IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

Tom Talpey <ttalpey@microsoft.com> Fri, 29 March 2019 15:47 UTC

Return-Path: <ttalpey@microsoft.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1219512003E for <nfsv4@ietfa.amsl.com>; Fri, 29 Mar 2019 08:47:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xcdBTuIzaGiI for <nfsv4@ietfa.amsl.com>; Fri, 29 Mar 2019 08:47:17 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-eopbgr810121.outbound.protection.outlook.com [40.107.81.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D31CC120220 for <nfsv4@ietf.org>; Fri, 29 Mar 2019 08:47:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=testarcselector01; d=microsoft.com; cv=none; b=OPo1A5t0x76XkmSqtrmmpDsexhtMZkNt1NkA3aiPPprgTcv+bouue1qRi/A+n6i1bpUcM7Tlheshrs3mrsGEPD/KRid/XIdGXTbno91zHlLUlGnOlDh2dLVAWtCME6ZHFBYJ2UAK2ojjuSmnL/l3RdEwrOUs5gyF6qGXy0do7KI=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=testarcselector01; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1bI3V2hrlqANELRM13mhSlZKiGejm/Dj/TQHS0UhnZE=; b=op9Sd5U545jzStn4kxLWh/D5OSIdo/98rfzX2om79cVAMwLeIwdMh6VyMvDWuvb07etLvmt0fHqzsnZHQSOMqPqZ1/Ks//47YqRF8YGNck1fXA5Ieh/xRxJHJSiuOk4yyuZvLTDHUv0wQWo620DLdTrFEyU+Agvc8t5YCrWzP/c=
ARC-Authentication-Results: i=1; test.office365.com 1; dmarc=none action=none header.from=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1bI3V2hrlqANELRM13mhSlZKiGejm/Dj/TQHS0UhnZE=; b=JurMTZcRADZ8vcF7m8gChtoXNVcuftx6nd7wh4w5AWY+nZyIm4z8eOdwyBiZt2X6Q87rNLEwexHY/xGz11o8l/Ff3BdFKUA9TIlkXy37ofqz/8B6JOdwYsSa2H0kNZ3SuCk9YkrLDRBLVzqqU0OyceYugioGxjpuAzIXpT1OEW4=
Received: from SN4PR2101MB0736.namprd21.prod.outlook.com (10.167.151.155) by SN4PR2101MB0733.namprd21.prod.outlook.com (10.167.150.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.3; Fri, 29 Mar 2019 15:47:15 +0000
Received: from SN4PR2101MB0736.namprd21.prod.outlook.com ([fe80::804d:6cd0:c000:791c]) by SN4PR2101MB0736.namprd21.prod.outlook.com ([fe80::804d:6cd0:c000:791c%3]) with mapi id 15.20.1771.003; Fri, 29 Mar 2019 15:47:15 +0000
From: Tom Talpey <ttalpey@microsoft.com>
To: Chuck Lever <chuck.lever@oracle.com>
CC: Lars Eggert <lars@eggert.org>, NFSv4 <nfsv4@ietf.org>
Thread-Topic: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
Thread-Index: AQHU4+Vn/M2YRfR8/UyeHEaGBO4iYKYeF5yAgAAD8ICAAAB/gIAAFWuAgAABC8CAA0J/gIAAUK5QgADm6gCAABbsAA==
Date: Fri, 29 Mar 2019 15:47:14 +0000
Message-ID: <SN4PR2101MB073626121664068AB6290125A05A0@SN4PR2101MB0736.namprd21.prod.outlook.com>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com> <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de> <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com> <2020506870.740381.1553612716598.JavaMail.zimbra@desy.de> <CAN-5tyGggDUe2DNSjRc6vAyXgGo4LVwYVK5zmTOyr0soPFVKrQ@mail.gmail.com> <3705AA25-10DF-43BF-BE1D-B0BE27F705DE@eggert.org> <0E00BED9-74D4-4594-A7AC-FCD624461DD7@eggert.org> <880CC259-A82A-401F-A81D-5FCD6A9758B3@oracle.com> <SN4PR2101MB0736EF7A385F5D95107D4118A05F0@SN4PR2101MB0736.namprd21.prod.outlook.com> <3A634328-B190-473B-A6D7-C5878CC2654B@oracle.com> <SN4PR2101MB073663820F28F2AAA8766E38A05A0@SN4PR2101MB0736.namprd21.prod.outlook.com> <D43B092E-03D1-470F-AF57-1E9416E8518E@oracle.com>
In-Reply-To: <D43B092E-03D1-470F-AF57-1E9416E8518E@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=ttalpey@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-03-29T15:47:12.8476492Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=98c77dc9-9b85-4bb7-95c2-062826cfa528; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic
x-originating-ip: [2601:18f:981:12f8::1003]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: dd5c15b4-46ca-45a3-1040-08d6b45dd103
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600138)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:SN4PR2101MB0733;
x-ms-traffictypediagnostic: SN4PR2101MB0733:
x-microsoft-antispam-prvs: <SN4PR2101MB07330244BDAC7F6E8F79E922A05A0@SN4PR2101MB0733.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0991CAB7B3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(376002)(346002)(366004)(136003)(39860400002)(52314003)(199004)(13464003)(189003)(71200400001)(14444005)(186003)(54906003)(81156014)(6436002)(4326008)(53936002)(6506007)(478600001)(316002)(52536014)(229853002)(10090500001)(53546011)(6916009)(102836004)(2906002)(46003)(6346003)(8936002)(105586002)(7696005)(68736007)(22452003)(8990500004)(6246003)(256004)(8676002)(97736004)(25786009)(74316002)(33656002)(11346002)(93886005)(486006)(4001150100001)(15650500001)(76176011)(305945005)(10290500003)(476003)(99286004)(81166006)(86362001)(55016002)(86612001)(14454004)(106356001)(446003)(6116002)(7736002)(9686003)(71190400001)(5660300002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN4PR2101MB0733; H:SN4PR2101MB0736.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ttalpey@microsoft.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Zr+Tom2m0ySIt4QdHEs6sPRTDTSosbZRSpq3RDouxv5aOyZvYbAbjKb2E9N5TUWyC50miFx8KtK9+7GPB8E1nR0cU/LcfiQQEDNdoFMKEwdYRtbx/8lWpA4Jhxxy7sQQSX850PmE0Vwclc3Oj7zmqVHIyGIEgPcSkvxRnRnwsxG3tR/xNR2eMZYsCNe+hy0ZOrvKTrAmOeyegMEBLbGXXj9B1S46fxs1LmcvJV7Vp6TdNc7a9USfrs9vyDggmxuNJsIAjFPEwJmLGiuuW49x/sJdAM+ZmGDJ2R18ksEbhcsF/A2aCuEa9r8SPOokOyx/E/dhRip/CUCRb5AA13J21xbNqy52xHPRi5vlXuXZCx6d834f2dMGBWeyKQ7p/wsxIUOTm6Nm4cYusXw0S7CSiihYAQTmVN3wXCHAPkMpSpY=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: dd5c15b4-46ca-45a3-1040-08d6b45dd103
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2019 15:47:14.9129 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN4PR2101MB0733
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/MhfMkykhFuRt-0goA4-jENQAG_I>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 15:47:20 -0000

> -----Original Message-----
> From: Chuck Lever <chuck.lever@oracle.com>
> Sent: Friday, March 29, 2019 10:18 AM
> To: Tom Talpey <ttalpey@microsoft.com>
> Cc: Lars Eggert <lars@eggert.org>; NFSv4 <nfsv4@ietf.org>
> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
> 
> 
> 
> > On Mar 28, 2019, at 8:35 PM, Tom Talpey <ttalpey@microsoft.com> wrote:
> >
> >> -----Original Message-----
> >> From: Chuck Lever <chuck.lever@oracle.com>
> >> Sent: Thursday, March 28, 2019 3:43 PM
> >> To: Tom Talpey <ttalpey@microsoft.com>
> >> Cc: Lars Eggert <lars@eggert.org>; NFSv4 <nfsv4@ietf.org>
> >> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-
> 01.txt
> >>
> >>
> >>> On Mar 26, 2019, at 1:58 PM, Tom Talpey <ttalpey@microsoft.com>
> wrote:
> >>>
> >>>> -----Original Message-----
> >>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
> >>>> Sent: Tuesday, March 26, 2019 1:52 PM
> >>>> To: Lars Eggert <lars@eggert.org>
> >>>> Cc: NFSv4 <nfsv4@ietf.org>
> >>>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-
> >> 01.txt
> >>>>
> >>>>
> >>>>
> >>>>> On Mar 26, 2019, at 12:35 PM, Lars Eggert <lars@eggert.org> wrote:
> >>>>>
> >>>>> On 2019-3-26, at 17:33, Lars Eggert <lars@eggert.org> wrote:
> >>>>>> Also note that STARTTLS is somewhat less secure than running TLS
> >> directly.
> >>>> See for example Section 6 of RFC3207:
> >>>>>>
> >>>>>>  A man-in-the-middle attack can be launched by deleting the "250
> >>>>>>  STARTTLS" response from the server.  This would cause the client not
> >>>>>>  to try to start a TLS session.  Another man-in-the-middle attack is
> >>>>>>  to allow the server to announce its STARTTLS capability, but to alter
> >>>>>>  the client's request to start TLS and the server's response.
> >>>>>>
> >>>>>>  ...
> >>>>>
> >>>>> And RFC8314 recommends (for mail) that "implicit TLS" should be used
> >>>> instead of STARTTLS.
> >>>>
> >>>> Perhaps that is what we should require for RPC on TLS;
> >>>> that is, "STARTTLS MUST NOT be used"?
> >>>
> >>> It's a fine requirement, but there may need to be a justification for the
> MUST.
> >>>
> >>> It's important to note that such a requirement means you'll need to
> allocate
> >>> a new port number for such connections. This would apply to any upper
> >>> layer using the new RPC flavor, which in turn might impact the
> portmapper.
> >>> Note, it may also have implications on the proposed negotiation. If TLS is
> >>> a "done deal", negotiating the auth flavor may be moot.
> >>
> >> We could create a new netid for this purpose.
> >>
> >> Advertise an RPC program with this new netid, and no STARTTLS would
> >> be needed. The client simply connects and begins TLS negotiation.
> >
> > But, the current draft proposes using a new AUTH_TLS exchange, which
> > if successful allows the client to perform a STARTTLS. If you define a netid
> > and/or port number, the client would simply start in TLS, prior to even
> > sending its first RPC.
> >
> > Would that not simply make the whole draft unnecessary?
> 
> No. The current revision places a number of restrictions on how TLS
> is used, and that is needed in any case. But, the draft could define
> new netids and reserve a new port number for making portmapper requests
> using TLS.
> 
> Anyway, this is a strawman. I wanted to bring it up to ensure we are
> happy with using STARTTLS.

Ok. I definitely feel that STARTTLS, or some form of dynamic TLS enablement,
is important here. For one thing, not all transports support TLS, for example RDMA.
By the same token, servers may not support TLS-only services on new ports, or
new portmappers, and allocating new ports for existing RPC services is just
as problematic.

I do agree that MITM protection is critical if STARTTLS is to be used. Perhaps
the RPC AUTH exchange could address this protection, by extending the
AUTH_TLS exchange. This may require messages to be sent both before and
after establishing TLS. The SMB3 protocol, for example, uses something it
calls VALIDATE_NEGOTIATE for a similar purpose.

I look forward to the next draft.

Tom.

v2.23.0 | Report a Bug | By Email