Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)

David Noveck <davenoveck@gmail.com> Sat, 08 August 2020 23:31 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E64663A0A64; Sat, 8 Aug 2020 16:31:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5t9wpmZQgpxv; Sat, 8 Aug 2020 16:31:30 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A720A3A0A62; Sat, 8 Aug 2020 16:31:29 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id m22so5786424eje.10; Sat, 08 Aug 2020 16:31:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BQxjwTqZ/i4kP97xhXvC9WqwsWtMDcfxnYfHvcRdJY0=; b=eHBFZZxdhN/CQhV55Ij4eZyH3a/duBkzpnFFADL3v09QbpEvVdCX7qbShYakNF2poB 4X/ufdyV6Cw7esk/RSORibe8s6LhWL+QYbVgokc19jZAp065sy0q0YmCcGSG8dbgn6W/ uX1IwVyKznxAiH/tXcGH1q+KbqHZO97d/XS1ggq0WARFOFEgtpj5GaEB7azjeMY/6rCb +viN6Z5A9h8k5yb72GYZgYpA/F8nEOhvaK7gQLPWg41Yvc1nxaLKv3KI41AFIGBe7Aq2 OHIY20g/I8vjqYfdO6E0W8LPHt/wENzJC5lOISeZQxGLt1bxUBHVH5Ph3DcFfIDSmmGF CQsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BQxjwTqZ/i4kP97xhXvC9WqwsWtMDcfxnYfHvcRdJY0=; b=otzwTjK2sHh13pDD+m2djRAzxr9V9VK+aSql4gEt2SGeFYR4ODpBs2Uf/cAxKR3f2G cF6cnJy/geXoNs9IfQoNOYOowc5p6zOxak8S1avsqoByH5b2nD/V/bQdcV3DSUj0y/tj BYgyJRW82frjmZ7rdu9oojFpkYfG+32TBVb4x6d9l+xZnxTRgBaWB0qG8uVnTyBhLFXF 6N19g2mM/r4kKZ8paiWwhNJnNAOMjydt929Q4DDA/jrWnVH4XrtitYGbZLd9ZtJ25JRb NHiyaD07Vz5aXr5+WdVJdgPQHewMcMXEHkWE/rc3VccrAhUL89pc0/3XwX2AXPv/rTVo Ys/A==
X-Gm-Message-State: AOAM532l4fhPsgP1ebtXfNSN4EGOezItYoshEvlsCuCTqMdfWfadbGEH Fv9drQiR8zi77+KisNjJI+TlP2dOrUgyn7SQjDWxpw==
X-Google-Smtp-Source: ABdhPJwist6rgiTulNdPzSS2P2cRDTjwhr3e0Q7IrfbqxD4taAfnulM0uJHtSf1Z3utT5XtglsZbpMXHKCFArw77G5g=
X-Received: by 2002:a17:906:fad1:: with SMTP id lu17mr15275305ejb.127.1596929488190; Sat, 08 Aug 2020 16:31:28 -0700 (PDT)
MIME-Version: 1.0
References: <159409225571.12966.1097397622994927028@ietfa.amsl.com> <18B68FBF-34A1-4F8F-A0E3-4A88ABAAF900@oracle.com> <F9231574-4E6B-49F2-A752-085C5A58C561@oracle.com> <93A02493-3212-4474-994F-7345409D6499@oracle.com>
In-Reply-To: <93A02493-3212-4474-994F-7345409D6499@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Sat, 8 Aug 2020 19:31:17 -0400
Message-ID: <CADaq8jc+=Q65wif8w9g9g9-vkzfZqWHMG3xDuuZAfZ6NFhmE4A@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Roman Danyliw <rdd@cert.org>, draft-ietf-nfsv4-rpc-tls@ietf.org, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e001a905ac661e3e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/cCa-bIyTnmHSbBJ5vLuGYRc4qFg>
Subject: Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Aug 2020 23:31:32 -0000

On August 4th, Chuck Lever wrote:
> This review process has been waiting on your response for a month

Actually it was only 27 days then, since the messages that Chuck was
waiting for response to were only sent 7/7-8. Now that it has been a full
month, I think it is appropriate to look at where we are and how to  best
proceed on this review.

Considerable progress has been made on this document since IESG
Consideration began on 6/22. I'd like to thank everybody who participated
in moving this document toward being ready for RFC editing and subsequent
publication.   Clearly, we need to incorporate the many suggestions that
have been made in a new document revision.   However, I am afraid that, if
we continue as we have been,, we are facing an essentially unbounded delay
in moving this work forward.

Has anybody receiving this been in contact with Roman over the last month?
 I'm afraid he might be sick, in  which case we all wish him a speedy
recovery.   We haven't seen any out-of-the-office mail so he probably isn't
on vacation. I'd appreciate any info people have that bears on the question
of when we might expect a  response.  In any case, given the history so
far, it doesn't seem very likely that we will see a quick resolution of
this.

Chuck has, for understandable reasons, been reluctant to start on the
remaining DISCUSS (which is Ben K.'s, I believe) untIl we see closure
on the current one.   However, given the ongoing delay in receiving Roman's
response, I think it would be best if we moved on without waiting for a
response from Roman himself.   It would be helpful if the IESG as a whole
could look at Chuck's response to Roman's DISCUSS and COMMENTs and point
out any problems.   This would be especially important in the case of those
who supported Roman's DISCUSS (Ben K. at least). This might allow Chuck an
opportunity to deal with any issues/gaps that people see and allow him to
move on to deal with the final DISCUSS holding this up.

This will provide some additional time for Roman to get into contact,
without holding up the process waiting.   If he is able to get into
contact, he can make his own judgement about the adequacy of Chuck's
response.  Then, if the delay continues indefinitely, the IESG could
consider necessary administrative steps to allow the document to go forward
in the absence of Roman's participation.

On Tue, Aug 4, 2020 at 8:59 AM Chuck Lever <chuck.lever@oracle.com> wrote:

> Hi Roman-
>
> This review process has been waiting on your response for a month.
>
>
> > On Jul 20, 2020, at 8:32 AM, Chuck Lever <chuck.lever@oracle.com> wrote:
> >
> > Hi Roman-
> >
> > I haven't heard any response on these items. Is there something more
> > you need from me?
> >
> >
> >> On Jul 7, 2020, at 11:15 AM, Chuck Lever <chuck.lever@oracle.com>
> wrote:
> >>
> >> Hi Roman-
> >>
> >> Thanks for your review and comments. If I may, I'd like to handle
> >> the DISCUSS first, and then respond to the COMMENTs in a separate
> >> reply.
> >>
> >>
> >>> On Jul 6, 2020, at 11:24 PM, Roman Danyliw via Datatracker <
> noreply@ietf.org> wrote:
> >>>
> >>> Roman Danyliw has entered the following ballot position for
> >>> draft-ietf-nfsv4-rpc-tls-08: Discuss
> >>>
> >>> ----------------------------------------------------------------------
> >>> DISCUSS:
> >>> ----------------------------------------------------------------------
> >>>
> >>> ** Despite Section 5.0 stating that only TLS v1.3+ can be used, there
> are two
> >>> references to TLS v1.2 mechanisms:
> >>
> >> Good catch!
> >>
> >>
> >>> -- Section 5.0. Per “Implementations MUST support certificate-based
> mutual
> >>> authentication.  Support for TLS-PSK mutual authentication [RFC4279] is
> >>> OPTIONAL”.  Shouldn’t Section 2.2.2 or 4.2.11 of RFC8446 be used
> instead?
> >>
> >> In fact Section 5.2.3 already cites RFC8446 Section 2.2. I propose
> changing
> >> Section 5.0 as follows:
> >>
> >> OLD:
> >>
> >>  *  Implementations MUST support certificate-based mutual
> >>     authentication.  Support for TLS-PSK mutual authentication
> >>     [RFC4279] is OPTIONAL.  See Section 4.2 for further details.
> >>
> >> NEW:
> >>
> >>  *  Implementations MUST support certificate-based mutual
> >>     authentication.  Support for PSK mutual authentication is
> >>     OPTIONAL; see Section 5.2.3 for further details.
> >>
> >>
> >>> -- Section 5.2.4.  The token binding mechanism suggested here,
> RFC8471, only
> >>> applies to TLS v1.2.  The expired draft-ietf-tokbind-tls13 provides
> the TLS
> >>> v1.3 mechanism.
> >>
> >> Potential replacement:
> >>
> >> OLD:
> >>
> >> 5.2.4.  Token Binding
> >>
> >>  This mechanism is OPTIONAL to implement.  In this mode, a token
> >>  uniquely identifies the RPC peer.
> >>
> >>  Versions of TLS after TLS 1.2 contain a token binding mechanism that
> >>  is more secure than using certificates.  This mechanism is detailed
> >>  in [RFC8471].
> >>
> >> NEW:
> >>
> >> 5.2.4.  Token Binding
> >>
> >>  This mechanism is OPTIONAL to implement.  In this mode, a token
> >>  uniquely identifies the RPC peer.  The TLSv1.3 token binding
> >>  mechanism is detailed in [I-D.ietf-tokbind-tls13].
> >>
> >>
> >> Another option would be to remove this section.
> >>
> >>
> >>> ** Section 7.4.  Per “When using AUTH_NULL or AUTH_SYS, both peers are
> required
> >>> to have DNS TLSA records and certificate material …”, what is
> “certificate
> >>> materials”?  Can this guidance please be clarified (and perhaps
> related to the
> >>> options specified in Section 5.2).
> >>
> >> Potential replacement:
> >>
> >> OLD:
> >>
> >>  *  When using AUTH_NULL or AUTH_SYS, both peers are required to have
> >>     DNS TLSA records and certificate material, and a policy that
> >>     requires mutual peer authentication and rejection of a connection
> >>     when host authentication fails.
> >>
> >> NEW:
> >>
> >>  *  When using AUTH_NULL or AUTH_SYS, both peers are required to have
> >>     DNS TLSA records, keys with which to perform mutual peer
> >>     authentication using one of the methods described in Section 5.2,
> >>     and a security policy that requires mutual peer authentication and
> >>     rejection of a connection when host authentication fails.
> >
> > --
> > Chuck Lever
> >
> >
> >
>
> --
> Chuck Lever
>
>
>
>