the stated concerns.


1.  Introduction

   The security of software distribution systems is complex and
   challenging, especially as software distribution has become
   increasingly decentralized.  An end administrator needs to trust that
   she is running executables just as they are supplied by a software
   vendor; in other words, that they have not been modified by malicious
   actors, contracted system administration services, or broken hardware
   or software.  Software vendors want a guarantee that customer-
   installed executables that fall under support contracts have
   similarly not been modified.

   There already exist mechanisms that protect file data during certain
   portions of a file's life cycle:

   o  Whole file system checksumming can verify so-called Golden Master
      installation media before it is used to install the software it
      contains.

   o  File or block integrity mechanisms can protect data at rest on
      storage servers.

   o  For a distributed file system such as NFS, transport layer
      security or a GSS integrity service (as described in [RFC7861])
      can protect data while it traverses a network between a storage
      server and a client.

   A more extensive mechanism is needed to guarantee that no
   modification of a particular file has occurred since it was created,
   even perhaps after several generations of copies have been made of
   the file's content.

   This guarantee can be accomplished by separately preserving a keyed
   hash, such as an HMAC [RFC2104], of a file's content.  The checksum
   and its signature are verified as the file's content is read into
   memory immediately before it is used.  If verification fails, access
   to the file's content is prevented.  The hash is updated and re-
   signed only when the file is legitimately modified.

1.1.  Architecture Basics

   A keyed hash authenticates the identity of the last modifier of a
   file's content and serves as a strong check of the content's
   integrity.  For the purposes of this document, we refer to this
   metadata using the generic term "file provenance information".

   File provenance information is generated and signed by a "provenance
   authority", and then placed in the file system using special tools.

   A security module separate from the file system stack specifies the
   format of the file provenance information and enforces a policy for
   utilizing it to determine when a protected file's content is safe to
   use on the local system.  For the purposes of this document, we refer
   to this module as a "provenance assessor", and the policy it uses as
   the "provenance assessment policy".

   NFS acts as a conduit by which file provenance information and file
   content move between storage on an NFS server and the provenance
   assessor where that content is to be accessed.  NFS peers accessing a
   set of shared files must all agree on the at-rest file provenance
   information format.  The format is specified by the provenance
   assessor and is therefore not described in this document.

   The protocol extension in this document enables the storage and use
   of file provenance information to protect files stored on an NFS
   server.  The Linux Integrity Measurement Architecture (IMA) is an
   example of a mechanism that provides a full provenance assessment
   service [IMA-WP].

   A Trusted Platform Module [TPM-SUM] can seal the key material used to
   sign and verify file content.  Distributing and protecting such key
   material is outside the scope of the OPTIONAL extension specified in
   this document.


--
Chuck Lever

v2.23.0 | Report a Bug | By Email