IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

Benjamin Kaduk <kaduk@mit.edu> Tue, 26 March 2019 19:05 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E06412068C for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 12:05:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1nIz2cHSqDOP for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 12:05:12 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CC9B12093C for <nfsv4@ietf.org>; Tue, 26 Mar 2019 12:05:11 -0700 (PDT)
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x2QJ55U6002647 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Mar 2019 15:05:06 -0400
Date: Tue, 26 Mar 2019 14:05:04 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>, NFSv4 <nfsv4@ietf.org>
Message-ID: <20190326190504.GK86501@kduck.mit.edu>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <50A96C3A-DBA4-4A6C-B883-664E59E24534@oracle.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com> <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de> <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/X4Vvea-LkaaCGeojbIKfv6MLFY4>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 19:05:15 -0000

On Tue, Mar 26, 2019 at 09:56:10AM -0400, Chuck Lever wrote:
> 
> 
> > On Mar 25, 2019, at 4:44 PM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
> > 
> > 
> > 
> > ----- Original Message -----
> >> From: "Chuck Lever" <chuck.lever@oracle.com>
> >> To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>
> >> Cc: "NFSv4" <nfsv4@ietf.org>
> >> Sent: Monday, March 25, 2019 2:44:32 PM
> >> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
> > 
> >>> On Mar 25, 2019, at 4:53 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
> >>> 
> >>> 
> >>> 
> >>> Hi Chuck,
> >>> 
> >>> By working on our implementation we got a following questions:
> >>> 
> >>> what should server do when a client requests startTLS twice? Fail
> >>> with an auth error or just ignore?
> >> 
> >> I don't have a ready answer, but seems to me your TLS library
> >> might have an opinion. Can a web browser be made to generate
> >> a second STARTTLS to see what the behavior is like?
> >> 
> >> Is there any guidance in RFC 8446 or its antecedants?
> > 
> > Looks like LDAP have that case clearly specified rfc2830:
> > 
> > 2.3:
> > 
> > ...
> > 
> >   If the Start TLS extended request was not successful, the resultCode
> >   will be one of:
> > 
> >   operationsError  (operations sequencing incorrect; e.g. TLS already
> >                    established)
> > 
> > 3.1:
> > 
> > ...
> > 
> >   The client MAY send the Start TLS extended request at any time after
> >   establishing an LDAP association, except that in the following cases
> >   the client MUST NOT send a Start TLS extended request:
> > 
> >     - if TLS is currently established on the connection, or
> > 
> > You may adopt a similar wording to rpc-over-tls. However, what about UDP and
> > retransmits?
> 
> UDP will use DTLS.
> 
> My hesitance is that STARTTLS is part of the TLS protocol, and we're
> not specifying that here, we're only using it. Surely TLS has a proper
> mechanism for managing this situation.

As others have covered, this is a matter for the application that is trying
to use the opportunistic TLS.

> I would like to see a recent RFC that covers your case. RFC 6614 appears
> to require TLS negotiation to occur immediately after the underlying
> transport connection is established, and never later. Is that what you
> want?

Since STARTTLS for NFS doesn't exist other than this draft (right?), you
have a pretty clean slate to work from and should be able to set tight
bounds on usage, disallowing a lot of the potential complications.

So, requiring at most one STARTTLS, and for that to be the first RPC (or
othr traffic) after the transport connection is established, seems
simplest.  STARTTLS when TLS is already active can be rejected, and
STARTTLS after non-TLS RPCs have occurred as well.  That would be my
recommendation, at least (having not really read the draft,at least
recently).

-Ben

v2.23.0 | Report a Bug | By Email