IETF Logo Mail Archive

Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

David Noveck <davenoveck@gmail.com> Thu, 16 April 2020 23:10 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB6033A12F0 for <nfsv4@ietfa.amsl.com>; Thu, 16 Apr 2020 16:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BGfEpT0BY4mg for <nfsv4@ietfa.amsl.com>; Thu, 16 Apr 2020 16:10:25 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3665B3A12EC for <nfsv4@ietf.org>; Thu, 16 Apr 2020 16:10:25 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id re23so135322ejb.4 for <nfsv4@ietf.org>; Thu, 16 Apr 2020 16:10:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wvTmajJ7j9JBO4WAfgQR7V6kAukvMCk07mhIT15Pws8=; b=L9YJXF7VxA5IQh4Zd885FgQKO8Ji/UScyndaWp77nRrqAJ77RWI9agUjx842PQ7mZW 1+eFWLDKzucHXPINvtpCs4/IzFOLdBDxW/IYoOpI3t6p1t2oczMNlm69554LPNOIrook WDZ0unad0GFuj3ydnRggLSWd3M6jDaT1UFHGjDVB3Rhkm9yQ7VngwrDoU6ode41clrnv TVM01qXUZaAlfPfHt4TyA8Jyjc5wCYi8sshHKhKdvzrL3TG4btdjph07WXs4rHvWT9er nARS8CvE1W5wWfi2KVkyAR3+TaJu54l9NArdV+/2fpST3/g/TyCWNP4nbqtgAZ9rbVmn ZRmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wvTmajJ7j9JBO4WAfgQR7V6kAukvMCk07mhIT15Pws8=; b=DUTDllBc6eawHgiU0mMZcTYv1U7zR+Wj10+S4OAe5aXLmRYfF0hduHPofHCpLp3n0+ fNE/C2lW8WJtHjCh0sjn6sesAUMdbDaq1WqUThItYfF5UieRqIbh1WnQ9TEZtE9kD8zH KHH0zCPhMXvo7HapRY6lznEul/0p71LEKQb9G7HrpG8ED971o3xEfc77YaxCJVuUmHHR +XhiQ9CCs1Kx/H0dW906ILI83ha3cYJyq4J6hmibPOLWpXQVLi+zGoV4J+RopZqoUQ3M dVNH4aKFjj3OmoQQ/vYbzB4Oy+O5/CV3FP+UUyouJcjh+eeXoiT0SnMmlbGEpxSFUETL vfbg==
X-Gm-Message-State: AGi0PuZvMTsvcXbDSnAxyNiXC6Hfj23s+804Rbd584kgHZiGhQJk3Pz6 5+9pju+LiwlIw3y49DD/JkkvsH76tY0EMQj0UvP7LQ==
X-Google-Smtp-Source: APiQypI7YZJ8FelyogZuuNquZ548wNeFS4oVzPv/fsT5OSPTaBXZQT4f20pEaup4bWrtsCveXMMEAFh8p3VOEer6y5E=
X-Received: by 2002:a17:906:7c4e:: with SMTP id g14mr364532ejp.382.1587078623454; Thu, 16 Apr 2020 16:10:23 -0700 (PDT)
MIME-Version: 1.0
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <FA2D661E-A787-4772-8F9D-A7594AE82F38@oracle.com> <CADaq8jciLWhL_FMmPcsdrVVS=9Gee8SYAsqi36H5v9iuNo7Pgw@mail.gmail.com> <E414F060-532B-4017-AC7E-5869884B2153@oracle.com> <e5796752c6204ffdd78503b1a9c9045cfd761e52.camel@gmail.com> <F9AC44CE-750E-416A-944D-E2382524020E@oracle.com> <19d2513b1093fc71223e361afca90d1a1ad6183a.camel@gmail.com> <E8D24949-C2A3-463A-953F-FAE7F46D4D23@oracle.com> <4e7912c6c55680f50b05aaa2cdc98f59733cd5b2.camel@ericsson.com>
In-Reply-To: <4e7912c6c55680f50b05aaa2cdc98f59733cd5b2.camel@ericsson.com>
From: David Noveck <davenoveck@gmail.com>
Date: Thu, 16 Apr 2020 19:10:11 -0400
Message-ID: <CADaq8jc1JGf1uRgsj2Pf8f6Crt4q5K9N-D-q5u2Ui9c64jz1Mg@mail.gmail.com>
To: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>
Cc: Chuck Lever <chuck.lever@oracle.com>, Trond Myklebust <trondmy@gmail.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000094ec7c05a37089c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/f5ELeOrl77oxrjgx42XaW1ojxxg>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2020 23:10:27 -0000

On Thu, Apr 16, 2020, 4:30 PM Magnus Westerlund <magnus.westerlund=
40ericsson.com@dmarc.ietf.org> wrote:

> Hi,
>
> I have reviewed the text proposal and have this comment.
>
> On Tue, 2020-04-14 at 11:39 -0400, Chuck Lever wrote:
> >    o  If a client uses an ephemeral source port for a TCP connection and
> >       does not present authentication material to initiate TLS host
> >       authentication, the server MUST abort the TLS handshake with a
> >       handshake_failure alert.
>
> So what is this paragraph trying to say really. Is this a mix of OS/Socket
> level
> concerns with the transport protocol level.


Unfortunately, it is. There are good reasons for it, that derive from the
history of NFS "authentication".

Becasue from my perspective, I don't
> see why it would matter if the NFS client use a single arbitrary source
> port for
> its TCP connection to the server, where it determines that it has reached
> the
> server with a requested SNI. After the TCP connection has been established
> it
> will have a specific 5-tuple. Then the client use RPC level authentication
> to
> prove to the server which user it is.


That's a reasonable perspective.  Unfortunately, it doesn't take account of
AUTH_SYS in which the authentication task is effectively delegated to the
client. In that case, knowing who the client is essential. Without that,
there is really no request authentication.

Yes, that has certain weakness in that it
> doesn't identify the client host system, however for cases where one don't
> require that.
>

I suppose one could allow use of rpcsecgss and only restrict use of
AUTH_SYS on such connections.  However, I think Chuck's statement makes
things simpler on that it requires either that the source kernel take
responsibility for the client, be allowing use of a privileged port or the
client provides
authentication material to support unprivileged clients.

NFSV4 might choose to go further to deal with the possibility of untrusted
kernels.

>
>
>
> Cheers
>
> Magnus Westerlund
>
>
> ----------------------------------------------------------------------
> Networks, Ericsson Research
> ----------------------------------------------------------------------
> Ericsson AB                 | Phone  +46 10 7148287
> Torshamnsgatan 23           | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email