[nfsv4] Sending a stronger message in rpc-tls
David Noveck <davenoveck@gmail.com> Sat, 04 April 2020 13:40 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA1D83A0CD6 for <nfsv4@ietfa.amsl.com>; Sat, 4 Apr 2020 06:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J6NIJmv61oGu for <nfsv4@ietfa.amsl.com>; Sat, 4 Apr 2020 06:40:16 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEE613A0CD5 for <nfsv4@ietf.org>; Sat, 4 Apr 2020 06:40:15 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id z65so12870151ede.0 for <nfsv4@ietf.org>; Sat, 04 Apr 2020 06:40:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=nAV/iL3aIiHnfY/8YvRwUsUqwlRPWok2zHR8dw9T6qc=; b=Au6xfZUyPCZ5GsOihpp22jHhbHaggNAXLFQCBPkBHX38uI+e9ncqdWp9ey7XE8PLoW pYYr0MG05a1mChiHCUeVNUXBv8zv2ZZiLMZhKLJ85O/jyHm0FpnqSeIdoo72jZJx7f2X AAigT3Bi/9luXdyzCSByfLGcUKObeNKz6Gx9SIzyg+N6fzo0B9EhwKL/eouo4Yj2+e1X 7Ghn74TbYCNSw2Yh0QzMlFIC7WPGa/Qku1az9WCxs16WX9Ob28NkYHip7gGldKQQ8YqP Fnn+i4ZUy2Ip6v1Qh81zWjstyGPIC3suWa0scX5Ykw2jzUCi836Gfr3qOVYVFZC+blxI xC/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=nAV/iL3aIiHnfY/8YvRwUsUqwlRPWok2zHR8dw9T6qc=; b=cSxQU4EM9gQuQGKoJzkCSw8hbf+jaWGkhChzuDAIW95qaGWj0iuzFgA19jpyY10maY DmXUNUEj7dJxL6o/QcRjl0sdrWoMNFYwgciSZU5qoX3dNDilWzx/xUdQ9mPGeqTWc993 c+EMOI2nrQ7l7qWJgh05yJCSZjU9uSnb1FAxoKdCr2NzZFCT2hoVLbDy47SLXG/XPTgm v0lvbHNZ4vdk2+GnTg20NHzvP3CqfbxxCKNsO//7l9K0vOrW9JL8a7b23di7wmgWAbzv OP0aDNNcw+0b0LzWWDD0Ih5sPe7kJTDHfujK1tXoGY1u3LwTa0OBASiyypWQag5a65F4 kI6w==
X-Gm-Message-State: AGi0PuZ0qoNASenU2erJcGLAs2w6KF2vyyQukcosgZ1NX/9hM8ei1IWE N2TcIf0pi37Cl71SwWvoX5aZxhOBQms09WpkbKbh8wxL
X-Google-Smtp-Source: APiQypL7LeWhGjSt+Z0D2fSZPAD7VexSaVRqW2n93eZsdJGXt2TWExPcg5ut1u3LLJaCygHkBIKy/1y2QYvSBXIWjKE=
X-Received: by 2002:a17:906:1952:: with SMTP id b18mr12764462eje.216.1586007614128; Sat, 04 Apr 2020 06:40:14 -0700 (PDT)
MIME-Version: 1.0
From: David Noveck <davenoveck@gmail.com>
Date: Sat, 04 Apr 2020 09:40:01 -0400
Message-ID: <CADaq8jfR5HVTKU3-7J0idyxBjFRM0ewx83TECDnYNerBQGF4Tg@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>, Magnus Westerlund <magnus.westerlund@ericsson.com>
Content-Type: multipart/alternative; boundary="0000000000007386cc05a2772ccb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/fJi3Nvs09Y9Vuru0tssj8a2nliY>
Subject: [nfsv4] Sending a stronger message in rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Apr 2020 13:40:18 -0000
One possibility to consider is replacing the penultimate paragraph of the Introduction by the following two paragraphs. The current document assumes policies in line with [RFC7435] in order to enable RPC-on-TLS to be deployed opportunistically in environments that contain RPC implementations that do not support TLS. Specifications for RPC-based upper-layer protocols will often choose to require stricter policies in order to guarantee that encryption or host authentication is in use on every connection. Imposition of such stricter policies is of particular importance with regard to protocols for which the within-protocol security infrastrucure is weak, allowing common deployments without encryption of request and response data or providing attackers the opportunity to easily obtain server execution of substantively unauthenticated requests, with authentication presumptively provided by the clients (e.g. using AUTH_SYS), which themselves have not been authenticated.
- [nfsv4] Sending a stronger message in rpc-tls David Noveck
- Re: [nfsv4] Sending a stronger message in rpc-tls Chuck Lever
- Re: [nfsv4] Sending a stronger message in rpc-tls David Noveck
- Re: [nfsv4] Sending a stronger message in rpc-tls Chuck Lever
- Re: [nfsv4] Sending a stronger message in rpc-tls Magnus Westerlund