Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-integrity-measurement-03.txt
Chuck Lever <chuck.lever@oracle.com> Thu, 08 November 2018 15:43 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE1561286D9 for <nfsv4@ietfa.amsl.com>; Thu, 8 Nov 2018 07:43:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.769
X-Spam-Level:
X-Spam-Status: No, score=-4.769 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nRK-OYoAhjDt for <nfsv4@ietfa.amsl.com>; Thu, 8 Nov 2018 07:43:45 -0800 (PST)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0150124BAA for <nfsv4@ietf.org>; Thu, 8 Nov 2018 07:43:44 -0800 (PST)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wA8FhOfp076522; Thu, 8 Nov 2018 15:43:43 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=BQg8Jwu58UVacx83qNJrjqa5A+rmLwqBkjm5NNm94+k=; b=Do0HwXI8UifeeKFXN4NSOBu8Q2FP0moluzq4lneccwVQOIKay6zOuKfOJ1qOJzpt09AC HJyg3dfPCcBiFyY8abcruEfRd7Y+uf6XpD7TspIb/hv4lnZSEmXCUT/X5WCSvDum44FF 8CQ2ItUbY1KY8qvNSHU+NcCGHOHFBadnDJFXwJCb97Nh8k5kNnYTc+6NFopPXcEliJgu l63pEG2g8NchasP3o76yXpfwW6Wwua/TgjM08JyASmb1m9xOn/THTWO61amzDa7NFB/O icndaQUML9h/TJizsg7QN19QDPuyoraJ7FUk+MQUV+PpWaSUR/EGI6ngRgbr+Iy/lAb8 gQ==
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp2120.oracle.com with ESMTP id 2nh4ar23an-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 08 Nov 2018 15:43:43 +0000
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id wA8FhgZN024461 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 8 Nov 2018 15:43:42 GMT
Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id wA8Fhgxh020075; Thu, 8 Nov 2018 15:43:42 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 08 Nov 2018 07:43:42 -0800
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <BBC9F2E1-4E81-4FE4-99D0-A0B23F33AAD4@netapp.com>
Date: Thu, 08 Nov 2018 10:43:40 -0500
Cc: NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D1E8642B-9A07-4812-82E0-982EDC6EF73E@oracle.com>
References: <154160412218.26446.11676556173331817093@ietfa.amsl.com> <74E10D08-6181-49C8-B994-6554C72C4B7D@oracle.com> <BBC9F2E1-4E81-4FE4-99D0-A0B23F33AAD4@netapp.com>
To: "Everhart, Craig" <Craig.Everhart@netapp.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9070 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1811080131
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/WYzGgdZc5csq3K6b_vBWey2Jz94>
Subject: Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-integrity-measurement-03.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 15:43:47 -0000
Hi Craig- > On Nov 7, 2018, at 12:18 PM, Everhart, Craig <Craig.Everhart@netapp.com> wrote: > > Hi Chuck, > > Thanks for the update. > > At the end of the introduction (1), you add "Unlike traditional integrity management schemes, the hash is not replaced every time a file is copied. Instead, the signed checksum is copied along with file content and presented whenever the content is about to be used." You're alluding to a practice with which I'm not familiar, even when you're describing traditional schemes. Copied for reading or for writing? What would have replaced the hash every time the file is copied--a storage system? (I want to understand this so that I can understand how the mechanism that you're proposing will replace and modify the existing mechanism.) The traditional scheme I'm thinking of is the mechanism that generates and writes a checksum during media block writes. When a file is copied, each newly allocated and written block gets a freshly generated checksum. This checksum is based on the data as presented to the storage media, so it cannot protect against unwanted changes due to software bugs or malicious acts during the file copy operation. The checksums on blocks of the original copy of the file data are referenced only when the blocks are read. The checksums do not follow the data to the new copy: fresh checksums are generated for the copied blocks. Indeed, block checksums are typically not exposed outside the storage device. So there is no way to copy them. Unlike that scheme, FPI follows without change the file's data content. Or to put it another way, FPI is copied along with the file's content to its destination. This means _any_ change to the content between the time it is generated and the time it is used can be detected. > It sounds like a hash would have been replaced whenever a file was written, but this replacement copies the hash along with file content--presumably by some client-side tool? Yes, when file content is updated, the FPI has to be refreshed. This would be done using a tool, run on a client or on the server, that is capable of re-signing the hash. In it's simplest form, using FPI means that protected files become effectively immutable. That's exactly what we want for things like executables, which change infrequently. > Down in 1.1, you likely want to add "only" immediately before the function that it most closely modifies; "NFS acts as only a conduit ..." rather than "NFS acts only as a conduit...". (e.g.: I'd hope that NFS acts as more than a conduit!) > > In 4.2, can there be multiple FATTR4_FILE_PROVENANCE objects with different fpv_type values? Right now my opinion is that should be allowed. > How do I enumerate them? There isn't an explicit mechanism to do that because I don't believe that's going to be needed. The client will ask the server for the particular fpv_values that the client supports. > Clearly your description of the treatment of distinct fpv_type values would suggest that there would be multiple instances. Are there other FATTR4_xxx attributes with multiple values? Security Labels, but only one label can be stored at a time. > It's a little odd that fpv_type is not in the fattr4 namespace, but that it represents a sub-type. How do I specify a fpv_type to GETATTR? struct file_prov4 { uint32_t fpv_type; opaque fpv_data<>; }; I just copied the security label attribute. I'll have to go back and look at how that works and copy that language to Section 4.3. > Again, how do I enumerate all the stored fpv_type values? > (It might be easier if there were only one possible FATTR4_FILE_PROVENANCE attribute, so that storing any fpv_type value would replace any other FATTR4_FILE_PROVENANCE attribute. Easier how? > Alternatively, you could allow for FATTR4_FILE_PROVENANCE_xxx values, in which the "xxx" extension semantically replaces your suggested fpv_type value.) That means we'd have to extend NFSv4.2 every time we add a new fpv_value. If we use a subtype and an IANA registry, it becomes simple to add a new value -- it does not require any change to the NFSv4 protocol. -- Chuck Lever
- [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-me… internet-drafts
- [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-integri… Chuck Lever
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-int… Everhart, Craig
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-int… Chuck Lever
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-int… Everhart, Craig
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-int… Chuck Lever
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-int… Everhart, Craig
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-int… Chuck Lever
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-int… David Noveck
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-int… Chuck Lever
- Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-int… Benjamin Kaduk
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Everhart, Craig
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Benjamin Kaduk
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Chuck Lever