Re: [nfsv4] Sending a stronger message in rpc-tls
David Noveck <davenoveck@gmail.com> Sun, 05 April 2020 16:54 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 398B53A0E97 for <nfsv4@ietfa.amsl.com>; Sun, 5 Apr 2020 09:54:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZidylcMTUB9i for <nfsv4@ietfa.amsl.com>; Sun, 5 Apr 2020 09:54:14 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FED43A0E91 for <nfsv4@ietf.org>; Sun, 5 Apr 2020 09:54:13 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id cw6so15893057edb.9 for <nfsv4@ietf.org>; Sun, 05 Apr 2020 09:54:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RKYYPTTFd1Qi96h/kPR9EuprwV/eNgM01n8f0kMnM6w=; b=t/Vy9mU8hnh/TNSQKF0SjtfatjasCVOi7w7XvvitB7ZB8akoyihhqvWrZEGudcY5dp LFD6E/0Ad1AFvX6aFelS1+hzUbAR7qeH1Zc3F1MzStgEraqUE4nD+Xx2KWzgC7g7ItV2 Y0/uFGyh0Sj538gPTQ3hmtZpWxG0THFFq0JQGq5t9F/7BzRkE1ZYwKJltbV1a7ySs9mh T5mQpc1Y52w43/WhW6rkUXwuPRRg2ZThvGTbfefs2aS01SiBzOil4hRVAwF7w8C0bg0E ou+sUnbbHZ0BMezYXk2PoxbdqvCsfWPrVCtYJ/+sBeVcN4MJOqJMvsLOZaWbkN6S+SgK c9DQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RKYYPTTFd1Qi96h/kPR9EuprwV/eNgM01n8f0kMnM6w=; b=nfHJn2rIsz7JQrgc0iAfy/FbraLFlvFGgIRewJvcGYM0mZJkv4DRV78h42RrNsKp+o 3s0DbzQDY49uIZHNTfoL9yktBAA02vYzhsGi5tmqDVDfVGLmhhILcIlBfLJuSt5mMsfw lhBLbwDMDlERwVjIsfttZF6BVvNBv+UHJVi6V9kSrBqHPSd/OB9HDQYVSfM4drJhj6l1 vt7imCtfx29qKYG6m+/Wm2Owqh8WwiapOdOFnpQ973IE/l4gkMpAo7iYnANiKIczYZs8 egyGTwUditpzYTKcgpiKPGYhFKo/AJIDw+kMYnCGE1TzCDPjG8AgQK2kRfOcTmOVLFUs CMJg==
X-Gm-Message-State: AGi0PuYwtEFaVDRHFSh/7nefvK1yL/Lb3TTAzmsju+Npk2qxgxuJHXzK u312XGu6TqeF+Hyz8DTnI2bKaCdP7PNUfU2WY2wpGQA6
X-Google-Smtp-Source: APiQypJ2od4QBCwXD4H5hd8QwzyNiYixSq5VmZ0x+qEyuvnvE/gnkjnJfyAXht6RjnrkFmLG9w4xg72cQJ6okBGRJ0E=
X-Received: by 2002:a50:d61c:: with SMTP id x28mr15753515edi.344.1586105651971; Sun, 05 Apr 2020 09:54:11 -0700 (PDT)
MIME-Version: 1.0
References: <CADaq8jfR5HVTKU3-7J0idyxBjFRM0ewx83TECDnYNerBQGF4Tg@mail.gmail.com> <B5959F35-D33E-4729-B511-38C185A7F79F@oracle.com>
In-Reply-To: <B5959F35-D33E-4729-B511-38C185A7F79F@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Sun, 05 Apr 2020 12:54:00 -0400
Message-ID: <CADaq8jdnqrv9wY0-OLkEJ15C4g8P2p9qDEArbo=f-6C62fo5Jg@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>, Magnus Westerlund <magnus.westerlund@ericsson.com>
Content-Type: multipart/alternative; boundary="000000000000f648f405a28dff60"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/cepM7VZVU0P6cum6Vf_Tl_7Krrs>
Subject: Re: [nfsv4] Sending a stronger message in rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Apr 2020 16:54:16 -0000
On Sun, Apr 5, 2020 at 10:38 AM Chuck Lever <chuck.lever@oracle.com> wrote: > > > > On Apr 4, 2020, at 9:40 AM, David Noveck <davenoveck@gmail.com> wrote: > > > > One possibility to consider is replacing the penultimate paragraph of > the Introduction by the following two paragraphs. > > > > The current document assumes policies in line with [RFC7435] > > in order to enable RPC-on-TLS to be deployed opportunistically in > > environments that contain RPC implementations that do not support > > TLS. Specifications for RPC-based upper-layer protocols will often > > choose to require stricter policies in order to guarantee that > encryption > > or host authentication is in use on every connection. > > > > Imposition of such stricter policies is of particular importance with > regard to > > protocols for which the within-protocol security infrastrucure is weak, > > allowing common deployments without encryption of request and response > > data or providing attackers the opportunity to easily obtain server > execution > > of substantively unauthenticated requests, with authentication > presumptively > > provided by the clients (e.g. using AUTH_SYS), which themselves have not > > been authenticated. > > Forgive me, Dave. You removed the context, so I'm not certain which of > Magnus' comments you're responding to. Can you clarify? > > -- > Chuck Lever > > Hope so. I was referring back to the following text from one of Magnus's followup message sent Apr 1. > > The mechanism is clearly opportunistic in its establishment, however the > > goal here needs to be to get support in as many places is as possible. > > Yes. > > > Thus, sending a clearer signal that NFS 4.x servers and client are expected > > to support this should be sent. > > I think we can figure out how to send a clearer signal. I guess I mixed up "stronger" and "clearer" but I think my proposed text does send a clearer signal.
- [nfsv4] Sending a stronger message in rpc-tls David Noveck
- Re: [nfsv4] Sending a stronger message in rpc-tls Chuck Lever
- Re: [nfsv4] Sending a stronger message in rpc-tls David Noveck
- Re: [nfsv4] Sending a stronger message in rpc-tls Chuck Lever
- Re: [nfsv4] Sending a stronger message in rpc-tls Magnus Westerlund