Re: [nfsv4] Comments on minutes of wg meeting at IETF114

Rick Macklem <rmacklem@uoguelph.ca> Thu, 15 September 2022 00:38 UTC

From: Rick Macklem <rmacklem@uoguelph.ca>
To: Chuck Lever III <chuck.lever@oracle.com>, NFSv4 <nfsv4@ietf.org>
Date: Thu, 15 Sep 2022 00:38:07 +0000
Message-ID: <YQXPR01MB41503894FC47A634C7840B27DD499@YQXPR01MB4150.CANPRD01.PROD.OUTLOOK.COM>
References: <CADaq8jd4+FPhH0m5AuBgop_xJiYMjrRKva8mX0A-gioW_8b+5A@mail.gmail.com> <2CCC6B48-118F-48C3-A764-1380BAB72066@oracle.com> <CADaq8jeoyLbC_cFd8FwSzuSGFZAi9r3UsTGAxx5KykW+-99Jmg@mail.gmail.com> <606B4B27-0DC1-4215-987F-D97A37C4C278@oracle.com> <YQXPR01MB41506E793FF6F63EC6B1E185DD469@YQXPR01MB4150.CANPRD01.PROD.OUTLOOK.COM> <E443ED89-9C34-4099-B8BC-5DCCE09144F7@oracle.com>
In-Reply-To: <E443ED89-9C34-4099-B8BC-5DCCE09144F7@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/YTJMZNlXWPIrKoFttZHgPR3ycvY>
Subject: Re: [nfsv4] Comments on minutes of wg meeting at IETF114

Chuck Lever III <chuck.lever@oracle.com> wrote:
>> On Sep 13, 2022, at 7:09 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
>>
>> Chuck Lever III wrote:
>>> David Noveck wrote:
>> [stuff snipped to just comments related to FreeBSD/me]
>>
>>>> Let me give people some background.  Chuck objected to the
>>>> treatment of SECINFO in some earlier security-0x draft.  He thought it
>>>> was too complicated so we agreed that he would publish his approach,
>>>> as he did in rpc-tls-pseudoflavors and I would refer to that in the next
>>>> security draft.
>>>>
>>>> Now it appears that Chuck has changed his mind and I'd appreciate
>>>> knowing why.
>>>
>>> Rick told me he is not going to implement it.
>> This statement sounds somewhat misleading, although true.
>> I do not see the FreeBSD client implementing pseudo-flavors
>> because it does not use Secinfo/SecinfoNoName and I doubt
>> it ever will.
>> --> It just considers NFS4ERR_WRONGSEC to be a fatal error
>>      that it maps to EACCES.
>>
>> The FreeBSD NFSv4 server could easily implement pseudo-flavors.
>> I was just waiting to see if there was a consensus that it was
>> the correct way to go.  I'll admit I do not see that consensus
>> at this time.
>
>Rick made this comment to me in private e-mail last March (don't
>worry, nothing embarrassing!):
>
>> Since NFSv4 has no way of acquiring the pseudoflavors before doing
>> ExchangeID..., I'll admit I don't see the pseudoflavors as that useful.
>> I think cases where the security requirements for a given client change
>> at server file system boundaries are fairly rare.
>
>I concluded based on that that Rick is not interested in
>implementing the mechanisms proposed in rpc-tls-pseudoflavor
>for FreeBSD at all. The mechanism does not add value for the
>use cases commonly deployed on FreeBSD NFS systems.

For the above, I was wearing my "client implementor hat".
It is true that a Secinfo like operation that could be performed
before ExchangeID/CreateSession might be more useful for the
FreeBSD client (but not enough to bother proposing it as
an extension;-)

For the FreeBSD NFSv4 server, it is possible for the
security requirements to change on server file system
boundaries but, as above, I doubt that will be a common
case.

rick

--
Chuck Lever


