IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Mon, 25 March 2019 08:54 UTC

Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74B1212038E for <nfsv4@ietfa.amsl.com>; Mon, 25 Mar 2019 01:54:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DhTArlDlItk2 for <nfsv4@ietfa.amsl.com>; Mon, 25 Mar 2019 01:53:58 -0700 (PDT)
Received: from smtp-o-1.desy.de (smtp-o-1.desy.de [IPv6:2001:638:700:1038::1:9a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E375F1203F7 for <nfsv4@ietf.org>; Mon, 25 Mar 2019 01:53:55 -0700 (PDT)
Received: from smtp-buf-1.desy.de (smtp-buf-1.desy.de [131.169.56.164]) by smtp-o-1.desy.de (DESY-O-1) with ESMTP id 9548A28023B for <nfsv4@ietf.org>; Mon, 25 Mar 2019 09:53:52 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-1.desy.de 9548A28023B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1553504032; bh=6bwyeXlP25isz3yi0xOciXAJhmeCFCHzwaLLQHtF/7k=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=g4BzUIKqJmuQZkwCHo3qm6xNvinEXlqS0VuuCtQ+vNPypxiAXQWlNXe8yoDnSMA5y D9XriM6MAk08euTF+KEhzXtEy/nHhRBfPNfagnFC+5ZVAORUlOKEyvkjhGspiYotmS xmSORkiIG9vjeVZYEaOkkW5FlwBMlrKo8UQAGXuk=
Received: from smtp-m-1.desy.de (smtp-m-1.desy.de [IPv6:2001:638:700:1038::1:81]) by smtp-buf-1.desy.de (Postfix) with ESMTP id 8F368120261; Mon, 25 Mar 2019 09:53:52 +0100 (CET)
X-Virus-Scanned: amavisd-new at desy.de
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-1.desy.de (DESY-INTRA-1) with ESMTP id 47F253E901; Mon, 25 Mar 2019 09:53:52 +0100 (MET)
Date: Mon, 25 Mar 2019 09:53:51 +0100
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Message-ID: <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de>
In-Reply-To: <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <50A96C3A-DBA4-4A6C-B883-664E59E24534@oracle.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Zimbra 8.8.10_GA_3781 (ZimbraWebClient - FF66 (Linux)/8.8.10_GA_3786)
Thread-Topic: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
Thread-Index: MWLelL/lGtUTYxAPGmrrB9zCyAXU+A==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/YOtZGCvyeDYJwQlD73M4VtrBy6E>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 08:54:07 -0000


Hi Chuck,

By working on our implementation we got a following questions:

what should server do when a client requests startTLS twice? Fail
with an auth error or just ignore? It would be nice if spec will
explicitly define this situation.

Thanks,
   Tigran. 

----- Original Message -----
> From: "Dave Noveck" <davenoveck@gmail.com>
> To: "Chuck Lever" <chuck.lever@oracle.com>
> Cc: "NFSv4" <nfsv4@ietf.org>
> Sent: Friday, January 4, 2019 5:25:18 PM
> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

>> I've been studying RFC 8471 to understand what would be needed to support
>> TLS token binding with RPC. It appears there are two components:
> 
> > - The TLS handshake is extended to indicate support for token binding
>>   and negotiate the supported version
> 
>>  - The upper layer protocol (RPC, in our case) is required to send a Token
>>   Binding message as the first message
> 
>> We would need to provide a mechanism for encapsulating this message in
>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
>> RPCSEC GSS could provide a mechanism for transporting this message.
> 
> As I understand things, one of the potential goals here is to satisfactorily
> authenticate the client so that AUTH_SYS can reasonably used.  For that use
> case, I'm not sure how depending on RPCSEC GSS would fit in.
> 
>> It appears to me that there is a natural boundary between what we have
>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
>> Binding, such that Token Binding could be handled by a separate document.
> 
> That makes sense.
> 
>> That would allow the quick completion
> 
> Since this is the IETF, let's just say "quicker completion".
> 
>> of rpc-tls to enable encryption by
>> default using self-signed certificates, with support for Token Binding
>> to appear later.
> 
> It depens on how much later.  I don't see how it would be necessary to get
> through the RFC process, including that rigorous search for split
> infinitives, cycles
> of discussion of RFC2119 terms before starting the follow-up work on token
> binding.   Once rpc-tls is accepted as a working group document, the group
> would
> be in a position to make plans for the follow-on  work that seems to be
> warranted.
> 
>> Thoughts, comments...
> 
> If work on client autehentication is to be punted, then the document will
> need to reflect that.
> In particular, if you, as a server, are prepared to accept an
> unauthenticatted client's user
> identifications, then your security is pretty much non-existent, despite
> the fact that
> enryption prevents eavesdropping.  In that case, it probably best to say
> nothing about use
> of AUTH_SYS.
> 
>> Am I on the wrong track?
> 
> No.
> 
> On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> 
>>
>> > On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote:
>> >
>> > Hi Chuck
>> >
>> > Apologies for top posting, blame MS
>> >
>> > I was interested in the comment "We believe the combination of host
>> authentication via TLS and user authentication via RPC provides optimal
>> security, efficiency, and flexibility,". There's been a huge amount of
>> negative press for TLS client auth, but there's been a push for TLS token
>> binding as a basis for better client/server authentication. Does the
>> proposal need to consider work in this area?
>>
>> I've been studying RFC 8471 to understand what would be needed to support
>> TLS token binding with RPC. It appears there are two components:
>>
>>  - The TLS handshake is extended to indicate support for token binding
>>    and negotiate the supported version
>>
>>  - The upper layer protocol (RPC, in our case) is required to send a Token
>>    Binding message as the first message
>>
>> We would need to provide a mechanism for encapsulating this message in
>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
>> RPCSEC GSS could provide a mechanism for transporting this message.
>>
>> It appears to me that there is a natural boundary between what we have
>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
>> Binding, such that Token Binding could be handled by a separate document.
>> That would allow the quick completion of rpc-tls to enable encryption by
>> default using self-signed certificates, with support for Token Binding
>> to appear later.
>>
>> Thoughts, comments... Am I on the wrong track?
>>
>>
>> > -----Original Message-----
>> > From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
>> > Sent: Monday, November 19, 2018 15:56
>> > To: NFSv4 <nfsv4@ietf.org>
>> > Subject: [nfsv4] Fwd: New Version Notification for
>> draft-cel-nfsv4-rpc-tls-01.txt
>> >
>> >
>> > Hi-
>> >
>> >> Begin forwarded message:
>> >>
>> >> From: internet-drafts@ietf.org
>> >> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
>> >> Date: November 19, 2018 at 10:52:07 AM EST
>> >> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles
>> >> Lever" <chuck.lever@oracle.com>, "Chuck Lever"
>> >> <chuck.lever@oracle.com>
>> >>
>> >>
>> >> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been
>> >> successfully submitted by Charles Lever and posted to the IETF
>> >> repository.
>> >>
>> >> Name:         draft-cel-nfsv4-rpc-tls
>> >> Revision:     01
>> >> Title:                Remote Procedure Call Encryption By Default
>> >> Document date:        2018-11-19
>> >> Group:                Individual Submission
>> >> Pages:                9
>> >> URL:
>> https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt
>> >> Status:
>> https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/
>> >> Htmlized:       https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01
>> >> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls
>> >> Diff:
>> https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01
>> >>
>> >> Abstract:
>> >>  This document describes a mechanism that enables encryption of in-
>> >>  transit Remote Procedure Call (RPC) transactions with little
>> >>  administrative overhead and full interoperation with RPC
>> >>  implementations that do not support this mechanism.  This document
>> >>  updates RFC 5531.
>> >>
>> >>
>> >>
>> >>
>> >> Please note that it may take a couple of minutes from the time of
>> >> submission until the htmlized version and diff are available at
>> tools.ietf.org.
>> >>
>> >> The IETF Secretariat
>> >
>> > Minor changes in revision 01:
>> > - Correct a legal issue reported by idnits
>> > - Clarify terminology throughout document
>> > - Add editor's note in Section 4.3 "Authentication"
>> > - Wordsmithing throughout
>> >
>> >
>> > The immediate question I have is whether members of WG feel this topic
>> and document are important enough to promote rpc-tls-01 to Working Group
>> document status. If yes, I can submit the next revision as
>> draft-ietf-nfsv4-rpc-tls-00.
>>
>> --
>> Chuck Lever
>>
>>
>>
>> _______________________________________________
>> nfsv4 mailing list
>> nfsv4@ietf.org
>> https://www.ietf.org/mailman/listinfo/nfsv4
>>
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email