IETF Logo Mail Archive

Re: [nfsv4] Benjamin Kaduk's Discuss on draft-ietf-nfsv4-rpc-tls-09: (with DISCUSS and COMMENT)

Chuck Lever <chuck.lever@oracle.com> Thu, 08 October 2020 22:03 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C951C3A0EC5; Thu, 8 Oct 2020 15:03:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.297
X-Spam-Level:
X-Spam-Status: No, score=-3.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zpzsmb8QV7ST; Thu, 8 Oct 2020 15:03:22 -0700 (PDT)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 138883A0EA7; Thu, 8 Oct 2020 15:03:21 -0700 (PDT)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 098M0dMj180856; Thu, 8 Oct 2020 22:03:21 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=IYXBUXpDXTGTauu3HCDUEm/w3K4uPNasCsn6VAJPYCo=; b=YnIzmX62TWWdvUndFL4/NJwOtGLUFJBtO6p2d1JPeDYKdpGZPqsvc32fEhrYkLjp+EEU IovgaESXHPwX8o3FU9f0XTJXNStJ4bJ7lKXF68leG+ixhwYFxeQNWUi7jaaPVWmDV8NH Rpwt6yzg1gAwtIZovJAVTMdQMyBc6yjZVltVCMW9QctevVbp6g7fqc+eaz1I+Oi9U+Ik wWsYI8vRlldRLt5HtXHDuOd47wlwZ85PYIMjw2B+lgHyrBIMR5N/JNgLef29FrQhLUVd 1QoXQpo4klBT0l/9la0UhlLxvCAlynvqiGLmu3mR269M0BqQKsjw5LhMdvQvCyyJgudj 2Q==
Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by aserp2130.oracle.com with ESMTP id 3429jyghfm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 08 Oct 2020 22:03:20 +0000
Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 098LtOYR107810; Thu, 8 Oct 2020 22:03:20 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserp3030.oracle.com with ESMTP id 3429kk2q82-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 08 Oct 2020 22:03:20 +0000
Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 098M3IxJ028599; Thu, 8 Oct 2020 22:03:18 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 08 Oct 2020 15:03:18 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <160219416878.16580.9008177457237311659@ietfa.amsl.com>
Date: Thu, 08 Oct 2020 18:03:15 -0400
Cc: The IESG <iesg@ietf.org>, draft-ietf-nfsv4-rpc-tls@ietf.org, nfsv4-chairs <nfsv4-chairs@ietf.org>, nfsv4@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3CE0C224-5BE4-4070-8BBE-ABD77DDC48DD@oracle.com>
References: <160219416878.16580.9008177457237311659@ietfa.amsl.com>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9768 signatures=668681
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxlogscore=999 spamscore=0 adultscore=0 mlxscore=0 malwarescore=0 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2010080152
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9768 signatures=668681
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 priorityscore=1501 phishscore=0 suspectscore=0 clxscore=1015 mlxscore=0 lowpriorityscore=0 malwarescore=0 bulkscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2010080152
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/bBXNl9Qn742eGYJ4rTHxpvcujig>
Subject: Re: [nfsv4] Benjamin Kaduk's Discuss on draft-ietf-nfsv4-rpc-tls-09: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2020 22:03:24 -0000

Hi Ben-

I've browsed all your replies so far. Haven't seen anything
outlandish. Give me a few days to digest them thoroughly and
come up with appropriate replacement text.

Glad you are on the mend!



> On Oct 8, 2020, at 5:56 PM, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
> 
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-nfsv4-rpc-tls-09: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Thank you for the updates in the -09; they address all my previous Discuss points
> (from the -08).  Unfortunately, there is one more issue that was introduced in the
> update and will need to be resolved:
> 
> While I appreciate the efforts to find appropriate external specifications to
> reference, I do not believe that an id-kp-rpcTLSServer certificate
> is a Resource Certificate per RFC 6487 -- that specification deals with
> the RPKI (Resource PKI) used to authenticate IP address assignment, but
> the RPKI is an entirely separate PKI than the Internet PKI ("PKIX").  I
> think we should drop that sentence entirely.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> I also have a few non-discuss-level comments on the -09.
> 
> Section 5.1.2
> 
>   Sending a TLS Closure Alert terminates a DTLS session.  Because
>   neither DTLS nor UDP provide in-order delivery, after session closure
>   there can be ambiguity as to whether a datagram should be interpreted
>   as DTLS protected or not.  Therefore receivers MUST discard datagrams
>   exchanged using the same 5-tuple that just terminated the DTLS
>   session for 60 seconds.
> 
> The mandatory waiting period before reusing a 5-tuple is a fine
> mechanism for resolving the ambiguity.  However, I worry that
> prescribing the exact 60-second timeout is over-prescriptive, and it
> might be better to say something like "MUST discard [...] for a
> sufficient length of time to ensure that retransmissions have ceased and
> packets already in the network have been delivered.  In the absence of
> more specific data, a period of 60 seconds is expected to suffice."
> 
> Section 5.2.1.1
> 
>   The current document defines two new KeyPurposeId values: one that
>   identifies the RPC-over-TLS peer as an RPC client, and one that
>   identifies the RPC-over-TLS peer as an RPC server.  Additional
>   KeyPurposeId values related to RPC-over-TLS may be specified in
>   subsequent Standards Track documents.
> 
> Perhaps I am just forgetting a previous discussion, but I am not sure
> why this is apparently limited to Standards-Track documents -- the
> normal PKIX convention is that anyone can define whatever EKU they want
> and specify the semantics of it.
> 
> Section 7.1.2
> 
>   Appendix C of [RFC8446] discusses precautions that can mitigate
>   exposure during the exchange of connection handshake information and
>   TLS certificate material that might enable attackers to track the RPC
>   client.
> 
> I suggest adding another sentence at the end: "When PSK authentication
> is used, the PSK identifier is exposed during the TLS handshake, and can
> be used to track the RPC client."  I'm a bit surprised that this fact
> was not stated in the referenced appendix, but didn't find it there!
> 
> 
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

--
Chuck Lever

v2.23.0 | Report a Bug | By Email