IETF Logo Mail Archive

Re: [nfsv4] Comments on draft-ietf-nfsv4-integrity-measurement-07

Chuck Lever <chuck.lever@oracle.com> Tue, 29 October 2019 19:18 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1A001208B3 for <nfsv4@ietfa.amsl.com>; Tue, 29 Oct 2019 12:18:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bljDmWYHouvt for <nfsv4@ietfa.amsl.com>; Tue, 29 Oct 2019 12:18:46 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1263120168 for <nfsv4@ietf.org>; Tue, 29 Oct 2019 12:18:45 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x9TJIiej043232; Tue, 29 Oct 2019 19:18:44 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2019-08-05; bh=9An95an8Emk4KuuTCbchDXuSA8SQLOslRGz4tH6/Z6A=; b=HZ1AlQpT5Mt81EZizIRSfCW9lgSJrZ8Yk5atiV/C69rq0ZfRzW6W18QpDIbB5FxIDdph 27wLM+UsggyjOTXDCjwyVuS682n+yRFBrOMuof5sHDCGEe0HFBO16bi4P87k0DWMU44J gfXw+2MwKkH9nX6S9jTOGCl9DxmEDhQegwgfqyK8aGWxK3q/TllXxiuzYyaMMDqN9wax 0G9lWFnqrppID0ABHquN/kVaj9PboFxAqZO1moCgsRdYjBfixZf+wEJAq72jKWFXNmIO afhszB4hrwLQE8BS02um9nhQHB/5cBaVXm9xMZ8NenhZ6uPz1N7cBJKs+Ck8xMrT6mR2 mw==
Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by userp2130.oracle.com with ESMTP id 2vvdjubkbx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 29 Oct 2019 19:18:44 +0000
Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x9TJIOkd171791; Tue, 29 Oct 2019 19:18:42 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserp3020.oracle.com with ESMTP id 2vxpfdksqt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 29 Oct 2019 19:18:41 +0000
Received: from abhmp0021.oracle.com (abhmp0021.oracle.com [141.146.116.27]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x9TJIeXk015296; Tue, 29 Oct 2019 19:18:40 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 29 Oct 2019 12:18:40 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CAMhwm9_QpKmGiSQgs6aDWpa81wiw60ARzn6yjNcSY-iFUBjkZQ@mail.gmail.com>
Date: Tue, 29 Oct 2019 15:18:38 -0400
Cc: spencer shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B0E24F63-4273-4332-ADC8-87B04A2393BB@oracle.com>
References: <3D5CAA74-C6DC-447D-81BE-5D9FA02694E2@gmail.com> <182CEA87-F900-4D0F-834E-38085B095CB3@oracle.com> <CAMhwm9_QpKmGiSQgs6aDWpa81wiw60ARzn6yjNcSY-iFUBjkZQ@mail.gmail.com>
To: Craig Everhart <cfeverhart@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9425 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910290165
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9425 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910290165
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/a_qGtbS6QQkvMjCWBPHs4v2MV1Q>
Subject: Re: [nfsv4] Comments on draft-ietf-nfsv4-integrity-measurement-07
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 19:18:49 -0000


> On Oct 29, 2019, at 2:23 PM, Craig Everhart <cfeverhart@gmail.com> wrote:
>> 
>> inline
>> 
>> On Tue, Oct 29, 2019 at 1:59 PM Chuck Lever <chuck.lever@oracle.com> wrote:
>> 
>> 
>> > On Oct 29, 2019, at 12:10 PM, Craig Everhart <cfeverhart@gmail.com> wrote:
>> > 
>> > I think the reason it’s difficult for me to endorse this is that I can’t play in the understanding of integrity, and I’d like to understand any weaknesses.
>> 
>> > Apparently it uses something like what I loosely described, but I have no visibility into it or how it works.
>> 
>> You do have visibility. You can go and look at the references cited
>> by the document. In fact there's a USENIX paper that explains the
>> architecture and provides the analysis you are looking for. There's
>> an open implementation that is available as a prototype and proof of
>> concept.
> 
> If you've added a reference in the last round or two that actually explains this, I'll have a look.  Last time I did, there wasn't anything suitable, IIRC.

   [SAILER]   Sailer, R., Zhang, X., Jaeger, T., and L. van Doorn,
              "Design and Implementation of a TCG-based Integrity
              Measurement Architecture", Proceedings of the 13th USENIX
              Security Symposium, August 2004.


> I don't want to reverse-engineer an implementation, and I don't want to expose myself to the possibility of "taint" by looking into GPL'ed source.

There are well-understood ways to avoid IP taint in cases like this.

Reverse-engineering in this case would also not be difficult: it's
an HMAC signed by a private key. There are only so many ways that
can be done.

The more difficult aspect is constructing the logic that applies
policy to those hashes.


>> But I don't see that kind of analysis as pertinent to whether a file
>> system can store a blob of metadata. The questions you are asking are
>> related to whether you want to implement an appraiser on your non-
>> Linux system. I'm suggesting that's something that can and should
>> be decided independently.
> 
> I want to understand what is being proposed so that I can judge whether it is worth building structure around it.  I want to evaluate the proposal's security properties.  I want to be able to create and verify my own integrity assertions.
> 
> The simple version that I've roughly sketched permits that kind of analysis and deployment.

That's fine, but that's what you need to do to build an appraiser.
Just moving the IMA metadata around does not require that kind of
deep analysis.


>> > Is it using a private key in an HMAC?  If there’s validation of certificates involved, how are they described or registered?  What is the domain of these putative certifications?  Is it meaningful for an NFS server to receive an integrity assertion from one Linux machine and expect that assertion to be validated by a separate Linux machine?
>> 
>> > I know that Chuck doesn’t believe that an NFS server should be able to validate an integrity assertion.  I wonder why not.
>> 
>> That's a needlessly provocative mischaracterization.
> 
> I agree; I didn't mean it to be.  I should have forgone names and asked "Why not?"  Why is it not a valid exercise for an NFS server?

I've said only that it is optional. The document itself explains
that there are reasons why an NFS server might or might not imple-
ment appraisal, and provides examples of interoperation in both
cases.

Claiming that "it is not valid" is a misapprehension on your part.


> At the same time, the previous paragraph contains four questions, which you've ignored.  I wonder what the answers are.

I've repeatedly referred you to the cited documents to answer those
questions. The document itself has some explanation of those elements.
I don't feel the need to repeat all that again.


>> IMA does not trust data storage. The only really meaningful appraisal
>> is done at the time of content consumption. Any other appraisals are
>> just gravy.
> 
> OK, fine.  Some people like gravy.
>  
> 
>> Note that content consumption typically does not occur on servers --
>> certainly not on NetApp filers, for example -- and consumption
>> happens after control of the content has passed from the NFS client
>> implementation to the operating system. The file system is no longer
>> involved when appraisal actually occurs.
>> 
> I understand the current habit.  I want to know if there is a reason why it must be that way.

See the SAILER paper. That's how the architecture and the prototype
are designed: appraisal is separate from data storage. My sense is
that it must be this way because data storage is considered untrusted.


>> For IMA, NFS client and server implementations are simply links in the
>> chain between the content provider and content consumers. Validating an
>> integrity assertion on each link in that chain is OPTIONAL. The only
>> value added by the extra assertions is identifying at which link the
>> file content might have been corrupted.
> 
> This is one piece of value. 
> 
>> If you believe that it is the NFS server's job to avoid handing out
>> corrupted data, then your NFS server should perform appraisal before
>> it honors READ requests. That's a valid point of view. In the Linux
>> world, the NFS server does have an appraisal engine and policy that
>> is applied before data is served to NFS clients.
> 
> Kinda proves the point, no?

Which point? The proposal does not prevent server-side appraisal, but
neither does it fully define a mechanism to do it. I'm not sure what
you mean -- I think the document is actually agnostic on server-side
appraisal.


>> Eventually other NFS servers can have this too. Just not today, because
>> the Linux IMA appraisal metadata format is not yet standardized.
>> 
>> The NFS client implementation is not involved in appraisal either. This
>> is because the mechanism of appraisal is common to all file systems. It
>> would be foolish to have an appraisal mechanism in each file system
>> implementation, because they all do exactly the same thing.
> 
> You must be considering "all file systems" within a Linux box.  Clearly, my (e.g.) FreeBSD client isn't running the same code as your Linux box.

File system implementation - code that implements a particular on-disk
format

File system instance - an on-disk set of data laid out in a particular
recognized format

I'm saying that all file system implementations in an operating
system would share the same IMA appraiser module. Each operating
system would have its own implementation of an IMA appraiser.

Maybe we are agreeing here.


>> All I'm saying is that appraisal is separate from transporting and
>> storing IMA metadata. The question of whether a non-Linux system can
>> perform appraisal is valid, but orthogonal to whether IMA metadata can
>> get from point A to point B.
>> 
>> 
>> > The NFS wg may have previously allowed client-only attributes into the space of an NFS specification.  I don’t think that it’s right to do that here.  There are too many touch points for an integrity proof.
>> 
>> Again, I'm asking for just a narrow piece of the puzzle: transport. I
>> am not proposing a complete solution, because the transport is all
>> that is necessary for NFS, as a file storage system, to play in this
>> architecture. This is the case for every local file system.
> 
> And local file systems don't have to answer questions about whether metadata valid on one machine is valid also on another machine.  For instance, a particular UID value may mean something on machine X and mean something very different on machine Y.

UIDs are not involved. The example in the document shows HMACs signed
using private keys of global entities, not identities local to one
machine.

The architecture assumes that if an appraiser is to work, it needs
to have public keys that match private keys used to sign the HMACs.
Those public keys are supplied out of band. If they are not supplied,
then the appraiser cannot verify the signatures. Local policy
determines whether users are permitted to access a file's content in
that case.

[ at risk of being even more confusing, in a deployment of a single
air-gapped system, the public and private keys could be present there
and used for both signing HMACs and verifying them. That's not a
typical deployment scenario, however. ]

Does the document need to state explicitly that it assumes PK
infrastructure to manage these keys, perhaps?


> As far as I know, there is nothing suggesting that IMA's architecture doesn't share exactly the same kind of problem.  So that it would even be possible for one machine to evaluate an IMA block generated on another machine.

That's right: the matching public keys would be distributed to all the
systems that have appraisers. That's the same whether the IMA metadata
is stored in local file systems on each of those machines, or they all
mount the same NFS server that exposes IMA metadata.


> Or, for instance, whether the IMA architecture made similar implicit assumptions that IMA objects were not to be transported across some authentication domain boundaries, for example.

You've lost me here. Why would such an assumption be necessary? IMA
metadata is not private. If it needs to be private, it could be
encrypted as it is signed, I would think.

The only thing that the appraiser needs is a public key that matches
the signing key. Without that, it cannot verify the signature. I
suppose that lack of an appropriate public key might constitute an
authentication domain boundary.


> If NFS were to support Trip Wire or some other proprietary data
> integrity monitoring and appraisal system, would the nfsv4 WG have the
> same qualms about allocating a FATTR4 attribute for it?
> 
> Is Trip Wire a published mechanism for which answers to these kinds of questions were known? 

I'm asking what if the format was not public, but was widely used?

Is there some BCP or RFC somewhere that documents this restriction
against NFS supporting proprietary data formats in metadata?


--
Chuck Lever

v2.23.0 | Report a Bug | By Email