Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-03.txt

Rick Macklem <rmacklem@uoguelph.ca> Thu, 02 December 2021 01:36 UTC

From: Rick Macklem <rmacklem@uoguelph.ca>
To: "J. Bruce Fields" <bfields@fieldses.org>, David Noveck <davenoveck@gmail.com>
CC: NFSv4 <nfsv4@ietf.org>, "nfsv4-ads@ietf.org" <nfsv4-ads@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>
Date: Thu, 02 Dec 2021 01:36:02 +0000
Message-ID: <YQXPR0101MB096859732928862B39144F45DD699@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <163767514326.26555.17470749244218204323@ietfa.amsl.com> <CADaq8jes2WfwbXoy7D22gRwCh9Mw-Wrkdkugc9jbp3PNjb6jYA@mail.gmail.com> <20211129162527.GB24258@fieldses.org>
In-Reply-To: <20211129162527.GB24258@fieldses.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/WHHCv92kHqsc6eZ4lfI6QATwGuA>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-03.txt

J. Bruce Fields wrote:
> On Tue, Nov 23, 2021 at 08:55:04AM -0500, David Noveck wrote:
> > This is considerably different from -02 (1400 lines).  Still, a diff
> > between -02 and -03 is useful to see where the changes/additions are, if
> > you read -02.
>
> 5.9: special identifiers: "when ACEs containing these who values are
> encountered, the server MUST treat all requesting users as not
> matching."
> 
> So a two-ACE ACL like:
>
>         allow read to INTERACTIVE
>         deny everything to EVERYONE
>
> would require the server to fail all NFS READs, and an ACL like:
>
>         deny read to INTERACTIVE
>         allow everything to EVERYONE
>
> would require the server to allow all NFS READs.
>
> Presumably these special identifiers are mainly only there for the
> multiprotocol case--the server can actually make use of them when
> accessed by an SMB client, but we still want NFS clients to be able to
> e.g. do ACL-preserving copies, so we want NFS clients to still see them.
> 
> So I guess it's a sensible default to treat those special identifiers as
> describing groups of which no NFS user is a member.
>
> Seems more like "a sensible default", though, rather than something to
> be enshrined in a MUST.  I could imagine server administrators wanting
> the option to configure this.
>
> I'd rather leave this unspecified.  At least, unless we can get input
> from a wide range of server implementors.
I agree with Bruce on this. At this time, the FreeBSD server will normally
fail a Setattr of ACL if any ACE in the ACL 
> That goes double for ANONYMOUS and AUTHENTICATED.  I don't know all the
> ways that export permissions and idmapping (like squashing) are
> implemented on different servers and I'm not sure we can reasonably come
> up with rules that will work for everyone.
>
> --b.

>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Tue, Nov 23, 2021 at 8:45 AM
> Subject: New Version Notification for draft-dnoveck-nfsv4-security-03.txt
> To: David Noveck <davenoveck@gmail.com>
>
> A new version of I-D, draft-dnoveck-nfsv4-security-03.txt
> has been successfully submitted by David Noveck and posted to the
> IETF repository.
>
> Name:           draft-dnoveck-nfsv4-security
> Revision:       03
> Title:          Security for the NFSv4 Protocols
> Document date:  2021-11-23
> Group:          Individual Submission
> Pages:          139
> URL:
> https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-03.txt
> Status:
> https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/
> Html:
> https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-03.html
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-dnoveck-nfsv4-security
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-dnoveck-nfsv4-security-03
>
> Abstract:
>    This document describes the core security features of the NFSv4
>    family of protocols, applying to all minor versions.  The discussion
>    includes the use of security features provided by RPC on a per-
>    connection basis.
>
>    This preliminary version of the document, is intended, in large part,
>    to result in working group discussion regarding existing NFSv4
>    security issues and to provide a framework for addressing these
>    issues and obtaining working group consensus regarding necessary
>    changes.
>
>    When a successor document is eventually published as an RFC, it will
>    supersede the description of security appearing in existing minor
>    version specification documents such as RFC 7530 and RFC 8881.
>
> The IETF Secretariat


_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www.ietf.org/mailman/listinfo/nfsv4
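Added example, not code from this thread, from the draft, or from the FreeBSD server: a toy evaluator that walks an NFSv4 ACL the way RFC 8881 section 6.2.1 describes (ACEs in order; an ALLOW grants still-undecided requested bits, a DENY of any still-undecided requested bit refuses access) and runs Bruce's two ACLs under the draft's "these who values never match" rule and under the administrator-configurable alternative he argues for. Assumptions: the set of special identifiers placed under the draft's rule is limited to the three names the thread mentions, "everything" is modelled as the union of the three mask bits defined here, and bits left undecided at the end of the ACL are treated as denied (the RFC leaves that implementation-specific).

```python
"""Toy NFSv4 ACL evaluation for the special-identifier question in the thread.

Constructed example: NOT code from the draft, the thread, or the FreeBSD
server. It implements the ACE walk of RFC 8881 section 6.2.1 and compares two
policies for ACEs whose 'who' is one of the special identifiers discussed
above (INTERACTIVE@, ANONYMOUS@, AUTHENTICATED@).
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# A subset of the ACE4 access-mask bits from RFC 8881 section 6.2.1.3.1.
ACE4_READ_DATA = 0x00000001
ACE4_WRITE_DATA = 0x00000002
ACE4_EXECUTE = 0x00000020
# Constructed stand-in for Bruce's "everything": the union of the bits above.
ACE4_EVERYTHING = ACE4_READ_DATA | ACE4_WRITE_DATA | ACE4_EXECUTE

# Special identifiers the draft's section 5.9 would make non-matching. Which
# who values the draft actually covers is the draft's call; this set is an
# assumption limited to the three names the thread mentions.
DRAFT_NEVER_MATCH: FrozenSet[str] = frozenset(
    {"INTERACTIVE@", "ANONYMOUS@", "AUTHENTICATED@"})


@dataclass(frozen=True)
class Ace:
    kind: str   # "ALLOW" or "DENY" (ACE4_ACCESS_ALLOWED/DENIED_ACE_TYPE)
    who: str    # a user/group name, or "OWNER@", "EVERYONE@", "INTERACTIVE@", ...
    mask: int   # ACE4_* access bits


@dataclass(frozen=True)
class Requester:
    name: str
    is_owner: bool = False
    in_owning_group: bool = False
    groups: FrozenSet[str] = frozenset()
    # Special identifiers the administrator has configured the server to treat
    # this principal as a member of (the knob Bruce would like to keep).
    configured_special: FrozenSet[str] = frozenset()


def who_matches(who: str, req: Requester, never_match: FrozenSet[str]) -> bool:
    """Does this ACE's who value match the requesting principal?"""
    if who == "EVERYONE@":
        return True
    if who == "OWNER@":
        return req.is_owner
    if who == "GROUP@":
        return req.in_owning_group
    if who in never_match:
        return False                          # the draft's MUST: nobody matches
    if who.endswith("@"):
        return who in req.configured_special  # server-configured policy instead
    return who == req.name or who in req.groups


def evaluate(acl: List[Ace], req: Requester, requested: int,
             never_match: FrozenSet[str] = DRAFT_NEVER_MATCH) -> bool:
    """RFC 8881 6.2.1 ACE walk. Bits left undecided at the end are treated as
    denied (the RFC leaves this implementation-specific; deny is our assumption)."""
    granted = 0
    for ace in acl:
        if not who_matches(ace.who, req, never_match):
            continue
        if ace.kind == "ALLOW":
            granted |= ace.mask & requested
            if granted == requested:
                return True
        elif ace.kind == "DENY":
            if ace.mask & requested & ~granted:
                return False
        else:
            raise ValueError(f"unsupported ACE type {ace.kind!r}")
    return False


# Bruce's two ACLs, as constructed data.
ACL_ALLOW_INTERACTIVE_THEN_DENY_ALL = [
    Ace("ALLOW", "INTERACTIVE@", ACE4_READ_DATA),
    Ace("DENY", "EVERYONE@", ACE4_EVERYTHING),
]
ACL_DENY_INTERACTIVE_THEN_ALLOW_ALL = [
    Ace("DENY", "INTERACTIVE@", ACE4_READ_DATA),
    Ace("ALLOW", "EVERYONE@", ACE4_EVERYTHING),
]


def read_outcomes(req: Requester, never_match: FrozenSet[str]) -> dict:
    """READ result for both ACLs under one policy for the special identifiers."""
    return {
        "allow_interactive_then_deny_all":
            evaluate(ACL_ALLOW_INTERACTIVE_THEN_DENY_ALL, req, ACE4_READ_DATA, never_match),
        "deny_interactive_then_allow_all":
            evaluate(ACL_DENY_INTERACTIVE_THEN_ALLOW_ALL, req, ACE4_READ_DATA, never_match),
    }


if __name__ == "__main__":
    alice = Requester("alice", groups=frozenset({"staff"}))
    print("draft MUST  :", read_outcomes(alice, DRAFT_NEVER_MATCH))
    # Same user on a server whose administrator chose to count NFS sessions as
    # INTERACTIVE@: both outcomes invert.
    alice_cfg = Requester("alice", groups=frozenset({"staff"}),
                          configured_special=frozenset({"INTERACTIVE@"}))
    print("admin config:", read_outcomes(alice_cfg, frozenset()))
```

Under the draft's rule the first ACL refuses every NFS READ and the second permits every NFS READ, exactly as Bruce describes; with the never-match set emptied and INTERACTIVE@ configured as a membership, the same two ACLs give the opposite answers, which is the behaviour an administrator would lose if the rule were a MUST.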