Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-nfsv4-rpc-tls04
Chuck Lever <chuck.lever@oracle.com> Fri, 06 December 2019 21:55 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D381A120CB1 for <nfsv4@ietfa.amsl.com>; Fri, 6 Dec 2019 13:55:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXkVtnxVpQl5 for <nfsv4@ietfa.amsl.com>; Fri, 6 Dec 2019 13:55:17 -0800 (PST)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F7D4120B28 for <nfsv4@ietf.org>; Fri, 6 Dec 2019 13:54:54 -0800 (PST)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id xB6LsCAB187625; Fri, 6 Dec 2019 21:54:54 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2019-08-05; bh=SFbBsD2EpcqF/Je57WAl3qsBKm2bcQ8Vg172uLi4lvs=; b=rFxT+0qOTT8J8vmFIyLV3H4eI1G4AinqEk3Ohgj0Lm6/Y1DL14fYJov/OVmFWjR5BdBs 8BcqR4uwKJhAnlyISBmougflbZMvwySIVgiWKL50FGT+Ae3AJQYBopah+Ti3Rvu26CQK 9I6EucCy/ZdXQNpVQmlyd9njnhpD84iwN7kVc+ovXR8wLw0NiLuEVtdJMuHQIshYdAdB +2BqVEFDK7FsANU3JkTqSJ6l3Ocx/f0XgKXNjtMF+A+brpL4R61Tt9IU7RVyBkPNR6WC RoNA1xktyQG5nZ1mQLdmkM07r+dZQN23z+K06waKPfjxLVOv8hdOixxtvFRTmm7EPStk Nw==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by userp2120.oracle.com with ESMTP id 2wkh2rxf7v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 06 Dec 2019 21:54:53 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id xB6LrRDM186954; Fri, 6 Dec 2019 21:54:53 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userp3030.oracle.com with ESMTP id 2wqt45ep3d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 06 Dec 2019 21:54:53 +0000
Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id xB6Lsqri004641; Fri, 6 Dec 2019 21:54:52 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 06 Dec 2019 13:54:52 -0800
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <c4a0ccc6-ebea-1732-d088-d645f970a3e5@talpey.com>
Date: Fri, 06 Dec 2019 16:54:51 -0500
Cc: nfsv4@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <4648015E-4451-4757-B54F-C5D0069DA13A@oracle.com>
References: <CADaq8jdbQJFKS7xoeP+wLMhT0e8gSQQeqHDsV7PHNbT_YC+hSQ@mail.gmail.com> <11820D8F-A192-46EE-AD32-8561BCBE31A2@oracle.com> <MN2PR21MB143931B6F1DC40FF6A765AAEA05F0@MN2PR21MB1439.namprd21.prod.outlook.com> <CADaq8jf5Dh8bMmA2fcDKBknTbz-Oah1dZH=KRawjSRtOa6zh5w@mail.gmail.com> <63ADA2AC-815D-4899-B863-4FD321A968ED@oracle.com> <MN2PR21MB143950BE6F7130739D1280CAA05F0@MN2PR21MB1439.namprd21.prod.outlook.com> <741F6898-6A1B-4968-BC63-B9CDBB97C16F@oracle.com> <b1b36bba-2d60-3665-db67-0e58a2c82dc7@talpey.com> <CEB4BEE5-2BC3-44BB-873F-57FD24F00E45@oracle.com> <c4a0ccc6-ebea-1732-d088-d645f970a3e5@talpey.com>
To: Tom Talpey <tom@talpey.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9463 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1912060174
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9463 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1912060175
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/_XrlKO_GySXruiXhPorJDa-NsMs>
Subject: Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-nfsv4-rpc-tls04
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2019 21:55:24 -0000
> On Dec 6, 2019, at 4:44 PM, Tom Talpey <tom@talpey.com> wrote: > > On 12/6/2019 4:30 PM, Chuck Lever wrote: >>> On Dec 6, 2019, at 3:58 PM, Tom Talpey <tom@talpey.com> wrote: >>> >>> On 12/6/2019 2:46 PM, Chuck Lever wrote: >>>>> On Dec 6, 2019, at 2:24 PM, Tom Talpey <ttalpey@microsoft.com> wrote: >>>>> >>>>>> -----Original Message----- >>>>>> From: Chuck Lever <chuck.lever@oracle.com> >>>>>> Sent: Friday, December 6, 2019 2:12 PM >>>>>> To: David Noveck <davenoveck@gmail.com>; Black, David >>>>>> <David.Black@dell.com> >>>>>> Cc: Tom Talpey <ttalpey@microsoft.com>; NFSv4 <nfsv4@ietf.org> >>>>>> Subject: Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-nfsv4-rpc-tls04 >>>>>> >>>>>> >>>>>> >>>>>>> On Dec 6, 2019, at 11:53 AM, David Noveck <davenoveck@gmail.com> >>>>>> wrote: >>>>>>> >>>>>>> On Fri, Dec 6, 2019 at 10:28 AM Tom Talpey <ttalpey@microsoft.com> >>>>>> wrote: >>>>>>>> -----Original Message----- >>>>>>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever >>>>>>>> Sent: Friday, December 6, 2019 10:11 AM >>>>>>>> To: David Noveck <davenoveck@gmail.com> >>>>>>>> Cc: NFSv4 <nfsv4@ietf.org> >>>>>>>> Subject: [EXTERNAL] Re: [nfsv4] Review of draft-ietf-nfsv4-rpc-tls04 >>>>>> >>>>>>>> Essentially, we want to require that the host separates >>>>>>>> the encryption of each tenant's traffic. >>>>>>> >>>>>>> I think the move from "user identiy domain" to "tenant" is helpful here even >>>>>>> though you would have to explain what multipe tenants, which, as Tom >>>>>>> points out, can alsooccur without virtalization per se, bein involved. >>>>>> >>>>>> >>>>>> Fair 'nuf. To me "tenant" and "user identity domain" mean the same thing >>>>>> in this context. In Linux, a tenant container is represented by a set of >>>>>> namespaces, one of which controls the user identity mapping. So "user >>>>>> identity domain" seems natural to me, but maybe not to others. >>>>>> >>>>>> RFC 4949 does not have a convenient definition of "tenant." >>>>>> >>>>>> RFC 7644 Section 6 comes close. >>>>>> >>>>>> David Black, perhaps you might have thoughts based on your work on >>>>>> network virtualization overlays ( RFCs 736[45] )? >>>>> >>>>> I'm arguing the opposite - that there's no need to bring in "tenant" or >>>>> "virtualization" or adding references to nvo, etc. Unless you have a very >>>>> specific vulnerability in mind that this needs to cover. >>>>> >>>>> In other words, keep it simple and at the highest-level abstraction possible. >>>> I'm flexible, and philosophically agree that an abstract requirement >>>> would be best. I just don't yet see how to make that happen. "Tenancy" >>>> seems to me like an inseparable part of the discussion. >>> >>> [replying from a different account] >>> >>> I think "tenant" is a loaded word, especially when you seek an >>> RFC-based definition. I understand the tenant container and namespace >>> approach, but it's only one approach, and shouldn't be written into >>> the protocol justification. >>> >>> For example, the SMB3 protocol protects its traffic with per-user >>> keys, and even safely mixes user traffic on a single connection >>> because of this isolation. But this is implemented independent of >>> containers and virtualization. >> With RPCSEC GSS, each user gets its own key as well. > > Indeed, yes. > >> With TLS, a set of users shares a single host key. The constraint >> we need to state here is how much key sharing is secure/recommended/ >> allowed. > > I disagree - this is an implementation choice not a TLS requirement. > This is the trap I think the draaft needs to avoid falling into. Not a trap, it's a conscious choice. > A single machine key is great for protecting HTTPS to a laptop, it > covers traffic through unsafe networks and gives us a bit of server > authentication. But NFS is a different scenario. An _NFS_ implementation is free to make more restrictive policy choices. We are defining a generic RPC over TLS mechanism here. If we want NFS to do something else, I think another document, an NFS-specific document, is required. >> In addition, Section 4.2 has this language: >>> In either of these modes, RPC user authentication is not affected by >>> the use of transport layer security. Once a TLS session is >>> established, the server MUST NOT substitute RPC_AUTH_TLS, or the >>> remote identity used for TLS peer authentication, for existing forms >>> of per-request RPC user authentication specified by [RFC5531]. >> The document explicitly prohibits the use of these keys for making >> authorization decisions about individual users. In other words, a >> TLS identity in this case is not the same as an RPC user. > > Right. But the language you quote is pretty vague. "Existing forms of > per-request RPC user authentiction" I have to think about that long and > hard, much less translate to a specific thing to MUST NOT do. > >>>> If you have an example, that would help. >>> >>> Well, it's the same thing - per-user NFS/RPC/TLS mounts, but it >>> leaves out any mention of containers or namespaces or tenancy. >>> Those are today's Linux approach, but they are by no means required >>> to drive the protocol. I'm just suggesting the draft can say this >>> without any of that baggage. >> Again, I don't disagree with any of this. But I'm stuck when trying >> to bridge the gap between "the draft can say this" and actually >> writing the text. I'm not arguing with you, just trying to shake out >> what it is we need to say in the document. >>> A user then becomes an "authenticated principal", and the RPC/TLS >>> connection may therefore be protected by a key derived from this >>> authentication. >> As above: RPC on TLS explicitly does not bind an RPC user to a TLS >> identity in this iteration of the protocol. RPC users share the >> encrypted TLS session. The TLS identity represents the client, not >> the users. > > But again, why not? Is that forbidden somehow? Or is it simply the > way most OS's implement it? This document/protocol is restricting it to keep it simple. Nothing to do with implementations. All we want in this iteration is encryption. Using TLS for user authentication is future work. >>> Or, if the administrator allows, it can be a >>> per-machine key, or shared in other ways. >> That's the (only) model we are trying to express here. And perhaps >> we need to take care not to prevent a future protocol iteration >> from going further and binding a single RPC user to a TLS identity. >>> But this would not be >>> as secure as the former, and the implications need to be stated. >> To state those implications, IMO we need to express the concept of >> a set of one or more users that reside in a single user identity >> domain -- ie, users that are administered in the same security realm. >> -- >> Chuck Lever > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 -- Chuck Lever
- [nfsv4] Review of draft-ietf-nfsv4-rpc-tls04 David Noveck
- Re: [nfsv4] Review of draft-ietf-nfsv4-rpc-tls04 Chuck Lever
- Re: [nfsv4] Review of draft-ietf-nfsv4-rpc-tls04 Chuck Lever
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Tom Talpey
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… David Noveck
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Chuck Lever
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Tom Talpey
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Chuck Lever
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Tom Talpey
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Chuck Lever
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Tom Talpey
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Chuck Lever
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… David Noveck
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Chuck Lever
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Tom Talpey
- Re: [nfsv4] [EXTERNAL] Re: Review of draft-ietf-n… Chuck Lever