IETF Logo Mail Archive

Re: [nfsv4] NFS over TLS for laptops

Rick Macklem <rmacklem@uoguelph.ca> Sat, 02 January 2021 00:28 UTC

Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41D223A0E7F for <nfsv4@ietfa.amsl.com>; Fri, 1 Jan 2021 16:28:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uoguelph.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l3FqbAh_0ZKA for <nfsv4@ietfa.amsl.com>; Fri, 1 Jan 2021 16:28:06 -0800 (PST)
Received: from CAN01-QB1-obe.outbound.protection.outlook.com (mail-eopbgr660070.outbound.protection.outlook.com [40.107.66.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 595933A0E7E for <nfsv4@ietf.org>; Fri, 1 Jan 2021 16:28:06 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RY/Sn0+19qsCj75kBpV23oN98e1R0fv4oV8UIv4o8lkwcWOiRtBUaxa09XyAVfbOHN0BJWmUGgJtqB+dKkgEHpuNw7KFlf8SQasYyd2O3sj4PqRz+8tDFC8sabbgMVtP+rswWgvz76TQe+4bvQ+34cvxDFP86M1bbRe/w/jbXWm2krTqtZ3qhEAZuSCYTk5Dl04G8tfoCoNeucZbqjWJ7QfWtP9WtTYL/4FmD73j33l7qD2CZdWTTro2I3UF2dtRteQkjvkKOurhxsUcFA4y/bmRru6g/yfRHrJZNgErCYK2obc0fYdPe7AYgtZeRyqJa2BX1SE3Z6IBe9o9k5Eqng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mst+T2zgEuzYE7NGf/eaaQegoWVCzVOUfD2YuCA7SdU=; b=oK9T4xifx5DFl46EWPS2bQDjqvfu5yU+fG0Kd5WuG/3LLG30LV+fT2nT5tko9pDtf/FYukbTgpA/ZaZh8wgxGO3gcJuLIFiJUo/Gv6ylSFfXtS9p059Qf07m2OaQUGVhqtiVUeJqcVmPAptmaNcTF3hVOQSFGjnkkpnrWP3bLqAng5snp7hYIpPts4WBv2ZE2Udhco63RVVL324uBNDl2KakLY6RsHqLpE0Xsw6xRnY2mH1/SeFt6vElkMfuPWFz63O/MTeyLr8VW1+x6HJMM2oizvLnTDIEFpGS2C55eotBtDyaMymqyWewIURnV4o3m654JP3JBeEPnotdJ14HKw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uoguelph.ca; dmarc=pass action=none header.from=uoguelph.ca; dkim=pass header.d=uoguelph.ca; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uoguelph.ca; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mst+T2zgEuzYE7NGf/eaaQegoWVCzVOUfD2YuCA7SdU=; b=X1h1Y9ROkDPyNkQQpm6fgirMBwazAs4/mFZrW+c7wr6PlOQeqbQ9NoLd49ZgLkYSjJ/iv7IYpmlNrnyNkKJc5ywHnDLIaZd01tl2IN00WusCUA6ZHlrf3rNdKg9LQfb3SkpXvHp+gQHpzvJxYxxrx9uRW9OYV7+DKTyIaxOp+tHbHzdtPGrR+WNRPSU+Qm823BNH64Jo2/EduFRzfG/C9JoIV0sm14mNJfvVslEpropEcwZKVPNXIxkofK5rrLLvEuqKhGZD4QzdXR5bPInnbTHg8EPfX/zBK0w5XriKCsP6itgCwQGEwaYDoQTIcESRC/LFcc/Ga1D4Lr4Ju+Rs4A==
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:19::29) by YQXPR01MB3046.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:47::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3721.19; Sat, 2 Jan 2021 00:27:59 +0000
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::3d86:c7f9:bc4c:40c0]) by YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::3d86:c7f9:bc4c:40c0%6]) with mapi id 15.20.3721.023; Sat, 2 Jan 2021 00:27:59 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Chuck Lever <chuck.lever@oracle.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] NFS over TLS for laptops
Thread-Index: AQHW0NppAc3uZqIjgEq2ArIQwELbLqn2yyYAgACS67yAAO+9eYAAHOsAgAN9YtuAAviagIAAMFYUgAGN13OAATNIAIADjnFRgAkAewCAACjPgIABYW2AgAGUuQqAAOSEAIABMIxx
Date: Sat, 02 Jan 2021 00:27:59 +0000
Message-ID: <YQXPR0101MB09684118744ED0EA876DCE02DDD40@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <YQXPR0101MB09680BC1A27265F81C5B5671DDC40@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <DEBCFB38-9A1A-43BB-A8DF-0C64792AF30F@oracle.com> <YQXPR0101MB09689564C0543291E25FB274DDC20@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB09687759005C97725CFC1AFCDDC10@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <13B0E10F-0E40-47AC-A6E3-495DF578DCAB@oracle.com> <YQXPR0101MB0968D1AB5DC7A55DE4E5F404DDDE0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <1113F47A-BDA1-4C34-95B4-1EB8076BA071@oracle.com> <20201229190707.GB89068@kduck.mit.edu> <0D8595B7-4636-4E6A-A5C1-E0FE85D820D0@oracle.com> <YQXPR0101MB096833395FEE6E63590BE7B5DDD60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>, <20210101055832.GK93151@kduck.mit.edu>
In-Reply-To: <20210101055832.GK93151@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=uoguelph.ca;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7e1d5195-be80-4f92-bc5e-08d8aeb54243
x-ms-traffictypediagnostic: YQXPR01MB3046:
x-microsoft-antispam-prvs: <YQXPR01MB3046D19A0E732EC0F089F591DDD40@YQXPR01MB3046.CANPRD01.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5eJjlxwuqPzaMfjniItv4MSOi8LlOmog/wDc4aDqnjebpER11vv/M18XIqYDpnZvBzEHLu03Mnw9/FfhLX8kZ5+MUbgHr3/8NE0k2rOcn6BOwwpTbJsFSajI3R37Y/PLqwW3hLpyzEAi6F9F2JWD0OpmiTSyteu3CAfyIxudSeiTarAa73EEz7jtCt+HNtw8t2MojbY+Cd2VcaQSKp1nDVDlB9l+o1iWqR6GB8oAKcnCjA1xTrtW3OI/rdcizkwa0h25ORWwLuZjHdyuS/lgYbnxDAhivO0nc5zd3fYbBKc1wQWGcabtp2iWeEnyQQev2DNDTqsf2hR0TQxcw/s1KEyeOLEAYxUWA5AYNPIgG9gGHtpyq4N09aMl6eQiSVDNjTYqOjvLDrian3xWP5+QpQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(346002)(366004)(396003)(39850400004)(376002)(136003)(54906003)(786003)(316002)(2906002)(8676002)(33656002)(5660300002)(7696005)(8936002)(52536014)(6916009)(83380400001)(86362001)(91956017)(66946007)(66556008)(66476007)(64756008)(76116006)(66446008)(478600001)(6506007)(26005)(4326008)(9686003)(55016002)(71200400001)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Hr+bZtrmv6hwVDkjE41mK34xwWvI8kjToob0VwBmZrocaT73SUZ95qK2E1UuZ8QaG2RMa/4c9wdrjWQFJLibaPFKuFAT+AqUUOhBIdB8YUbYvbQaaAhmLnCs13VmDQVvM0Ee3IsOXPAwABmOZMhjZrkLZhv4iYT9detcfT4R6P4bXCW3YYI3z0hwBXPnEB00KytdCILSKVURR+kDdpchSjo85sNmrmgjh8e6nIdpUgntOhayk97sdaS0Uuvl7YpQ7OLbaP2URrNosnwbVGjixk+LgUg0b1oDYEqQ6i61+lmsVYOP9nNyw6/jRnYyQwaeYYV2GIdfBQlQaSAEc3jYRddQ5Nh6luw/uDozZiBAfhdzCRpb3LzH1JcAH3mE1N+BBrQ64/IesvyJr7JmdUWk+uMNiNbI0UpqNOMd4CD2Zd+saeGCE6zTvqah4Qdh7CT/6RhmlVv8Mp+h5+iSiGXBsz4Q8S/n+eVPLG7NAGIVdwHO3kKNKztyrXHGPBihZ3NBsdJV8+s3BKfpoJXrKAaerThpSfe0rAylUe7U+oAGpKT2+Xqc/2YShRnfdTxwB3bri7MfPn7iTuIFRELbIjW0B3tMfpqu2zcDo6IwDQSphoitoVE8ZhbG5vWb94/J792Np0Fm7NM7tQmuacGDee906z1BMa+USk5aKKCPS2yxqmWwrg2IOExck334XBG4p/IaIOA3ywk3UDWIwazOq9ht51MfZkR7thD0W4rRRxcYTPanDS+i1nvPnph/tL7oxai1Fr7TMbPfizj/bMAn42Ul+RteJWvPr3n5A8n1Zx3A0USapzJXY5o04WSM98VheG3k06HoCQ6gcOkp8iP4RsdwRLl+N17+14Ct3M9/tZgc1u7sOdAtIXjodsT1gYZswcQw3XTVXvSanC94/b4WyzspMnQjYougwWVZ3xSo8pT5+r9uiXm2P9EMt9zzEHH4t8qvQzzUYLbzL5DzUkB8pdxZPqRq7IootHOuJODcu/Y12PY=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 7e1d5195-be80-4f92-bc5e-08d8aeb54243
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jan 2021 00:27:59.6094 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: wFygu1QA+MQtbJK9F7WfTV414cPDYJEoLwDeCsq3/m5mZNTXToX/scNp0KmYH3BjqKpK/bOXM4KdUN0f/JT5KQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YQXPR01MB3046
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/BwsoY5DC1QMQTvlmiwONuFIZ5uc>
Subject: Re: [nfsv4] NFS over TLS for laptops
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Jan 2021 00:28:08 -0000

>From: Benjamin Kaduk <kaduk@mit.edu> wrote:
>On Thu, Dec 31, 2020 at 04:53:04PM +0000, Rick Macklem wrote:
>> Chuck Lever wrote:
>> > Ben Kaduk wrote:
>> >>
>> >> I suspect that we can find a compromise position, yes.
>> >> The certificate still authenticates the client (not the user), and the
>> >> client uses AUTH_SYS to claim what user is performing operations.  But the
>> >> server uses the client's authenticated identity to restrict, by policy,
>> >> what user identities the client is allowed to claim via AUTH_SYS.  In the
>> >> degenerate case there is an otherName in the certificate that corresponds
>> >> to a single user and the client can only claim that one user, which looks
>> >> very similar to just authenticating the user, but we can say that the
>> >> relevant policy logic is located in the server as part of its internal
>> >> implementation choices.
>> >
>> >An NFS client might send legitimate operations as UID 0 too
>> >(e.g., lease management). Those cannot be rejected. Perhaps
>> >we need to specify that the client has to perform _all_
>> >operations as the squashed user.
>> Yes. I agree with this.
>> My current implementation simply ignores the AUTH_SYS RPC
>> credential when TLS squashing is enabled.
>
>Hmm, that may not be as robust as you want, since a certificate is allowed
>to have more than one SAN of any given type.  I think that if we do write
>up something like this we should be sure to define behavior when multiple
>names are present in the certificate.
Good point. I assumed there would only be one "user@domain" entry.
I can see a couple of alternatives for this:
1 - Only allow one and reply AUTH_ERR if there is more than one.
2 - Allow more than one, but require that they all have different
  "domain" fields. The server would use the one for the "domain"
  that the server supports. The NFS server would reply AUTH_ERR
  if none of the domain names match one the server supports.
  If the server supports more than one of the domains in the set
  of names, it could be required that the server reply AUTH_ERR
  or leave it up to the server implementor?
  This would allow the certificate to work for multiple NFS servers
  with different username domains.
Personally, I prefer #2.

As an aside, I think that an NFSv4 server can support multiple
username domains. However I am not aware of any NFSv4 server
implementations that handle more than one username domain
in Owner and Owner_Group names at this time.
Are there any?

rick

-Ben

v2.23.0 | Report a Bug | By Email