Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
Chuck Lever <chuck.lever@oracle.com> Fri, 10 April 2020 15:00 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC0AF3A0AAA for <nfsv4@ietfa.amsl.com>; Fri, 10 Apr 2020 08:00:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.266
X-Spam-Level:
X-Spam-Status: No, score=-2.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.168, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEyPSFhRftxB for <nfsv4@ietfa.amsl.com>; Fri, 10 Apr 2020 08:00:29 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A80FA3A0C09 for <nfsv4@ietf.org>; Fri, 10 Apr 2020 08:00:29 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03AErdD9011191; Fri, 10 Apr 2020 15:00:28 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=corp-2020-01-29; bh=BJQVeSvuM5XMTsHRf4Gi/6MEq1amvW1m14zLMjzCDjg=; b=uMTJIb/b61o4I4QasJeWTQQoIVJZdDS6cvBwciJZvyj6rIFdH1/CT329mu9AEVVRPAOf IX79EQEMXq/AHFfZovlYdnvjtP9lW8YSGX/IbQ8GTwzvMo9UX3odFs/AqBJyZf8pYheE oWxDvodJpFiunRSKi6mVZ/0ELkqtnGIMZo5RVkUCRfNBcLXKvzGhLNOKFza407G8sV/W sjwmAm31XB01UxBcAMLu6znNV5g9Rjx8URTJ46HiNqs6SLhOo92Aq+zjBlTSrmx7y1yn VaC3xJR+qjPnACq0s0D3r/yCk5M28mLnvJrgO06n3z4YMsqkKBQVD2uL/M8mIgucTD2i 8g==
Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by userp2120.oracle.com with ESMTP id 309gw4jn6t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 10 Apr 2020 15:00:27 +0000
Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03AEqqcN163392; Fri, 10 Apr 2020 15:00:27 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserp3030.oracle.com with ESMTP id 309ag7v5mq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 10 Apr 2020 15:00:26 +0000
Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 03AF0PGR024455; Fri, 10 Apr 2020 15:00:25 GMT
Received: from anon-dhcp-153.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 10 Apr 2020 08:00:21 -0700
From: Chuck Lever <chuck.lever@oracle.com>
Message-Id: <179D2287-D3E9-4B92-924B-82A14D0AD8C9@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7CCBFC88-B3AC-44D5-ACC6-1D8EB0A8E67E"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 10 Apr 2020 11:00:20 -0400
In-Reply-To: <CADaq8jcVe=g2Sao_X+tsQowm=Lus3dv=wbqiK4gc3k6ejdXEOA@mail.gmail.com>
Cc: NFSv4 <nfsv4@ietf.org>
To: David Noveck <davenoveck@gmail.com>
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <FA2D661E-A787-4772-8F9D-A7594AE82F38@oracle.com> <CADaq8jcVe=g2Sao_X+tsQowm=Lus3dv=wbqiK4gc3k6ejdXEOA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9587 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 spamscore=0 malwarescore=0 phishscore=0 mlxscore=0 bulkscore=0 mlxlogscore=999 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004100125
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9587 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 bulkscore=0 phishscore=0 lowpriorityscore=0 impostorscore=0 clxscore=1015 suspectscore=0 malwarescore=0 spamscore=0 mlxlogscore=999 mlxscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004100125
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/bdjrnGIBfZsCxdR-4D6gboDNaYs>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2020 15:00:32 -0000
> On Apr 10, 2020, at 8:40 AM, David Noveck <davenoveck@gmail.com> wrote: > > > > On Thu, Apr 9, 2020, 3:28 PM Chuck Lever <chuck.lever@oracle.com <mailto:chuck.lever@oracle.com>> wrote: > > > On Apr 1, 2020, at 4:27 AM, Magnus Westerlund <magnus.westerlund@ericsson.com <mailto:magnus.westerlund@ericsson.com>> wrote: > > > > 8. Section 5.1.2: > > > > As soon as a client > > initializes a socket for use with an unfamiliar server, it uses the > > mechanism described in Section 4.1 to discover DTLS support and then > > negotiate a DTLS session. > > > > So first of all is the usage of TLS for TCP completely separate from using DTLS over UDP? > > It seems that that was Chuck's intention and was the way I have been reading the spec. However, it is not explicitly stated right now and does need to be clarified as part of the response to Magnus's review. > > So having determined TLS support for TCP does not indicate the same for UDP? > > I would hope not. Ad a practical matter, there are many servers that would not be all > interested in implementing DTLS, given that UDP is not allowed by NFSv4. Tying this > to TLS support would haveth effect of increasing the effort to provide support without > correspondingly increasing the benefit. > > Even though we cleary don't have consensus on the TCP-connection-sharing, we might > well have consensus on this. > > And is it in any cases possible to skip the initial RPC null request with AUTH_TLS authentication and go directly to negotiate TLS after support has been determined with a server? > > rpc-tls does not discuss this a possibility. On the other hand it does not forbid it either. > Addressing this whole area is part of the needed clarification. > > rpc-tls is written assuming opportunistic TLS access is the only means > of RPC-TLS access but it never states that explicitly. As a result, Magnus, > quite reasonably, asks whether there are cases in which opportnistic acces > might be used as an information-gathering mechasnism to support non- > opportunistic TLS access. > > There seems to be a high-order bit here that rpc-tls does not currently > address. Leaving it unaddressed could introduce significant > interoperability issues. > > I don't think that's the high order bit but I agree it does need to be resolved :-( > > Our new STARTTLS RPC NULL probe carries an RPC program. > > It does. > > Does a successful > probe mean that the RPC server supports TLS for every RPC program on that > that host? on that port? Or just for the program used in the probe? I think > it means TLS can be used only with the RPC program used in that probe, > > While I read things that way, I'm not committed to that reading. Given the lack > of consensus on that point, I want to understand how important that > reading is to you. At this point I'm simply trying to align my understanding and the text in rpc-tls with the WG's consensus. So, I'm not strongly advocating this interpretation. Think of it, I guess, as a strawman. > and only for the lifetime of that connection. (ie each connection has to > do the probe). > > I think that part is the high-order bit. Yes, probably so. > I'm hoping we might be able to get > consensus on that since I feel that changing that might be more disruptive > than restrictions on the program used which run into the contentious > connection-sharing issue. > > Since the STARTTLS RPC NULL probe is always done in clear-text, that means > a second probe cannot be done once a TLS session has been established on > a connection. > > Right. > > (A separate connection must be established to initiate a > second TLS session). > > That's not made clear in rpc-rls but I hope that everyone is OK with that > being made explicit. IMO rpc-tls should be updated to make it clear. However, it needs to be made clear in a way that does not preclude the possibility of having multiple sessions per connection in a future RPC-on-TLS iteration. > Therefore with RPC-on-TLS we do not allow multiple RPC programs to share > a TLS session. > > What is the justification for the "therefore"? See my response to Trond: it was a thought experiment that reached this conclusion. > Although we may reasonably conclude that a successful STARTTLS indicates > that you do may support for the specified program and version, I don't see that > you are forced to conclude that no other program is supported. I read it that > way because the connection sharing case isn't important to me, but, since it appears > that we can't reach consensus on that, we might want to consider whether being > more relaxed on that point is a viable path forward. Using the existing PROG_UNAVAIL accept status seems appropriate to enable clients to work through this issue. I proposed some new text in my response to Trond that leads in that direction. > And we do not allow multiple RPC-on-TLS sessions per TCP > connection. > > Yes. > > For DTLS, the STARTTLS probe has to be done for each RPC program on each > server. Only that one RPC program can use the established DTLS session. > > I hope we can achieve consensus on that. > > This means RPC-on-TLS robs us of some TCP connection sharing opportunities. > > I don't feel robbed, but it appears some people do :-( > > Is there consensus on this, > > I appears not. > > or should these design points be revisited? > > Not all of them, I would hope we can disturb as few decisions already made as possible. That is my hope too. -- Chuck Lever
- [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Rick Macklem
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Benjamin Kaduk
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Benjamin Kaduk
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Benjamin Kaduk
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Faibish.Sorin
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever