Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
David Noveck <davenoveck@gmail.com> Thu, 16 April 2020 23:10 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB6033A12F0 for <nfsv4@ietfa.amsl.com>; Thu, 16 Apr 2020 16:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BGfEpT0BY4mg for <nfsv4@ietfa.amsl.com>; Thu, 16 Apr 2020 16:10:25 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3665B3A12EC for <nfsv4@ietf.org>; Thu, 16 Apr 2020 16:10:25 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id re23so135322ejb.4 for <nfsv4@ietf.org>; Thu, 16 Apr 2020 16:10:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wvTmajJ7j9JBO4WAfgQR7V6kAukvMCk07mhIT15Pws8=; b=L9YJXF7VxA5IQh4Zd885FgQKO8Ji/UScyndaWp77nRrqAJ77RWI9agUjx842PQ7mZW 1+eFWLDKzucHXPINvtpCs4/IzFOLdBDxW/IYoOpI3t6p1t2oczMNlm69554LPNOIrook WDZ0unad0GFuj3ydnRggLSWd3M6jDaT1UFHGjDVB3Rhkm9yQ7VngwrDoU6ode41clrnv TVM01qXUZaAlfPfHt4TyA8Jyjc5wCYi8sshHKhKdvzrL3TG4btdjph07WXs4rHvWT9er nARS8CvE1W5wWfi2KVkyAR3+TaJu54l9NArdV+/2fpST3/g/TyCWNP4nbqtgAZ9rbVmn ZRmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wvTmajJ7j9JBO4WAfgQR7V6kAukvMCk07mhIT15Pws8=; b=DUTDllBc6eawHgiU0mMZcTYv1U7zR+Wj10+S4OAe5aXLmRYfF0hduHPofHCpLp3n0+ fNE/C2lW8WJtHjCh0sjn6sesAUMdbDaq1WqUThItYfF5UieRqIbh1WnQ9TEZtE9kD8zH KHH0zCPhMXvo7HapRY6lznEul/0p71LEKQb9G7HrpG8ED971o3xEfc77YaxCJVuUmHHR +XhiQ9CCs1Kx/H0dW906ILI83ha3cYJyq4J6hmibPOLWpXQVLi+zGoV4J+RopZqoUQ3M dVNH4aKFjj3OmoQQ/vYbzB4Oy+O5/CV3FP+UUyouJcjh+eeXoiT0SnMmlbGEpxSFUETL vfbg==
X-Gm-Message-State: AGi0PuZvMTsvcXbDSnAxyNiXC6Hfj23s+804Rbd584kgHZiGhQJk3Pz6 5+9pju+LiwlIw3y49DD/JkkvsH76tY0EMQj0UvP7LQ==
X-Google-Smtp-Source: APiQypI7YZJ8FelyogZuuNquZ548wNeFS4oVzPv/fsT5OSPTaBXZQT4f20pEaup4bWrtsCveXMMEAFh8p3VOEer6y5E=
X-Received: by 2002:a17:906:7c4e:: with SMTP id g14mr364532ejp.382.1587078623454; Thu, 16 Apr 2020 16:10:23 -0700 (PDT)
MIME-Version: 1.0
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <FA2D661E-A787-4772-8F9D-A7594AE82F38@oracle.com> <CADaq8jciLWhL_FMmPcsdrVVS=9Gee8SYAsqi36H5v9iuNo7Pgw@mail.gmail.com> <E414F060-532B-4017-AC7E-5869884B2153@oracle.com> <e5796752c6204ffdd78503b1a9c9045cfd761e52.camel@gmail.com> <F9AC44CE-750E-416A-944D-E2382524020E@oracle.com> <19d2513b1093fc71223e361afca90d1a1ad6183a.camel@gmail.com> <E8D24949-C2A3-463A-953F-FAE7F46D4D23@oracle.com> <4e7912c6c55680f50b05aaa2cdc98f59733cd5b2.camel@ericsson.com>
In-Reply-To: <4e7912c6c55680f50b05aaa2cdc98f59733cd5b2.camel@ericsson.com>
From: David Noveck <davenoveck@gmail.com>
Date: Thu, 16 Apr 2020 19:10:11 -0400
Message-ID: <CADaq8jc1JGf1uRgsj2Pf8f6Crt4q5K9N-D-q5u2Ui9c64jz1Mg@mail.gmail.com>
To: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>
Cc: Chuck Lever <chuck.lever@oracle.com>, Trond Myklebust <trondmy@gmail.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000094ec7c05a37089c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/f5ELeOrl77oxrjgx42XaW1ojxxg>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2020 23:10:27 -0000
On Thu, Apr 16, 2020, 4:30 PM Magnus Westerlund <magnus.westerlund= 40ericsson.com@dmarc.ietf.org> wrote: > Hi, > > I have reviewed the text proposal and have this comment. > > On Tue, 2020-04-14 at 11:39 -0400, Chuck Lever wrote: > > o If a client uses an ephemeral source port for a TCP connection and > > does not present authentication material to initiate TLS host > > authentication, the server MUST abort the TLS handshake with a > > handshake_failure alert. > > So what is this paragraph trying to say really. Is this a mix of OS/Socket > level > concerns with the transport protocol level. Unfortunately, it is. There are good reasons for it, that derive from the history of NFS "authentication". Becasue from my perspective, I don't > see why it would matter if the NFS client use a single arbitrary source > port for > its TCP connection to the server, where it determines that it has reached > the > server with a requested SNI. After the TCP connection has been established > it > will have a specific 5-tuple. Then the client use RPC level authentication > to > prove to the server which user it is. That's a reasonable perspective. Unfortunately, it doesn't take account of AUTH_SYS in which the authentication task is effectively delegated to the client. In that case, knowing who the client is essential. Without that, there is really no request authentication. Yes, that has certain weakness in that it > doesn't identify the client host system, however for cases where one don't > require that. > I suppose one could allow use of rpcsecgss and only restrict use of AUTH_SYS on such connections. However, I think Chuck's statement makes things simpler on that it requires either that the source kernel take responsibility for the client, be allowing use of a privileged port or the client provides authentication material to support unprivileged clients. NFSV4 might choose to go further to deal with the possibility of untrusted kernels. > > > > Cheers > > Magnus Westerlund > > > ---------------------------------------------------------------------- > Networks, Ericsson Research > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 10 7148287 > Torshamnsgatan 23 | Mobile +46 73 0949079 > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com > ---------------------------------------------------------------------- > > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 >
- [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Rick Macklem
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Benjamin Kaduk
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Benjamin Kaduk
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Benjamin Kaduk
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls David Noveck
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Trond Myklebust
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Magnus Westerlund
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Faibish.Sorin
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever
- Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls Chuck Lever