IETF Logo Mail Archive

Re: [nfsv4] Comments on draft-ietf-nfsv4-integrity-measurement-07

David Noveck <davenoveck@gmail.com> Mon, 28 October 2019 16:04 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9608C12081C for <nfsv4@ietfa.amsl.com>; Mon, 28 Oct 2019 09:04:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u-86FTWy5kHB for <nfsv4@ietfa.amsl.com>; Mon, 28 Oct 2019 09:04:36 -0700 (PDT)
Received: from mail-ot1-x32c.google.com (mail-ot1-x32c.google.com [IPv6:2607:f8b0:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7233D120827 for <nfsv4@ietf.org>; Mon, 28 Oct 2019 09:04:33 -0700 (PDT)
Received: by mail-ot1-x32c.google.com with SMTP id u13so7110244ote.0 for <nfsv4@ietf.org>; Mon, 28 Oct 2019 09:04:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cPCIQn2bkvHYbU4j68f7LXklswPqth4xVkfItXYuv+A=; b=gzO9xwE9UcsiYFv4QUaJGc9JyY9N73JJ0GWrK3IaGXlq+v3Xf2jpSxPNQI0/s3H4Iq 560o0iiTpt/7kO0wqZ6k67Ghe+2DhDfSXuA3RWNSRg+n8XE2pwnbKOYT086kVge6Us/G PNoZr0HwwjbHIrwuFYzfnf4bMfDqS/brvMMCm2fxYoqD6zwve8XQEOo37ebjoFot4h5o yAyF5sXdyfNMjrnoCsJIMrWANb5XNypuKYkTrhLvGGmS/S6XuP4/C5jVD/VrITpYXZoi 5/4v+rokp+BF+5BpC+Qorgb1t4FdLcINSI7FSqFWwgCEGJH8UZaN2Irb5yL9NXaiNEJo zbdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cPCIQn2bkvHYbU4j68f7LXklswPqth4xVkfItXYuv+A=; b=T/TSZizSf8XWe+le1xBKsISCGr0jJe6X3UQgaLYu2S7yXZRS+IxZWBfu2Fpv8bhLNI mc/EhUwjKrZDp3zFIPASt3lSx6RbsGH58M48lU+Zh0qkXAxagIKzouXktovkjhVKHLyL t61I1U2HkduV+IYAma54t4aSBnvLXoN9uAgrGUmqcqR8XLttQxrn848OrcX7AQcv8ou1 hsrKQ7Bf+2PkbxS45f1o4U82vgh36pcVeyXeqfPkboESlG/6atwaDNvDSaCwmCMAGIBG N6mwVCrsRPJUpo2Df2dz3PuLWlZx1H+JbA+bWS3jMm8ZyBQuJfTNkm08gERl5ClIeA7g XLaw==
X-Gm-Message-State: APjAAAUsWKExekrrjfRbrTP+N7hqsSf8RkRQB0qhwAogE5uNYr1NKczL TvUXbU3R8KBf0n0JjJea+6RnCXAUQwcxGBqqMEfl/A==
X-Google-Smtp-Source: APXvYqx6yDxCaOZanmRTXXX5jho5hsF+DbixksC+O1VMFXackvdkbM6vD8AGtz6KBSl9cqw1OrseW1YJu4Fb1kqBZEA=
X-Received: by 2002:a9d:721c:: with SMTP id u28mr14194004otj.359.1572278672620; Mon, 28 Oct 2019 09:04:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAFt6BakApq=FJWs+r-jwxvTdXYs9yOg9KS47no93kdnp2gZ_+Q@mail.gmail.com> <9BEBDE7A-522A-4A6B-8132-D9C3A8A4922C@oracle.com>
In-Reply-To: <9BEBDE7A-522A-4A6B-8132-D9C3A8A4922C@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Mon, 28 Oct 2019 12:04:21 -0400
Message-ID: <CADaq8jdbQpW3ZGr4R7cjo9-BHzKT1821dtqkCy_jC==3pdQmbw@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: spencer shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c500070595faa790"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/fXIkRnZJQwYqA-RS_SBATLmK5LA>
Subject: Re: [nfsv4] Comments on draft-ietf-nfsv4-integrity-measurement-07
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Oct 2019 16:04:40 -0000

> There are two options, in my opinion, to moving this document forward:
>
> 1)  Limit the description to the addition of the new, opaque attribute
and corresponding errors that can be returned as a result of the
interpretation of that attribute.
>
> 2)  Fully define the contents of the new attribute such that independent
implementations can be achieved. This would include, but is not limited to,
the open definition of the content of the new attribute and the procedures
associated with defining new content and interpretation thereof.

There is a third option which should be mentioned:

3) Provide enough information to enable interoperable server implementation
to be developed, while delaying work necessary to accomplish the ability to
develop other client implementations, i.e. to do 2)

While 2) would be preferrable to doing 3), that appears not to be possible,
in any realistic time frame, so the choice we have is between 3) and 1)
(or nothing).  If that is the choice, and I think it is, my choice would be
3).    I realize there may be objections to 3) as a general approach but I
feel that it makes sense to address those during the document's WGLC.
Given the naturre of the situation, it does not make sense to delay WGLC
until this issue addressed, since it is not the kind of issue where a delay
of any reasonable length could change the situation.

> > Note that I am also doubtful of the use case being presented. Using NFS
to directly store and supply application executables seems to be in rapid
decline or has already fallen out of use.  Given the rise of virtualization
and the hosting of virtual disks on NFS along with the rise of containers
and distribution thereof, application distribution seems to be a thing of
the past with respect to their store/retrieval from NFS mounts.

> Do you have evidence that this change is taking place? Sharing the same
> application executable on NFS seems pretty common in Oracle deployments.

Even if it were happening there would still be a need to transfer the
executables
acros machine boundaries, even if the uyltimate use were not using NFS to
access
directly.   I would prefer that if there are important  file system
interfaaces supported
by local file systems, we  provide that support remotely as well, unless
doing so
poses insuperable obstacles.   In this case it doesn't and so we should be
able to
proceed to WGLC as soon as Chuck feels the document is ready and have the
necessary discussion about 1), 2), and 3)  above.


On Mon, Oct 28, 2019 at 11:00 AM Chuck Lever <chuck.lever@oracle.com> wrote:

> Hi Spencer, thanks for taking time to review this document. Responses
> to individual comments are below.
>
>
> > On Oct 28, 2019, at 2:50 AM, spencer shepler <spencer.shepler@gmail.com>
> wrote:
> >
> >
> > Feedback and comments on the draft “Integrity Measurement for Network
> File System version 4” - draft-ietf-nfsv4-integrity-measurement-07.
> >
> >
> > Note that these comments are personal contribution and do not reflect my
> position as working group co-chair.
> >
> > In short, I am opposed to moving this draft to last call in its current
> state.  Generally, the draft describes the Linux implementation of a
> feature that is to be extended via NFS.  However, the description provided
> is insufficient for interoperable implementations to be achieved.
>
> Issues about interoperation have already been raised and addressed
> multiple times both on the mailing list and in presentations at IETF
> meetings. The metadata stored in this attribute is opaque to the NFS
> protocol and implementations, just like file data is opaque.
>
> The metadata is not created by the NFS implementation; it is created
> by a user space tool. It is not interpreted by the NFS implementation;
> it is interpreted by a separate privileged security module.
>
> NetApp, for instance, could create a fully interoperating implementation
> today, based solely on this document, simply by enabling clients to store
> and retrieve this attribute. There is no more to it than that.
>
> NFS, in this case, is used as a transport. It is an intermediary. There's
> no reason it needs to interpret the metadata. It's only job is to ensure
> that data and metadata is not maliciously or accidentally altered.
>
>
> > There are two options, in my opinion, to moving this document forward:
> >
> > 1)  Limit the description to the addition of the new, opaque attribute
> and corresponding errors that can be returned as a result of the
> interpretation of that attribute.
> >
> > 2)  Fully define the contents of the new attribute such that independent
> implementations can be achieved. This would include, but is not limited to,
> the open definition of the content of the new attribute and the procedures
> associated with defining new content and interpretation thereof.
> >
> > If option 1) were chosen, I would still be of the opinion that the draft
> should not move forward since it would present another barrier to open,
> interoperable implementations.
>
> "To move this document forward, pick option 1 or 2. But if you pick option
> 1, I will still object."
>
> That means there is really only one option in your opinion. I have
> repeatedly
> stated why option 2 is not practical or necessary. The nfsv4 working group
> and the IETF does not want to be the bearer of the IMA standard for Linux.
>
> Further, there is no need for it do so, because the metadata stored in this
> attribute is opaque to the NFS protocol and to NFS implementations.
>
> "Barrier to open implementations." The Linux implementation is open source.
> It would certainly be possible to port the Linux implementation, or with a
> little more work, provide a clean-room implementation. In an era in which
> open source dominates, "open" no longer means just that there is an open
> standard. Maybe "open" is not what you actually meant here.
>
> Seems to me that rejecting a protocol mechanism that enables the use of a
> data format with an open source implementation but no published standard is
> also a barrier to open implementations.
>
>
> > Note that I am also doubtful of the use case being presented. Using NFS
> to directly store and supply application executables seems to be in rapid
> decline or has already fallen out of use.  Given the rise of virtualization
> and the hosting of virtual disks on NFS along with the rise of containers
> and distribution thereof, application distribution seems to be a thing of
> the past with respect to their store/retrieval from NFS mounts.
>
> Do you have evidence that this change is taking place? Sharing the same
> application executable on NFS seems pretty common in Oracle deployments.
>
> Do you believe IMA is not also useful for the read-only virtual disk use
> case?
>
> One reason that virtual disks are used is /because/ NFS does not support
> things like xattrs, capabilities, and integrity metadata. Otherwise,
> maintaining guest root filesystems on NFS would be a popular solution.
>
> How about protection of other types of read-mostly data like configuration
> files?
>
>
> > If the effort was more focused on more traditional data integrity from
> source to consumption, that would be a more interesting use case.  With the
> rise of large scale data center usage of NFS (e.g. cloud computing) where
> customers expect data integrity or the identification of failure, the scale
> of cloud computing presents many opportunities for the loss of data
> integrity and NFS (and the client and server implementations thereof) do
> nothing to ensure data integrity.  The draft does mention spot fixes of
> data-at-rest methods, and in-transit methods, but there are many points
> that present areas of potential failure, and these are ignored in today’s
> implementations (at least to this commenter's knowledge).
>
> There is no claim made in the document that this mechanism closes all
> integrity exposures. Can you identify particular areas that need to be
> addressed by this mechanism but are not? Do you have specific alternative
> proposals?
>
>
> --
> Chuck Lever
>
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email