Re: [nfsv4] NFS over TLS for floating clients

Rick Macklem <rmacklem@uoguelph.ca> Fri, 06 March 2020 23:02 UTC

Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBA733A0CF5 for <nfsv4@ietfa.amsl.com>; Fri, 6 Mar 2020 15:02:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZrOv1HeHinu for <nfsv4@ietfa.amsl.com>; Fri, 6 Mar 2020 15:02:33 -0800 (PST)
Received: from CAN01-TO1-obe.outbound.protection.outlook.com (mail-eopbgr670062.outbound.protection.outlook.com [40.107.67.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B6073A0CF3 for <nfsv4@ietf.org>; Fri, 6 Mar 2020 15:02:33 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; =?utf-8?q?b=3DflXYrcuUcpwvJM9YpuzI+EQ+ORr2km3FfgkOzNCe2b/QAxBh6epBKRkdB6edN?= =?utf-8?q?HLbt8K/1oL6CBOQZDN/lfxuueq6PwffC9fHVRZPjff6ix8hWqr13reMIGF+PD3tzQ?= =?utf-8?q?ABdXhRrKfTgs+XoAm/boG07stgdCDo4Ln+pbzjEkDQ9kM/QzeCKS0HvNIfHBjieXv?= =?utf-8?q?4GdQPQ9V3Q9z3k3QAEsHeLcSGg1MwAbBOksQy4fmqp/bK96Om9RtHmK24P7pdV+Ca?= =?utf-8?q?w4hVwdEEV+63wwsNbR8t3yd8mJ4FUj/pFXtqbP4b7L2FrPtF9+ziDliA1zmUr8eZ9?= =?utf-8?q?apqK21z3OjFRlMvlj++0w=3D=3D?=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; =?utf-8?q?h=3DFrom=3ADate=3ASubject=3AMessage-ID=3ACont?= =?utf-8?q?ent-Type=3AMIME-Version=3AX-MS-Exchange-SenderADCheck=3B?= =?utf-8?q?bh=3DOmG7kz/1tENzR2xhODpH2JnjKLLi82dr3dOVTRiYa9k=3D=3B_b=3DA6yZcY?= =?utf-8?q?kc4g18EFauS3EkZkkC+k7ikGo97c4ahHD0/hUM3QCuc5dTHq3HnJOXhqS1OSp0syb?= =?utf-8?q?x+lFSYymXb0alUMg+nAdE/lCp3WLhkfn4oxTHR2Twy6WoGnlfAf69+dWVmwqPPLSR?= =?utf-8?q?wFaeAnmcSqTNNuMgOg3KfIRtr96Mw24/Da6F53uZ4DyXLBM8QKMB/ExDVIcsFgJv8?= =?utf-8?q?JU0pNt84DZ+mmOZbgOjzHXpBHizThCu3eCJ4SPheG92tCPQ05OvMm66Y3T00t4Fuk?= =?utf-8?q?xmgJhXXZ+aL9ICtusfZS2U05nJ5wFc8Qp2eLrbk1w2RWDt4lHI7h6QfnKBxXNZct1?= =?utf-8?q?8aSS9L8ojaw=3D=3D?=
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uoguelph.ca; dmarc=pass action=none header.from=uoguelph.ca; dkim=pass header.d=uoguelph.ca; arc=none
Received: from YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM (10.255.46.82) by YTBPR01MB3469.CANPRD01.PROD.OUTLOOK.COM (10.255.13.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.16; Fri, 6 Mar 2020 23:02:32 +0000
Received: from YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM ([fe80::a50d:6237:4074:f9c4]) by YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM ([fe80::a50d:6237:4074:f9c4%6]) with mapi id 15.20.2772.019; Fri, 6 Mar 2020 23:02:32 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Chuck Lever <chuck.lever@oracle.com>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] NFS over TLS for floating clients
Thread-Index: AQHV82BAxp9O6fa7qEu4EnWyACrtOKg7ymSAgABjgw8=
Date: Fri, 6 Mar 2020 23:02:32 +0000
Message-ID: =?utf-8?q?=3CYTBPR01MB337492D0040004268BF41E89DDE30=40YTBPR01MB3?= =?utf-8?q?374=2ECANPRD01=2EPROD=2EOUTLOOK=2ECOM=3E?=
References: =?utf-8?q?=3CYTBPR01MB337482A9420C1AEF05466D3FDDE30=40YTBPR01MB3?= =?utf-8?q?374=2ECANPRD01=2EPROD=2EOUTLOOK=2ECOM=3E=2C?= <9A4AABCC-D41D-4E91-BF79-54108F78BB41@oracle.com>
In-Reply-To: <9A4AABCC-D41D-4E91-BF79-54108F78BB41@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rmacklem@uoguelph.ca;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 38e940d7-78a3-48fd-0f9f-08d7c22273cc
x-ms-traffictypediagnostic: YTBPR01MB3469:
x-microsoft-antispam-prvs: =?utf-8?q?=3CYTBPR01MB3469F276072EF3F4ADC22E02DDE?= =?utf-8?q?30=40YTBPR01MB3469=2ECANPRD01=2EPROD=2EOUTLOOK=2ECOM=3E?=
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0334223192
x-forefront-antispam-report: SFV:NSPM; =?utf-8?q?SFS=3A=2810009020=29=283760?= =?utf-8?b?MDIpKDM0NjAwMikoMzk4NjA0MDAwMDIpKDEzNjAwMykoMzY2MDA0KSgzOTYwMDMp?= =?utf-8?b?KDE5OTAwNCkoMTg5MDAzKSg2NDc1NjAwOCkoNjY0NDYwMDgpKDY2OTQ2MDA3KSgz?= =?utf-8?b?MzY1NjAwMikoNzg2MDAzKSgzMTYwMDIpKDY2NDc2MDA3KSg2NjU1NjAwOCko?= =?utf-8?q?81156014=29=28478600001=29=2881166006=29=288676002=29=2886362001?= =?utf-8?b?KSg5MTk1NjAxNykoNzYxMTYwMDYpKDg5MzYwMDIpKDI2MDA1KSgyOTA2MDAyKSg1?= =?utf-8?q?2536014=29=285660300002=29=286916009=29=28186003=29=2855016002=29?= =?utf-8?q?=2871200400001=29=284744005=29=287696005=29=284326008=29=28650600?= =?utf-8?q?7=29=289686003=29=3B?= DIR:OUT; SFP:1101; SCL:1; SRVR:YTBPR01MB3469; H:YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: uoguelph.ca does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: =?utf-8?q?cD/l/I6hOHNkHmyaaMPS9ikJZQ/Pwg5?= =?utf-8?q?fa2u3p2w8Z6FurRyP6ftlaRyhYfjtInBDaWK+3byet8o8qz8Lwc1E14vTtLiVi5dS?= =?utf-8?q?lJh1NzWSNURG1HMOi9nl7bWX7CrHjX3VtaANVXTParDJVZnfgsqyhH/RFsoi9JT4Y?= =?utf-8?q?zlz8VpQfeuY1rcKkxZoKGExOkNoDCVn5KX4tCyR3u3jMyiar/LtgyWCJDkN1MUOT7?= =?utf-8?q?JX3e6eeSuPQnfFzags5ADU6LpF0BaNB8EN0Z7HvuqrAenwqzwSjbktZT9GuexG5fI?= =?utf-8?q?n+7HOdHAjjrjF5As4Jd9/v6Y6KxN4G3e9qvyr+I3RoqSNrazzR7VORr0JzQcTN4A5?= =?utf-8?q?j3z5G5FbGNOfWNe57dsgAZJ0kmXOPKc3NFaexklSwwkTXWY+PmhBfHVRSmaqgTsqi?= =?utf-8?q?c+CuF5X6ZmPbtLtlcgJwEE6iQuR?=
x-ms-exchange-antispam-messagedata: =?utf-8?q?lrL7TSHHoBw1LYE1CvqUTxkNSEv+jU?= =?utf-8?q?m4HV9lk6t3ReApvwAZKq7GoCjZ5GjEwhbS4rj+bwQMdAzAWdix+HBujLwZb5vBmB3?= =?utf-8?q?nzS0l+MjGFw1hu/GpVtWjJA5hCghHsbBOgMZGnJ97pUKAxzTZXkgSXA=3D=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-Network-Message-Id: 38e940d7-78a3-48fd-0f9f-08d7c22273cc
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2020 23:02:32.3054 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: =?utf-8?q?XdLd8ARAVilREH6tjkxHh?= =?utf-8?q?+kb1LciZvOrzGIeEp95JY10bvjQqSkFcEDcB4AmudTPIaTQFKb7NzMKEG1RXdVu8A?= =?utf-8?q?=3D=3D?=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YTBPR01MB3469
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/vRFKoie_GOEw55v4NKMVhXA2M-8>
Subject: Re: [nfsv4] NFS over TLS for floating clients
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2020 23:02:35 -0000

Chuck Lever wrote:
>Hi Rick-
>
>Just a couple of observations below.
[good stuff snipped]
>I wrote:
>>
>> Acquiring a certificate from a "well known trust anchor" might be a
>> significant effort that will discourage use of TLS. (Again, you can easily
>> create a self-signed certificate with a couple of openssl commands.)
>> --> Maybe this could be a recommendation instead of a MUST and
>>       the choice of accepting a self-signed certificate be left up to the
>>       client via configuration?
>
>In a Proposed Standard, IMO we want to keep very strong security
>recommendations. An implementer or administrator is of course free
>to ignore these requirements, at some risk to them.
Sure, I can live with this.

My only concern is, that if it sound difficult to do, the NFS admins. won't
bother, similar to not bothering to set up KDCs.

Thanks for the comments everyone, rick

> So, what do others think about this? rick

--
Chuck Lever