Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-03.txt
Rick Macklem <rmacklem@uoguelph.ca> Thu, 02 December 2021 01:36 UTC
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "J. Bruce Fields" <bfields@fieldses.org>, David Noveck <davenoveck@gmail.com>
CC: NFSv4 <nfsv4@ietf.org>, "nfsv4-ads@ietf.org" <nfsv4-ads@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>
J. Bruce Fields wrote:
> On Tue, Nov 23, 2021 at 08:55:04AM -0500, David Noveck wrote:
> > This is considerably different from -02 (1400 lines). Still, a diff
> > between -02 and -03 is useful to see where the changes/additions are, if
> > you read -02.
>
> 5.9: special identifiers: "when ACEs containing these who values are
> encountered, the server MUST treat all requesting users as not
> matching."
>
> So a two-ACE ACL like:
>
>     allow read to INTERACTIVE
>     deny everything to EVERYONE
>
> would require the server to fail all NFS READs, and an ACL like:
>
>     deny read to INTERACTIVE
>     allow everything to EVERYONE
>
> would require the server to allow all NFS READs.
>
> Presumably these special identifiers are mainly only there for the
> multiprotocol case--the server can actually make use of them when
> accessed by an SMB client, but we still want NFS clients to be able to
> e.g. do ACL-preserving copies, so we want NFS clients to still see them.
>
> So I guess it's a sensible default to treat those special identifiers as
> describing groups of which no NFS user is a member.
>
> Seems more like "a sensible default", though, rather than something to
> be enshrined in a MUST. I could imagine server administrators wanting
> the option to configure this.
>
> I'd rather leave this unspecified. At least, unless we can get input
> from a wide range of server implementors.

I agree with Bruce on this.
At this time, the FreeBSD server will normally fail a Setattr of ACL if
any ACE in the ACL

> That goes double for ANONYMOUS and AUTHENTICATED. I don't know all the
> ways that export permissions and idmapping (like squashing) are
> implemented on different servers and I'm not sure we can reasonably
> come up with rules that will work for everyone.
>
> --b.
> > ---------- Forwarded message ---------
> > From: <internet-drafts@ietf.org>
> > Date: Tue, Nov 23, 2021 at 8:45 AM
> > Subject: New Version Notification for draft-dnoveck-nfsv4-security-03.txt
> > To: David Noveck <davenoveck@gmail.com>
> >
> > A new version of I-D, draft-dnoveck-nfsv4-security-03.txt
> > has been successfully submitted by David Noveck and posted to the
> > IETF repository.
> >
> > Name: draft-dnoveck-nfsv4-security
> > Revision: 03
> > Title: Security for the NFSv4 Protocols
> > Document date: 2021-11-23
> > Group: Individual Submission
> > Pages: 139
> > URL: https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-03.txt
> > Status: https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/
> > Html: https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-03.html
> > Htmlized: https://datatracker.ietf.org/doc/html/draft-dnoveck-nfsv4-security
> > Diff: https://www.ietf.org/rfcdiff?url2=draft-dnoveck-nfsv4-security-03
> >
> > Abstract:
> > This document describes the core security features of the NFSv4
> > family of protocols, applying to all minor versions. The discussion
> > includes the use of security features provided by RPC on a
> > per-connection basis.
> >
> > This preliminary version of the document is intended, in large part,
> > to result in working group discussion regarding existing NFSv4
> > security issues and to provide a framework for addressing these
> > issues and obtaining working group consensus regarding necessary
> > changes.
> >
> > When a successor document is eventually published as an RFC, it will
> > supersede the description of security appearing in existing minor
> > version specification documents such as RFC 7530 and RFC 8881.
> >
> > The IETF Secretariat

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www.ietf.org/mailman/listinfo/nfsv4
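Bruce's two-ACE ACLs, worked through as an added illustration of why the draft's "MUST treat all requesting users as not matching" rule flips the outcome; this is not code from the draft, the FreeBSD server or any other NFS implementation. The ordered ACE walk is modelled on RFC 7530's evaluation rules, the access-bit values are assumed, and the requester "alice" is constructed for the example.

```python
from dataclasses import dataclass

# Access mask bits (illustrative subset; the values are assumptions).
READ, WRITE = 1 << 0, 1 << 1
EVERYTHING = READ | WRITE

# Special "who" identifiers named in the draft's section 5.9 / RFC 7530.
EVERYONE = "EVERYONE@"
INTERACTIVE = "INTERACTIVE@"

@dataclass(frozen=True)
class ACE:
    allow: bool  # True = ALLOW ACE, False = DENY ACE
    who: str     # principal or special identifier such as "EVERYONE@"
    mask: int    # access bits this ACE covers

@dataclass(frozen=True)
class Requester:
    user: str
    groups: frozenset = frozenset()  # groups/special ids the server resolved

def who_matches(who, req, no_match):
    """Identifiers in `no_match` never match an NFS requester (the draft's MUST)."""
    if who in no_match:
        return False
    return who == EVERYONE or who == req.user or who in req.groups

def check_access(acl, req, requested, no_match=frozenset()):
    """Ordered ACE walk: ALLOW grants bits, a DENY covering a still-ungranted
    requested bit fails the request, and anything ungranted at the end is denied."""
    granted = 0
    for ace in acl:
        if not who_matches(ace.who, req, no_match):
            continue
        if ace.allow:
            granted |= ace.mask & requested
        elif ace.mask & requested & ~granted:
            return False
        if granted & requested == requested:
            return True
    return False

# Bruce's two ACLs. "alice" is a constructed requester the server has itself
# classified as interactive, so only the no-match rule changes the outcome.
ALICE = Requester("alice", frozenset({INTERACTIVE}))
ACL_A = (ACE(True, INTERACTIVE, READ), ACE(False, EVERYONE, EVERYTHING))
ACL_B = (ACE(False, INTERACTIVE, READ), ACE(True, EVERYONE, EVERYTHING))

def bruce_example(no_match=frozenset({INTERACTIVE})):
    """Returns (READ allowed under ACL_A, READ allowed under ACL_B)."""
    return tuple(check_access(a, ALICE, READ, no_match) for a in (ACL_A, ACL_B))
```

With the draft's rule `bruce_example()` gives `(False, True)`: the first ACL fails closed for every NFS READ and the second fails open; letting the server evaluate INTERACTIVE@ instead (`bruce_example(frozenset())`) gives `(True, False)`, which is the configurability Bruce is arguing for.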