Re: [nfsv4] Comments on draft-ietf-nfsv4-rpcsec-gss-v2-00
Mike Eisler <email2mre-ietf@yahoo.com> Wed, 20 February 2008 21:29 UTC
Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: ietfarch-nfsv4-archive@core3.amsl.com
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE15528C400; Wed, 20 Feb 2008 13:29:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.521
X-Spam-Level:
X-Spam-Status: No, score=-0.521 tagged_above=-999 required=5 tests=[AWL=-0.084, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dKMcRh71HP+L; Wed, 20 Feb 2008 13:29:41 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E6B1C28C7A3; Wed, 20 Feb 2008 13:29:40 -0800 (PST)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 60F5028C7A3 for <nfsv4@core3.amsl.com>; Wed, 20 Feb 2008 13:29:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9TDbvjEQoeoA for <nfsv4@core3.amsl.com>; Wed, 20 Feb 2008 13:29:39 -0800 (PST)
Received: from web38115.mail.mud.yahoo.com (web38115.mail.mud.yahoo.com [209.191.124.142]) by core3.amsl.com (Postfix) with SMTP id B68A828C400 for <nfsv4@ietf.org>; Wed, 20 Feb 2008 13:29:38 -0800 (PST)
Received: (qmail 39660 invoked by uid 60001); 20 Feb 2008 21:29:35 -0000
X-YMail-OSG: Ry0G3SYVM1nCp6cfyO_gjfNssvmKDle4wBosf9JK1v9MXPK3GZzD6GkcMze0SuHq3jChXDS8gwaEEogV8O2Pcv7ujXdSdYJNt4E_JTa.rds3jZM-
Received: from [198.95.226.230] by web38115.mail.mud.yahoo.com via HTTP; Wed, 20 Feb 2008 13:29:35 PST
Date: Wed, 20 Feb 2008 13:29:35 -0800
From: Mike Eisler <email2mre-ietf@yahoo.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>, nfsv4@ietf.org
In-Reply-To: <20080220202356.GQ14350@Sun.COM>
MIME-Version: 1.0
Message-ID: <463557.38809.qm@web38115.mail.mud.yahoo.com>
Subject: Re: [nfsv4] Comments on draft-ietf-nfsv4-rpcsec-gss-v2-00
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: email2mre-ietf@yahoo.com
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org
--- Nicolas Williams <Nicolas.Williams@sun.com> wrote: > - Please add a reference to RFC5056 > > - Section 2 discusses what RFC5056 calls "unique channel bindings." > > There's another kind, "end-point channel bindings" that IPsec is > likely to provide instead of unique channel bindings. > > Quoting text from RFC5056 to describe channel binding might be > more > appropriate. I'll take a look > > - Instead of: > > struct rpc_gss_chan_bind_input { > unsigned int rgcbi_seq_num; > opaque rgcbi_chan_bindings<>; > }; > > struct rpc_gss_bind_channel_arg { > int rgbca_chan_bind_type; > opaque rgbca_MIC_hdr<>; > opaque rgbca_MIC_chan_bindings<>; > }; > > I propose this: > > struct rpc_gss_chan_bind_input { > opaque rgbca_chan_bind_prefix; > opaque rgcbi_chan_bindings<>; > opaque rgbca_hdr<>; > unsigned int rgcbi_seq_num; > }; > > struct rpc_gss_bind_channel_arg { > opaque rgbca_MIC_chan_bindings<>; > }; > > and similarly for rpc_gss_bind_channel_res. > > I.e., make the RPC header and sequence number, and the channel > binding type (or, rather, "prefix") part of the input to a single > getMIC() call for the request, and similarly for the reply > (instead > of two getMIC()s). In that case, we can keep it really simple. The MIC input consists of what is currently input into the MIC plus: struct rpc_gss_chan_bind_input { int rgbci_chan_bind_type; opaque rgcbi_chan_bindings<>; }; I.e., the RPC header plus the above is passed into GetMIC(). > > - As implied above, there's a registry of channel binding types that > includes a "prefix" that should be included in the channel binding > operation. See section 7 of RFC5056. > > > - How is v1 vs. v2 negotiated? > > In the case of NFSv4 the answer is simple: the new > rpc_gss_service_t > value allows this to be negotiated via SECINFO/WRONGSEC. > > But in general, what should happen if a server that supports only > RPCSEC_GSS_VERS_1 receives a RPCSEC_GSS_VERS_2? > > Is it possible that it may respond with silence or by closing the > connection? I hope not. An RPC auth-level error should be returned. I will add text. > > > - Section 3.3. AUTH_NONE cannot be the right answer here! We need > to > use an RPCSEC_GSS context handle so we can identify the client > principal of a given RPC request -- we just don't need to > authenticate that handle via a getMIC()/verifyMIC() because we > have > the protection of the underlying channel. > AUTH_NONE is the flavor of the verifer. The flavor of the cred remains RPCSEC_GSS, and the cred has the same format as it does now. > > Nico > -- > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > http://www.ietf.org/mailman/listinfo/nfsv4 > _______________________________________________ nfsv4 mailing list nfsv4@ietf.org http://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] I-D Action:draft-ietf-nfsv4-rpcsec-gss-v2… Internet-Drafts
- [nfsv4] Comments on draft-ietf-nfsv4-rpcsec-gss-v… Nicolas Williams
- Re: [nfsv4] Comments on draft-ietf-nfsv4-rpcsec-g… Mike Eisler