Re: [nfsv4] Éric Vyncke's No Objection on draft-ietf-nfsv4-rpc-tls-08: (with COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Fri, 03 July 2020 15:52 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Chuck Lever <chuck.lever@oracle.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-nfsv4-rpc-tls@ietf.org" <draft-ietf-nfsv4-rpc-tls@ietf.org>, "nfsv4-chairs@ietf.org" <nfsv4-chairs@ietf.org>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Date: Fri, 03 Jul 2020 15:52:32 +0000
Message-ID: <D303BC2E-C021-4CCF-BF3F-79FFDF3209A9@cisco.com>
References: <159376981406.23976.3823367265505746988@ietfa.amsl.com> <779F15A7-6217-4865-9155-49FD305340FF@oracle.com>
In-Reply-To: <779F15A7-6217-4865-9155-49FD305340FF@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/WHz_RHNiediKGfnYVGSxuKn2MhM>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>

Chuck,

Thank you for your prompt and detailed reply. Your suggested texts and explanations are perfect for me.

Regards

-éric

-----Original Message-----
From: Chuck Lever <chuck.lever@oracle.com>
Date: Friday, 3 July 2020 at 17:33
To: Eric Vyncke <evyncke@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-nfsv4-rpc-tls@ietf.org" <draft-ietf-nfsv4-rpc-tls@ietf.org>, "nfsv4-chairs@ietf.org" <nfsv4-chairs@ietf.org>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Subject: Re: [nfsv4] Éric Vyncke's No Objection on draft-ietf-nfsv4-rpc-tls-08: (with COMMENT)

    Hi Éric-

    Thanks for your review and comments.


    > On Jul 3, 2020, at 5:50 AM, Éric Vyncke via Datatracker <noreply@ietf.org> wrote:
    > 
    > Éric Vyncke has entered the following ballot position for
    > draft-ietf-nfsv4-rpc-tls-08: No Objection
    > 
    > When responding, please keep the subject line intact and reply to all
    > email addresses included in the To and CC lines. (Feel free to cut this
    > introductory paragraph, however.)
    > 
    > 
    > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    > for more information about IESG DISCUSS and COMMENT positions.
    > 
    > 
    > The document, along with other ballot positions, can be found here:
    > https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/
    > 
    > 
    > 
    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------
    > 
    > Thank you for the work put into this document.
    > 
    > Please find below a couple of non-blocking COMMENTs.
    > 
    > I hope that this helps to improve the document,
    > 
    > Regards,
    > 
    > -éric
    > 
    > == COMMENTS ==
    > 
    > -- Abstract --
    > As section 4.2 specifies the use of at least server-side authenticated TLS
    > session, I wonder why the abstract contains 'opportunistic encryption'.

    Clients that support TLS can be deployed in environments with servers that
    do not. The client has to detect a server's TLS support before TLS can be
    used.

    Opportunism here means that the RPC protocol still works if the server does
    not support TLS. The choice of whether to proceed with operation is
    determined by security policy.


    > -- Section 4.1 --
    > 
    > "(D)TLS-protected RPC" while DTLS was never expanded before... or did I miss it?

    That's recently-added text. Sorry for the oversight. To address it, I
    propose changing the Introduction as follows:

    OLD:

       The alternative described in the current document is to employ a
       transport layer security mechanism that can protect the
       confidentiality of each RPC connection transparently to RPC and
       upper-layer protocols.  The Transport Layer Security protocol
       [RFC8446] (TLS) is a well-established Internet building block that
       protects many standard Internet protocols such as the Hypertext
       Transport Protocol (HTTP) [RFC2818].

    NEW:

       The alternative described in the current document is to employ a
       transport layer security mechanism that can protect the
       confidentiality of each RPC connection transparently to RPC and
       upper-layer protocols.  The Transport Layer Security [RFC8446] (TLS)
       and Datagram Transport Layer Security [I-D.ietf-tls-dtls13] (DTLS)
       protocols are well-established Internet building blocks that
       protect many standard Internet protocols such as the Hypertext
       Transport Protocol (HTTP) [RFC2818].


    > -- Section 6.3 --
    > Just puzzled by "No comments from implementors" about Hammerspace while one
    > author is affiliated with Hammerspace.

    Hammerspace is covered in Section 6.2.

    Trond invented the probing mechanism specified in Section 4.1, but as far
    as I know has not proffered any direct feedback resulting from
    implementation experience. If that's incorrect, I invite him to correct me.

    However, I see that Section 6.3 should be updated:

    When this section was written many months ago, we optimistically assumed
    the Linux prototype would be further along by now.

    A Linux in-kernel prototype is underway, but implementation delays have
    resulted from the challenges of handling a TLS handshake in a kernel
    environment. Those issues stem from the architecture of TLS and the
    kernel, not from the design of the RPC-over-TLS protocol.


    --
    Chuck Lever
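The probe-then-policy flow described above (the client first detects whether the server supports TLS, then security policy decides whether to proceed without it) modelled in memory, as an added example that is not part of this thread and is not code from the draft or from any of the implementations it lists. The message layout is ONC RPC v2 XDR from RFC 5531; the probe details (a NULL procedure carrying an AUTH_TLS credential, flavor 7, answered by an AUTH_NONE verifier whose body is the 8 octets "STARTTLS") are taken from the published RFC 9289, not from text on this page. The policy names, the `on_path_strip` switch and all function names are this example's own.

```python
"""
Opportunistic RPC-over-TLS probe and client policy, modelled in memory.

Constructed example. Message layout is RFC 5531 (ONC RPC v2) XDR; the probe
itself (NULL call with an AUTH_TLS credential, answered with an AUTH_NONE
verifier whose body is the 8 octets "STARTTLS") is the mechanism published
in RFC 9289 Section 4.1. Policy names and function names are this example's own.
"""
import struct

CALL, REPLY = 0, 1            # RFC 5531 msg_type
MSG_ACCEPTED, SUCCESS = 0, 0  # reply_stat / accept_stat
AUTH_NONE = 0
AUTH_TLS = 7                  # IANA auth flavor for RPC-over-TLS (RFC 9289 Section 7.1)
STARTTLS = b"STARTTLS"        # verifier body a TLS-capable server returns


def xdr_opaque(data: bytes) -> bytes:
    """Variable-length opaque: 4-byte big-endian length, data, zero pad to 4 bytes."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def build_probe(xid: int, program: int, version: int) -> bytes:
    """Client side: NULL procedure (proc 0) call whose credential flavor is AUTH_TLS."""
    header = struct.pack(">IIIIII", xid, CALL, 2, program, version, 0)  # rpcvers 2, proc 0
    cred = struct.pack(">I", AUTH_TLS) + xdr_opaque(b"")
    verf = struct.pack(">I", AUTH_NONE) + xdr_opaque(b"")
    return header + cred + verf


def server_reply(probe: bytes, supports_tls: bool) -> bytes:
    """Server side: accepted NULL reply. A TLS-capable server answers an AUTH_TLS
    probe with the STARTTLS verifier; any other server returns an empty AUTH_NONE verifier."""
    xid, mtype, rpcvers, _prog, _vers, proc, flavor = struct.unpack(">IIIIIII", probe[:28])
    if mtype != CALL or rpcvers != 2:
        raise ValueError("not an RPC v2 call")
    body = STARTTLS if (supports_tls and proc == 0 and flavor == AUTH_TLS) else b""
    verf = struct.pack(">I", AUTH_NONE) + xdr_opaque(body)
    return struct.pack(">III", xid, REPLY, MSG_ACCEPTED) + verf + struct.pack(">I", SUCCESS)


def server_advertises_tls(reply: bytes, expected_xid: int) -> bool:
    """Client side: True only for an accepted reply to our xid whose AUTH_NONE
    verifier is exactly the 8 octets STARTTLS. Anything else means 'no TLS'."""
    if len(reply) < 20:
        return False
    xid, mtype, stat, flavor, vlen = struct.unpack(">IIIII", reply[:20])
    if xid != expected_xid or mtype != REPLY or stat != MSG_ACCEPTED:
        return False
    return flavor == AUTH_NONE and vlen == 8 and reply[20:28] == STARTTLS


def connect(policy: str, server_supports_tls: bool, on_path_strip: bool = False,
            xid: int = 0x2A5F, program: int = 100003, version: int = 4) -> str:
    """Run the probe exchange and apply the client's policy.

    policy: "opportunistic" (use TLS when offered, else continue in cleartext) or
            "require" (fail closed when TLS is not negotiated).
    on_path_strip: simulate an attacker rewriting the cleartext probe reply so it
            no longer carries STARTTLS; an opportunistic client cannot tell this
            apart from a server that simply lacks TLS support.
    Returns "tls", "cleartext" or "refuse".
    """
    if policy not in ("opportunistic", "require"):
        raise ValueError("unknown policy")
    probe = build_probe(xid, program, version)
    reply = server_reply(probe, server_supports_tls and not on_path_strip)
    if server_advertises_tls(reply, xid):
        return "tls"            # client now begins the TLS handshake on this connection
    if policy == "require":
        return "refuse"         # no cleartext fallback; the downgrade fails closed
    return "cleartext"          # RPC still works, but nothing protects it
```

The `on_path_strip` case is the reason "opportunistic" is the right word in the abstract even though Section 4.2 requires at least server authentication once TLS is in use: the probe and its reply travel in cleartext, so a client whose policy permits cleartext will treat a stripped reply exactly like a server that never supported TLS. Only a "require" policy turns that into a refused connection rather than an unprotected one.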