Re: [nfsv4] Benjamin Kaduk's Discuss on draft-ietf-nfsv4-rpc-tls-09: (with DISCUSS and COMMENT)
Chuck Lever <chuck.lever@oracle.com> Thu, 08 October 2020 22:03 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C951C3A0EC5; Thu, 8 Oct 2020 15:03:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.297
X-Spam-Level:
X-Spam-Status: No, score=-3.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zpzsmb8QV7ST; Thu, 8 Oct 2020 15:03:22 -0700 (PDT)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 138883A0EA7; Thu, 8 Oct 2020 15:03:21 -0700 (PDT)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 098M0dMj180856; Thu, 8 Oct 2020 22:03:21 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=IYXBUXpDXTGTauu3HCDUEm/w3K4uPNasCsn6VAJPYCo=; b=YnIzmX62TWWdvUndFL4/NJwOtGLUFJBtO6p2d1JPeDYKdpGZPqsvc32fEhrYkLjp+EEU IovgaESXHPwX8o3FU9f0XTJXNStJ4bJ7lKXF68leG+ixhwYFxeQNWUi7jaaPVWmDV8NH Rpwt6yzg1gAwtIZovJAVTMdQMyBc6yjZVltVCMW9QctevVbp6g7fqc+eaz1I+Oi9U+Ik wWsYI8vRlldRLt5HtXHDuOd47wlwZ85PYIMjw2B+lgHyrBIMR5N/JNgLef29FrQhLUVd 1QoXQpo4klBT0l/9la0UhlLxvCAlynvqiGLmu3mR269M0BqQKsjw5LhMdvQvCyyJgudj 2Q==
Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by aserp2130.oracle.com with ESMTP id 3429jyghfm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 08 Oct 2020 22:03:20 +0000
Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 098LtOYR107810; Thu, 8 Oct 2020 22:03:20 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserp3030.oracle.com with ESMTP id 3429kk2q82-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 08 Oct 2020 22:03:20 +0000
Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 098M3IxJ028599; Thu, 8 Oct 2020 22:03:18 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 08 Oct 2020 15:03:18 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <160219416878.16580.9008177457237311659@ietfa.amsl.com>
Date: Thu, 08 Oct 2020 18:03:15 -0400
Cc: The IESG <iesg@ietf.org>, draft-ietf-nfsv4-rpc-tls@ietf.org, nfsv4-chairs <nfsv4-chairs@ietf.org>, nfsv4@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3CE0C224-5BE4-4070-8BBE-ABD77DDC48DD@oracle.com>
References: <160219416878.16580.9008177457237311659@ietfa.amsl.com>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9768 signatures=668681
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxlogscore=999 spamscore=0 adultscore=0 mlxscore=0 malwarescore=0 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2010080152
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9768 signatures=668681
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 priorityscore=1501 phishscore=0 suspectscore=0 clxscore=1015 mlxscore=0 lowpriorityscore=0 malwarescore=0 bulkscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2010080152
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/bBXNl9Qn742eGYJ4rTHxpvcujig>
Subject: Re: [nfsv4] Benjamin Kaduk's Discuss on draft-ietf-nfsv4-rpc-tls-09: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2020 22:03:24 -0000
Hi Ben- I've browsed all your replies so far. Haven't seen anything outlandish. Give me a few days to digest them thoroughly and come up with appropriate replacement text. Glad you are on the mend! > On Oct 8, 2020, at 5:56 PM, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-nfsv4-rpc-tls-09: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Thank you for the updates in the -09; they address all my previous Discuss points > (from the -08). Unfortunately, there is one more issue that was introduced in the > update and will need to be resolved: > > While I appreciate the efforts to find appropriate external specifications to > reference, I do not believe that an id-kp-rpcTLSServer certificate > is a Resource Certificate per RFC 6487 -- that specification deals with > the RPKI (Resource PKI) used to authenticate IP address assignment, but > the RPKI is an entirely separate PKI than the Internet PKI ("PKIX"). I > think we should drop that sentence entirely. > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I also have a few non-discuss-level comments on the -09. > > Section 5.1.2 > > Sending a TLS Closure Alert terminates a DTLS session. Because > neither DTLS nor UDP provide in-order delivery, after session closure > there can be ambiguity as to whether a datagram should be interpreted > as DTLS protected or not. Therefore receivers MUST discard datagrams > exchanged using the same 5-tuple that just terminated the DTLS > session for 60 seconds. > > The mandatory waiting period before reusing a 5-tuple is a fine > mechanism for resolving the ambiguity. However, I worry that > prescribing the exact 60-second timeout is over-prescriptive, and it > might be better to say something like "MUST discard [...] for a > sufficient length of time to ensure that retransmissions have ceased and > packets already in the network have been delivered. In the absence of > more specific data, a period of 60 seconds is expected to suffice." > > Section 5.2.1.1 > > The current document defines two new KeyPurposeId values: one that > identifies the RPC-over-TLS peer as an RPC client, and one that > identifies the RPC-over-TLS peer as an RPC server. Additional > KeyPurposeId values related to RPC-over-TLS may be specified in > subsequent Standards Track documents. > > Perhaps I am just forgetting a previous discussion, but I am not sure > why this is apparently limited to Standards-Track documents -- the > normal PKIX convention is that anyone can define whatever EKU they want > and specify the semantics of it. > > Section 7.1.2 > > Appendix C of [RFC8446] discusses precautions that can mitigate > exposure during the exchange of connection handshake information and > TLS certificate material that might enable attackers to track the RPC > client. > > I suggest adding another sentence at the end: "When PSK authentication > is used, the PSK identifier is exposed during the TLS handshake, and can > be used to track the RPC client." I'm a bit surprised that this fact > was not stated in the referenced appendix, but didn't find it there! > > > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 -- Chuck Lever
- [nfsv4] Benjamin Kaduk's Discuss on draft-ietf-nf… Benjamin Kaduk via Datatracker
- Re: [nfsv4] Benjamin Kaduk's Discuss on draft-iet… Chuck Lever
- Re: [nfsv4] Benjamin Kaduk's Discuss on draft-iet… Chuck Lever
- Re: [nfsv4] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [nfsv4] Benjamin Kaduk's Discuss on draft-iet… Chuck Lever
- Re: [nfsv4] Benjamin Kaduk's Discuss on draft-iet… Chuck Lever
- Re: [nfsv4] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [nfsv4] Benjamin Kaduk's Discuss on draft-iet… David Noveck
- Re: [nfsv4] Benjamin Kaduk's Discuss on draft-iet… Chuck Lever