Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Mon, 25 March 2019 08:54 UTC
Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74B1212038E for <nfsv4@ietfa.amsl.com>; Mon, 25 Mar 2019 01:54:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DhTArlDlItk2 for <nfsv4@ietfa.amsl.com>; Mon, 25 Mar 2019 01:53:58 -0700 (PDT)
Received: from smtp-o-1.desy.de (smtp-o-1.desy.de [IPv6:2001:638:700:1038::1:9a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E375F1203F7 for <nfsv4@ietf.org>; Mon, 25 Mar 2019 01:53:55 -0700 (PDT)
Received: from smtp-buf-1.desy.de (smtp-buf-1.desy.de [131.169.56.164]) by smtp-o-1.desy.de (DESY-O-1) with ESMTP id 9548A28023B for <nfsv4@ietf.org>; Mon, 25 Mar 2019 09:53:52 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-1.desy.de 9548A28023B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1553504032; bh=6bwyeXlP25isz3yi0xOciXAJhmeCFCHzwaLLQHtF/7k=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=g4BzUIKqJmuQZkwCHo3qm6xNvinEXlqS0VuuCtQ+vNPypxiAXQWlNXe8yoDnSMA5y D9XriM6MAk08euTF+KEhzXtEy/nHhRBfPNfagnFC+5ZVAORUlOKEyvkjhGspiYotmS xmSORkiIG9vjeVZYEaOkkW5FlwBMlrKo8UQAGXuk=
Received: from smtp-m-1.desy.de (smtp-m-1.desy.de [IPv6:2001:638:700:1038::1:81]) by smtp-buf-1.desy.de (Postfix) with ESMTP id 8F368120261; Mon, 25 Mar 2019 09:53:52 +0100 (CET)
X-Virus-Scanned: amavisd-new at desy.de
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-1.desy.de (DESY-INTRA-1) with ESMTP id 47F253E901; Mon, 25 Mar 2019 09:53:52 +0100 (MET)
Date: Mon, 25 Mar 2019 09:53:51 +0100
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Message-ID: <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de>
In-Reply-To: <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <50A96C3A-DBA4-4A6C-B883-664E59E24534@oracle.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Zimbra 8.8.10_GA_3781 (ZimbraWebClient - FF66 (Linux)/8.8.10_GA_3786)
Thread-Topic: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
Thread-Index: MWLelL/lGtUTYxAPGmrrB9zCyAXU+A==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/YOtZGCvyeDYJwQlD73M4VtrBy6E>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 08:54:07 -0000
Hi Chuck, By working on our implementation we got a following questions: what should server do when a client requests startTLS twice? Fail with an auth error or just ignore? It would be nice if spec will explicitly define this situation. Thanks, Tigran. ----- Original Message ----- > From: "Dave Noveck" <davenoveck@gmail.com> > To: "Chuck Lever" <chuck.lever@oracle.com> > Cc: "NFSv4" <nfsv4@ietf.org> > Sent: Friday, January 4, 2019 5:25:18 PM > Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt >> I've been studying RFC 8471 to understand what would be needed to support >> TLS token binding with RPC. It appears there are two components: > > > - The TLS handshake is extended to indicate support for token binding >> and negotiate the supported version > >> - The upper layer protocol (RPC, in our case) is required to send a Token >> Binding message as the first message > >> We would need to provide a mechanism for encapsulating this message in >> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially, >> RPCSEC GSS could provide a mechanism for transporting this message. > > As I understand things, one of the potential goals here is to satisfactorily > authenticate the client so that AUTH_SYS can reasonably used. For that use > case, I'm not sure how depending on RPCSEC GSS would fit in. > >> It appears to me that there is a natural boundary between what we have >> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token >> Binding, such that Token Binding could be handled by a separate document. > > That makes sense. > >> That would allow the quick completion > > Since this is the IETF, let's just say "quicker completion". > >> of rpc-tls to enable encryption by >> default using self-signed certificates, with support for Token Binding >> to appear later. > > It depens on how much later. I don't see how it would be necessary to get > through the RFC process, including that rigorous search for split > infinitives, cycles > of discussion of RFC2119 terms before starting the follow-up work on token > binding. Once rpc-tls is accepted as a working group document, the group > would > be in a position to make plans for the follow-on work that seems to be > warranted. > >> Thoughts, comments... > > If work on client autehentication is to be punted, then the document will > need to reflect that. > In particular, if you, as a server, are prepared to accept an > unauthenticatted client's user > identifications, then your security is pretty much non-existent, despite > the fact that > enryption prevents eavesdropping. In that case, it probably best to say > nothing about use > of AUTH_SYS. > >> Am I on the wrong track? > > No. > > On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote: > >> >> > On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote: >> > >> > Hi Chuck >> > >> > Apologies for top posting, blame MS >> > >> > I was interested in the comment "We believe the combination of host >> authentication via TLS and user authentication via RPC provides optimal >> security, efficiency, and flexibility,". There's been a huge amount of >> negative press for TLS client auth, but there's been a push for TLS token >> binding as a basis for better client/server authentication. Does the >> proposal need to consider work in this area? >> >> I've been studying RFC 8471 to understand what would be needed to support >> TLS token binding with RPC. It appears there are two components: >> >> - The TLS handshake is extended to indicate support for token binding >> and negotiate the supported version >> >> - The upper layer protocol (RPC, in our case) is required to send a Token >> Binding message as the first message >> >> We would need to provide a mechanism for encapsulating this message in >> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially, >> RPCSEC GSS could provide a mechanism for transporting this message. >> >> It appears to me that there is a natural boundary between what we have >> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token >> Binding, such that Token Binding could be handled by a separate document. >> That would allow the quick completion of rpc-tls to enable encryption by >> default using self-signed certificates, with support for Token Binding >> to appear later. >> >> Thoughts, comments... Am I on the wrong track? >> >> >> > -----Original Message----- >> > From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever >> > Sent: Monday, November 19, 2018 15:56 >> > To: NFSv4 <nfsv4@ietf.org> >> > Subject: [nfsv4] Fwd: New Version Notification for >> draft-cel-nfsv4-rpc-tls-01.txt >> > >> > >> > Hi- >> > >> >> Begin forwarded message: >> >> >> >> From: internet-drafts@ietf.org >> >> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt >> >> Date: November 19, 2018 at 10:52:07 AM EST >> >> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles >> >> Lever" <chuck.lever@oracle.com>, "Chuck Lever" >> >> <chuck.lever@oracle.com> >> >> >> >> >> >> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been >> >> successfully submitted by Charles Lever and posted to the IETF >> >> repository. >> >> >> >> Name: draft-cel-nfsv4-rpc-tls >> >> Revision: 01 >> >> Title: Remote Procedure Call Encryption By Default >> >> Document date: 2018-11-19 >> >> Group: Individual Submission >> >> Pages: 9 >> >> URL: >> https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt >> >> Status: >> https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/ >> >> Htmlized: https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01 >> >> Htmlized: >> https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls >> >> Diff: >> https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01 >> >> >> >> Abstract: >> >> This document describes a mechanism that enables encryption of in- >> >> transit Remote Procedure Call (RPC) transactions with little >> >> administrative overhead and full interoperation with RPC >> >> implementations that do not support this mechanism. This document >> >> updates RFC 5531. >> >> >> >> >> >> >> >> >> >> Please note that it may take a couple of minutes from the time of >> >> submission until the htmlized version and diff are available at >> tools.ietf.org. >> >> >> >> The IETF Secretariat >> > >> > Minor changes in revision 01: >> > - Correct a legal issue reported by idnits >> > - Clarify terminology throughout document >> > - Add editor's note in Section 4.3 "Authentication" >> > - Wordsmithing throughout >> > >> > >> > The immediate question I have is whether members of WG feel this topic >> and document are important enough to promote rpc-tls-01 to Working Group >> document status. If yes, I can submit the next revision as >> draft-ietf-nfsv4-rpc-tls-00. >> >> -- >> Chuck Lever >> >> >> >> _______________________________________________ >> nfsv4 mailing list >> nfsv4@ietf.org >> https://www.ietf.org/mailman/listinfo/nfsv4 >> > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Fwd: New Version Notification for draft-c… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… Rob Thurlow
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… McDonald, Alex
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… Tom Talpey
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… David Noveck
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Lars Eggert
- Re: [nfsv4] New Version Notification for draft-ce… Lars Eggert
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Benjamin Kaduk
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Trond Myklebust
- Re: [nfsv4] New Version Notification for draft-ce… Trond Myklebust
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Benjamin Kaduk
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran