IETF Logo Mail Archive

Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

Chuck Lever <chuck.lever@oracle.com> Mon, 13 April 2020 14:05 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 135E03A1661 for <nfsv4@ietfa.amsl.com>; Mon, 13 Apr 2020 07:05:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.268
X-Spam-Level:
X-Spam-Status: No, score=-2.268 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.168, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22JdXPKLCcDV for <nfsv4@ietfa.amsl.com>; Mon, 13 Apr 2020 07:05:53 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 808F93A1660 for <nfsv4@ietf.org>; Mon, 13 Apr 2020 07:05:53 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03DE2W9P150822; Mon, 13 Apr 2020 14:05:50 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=kTKlH9V3k7Tv8/ukkIKfpjB/5SCUU4Wduy/D65kKswQ=; b=cE3Ol8PpJMbX+2sZsYxFJLpikb8rHTnw13e+z0izMQZA182UkyOdmPSvBoZlQq6z8hMB ei534akMLhqHPtpRj5NLNh/5vXFRgbHIT/KKilVUizHMKtCUlWOmraBwF+RycLj4WqOf NJUGHt9vByz+fD4Z2r1EF98BiYyd7HD2vqWs/Z5I3m7bZU8ObRVDHsHrTQohbIwDgbIV prfVVWcevVdrY+av4d7uxtjiurZj1+CrAlNM0opbdcXNM5Uyqv7HwNDr7cz9hGhq0/qi zahR/RYLXF8jgvP6gKQ3kOUbfIv15hHW89jq2lbZPsJquSoSeIoBtJeAOQ7xSqqapKq/ 7Q==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by userp2130.oracle.com with ESMTP id 30b5aqxn9h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 13 Apr 2020 14:05:50 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03DE3iTK022883; Mon, 13 Apr 2020 14:03:50 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userp3030.oracle.com with ESMTP id 30bqce5khn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 13 Apr 2020 14:03:50 +0000
Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 03DE3nW3009865; Mon, 13 Apr 2020 14:03:49 GMT
Received: from anon-dhcp-153.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 13 Apr 2020 07:03:49 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <750B9471-1BC2-4E18-B8D5-F4129353DC6C@gmail.com>
Date: Mon, 13 Apr 2020 10:03:47 -0400
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E83895A0-65FA-461D-B5FE-480B4FBB247D@oracle.com>
References: <93C777E4-1C58-4307-9943-680E2527A7A3@oracle.com> <750B9471-1BC2-4E18-B8D5-F4129353DC6C@gmail.com>
To: Craig Everhart <cfeverhart@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9590 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxlogscore=999 bulkscore=0 malwarescore=0 phishscore=0 mlxscore=0 spamscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004130106
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9590 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 impostorscore=0 clxscore=1011 priorityscore=1501 malwarescore=0 phishscore=0 spamscore=0 mlxlogscore=999 suspectscore=0 adultscore=0 mlxscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004130106
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/fRKHBLP5k0u1aU1JApciqyOhrU8>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2020 14:05:55 -0000

Hi Craig-

I don't know of a functional dependency, but someone who would know best
(perhaps a member of the IESG, I don't remember exactly whom) requested that
this document REQUIRE the known most secure version of TLS, which at present
is 1.3, to avoid certain known security exposures in 1.2 and enable the use
of token binding as an OPTIONAL means of peer authentication.

The requirement has been present since draft-ietf-nfsv4-rpc-tls-00 was
submitted a year ago, but is absent in the predecessor personal draft.

I believe RPC-on-TLS can be implemented on TLS 1.2. It won't be spec-compliant
in that case, and it won't be as secure.


> On Apr 12, 2020, at 6:30 PM, Craig Everhart <cfeverhart@gmail.com> wrote:
> 
> Is there a reason to require TLS 1.3?  TLS 1.2 isn’t old in many contexts.
> 
> Best,
> Craig
> 
> 
>> On Apr 12, 2020, at 12:52 PM, Chuck Lever <chuck.lever@oracle.com> wrote:
>> 
>> 
>> 
>>> On Apr 12, 2020, at 12:32 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>> 
>>>> On Sun, Apr 12, 2020 at 12:27:14PM -0400, Chuck Lever wrote:
>>>> Hi Ben -
>>>> 
>>>>> On Apr 11, 2020, at 10:37 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>>>> 
>>>>> On Fri, Apr 10, 2020 at 03:33:51PM +0000, Rick Macklem wrote:
>>>>>> Chuck Lever wrote:
>>>>>> [stuff snipped]
>>>>>>> Then I started thinking about TCP.
>>>>>>> 
>>>>>>> Since we have implementations that use the same connection to transport
>>>>>>> multiple RPC programs, we have to make a different statement. What should
>>>>>>> that statement be?
>>>>>>> 
>>>>>>> I wondered again about whether it makes sense to permit or encourage
>>>>>>> multiple TLS sessions on the same connection.
>>>>>>> 
>>>>>>> If you wanted to, how would you establish a second TLS session? Because
>>>>>>> of the "no clear-text RPCs after a TLS session has been established"
>>>>>>> stipulation, the client would have to perform a bunch of AUTH_TLS probes
>>>>>>> _before_ sending any ClientHello messages.
>>>>>>> 
>>>>>>> (And in any event we probably want rpc-tls to discuss what should happen
>>>>>>> if there is traffic on the connection between the AUTH_TLS probe and
>>>>>>> the ClientHello message).
>>>>>> I think that multiple AUTH_TLS probes before sending ClientHello
>>>>>> is both difficult to implement and confusing.
>>>>>> 
>>>>>> The AUTH_TLS probe serves two purposes well.
>>>>>> 1 - It establishes whether or not RPC-over-TLS is supported by the server.
>>>>>> 2 - If supported, it triggers a TLS handshake for the first session.
>>>>>> 
>>>>>> If you do want multiple TLS sessions on the same TCP connection (I'll assume TLS
>>>>>> allows this?), then I think a separate kind of AUTH_TLS Null RPC which is done
>>>>> 
>>>>> TLS doesn't really allow this.
>>>> 
>>>> I want to understand how to word the text in rpc-tls. "this" here means
>>>> "multiple TLS sessions on the same TCP connection" ? What happens when
>>>> the client peer sends a second ClientHello message on a connection with
>>>> an established TLS session? I haven't been able to find a firm description
>>>> of how a server is supposed to respond in this case.
>>> 
>>> There's two possibilities that I see:
>>> 
>>> (1) the second ClientHello is unencrypted, in which case the server sees a
>>> TLS record whose deprotection fails and aborts the connection
>>> 
>>> (2) the second ClientHello is encrypted with the current record-protection
>>> keys, in which case a TLS 1.2 server starts the "renegotiation" process and
>>> a TLS 1.3 server aborts the connection for a protocol violation.
>>> 
>>> TLS 1.2 renegotiation semantics are not particularly well specified, which
>>> is part of why renegotiation was removed from TLS 1.3.  In particular, many
>>> people will argue that that the "renegotiated" handshake would completely
>>> replace the original one in a logical sense, so that only one client
>>> authentication would be active (the latest one).  What is clear is that
>>> only one cryptographic context would be active, so you could not interleave
>>> TLS records on the TCP stream that are protected by different encryption
>>> keys.
>>> 
>>> Does that help?
>> 
>> Yes this explanation does help, thank you! rpc-tls requires the use of TLS
>> 1.3 or later, so it needn't be concerned with the TLS 1.2 renegotiation
>> case at all.
>> 
>> The RPC-on-TLS protocol already assumed only a single TLS session per
>> connection. It will simplify the text, I think, that the multiple
>> session case, though not supported, is right off the table.
>> 
>> Within the next day or two I intend to post updated text for Sections 4.1
>> and 5.1, based on the conversation from the past few days, for review and
>> comment.
>> 
>> 
>> --
>> Chuck Lever
>> 
>> 
>> 
>> _______________________________________________
>> nfsv4 mailing list
>> nfsv4@ietf.org
>> https://www.ietf.org/mailman/listinfo/nfsv4

--
Chuck Lever

v2.23.0 | Report a Bug | By Email