Re: [nfsv4] draft-quigley-nfsv4-labeled-00 - some comments

[Jarrett Lu <jarrett.lu@oracle.com>]

On 04/ 7/11 10:07 AM, Nico Williams wrote:
> On Thu, Apr 7, 2011 at 11:48 AM, Jarrett Lu<jarrett.lu@oracle.com>  wrote:
>> On 04/ 7/11 07:43 AM, Nico Williams wrote:
>>> Surely you agree with me that the server needs to know the subject's
>>> label and that we want something better than a single label
>>> per-principal, no?
>> Yes, RPCSEC_GSSv3 will be great. It offers so many goodies. Other
>> than fine grained subject label, it can also be used to convey privileges
>> and privilege set, which could be very useful information among like
>> systems.
>>
>> RPCSEC_GSSv3 is considered a related but separate piece from NFS
>> MAC label extensions. So it's great to have but not required, i.e. we
>> should be able to do labeled NFS without RPCSEC_GSSv3. Again, I'd
>> love to have both.
> "Is considered"?  By whom?  I consider it a requirement for some of
> the cases where both, the client and the server are MAC-aware
> (specifically: whenever you need support for label sets or ranges,
> which is generally the case in MLS deployments for example).  (But
> clearly not a requirement for the cases where either or both of the
> client and server are MAC-unaware.)

I got the impression from the WG meeting session that RPCSEC_GSSv3
is related but separate from labeled NFS. Can others chime in on this?
I also think about this "requirement" in terms of dependency, e.g. does
NFS MAC label extension depends on RPCSEC_GSSv3? Is the extension
useless with RPCSEC_GSSv3? My opinion is labeled NFS works best with
RPCSEC_GSSv3. It can also work, in a less secure or less expressive way,
absent of RPCSEC_GSSv3. For example, a MAC server may need to do
some mapping to get client's subject label.

- Jarrett

> Nico
> --