IETF Logo Mail Archive

Re: [nfsv4] Comments on minutes of wg meeting at IETF114

David Noveck <davenoveck@gmail.com> Tue, 04 October 2022 14:33 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFFC6C14CE31 for <nfsv4@ietfa.amsl.com>; Tue, 4 Oct 2022 07:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aldr6BTWv9ko for <nfsv4@ietfa.amsl.com>; Tue, 4 Oct 2022 07:33:29 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D182C14CE2F for <nfsv4@ietf.org>; Tue, 4 Oct 2022 07:33:29 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id n83so14576732oif.11 for <nfsv4@ietf.org>; Tue, 04 Oct 2022 07:33:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=UHfgdFAK+RSyxZ/93keXQrxR6+n/iUmkjklwB7cAjoE=; b=BD4/+/Ikh60KwqsmIYPux27u+R7WUORkSSJp8cZFDY82Kj7yYkW4tx1d1COCgd2+rm EUDaqPDHThziR/DEiwxbQmn728s6jga/v1YaW7tAYjd3dcgcDRleDdkKelHEaHJTVrrL P2+H+V4Zd3jbenUzirDC9qHsC6py8A1SvJ9i3sQPjEjJCUqcZUFLVS18xcwHAtqjV0q7 KSJkkURppHmS4y8+y889Q5a3NpZL706fsVkMavxkCUIWq82VLNr3PVMQQ1WCDxhGaFq/ 0gqHOCTno3BXWLnbOHVUzh3uuKHjeQ9wUGlDDCVWy28BcZu4gAvmZK4uP32jxNRx1gxt LM2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=UHfgdFAK+RSyxZ/93keXQrxR6+n/iUmkjklwB7cAjoE=; b=GL2QXlcbB2gWW5UGkMh1JL0NGGSKH0YoAdfEo6wC2QJ/NDyz+4QgUy0O0mqPR61pxg aviPu/CX+N5QgDlqzh5tIUlRrqWO/HhqE8FuLw8AHkQQwkOvIig7vNxAjfofEzbhjn82 qdje5DT/jw/TlwIbQpsljKiWSMDQJqw9+nrHvgKxL+wPBgbJdKEzsY0jXugGdVgL+XRf Vx5IvMt0izU7aeu4bquSm3pODldiHVoq0SwNPWpk0SW2IO9pQFasK30iYTe0SMCeUUES G6xKD0p0SlcubGtGyJm42fQhpGI3QBXA0QJ8n2wUnddMTc4yZ8hPYfB0Zb2CYUjU53nD mUqA==
X-Gm-Message-State: ACrzQf0WZLwOnHv0C81ACWm2PZcIzWCAtmadnu/HlMG98Lq6g7HyYiyf Dt7w0DB4jWz3rP0SwjkZBgIH2R+9xVo3KQp+pKY=
X-Google-Smtp-Source: AMsMyM7ZwjNUI53s7oJPp/fnCHTk1NcZogwNo/LgPGbv8RVusw8DwA8lNu4Ocp0kv+5KBaUPkLCA36ehWrrBaRJ6lrQ=
X-Received: by 2002:a54:4182:0:b0:34f:f1b4:5421 with SMTP id 2-20020a544182000000b0034ff1b45421mr40013oiy.146.1664894008527; Tue, 04 Oct 2022 07:33:28 -0700 (PDT)
MIME-Version: 1.0
References: <CADaq8jd4+FPhH0m5AuBgop_xJiYMjrRKva8mX0A-gioW_8b+5A@mail.gmail.com> <2CCC6B48-118F-48C3-A764-1380BAB72066@oracle.com> <CADaq8jeoyLbC_cFd8FwSzuSGFZAi9r3UsTGAxx5KykW+-99Jmg@mail.gmail.com> <606B4B27-0DC1-4215-987F-D97A37C4C278@oracle.com> <CAABAsM7qhJwe5rw=7VpvJc22=h2gNktXOcarF0iOVv+YnarRHw@mail.gmail.com>
In-Reply-To: <CAABAsM7qhJwe5rw=7VpvJc22=h2gNktXOcarF0iOVv+YnarRHw@mail.gmail.com>
From: David Noveck <davenoveck@gmail.com>
Date: Tue, 04 Oct 2022 10:33:17 -0400
Message-ID: <CADaq8jdpW9-X7e_jiucbzpXLHUy25Po0pmURdhL9tq_LKBLiHQ@mail.gmail.com>
To: Trond Myklebust <trondmy@gmail.com>
Cc: Chuck Lever III <chuck.lever@oracle.com>, NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f78e3c05ea36570a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/eGUR-TzacJ0SbhywF7nJEINKhbE>
Subject: Re: [nfsv4] Comments on minutes of wg meeting at IETF114
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Oct 2022 14:33:33 -0000

On Sun, Oct 2, 2022 at 11:01 AM Trond Myklebust <trondmy@gmail.com> wrote:

>
>
> On Tue, Sep 13, 2022 at 12:38 PM Chuck Lever III <chuck.lever@oracle.com>
> wrote:
>
>>
>>
>> On Sep 13, 2022, at 5:29 AM, David Noveck <davenoveck@gmail.com> wrote:
>>
>> On Mon, Sep 12, 2022, 12:25 PM Chuck Lever III <chuck.lever@oracle.com>
>> wrote:
>>
>>
>>> The conclusion of this discussion was to let the RDMA and ULB documents
>>> expire and remove the charter milestone.
>>>
>>
>> Regardless of that, we would have to ascertain consensus to do that.
>> Decisions at working group meetings always have to be confirmed on the wg
>> mailing list.
>>
>>
>> Fwiw, the co-chair and area director in the room at the time did not
>> state that requirement. The co-chair stated that the charter change was
>> implied by the decision to allow the documents to expire, so I assumed that
>> meant that no further bureaucratic actions were necessary.
>>
>>
>> That should have been done a month ago, but we might as well have that
>> discussion now.
>>
>>
>>> A version 2 of RPC/RDMA is not in demand by any customer.
>>>
>>
>> Fair enough.  It is a shame we have an RDMA approach so inferior to SMB.
>> Sigh!
>>
>> >  I feel it’s time to let it rest,
>>
>> If you don't want to push this to a conclusion, then we have to live with
>> what we have.
>>
>>
>> It's not a matter of not wanting to push this to conclusion. It is simply
>> not possible for me to finish this by myself: proper protocol development
>> requires two independent implementations.
>>
>> After Linux, where is the second implementation? (Answer: there isn't one)
>>
>> Who is bringing RPC/RDMA v2 implementations to our testing events?
>> (Answer: no one)
>>
>> Which vendors truly want to bring a second implementation of RPC/RDMA to
>> market? (Answer: I have yet to hear of one that has the resources to do
>> this)
>>
>> What customers are demanding it? (Answer: I have yet to hear of any; the
>> demand has come exclusively from complaints made by protocol architects)
>>
>> Improving security for MPA/RDMAP is an approach that lifts all boats.
>> What few resources the WG has is better spent on that instead of RPC/RDMA
>> v2.
>>
>>
>> > Unless or until there are sufficient resources to attack the addition
>> of transport-layer security to MPA/RDMAP.
>>
>> That sounds to me too much like "We'll do it when we get around to it."
>>
>>
>> You can spin it any way you like, but that's always the way it's been.
>> When we have the energy and enthusiasm for an idea, it will get done
>> somehow. We have more enthusiasm for what is essentially iWARP on QUIC than
>> for RPC/RDMA v2.
>>
>>
>> Because of the importance of security, we cannot simply wait for such
>> resources to drop into our laps.
>>
>>
>> It's not clear what motivated this remark, but no-one has suggested that
>> we ignore the security requirements of RPC/RDMA.
>>
>>
>> Chuck has informed me that a wg decision was made to abandon this
>>> document but that does nĺ⁰ot appear in the minutes.
>>>
>>>
>> I'm perplexed by this and expect to remain so even if a 3-D 4K-resolution
>> video were discovered.
>>
>> Given that this was an individual draft, the decision was not a wg
>> decision and does not have to be confirmed on the list.
>>
>> Instead, it is Chuck's decision to make but I'd like to understand why he
>> made it.
>>
>> Let me give people some background.  Chuck objected to the treatment of
>> SECINFO in some earlier security-0x draft.  He thought it was to
>> complicated so we agreed that he would publish his approach, as he did in
>> rpc- tls-pseudoflavors and I  would refer to that in the next security
>> draft.
>>
>> Now it appears that Chuck has changed his mind and I'd appreciate knowing
>> why <http://why.ch/>.
>>
>>
>> Rick told me he is not going to implement it. Trond stated that the
>> proposed mechanism is a hack, which I take to mean he will not accept it in
>> the Linux client.
>>
>>
>  Chuck recently reminded me that I haven't commented publicly on this
> draft. I did explain my reasoning in an email to him a while back, so let
> me just quote that:
>

To clarify things, it appears that your comments relate to Chuck's
individual draft.   While I am interested in the fate of that draft, I am
also interested in the SECINFO changes that shared some of the same
motivation in draft-dnoveck-nfs4-security-05 and that I'm planning to
include in draft-ietf-nfsv4-security-00.

It seems to me that your comments primarily apply to use within v3, but I
can't be sure and want to make sure that there is no objection to these
pseudo-flavors in the context of NFSv4 SECINFO.  Plese let me know if there
are any issues.


> First of all, it is mixing the concept of a transport and authentication.
>

That mixing was part and parcel of rpc-with-tls and don't think it is
inherently harmful.


> While TLS can provide authentication of the client to the server, the only
> thing that should matter conceptually to the SECINFO operation and its ilk
> is that there is some form of trusted channel that is able to underpin the
> otherwise weakly authenticated RPC operations. How that channel is created,
> whether it is by TLS, QUIC, or even krb5i / krb5p using the machine
> principal, …. should be irrelevant to the NFS client.
>

I agree.   I think my current text takes this approach, but it would help
if someone checked it to make sure i haven't mixed up i.e and e.g.

>
> Secondly, we always send a NULL ping on connecting to the server anyway.
> If we’re going to negotiate TLS, then why shouldn’t we just use that NULL
> ping to immediately deduce whether or not TLS is supported? As long as the
> server replies with something (error or not) then we know that the
> connection to the server is good.
>

In the v4 context, we have to account for different fs's (or even different
namespace regions i the same fs) , so that a good connection to access one
piece of the server namespace and it might turn out tnot to be acceptable
in another piece of the namespace.

It might be that if you were designing this now, you wouldn't bother with
SECINFO.  Nevertheless, we can't rip this out in rfc5661bis, and I felt
that the best approach was to augment it to support security provided at
the connection level, rather than limiting it to auth-flavor selection.

>
> Thirdly, there is the fact that you’re learning this information after
> connecting. So what is the point? If you are already connected via TLS,
> then the information that TLS is supported is known. If you connected
> without TLS, then how can you trust the reply?
>

Again this is different in the v4 context.


> This is the whole bootstrapping problem that causes us to prefer to always
> try krb5i first for SETCLIENTID/EXCHANGE_ID if we have access to it, even
> if the NFS mount has specified sec=sys
>

Still, you might find upon accessing a part of the namespace that you can
only do so with encryption.  That requires SECINFO has a way to require a
secure connection.

> .
>
> Thanks!
>   Trond
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email