IETF Logo Mail Archive

Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-nfsv4-rpc-tls04

Chuck Lever <chuck.lever@oracle.com> Fri, 06 December 2019 21:55 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D381A120CB1 for <nfsv4@ietfa.amsl.com>; Fri, 6 Dec 2019 13:55:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXkVtnxVpQl5 for <nfsv4@ietfa.amsl.com>; Fri, 6 Dec 2019 13:55:17 -0800 (PST)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F7D4120B28 for <nfsv4@ietf.org>; Fri, 6 Dec 2019 13:54:54 -0800 (PST)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id xB6LsCAB187625; Fri, 6 Dec 2019 21:54:54 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2019-08-05; bh=SFbBsD2EpcqF/Je57WAl3qsBKm2bcQ8Vg172uLi4lvs=; b=rFxT+0qOTT8J8vmFIyLV3H4eI1G4AinqEk3Ohgj0Lm6/Y1DL14fYJov/OVmFWjR5BdBs 8BcqR4uwKJhAnlyISBmougflbZMvwySIVgiWKL50FGT+Ae3AJQYBopah+Ti3Rvu26CQK 9I6EucCy/ZdXQNpVQmlyd9njnhpD84iwN7kVc+ovXR8wLw0NiLuEVtdJMuHQIshYdAdB +2BqVEFDK7FsANU3JkTqSJ6l3Ocx/f0XgKXNjtMF+A+brpL4R61Tt9IU7RVyBkPNR6WC RoNA1xktyQG5nZ1mQLdmkM07r+dZQN23z+K06waKPfjxLVOv8hdOixxtvFRTmm7EPStk Nw==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by userp2120.oracle.com with ESMTP id 2wkh2rxf7v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 06 Dec 2019 21:54:53 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id xB6LrRDM186954; Fri, 6 Dec 2019 21:54:53 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userp3030.oracle.com with ESMTP id 2wqt45ep3d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 06 Dec 2019 21:54:53 +0000
Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id xB6Lsqri004641; Fri, 6 Dec 2019 21:54:52 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 06 Dec 2019 13:54:52 -0800
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <c4a0ccc6-ebea-1732-d088-d645f970a3e5@talpey.com>
Date: Fri, 06 Dec 2019 16:54:51 -0500
Cc: nfsv4@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <4648015E-4451-4757-B54F-C5D0069DA13A@oracle.com>
References: <CADaq8jdbQJFKS7xoeP+wLMhT0e8gSQQeqHDsV7PHNbT_YC+hSQ@mail.gmail.com> <11820D8F-A192-46EE-AD32-8561BCBE31A2@oracle.com> <MN2PR21MB143931B6F1DC40FF6A765AAEA05F0@MN2PR21MB1439.namprd21.prod.outlook.com> <CADaq8jf5Dh8bMmA2fcDKBknTbz-Oah1dZH=KRawjSRtOa6zh5w@mail.gmail.com> <63ADA2AC-815D-4899-B863-4FD321A968ED@oracle.com> <MN2PR21MB143950BE6F7130739D1280CAA05F0@MN2PR21MB1439.namprd21.prod.outlook.com> <741F6898-6A1B-4968-BC63-B9CDBB97C16F@oracle.com> <b1b36bba-2d60-3665-db67-0e58a2c82dc7@talpey.com> <CEB4BEE5-2BC3-44BB-873F-57FD24F00E45@oracle.com> <c4a0ccc6-ebea-1732-d088-d645f970a3e5@talpey.com>
To: Tom Talpey <tom@talpey.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9463 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1912060174
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9463 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1912060175
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/_XrlKO_GySXruiXhPorJDa-NsMs>
Subject: Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-nfsv4-rpc-tls04
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2019 21:55:24 -0000


> On Dec 6, 2019, at 4:44 PM, Tom Talpey <tom@talpey.com> wrote:
> 
> On 12/6/2019 4:30 PM, Chuck Lever wrote:
>>> On Dec 6, 2019, at 3:58 PM, Tom Talpey <tom@talpey.com> wrote:
>>> 
>>> On 12/6/2019 2:46 PM, Chuck Lever wrote:
>>>>> On Dec 6, 2019, at 2:24 PM, Tom Talpey <ttalpey@microsoft.com> wrote:
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Chuck Lever <chuck.lever@oracle.com>
>>>>>> Sent: Friday, December 6, 2019 2:12 PM
>>>>>> To: David Noveck <davenoveck@gmail.com>; Black, David
>>>>>> <David.Black@dell.com>
>>>>>> Cc: Tom Talpey <ttalpey@microsoft.com>; NFSv4 <nfsv4@ietf.org>
>>>>>> Subject: Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-nfsv4-rpc-tls04
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Dec 6, 2019, at 11:53 AM, David Noveck <davenoveck@gmail.com>
>>>>>> wrote:
>>>>>>> 
>>>>>>> On Fri, Dec 6, 2019 at 10:28 AM Tom Talpey <ttalpey@microsoft.com>
>>>>>> wrote:
>>>>>>>> -----Original Message-----
>>>>>>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
>>>>>>>> Sent: Friday, December 6, 2019 10:11 AM
>>>>>>>> To: David Noveck <davenoveck@gmail.com>
>>>>>>>> Cc: NFSv4 <nfsv4@ietf.org>
>>>>>>>> Subject: [EXTERNAL] Re: [nfsv4] Review of draft-ietf-nfsv4-rpc-tls04
>>>>>> 
>>>>>>>> Essentially, we want to require that the host separates
>>>>>>>> the encryption of each tenant's traffic.
>>>>>>> 
>>>>>>> I think the move from "user identiy domain" to "tenant" is helpful here even
>>>>>>> though you would have to explain what multipe tenants, which, as Tom
>>>>>>> points out, can alsooccur without virtalization per se, bein involved.
>>>>>> 
>>>>>> 
>>>>>> Fair 'nuf. To me "tenant" and "user identity domain" mean the same thing
>>>>>> in this context. In Linux, a tenant container is represented by a set of
>>>>>> namespaces, one of which controls the user identity mapping. So "user
>>>>>> identity domain" seems natural to me, but maybe not to others.
>>>>>> 
>>>>>> RFC 4949 does not have a convenient definition of "tenant."
>>>>>> 
>>>>>> RFC 7644 Section 6 comes close.
>>>>>> 
>>>>>> David Black, perhaps you might have thoughts based on your work on
>>>>>> network virtualization overlays ( RFCs 736[45] )?
>>>>> 
>>>>> I'm arguing the opposite - that there's no need to bring in "tenant" or
>>>>> "virtualization" or adding references to nvo, etc. Unless you have a very
>>>>> specific vulnerability in mind that this needs to cover.
>>>>> 
>>>>> In other words, keep it simple and at the highest-level abstraction possible.
>>>> I'm flexible, and philosophically agree that an abstract requirement
>>>> would be best. I just don't yet see how to make that happen. "Tenancy"
>>>> seems to me like an inseparable part of the discussion.
>>> 
>>> [replying from a different account]
>>> 
>>> I think "tenant" is a loaded word, especially when you seek an
>>> RFC-based definition. I understand the tenant container and namespace
>>> approach, but it's only one approach, and shouldn't be written into
>>> the protocol justification.
>>> 
>>> For example, the SMB3 protocol protects its traffic with per-user
>>> keys, and even safely mixes user traffic on a single connection
>>> because of this isolation. But this is implemented independent of
>>> containers and virtualization.
>> With RPCSEC GSS, each user gets its own key as well.
> 
> Indeed, yes.
> 
>> With TLS, a set of users shares a single host key. The constraint
>> we need to state here is how much key sharing is secure/recommended/
>> allowed.
> 
> I disagree - this is an implementation choice not a TLS requirement.
> This is the trap I think the draaft needs to avoid falling into.

Not a trap, it's a conscious choice.


> A single machine key is great for protecting HTTPS to a laptop, it
> covers traffic through unsafe networks and gives us a bit of server
> authentication. But NFS is a different scenario.

An _NFS_ implementation is free to make more restrictive policy
choices. We are defining a generic RPC over TLS mechanism here.

If we want NFS to do something else, I think another document, an
NFS-specific document, is required.


>> In addition, Section 4.2 has this language:
>>>    In either of these modes, RPC user authentication is not affected by
>>>    the use of transport layer security.  Once a TLS session is
>>>    established, the server MUST NOT substitute RPC_AUTH_TLS, or the
>>>    remote identity used for TLS peer authentication, for existing forms
>>>    of per-request RPC user authentication specified by [RFC5531].
>> The document explicitly prohibits the use of these keys for making
>> authorization decisions about individual users. In other words, a
>> TLS identity in this case is not the same as an RPC user.
> 
> Right. But the language you quote is pretty vague. "Existing forms of
> per-request RPC user authentiction" I have to think about that long and
> hard, much less translate to a specific thing to MUST NOT do.
> 
>>>> If you have an example, that would help.
>>> 
>>> Well, it's the same thing - per-user NFS/RPC/TLS mounts, but it
>>> leaves out any mention of containers or namespaces or tenancy.
>>> Those are today's Linux approach, but they are by no means required
>>> to drive the protocol. I'm just suggesting the draft can say this
>>> without any of that baggage.
>> Again, I don't disagree with any of this. But I'm stuck when trying
>> to bridge the gap between "the draft can say this" and actually
>> writing the text. I'm not arguing with you, just trying to shake out
>> what it is we need to say in the document.
>>> A user then becomes an "authenticated principal", and the RPC/TLS
>>> connection may therefore be protected by a key derived from this
>>> authentication.
>> As above: RPC on TLS explicitly does not bind an RPC user to a TLS
>> identity in this iteration of the protocol. RPC users share the
>> encrypted TLS session. The TLS identity represents the client, not
>> the users.
> 
> But again, why not? Is that forbidden somehow? Or is it simply the
> way most OS's implement it?

This document/protocol is restricting it to keep it simple. Nothing
to do with implementations.

All we want in this iteration is encryption. Using TLS for user
authentication is future work.


>>> Or, if the administrator allows, it can be a
>>> per-machine key, or shared in other ways.
>> That's the (only) model we are trying to express here. And perhaps
>> we need to take care not to prevent a future protocol iteration
>> from going further and binding a single RPC user to a TLS identity.
>>> But this would not be
>>> as secure as the former, and the implications need to be stated.
>> To state those implications, IMO we need to express the concept of
>> a set of one or more users that reside in a single user identity
>> domain -- ie, users that are administered in the same security realm.
>> --
>> Chuck Lever
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

--
Chuck Lever

v2.23.0 | Report a Bug | By Email