Re: [nfsv4] review of draft-dnoveck-nfsv4-security-03
David Noveck <davenoveck@gmail.com> Tue, 30 November 2021 14:49 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E56E13A1327 for <nfsv4@ietfa.amsl.com>; Tue, 30 Nov 2021 06:49:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3DEGBn4Zgjal for <nfsv4@ietfa.amsl.com>; Tue, 30 Nov 2021 06:49:16 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 149F93A131E for <nfsv4@ietf.org>; Tue, 30 Nov 2021 06:49:16 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id v1so87710387edx.2 for <nfsv4@ietf.org>; Tue, 30 Nov 2021 06:49:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=awb1qsAH8rDsMAGeJi/RXyftQ3tON8JVZ7im4Gnf/Tw=; b=KLHR+YS7k/pkQSWvkU5/ESJD6+98I5MEmekne+eCsz9Kz6A0EJjGi1+/lGVypG9AIm Tmjb3BQ+PJ4RYgRQDvMW9fWSIYGpsbwV88ezBfgehZRZtv7bhTDMOWuKhgHdPTCAoNCH ggIIY4fLZVIpIzmGrsb06Sth/71SMJJuXkvVFDexgDYEQDjqlMomYq6Zlg1tUnVKgjNt KE85n2PvYEJoKA7OfinYoWH2+jtdkUhy51ojGNE9eh0FT5XeCWK0C311baZ9+g4tzO77 RErYp3qE1Vv09yRln8lU2fwhSsYVk7t9ihzPtJUKpZuUU6e47Egegh62J7uV3JY5/Zyq k8wQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=awb1qsAH8rDsMAGeJi/RXyftQ3tON8JVZ7im4Gnf/Tw=; b=q2/DkifLWEUX793jKo+q4dHuw8dvbqGZArPpycx+nzs0Hsi/RmbjxXwH5d/SoJeISe FYr7USQgvQlFX71U8DSyEN7rfAa3T4mVDYWnKsSLtFUnMWsc1R2Y6d7VgBeoZc3ih0Hb OXRMfvgRg4GyQnqxnxv3VC3TrCjxLz9IbKK8nuwG6TEJReuUID/F5YW8BVDsLMA9Cfjj QQhM0Vhrs23MAL8iVWmjf0MShWaYWEdCIJgYoq6L1HWi6mjlcNTCFwQhoZzSTVGUmt5G 2ZodZavVuuq647QTbBpRRO8vQNM6I9SvTiRiFrTasXV98YkRbQOVeL92I2DerhSrP6gQ URBQ==
X-Gm-Message-State: AOAM532nvDcW9ytob7qAWv+ofpNHn5Ha/YL14CVSHF2RtT2dncisOySw Ju5/T8gVXeQWoV5gjAnFRDhJRacpgXESL4JZ1FZDxQV/qhk=
X-Google-Smtp-Source: ABdhPJx6tGVXIS/ha9GV8W9RSoMQVQvtcSDLr1FRDlkCVf5Hi/y0Lvzoi9o96lDZW38YJxAGNH+rdMSMsNRL5NcrjOY=
X-Received: by 2002:a17:907:94c2:: with SMTP id dn2mr67348679ejc.325.1638283752628; Tue, 30 Nov 2021 06:49:12 -0800 (PST)
MIME-Version: 1.0
References: <5AFE5F2F-478B-4FDA-8B5F-8C80F80ED761@oracle.com> <CADaq8jcy5Th-TOaKk8pXfRb=f=XkYNAGBacm78C-VCH8f5dQKA@mail.gmail.com> <F4AD0082-DCFC-4F2A-AF57-E95686841508@oracle.com>
In-Reply-To: <F4AD0082-DCFC-4F2A-AF57-E95686841508@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Tue, 30 Nov 2021 09:49:01 -0500
Message-ID: <CADaq8jcNyi+Ok6VdCTU+q5rFXQyBSTNQ7=43AJtqi88BRM4Ltg@mail.gmail.com>
To: Chuck Lever III <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001de4ee05d202a9af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/dti05yvvoShcFllD3gF8wnCZfFE>
Subject: Re: [nfsv4] review of draft-dnoveck-nfsv4-security-03
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 14:49:22 -0000
On Mon, Nov 29, 2021 at 11:35 AM Chuck Lever III <chuck.lever@oracle.com> wrote: > My immediate concerns are with the discussion of security flavors / > connection types, so permit me to redact the other parts of this thread in > the interest of clarity, and address your responses only in that area, with > one quick detour into the ACL part of the thread. > > > On Nov 26, 2021, at 10:43 AM, David Noveck <davenoveck@gmail.com> wrote: > > On Wed, Nov 24, 2021 at 12:22 PM Chuck Lever III <chuck.lever@oracle.com> > wrote: > >> >> As above, it could be impossible to crisply describe ACL-to-mode >> translation in the face of other, non-standard authorization mechanisms >> that might restrict server security policy. >> > > Could you give me an example of the difficulty you see? I see these issues > as orthogonal. > > > How do you propose to deal with a situation where a server uses multiple > MAC labels (SMACK64, for example) or file capabilities ? > https://linux.die.net/man/7/capabilities (and note that other OSes have > their own flavors of capabilities). > Not all. It is out of scope. > > > There is a class of servers (eg OnTAP) that enable only remote access to > files, and have only one physical file system implementation. The security > document seems designed to address that case. > I don't think "designed" is the right word. It is just that: - Discussion of local file access is out-of-scope in an NFSv4 spec. - Discussion of physical file systems is also out-of-scope. > There is a class of servers (eg Linux, Solaris) that enable remote and > local access to files, and have multiple independently-implemented file > system types. Not all shares on such servers are guaranteed to implement > the same set of access controls. Here, local users (or the server > administrator) can set up additional access controls like capabilities, > which are not visible to users on clients, and are not reflected in either > the ACL or in the mode bits. Are you proposing that the nfsv4 WG mandate > how these file systems update mode bits when those other access control > mechanisms are put into place? > No I am not. It is just that they affect modes and acls equally, and so the mapping between these two is orthogonal. > Some access control mechanisms, such as Linux IMA, are policy-based rather > than controlled by settings on individual files. The policy is specified by > the administrator in control of the file system where files are stored (ie, > the server's file systems). IMO the text at least needs to recognize the > presence of overriding security policy that is not modifiable from NFS > clients. > It already does that in describing read-only fs's. I'm open to suggestions for expansion. > > > I missed the introduction and definition of the terms "forward-slope" and >> "reverse-slope". >> > > It's in section 7.3.1. The Associated Consensus Item is #21. > > > What I meant was: perhaps these terms could be added to the document's > forward glossary. I did browse the text looking for these, and still missed > their definitions. > will try to do this in -04. > > > As it is a substantial piece of work, perhaps it needs its own charter >> mandate. >> > > I don't think so. As part of the rfc5661bis effort, it fits under > maintenance, just as internaiona;ization is. > > > I don't recall a discussion of rewriting the ACL sections from the ground > up when the WG was considering the scope of the rfc5661bis effort. Also, as > you have carefully identified areas where a consensus discussion is needed, > let me tactfully point out that we are possibly veering outside the realm > of simple maintenance. AFAIK there have been no errata filed against the > ACL section of RFC 5661. > > Mainly I want to keep this effort contained and feasible, as I'm sure you > do also. As I stated in the introduction to my review, I'm concerned that > the scope of the rfc5661bis effort is continuing to broaden without any WG > discussion regarding whether that's a desirable thing to do given currently > available resources. > > > *Section 13.1:* >> >> I don't understand the motivation for replacing the historical term "RPC >> authentication flavor". >> > > It is because most of the "RPC 'authentication' flavors" don't do > authentication. > > >> Also, the term "RPC flavor" is generic enough to unhelpfully obscure its >> meaning and purpose. >> > > :-( > > I don't currently have an alternative term, >> > > I'll look for one and address in -04. > > > >> but subsequent discussion in this section is able to successfully >> distinguish between identification and authentication and state plainly >> which authentication flavors provide one, both, or neither. >> > > Right but I'm afraid the repetition of "authentication flavor" would > undercut that. "RPC 'authentication' flavor" is kind of ugly. Sigh! I > think I will introduce the term "RPC auth-flavor", explain why > "authentication flavor" is inaccurate, and proceed from there. > > I don't see a problem with keeping the traditional terminology. >> > > I still feel it would contribute to confusion. > > > "RPC auth flavor" seems like a fine abbreviation with plenty of precedent. > > > *Section 13.4:* >> >> I find the linking of "connection type" with "RPC flavor" to be deeply >> problematic >> > > I don't understand why. > > The sentence in question says; > > Depending on the connection type used, RPC may provide additional > means of authentication. In contrast with the case of RPC flavors, > any authentication happens once, at connection establishment, rather > than on each RPC request. As a result, it is the client and server > peers, rather than individual users that are authenticated > > Could you explain what is problematic about that? > > > We already have RPC auth flavors that provide mutual peer authentication. > I don't think the client peer is included :-( > > We already have a mechanism by which the NFS server can request particular > security services such as mutual peer authentication. > > We already have a mechanism by which the RPC layer can tell an upper layer > "I can't perform the requested security service". > > We already have channel binding, by which an upper layer can determine > whether a security service is provided by an underlying transport layer. > > Therefore, there is no clear use case that requires more than extending > AUTH_SYS to include: > > "AUTH_SYS with mutual peer authentication is OK" > "AUTH_SYS with encryption is OK" > "AUTH_SYS with both is OK" > > Negotiating these does not require the server to stipulate the use of a > specific connection type. > True. > The client and server's RPC layers can figure out which types to use. If > the NFS layer needs to butt in, the channel binding API is available. > Right, but the spec needs to describe how that is to be used. > > > and without precedent. >> > > Perhaps so but, given the innovation that you and trond have provided, > there will be many occasions to say things that were not said before. *stare > decisus *does not apply here. > > > "many occasions" -- OK, let's see some specific real world examples. I'm > not seeing any possible case where we need more than what I outlined above > (Rick's additional exception noted). > > I believe strongly that we should narrowly define new protocol based on > real needs, not expectations about what might happen. Expectations are > almost always short-sighted or incorrect. > > The framework provided by the current IANA registration of RPC auth > flavors is entirely adequate to do what we need for NFSv4 SECINFO and NFSv3 > MNT. It is up to new proposals to affirmatively demonstrate that the > current framework is not adequate. > > > First, and I cannot stress this enough, TLS IS NOT A CONNECTION TYPE. >> > > You have already made that point and I believe it is addressed in -03, > although it is possible there were some editing slip-ups. > > If you know of any, please point that out. > >> > >> For example, QUIC, which *is* a connection type, uses TLS just like TCP >> does, though with QUIC TLS happens to always be enabled. >> > > that is true but, given that there is no RPC-over-QUIC spec (even an > individuaI-D), there are limits in what I can say about that in an I-D that > is intended to morph into a standards-track RFC. > > > You're making my point for me. A missing spec should be enough to give you > pause before defining something more complicated than we know how to use > today. > > Incidentally we do have a nascent personal draft for RPC-with-QUIC, but it > has not been officially submitted to the IETF. We are waiting to understand > the use cases for QUIC (over and above what is provided by existing > technologies), as requested during the most recent previous WG meeting. > > https://github.com/chucklever/i-d-rpc-over-quicv1 > > > We will be better served if the RPC layer simply tells the upper layer: >> yes I can authenticate the peer (eg: GSS or transport layer security is in >> use), or no I can't; yes I can provide confidentiality (eg: GSS, IPsec, or >> TLS is in use), or no I can't. >> > > We might be better off but that would have required an RPC > connection-flavor abstraction paralleling the RPC auth-flavor abstraction. > We don't have that and the benefits of doing so, while real, do not > justify the substantial work do so now. > > As far as confidentiality goes, there have to be three choices, rather > than two: > > 1. Yes you get this automatically for the connection (RPC-with-TLS and > eventually QUIC) --> use this if you can. > 2. You can get this, if you ask for it on a per request basis. (GSS > when connection-based encryption is not available) --> Needed if 1. not > available > 3. No you can't get this (e.g. AUTH_SYS in the clear) --> run away as > fast as you can > > A simpler set of flavors will give us this flexibility. I don't see > anything here that can't be done via what I proposed above. > > > This section needs analysis of specific use cases and explicit rationale >> for why negotiating connection types is necessary. >> > > I'll provide that in the predraft and -04. > > >> Since this is a proposed new feature, that analysis and rationale is >> paramount. >> > > It is not a new feature. It is the adaptation of an existing feature to > be useful in the new environment in which the RPC auth-flavor is no longer > the sole determinant of security services, but the role of the connection > characteristics is of equal or greater importance. > > > Your proposal changes the operation of SECINFO to include BREAK and other > control flow operations IIUC. This is no longer a matter of adding a > pseudoflavor or new protocol element. You are changing the behavior of the > operation, perhaps in ways that are not backwards compatible. That is why I > bring up RFC 8178. > > And I wonder how pleased NFSv3 implementers will be that they would need > to handle XPT_BREAK in a moribund MNT implementation. > > > Burying this proposal in a large document with a broad scope will prevent >> adequate discussion IMO. >> > > We are having a discussion of this now. I hope it is productive. If it > is inadequate, I don't see how putting it in a separate document would > remedy that. > > I prefer to see these three sections split into their own document that >> can proceed to publication as soon as possible rather than being chained to >> the completion of the other potentially lengthier tasks in nfsv4-security. >> > > I presume that you are referring here to sections 13-15. Regarding these; > > - Sections 13 and 14, which deal respectively with authentication and > the security of data in flight are an integral part of the security > provided by NFSv4. They have a critical role in the new security > architecture intended to take proper advantage of the work you and trond > did in RPC-with-TLS. I don't understand the motivation for putting these > three pages anywhere other than draft-dnoveck-nfsv4-security or its > successor documents. > - Section 15 is made necessary is made necessary by the changes in > sections 13 and 14 so might make sense to deal with all these together, > except for the following considerations: > - these sections are a total of eleven pages. > - While 13 and 14 are tightly bound to 15, they are also > tightly bound to the rest of the spec, making any proposed surgery > difficult. > - With regard to the suggestion that this will somehow accelerate > adoption I am inclined to be skeptical. this is not only because you seem > to to feel theses changes not worth doing but also because you find some > matters now in section 13 to be deeply problematic. > > I don't see what is wrong with keeping these eleven pages with the rest of > the security document. > > > Implementers want a TLS flavor negotiation capability in a standard > yesterday, and they want it to include NFSv3 (MNT). The WG has the ability > to meet that goal by writing a document that simply defines the new > AUTH_SYS pseudoflavors, and get it published ASAP. > > > *Section 15:* >> >> I strongly urge reconsideration of adding connection types to security >> negotiation. NFS should state the security services that are required, and >> let the local RPC implementation figure out the mechanisms. >> > > It needs to be noted that SECINFO's job is to allow the NFS server to tell > the client what services to request. It could have been designed around > abstract services, but it was designed around auth-flavors, which made > sense then. The problem is that, given the more limited role of > auth-flavors, some chane is needed. > > > I don't agree: it gives us everything we need. IMO your proposal needs to > adequately justify the need to go outside the boundaries of what we have > today. The document needs to explain why we can't get to where we need to > go with channel binding and a handful of AUTH_SYS pseudoflavors. > > > Section 15.4 and 15.4.1 belong in section 15.5. And again, because this >> subsection is specifying protocol elements, it does not belong in an >> architectural document, but instead should be either a separate smaller >> document that will be replaced eventually by rfc5661bis, >> > > I don't see the point of a separate, temporary document. > > > We need something that covers more than just NFSv4.x, and we need it > quickly. > > It might be helpful to have a contrasting proposal on the table. I can > assemble a small document that makes an IANA request for the new AUTH_SYS - > related RPC auth flavors. > If you do that, I think I could remove (or cut it way back) in a subsequent draft. > > > -- > Chuck Lever > > > >
- [nfsv4] review of draft-dnoveck-nfsv4-security-03 Chuck Lever III
- Re: [nfsv4] review of draft-dnoveck-nfsv4-securit… David Noveck
- Re: [nfsv4] review of draft-dnoveck-nfsv4-securit… Chuck Lever III
- Re: [nfsv4] review of draft-dnoveck-nfsv4-securit… David Noveck