[nfsv4] Comments on draft-ietf-nfsv4-rpcsec-gss-v2-00
Nicolas Williams <Nicolas.Williams@sun.com> Wed, 20 February 2008 20:24 UTC
Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: ietfarch-nfsv4-archive@core3.amsl.com
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4C93728C91F; Wed, 20 Feb 2008 12:24:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.793
X-Spam-Level:
X-Spam-Status: No, score=-0.793 tagged_above=-999 required=5 tests=[AWL=-0.356, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hv5m4gml6qQ2; Wed, 20 Feb 2008 12:24:11 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A4A828C24D; Wed, 20 Feb 2008 12:24:11 -0800 (PST)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D8483A68A3 for <nfsv4@core3.amsl.com>; Wed, 20 Feb 2008 12:24:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RB5s+PvQMR73 for <nfsv4@core3.amsl.com>; Wed, 20 Feb 2008 12:24:08 -0800 (PST)
Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by core3.amsl.com (Postfix) with ESMTP id 990EF28C9B6 for <nfsv4@ietf.org>; Wed, 20 Feb 2008 12:24:04 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id m1KKO1Ol012584 for <nfsv4@ietf.org>; Wed, 20 Feb 2008 20:24:01 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id m1KKO0BQ042876 for <nfsv4@ietf.org>; Wed, 20 Feb 2008 13:24:00 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m1KKNv0N015518 for <nfsv4@ietf.org>; Wed, 20 Feb 2008 14:23:57 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m1KKNvBA015517 for nfsv4@ietf.org; Wed, 20 Feb 2008 14:23:57 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Wed, 20 Feb 2008 14:23:57 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: nfsv4@ietf.org
Message-ID: <20080220202356.GQ14350@Sun.COM>
Mail-Followup-To: nfsv4@ietf.org
References: <20080219051501.6715C3A689D@core3.amsl.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20080219051501.6715C3A689D@core3.amsl.com>
User-Agent: Mutt/1.5.7i
Subject: [nfsv4] Comments on draft-ietf-nfsv4-rpcsec-gss-v2-00
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org
- Please add a reference to RFC5056
- Section 2 discusses what RFC5056 calls "unique channel bindings."
There's another kind, "end-point channel bindings" that IPsec is
likely to provide instead of unique channel bindings.
Quoting text from RFC5056 to describe channel binding might be more
appropriate.
- Instead of:
struct rpc_gss_chan_bind_input {
unsigned int rgcbi_seq_num;
opaque rgcbi_chan_bindings<>;
};
struct rpc_gss_bind_channel_arg {
int rgbca_chan_bind_type;
opaque rgbca_MIC_hdr<>;
opaque rgbca_MIC_chan_bindings<>;
};
I propose this:
struct rpc_gss_chan_bind_input {
opaque rgbca_chan_bind_prefix;
opaque rgcbi_chan_bindings<>;
opaque rgbca_hdr<>;
unsigned int rgcbi_seq_num;
};
struct rpc_gss_bind_channel_arg {
opaque rgbca_MIC_chan_bindings<>;
};
and similarly for rpc_gss_bind_channel_res.
I.e., make the RPC header and sequence number, and the channel
binding type (or, rather, "prefix") part of the input to a single
getMIC() call for the request, and similarly for the reply (instead
of two getMIC()s).
- As implied above, there's a registry of channel binding types that
includes a "prefix" that should be included in the channel binding
operation. See section 7 of RFC5056.
- How is v1 vs. v2 negotiated?
In the case of NFSv4 the answer is simple: the new rpc_gss_service_t
value allows this to be negotiated via SECINFO/WRONGSEC.
But in general, what should happen if a server that supports only
RPCSEC_GSS_VERS_1 receives a RPCSEC_GSS_VERS_2?
Is it possible that it may respond with silence or by closing the
connection? I hope not.
- Section 3.3. AUTH_NONE cannot be the right answer here! We need to
use an RPCSEC_GSS context handle so we can identify the client
principal of a given RPC request -- we just don't need to
authenticate that handle via a getMIC()/verifyMIC() because we have
the protection of the underlying channel.
Nico
--
_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
http://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] I-D Action:draft-ietf-nfsv4-rpcsec-gss-v2… Internet-Drafts
- [nfsv4] Comments on draft-ietf-nfsv4-rpcsec-gss-v… Nicolas Williams
- Re: [nfsv4] Comments on draft-ietf-nfsv4-rpcsec-g… Mike Eisler