IETF Logo Mail Archive

Re: [nfsv4] Comments on minutes of wg meeting at IETF114

David Noveck <davenoveck@gmail.com> Wed, 14 September 2022 11:35 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 921C7C14F732 for <nfsv4@ietfa.amsl.com>; Wed, 14 Sep 2022 04:35:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i0cD3zriK2tw for <nfsv4@ietfa.amsl.com>; Wed, 14 Sep 2022 04:35:04 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3261C14F725 for <nfsv4@ietf.org>; Wed, 14 Sep 2022 04:35:04 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id z13so7803553edb.13 for <nfsv4@ietf.org>; Wed, 14 Sep 2022 04:35:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=+ViT3D4ACqH0tQf+Vjtoe7f3qGzVziulyurD/TjdDIA=; b=l/hOhYu/9zeydAU3bQYRObGBzX9hU5AIvJYE2iqrkfixjSFB5PYlQH/96CC/jJhZsx IS4Q44lKStB0YcV43XIBhPim/IqY5VddjRemQ9bvNbNqli3TYxEzoJ/4NrZpKWESr/6W +veqA+hZBXds9eDu5mZ+SmRhjSaDx2cEsTjd/NsfzFh9/SD1VsUZ+TTPYuMIAlJ3g2VC 45tNIyHuAVH60QtlV8IoYzZiKi0wH4P7ICTedfs7sg3tNjHWsPChwCGOadpQjjUfZexj 50EXJn3LRceuUywGWYGComly2kBNxG0L0WE7JsjTEOraXwUSMTEca24CuxA7I9hMJyls qAxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=+ViT3D4ACqH0tQf+Vjtoe7f3qGzVziulyurD/TjdDIA=; b=XrqkPmAMj5NxZXRPPDAIiedyG27wjDBNi/svwRCnRxRaB/EOONmAt7nuYZyzcfAE/V AWcAYAaR+bVj09bLwQYw+o6/YQ8D1c0yi9/VE7fuisgjKukfF2SFghCigstoWSLVsAFq LjgVfKaF2iFfMe0sqlkwDt+MYfCkS/YWLPBYqxHBM+YxCGxqQd1p7wkmYDWkJjXaMB6U nGS+bDeCVxjp7OZWEGn76D9Zm/YTAMXDXfKROoTv8vjQ2J9VMjrzF6WHzjfDbxPWFCik J4NVgVz5/IsiORlOg3afVQeqME22lgU0d1CdfeU4/FJOA5biObjks3z8j1LgMr87YaJE 1Ugg==
X-Gm-Message-State: ACgBeo0B9qhfw/krU0dKGfYA8u3sbEdxwvP5w9fPvOxHKtOFVrCYcKwt JTZeiyEyGt5hgE1TQC9oiTDZRYTC2scV/qWNwYCF4ApW
X-Google-Smtp-Source: AA6agR6bNjSZvc+X1EGTiDNJyeXQY6/z2+poQskx2s8goVlSGZ1pv03l08btkT8867qRru/j2nRBuxU6lay0a3CJdiA=
X-Received: by 2002:aa7:c1ce:0:b0:44d:d5b4:adf5 with SMTP id d14-20020aa7c1ce000000b0044dd5b4adf5mr31267828edp.182.1663155302943; Wed, 14 Sep 2022 04:35:02 -0700 (PDT)
MIME-Version: 1.0
References: <CADaq8jd4+FPhH0m5AuBgop_xJiYMjrRKva8mX0A-gioW_8b+5A@mail.gmail.com> <2CCC6B48-118F-48C3-A764-1380BAB72066@oracle.com> <CADaq8jeoyLbC_cFd8FwSzuSGFZAi9r3UsTGAxx5KykW+-99Jmg@mail.gmail.com> <606B4B27-0DC1-4215-987F-D97A37C4C278@oracle.com> <YQXPR01MB41506E793FF6F63EC6B1E185DD469@YQXPR01MB4150.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YQXPR01MB41506E793FF6F63EC6B1E185DD469@YQXPR01MB4150.CANPRD01.PROD.OUTLOOK.COM>
From: David Noveck <davenoveck@gmail.com>
Date: Wed, 14 Sep 2022 07:34:50 -0400
Message-ID: <CADaq8jfL+H5ZAOzgjh5S4PfrHsSkBxxj0mw8tmLqOWxmEpkHxw@mail.gmail.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: Chuck Lever III <chuck.lever@oracle.com>, NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000009cfbc05e8a185da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/jp_jiOp9ytCR2AAwM19pICmXk-g>
Subject: Re: [nfsv4] Comments on minutes of wg meeting at IETF114
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2022 11:35:08 -0000

Thanks for the clarification.

Have you been following the discussion of internationalized domain names?
Chuck has helpfully provided information, relayed from the Solaris team,
about how this is dealt by the Solaris client and server.  I am hoping to
get some testing results from the Linux client and server and the Ontap
server.

It would help, to round out the picture, to know how the freebsd client and
server deal with internationalized domain names that contain, for example,
umlauts.

On Tue, Sep 13, 2022, 10:10 PM Rick Macklem <rmacklem@uoguelph.ca> wrote:

> Chuck Lever III wrote:
> >David Noveck wrote:
> [stuff snipped to just comments related to FreeBSD/me]
>
> >>Let me give people some background.  Chuck objected to the treatment
> >>of SECINFO in some earlier security-0x draft.  He thought it was to
> >>complicated so we agreed that he would publish his approach, as he did
> >>in rpc- tls-pseudoflavors and I  would refer to that in the next security
> draft.
> >>
> >>Now it appears that Chuck has changed his mind and I'd appreciate
> >>knowing why<http://why.ch/>.
> >
> >Rick told me he is not going to implement it.
> This statement sounds somewhat misleading, although true.
> I do not see the FreeBSD client implementing pseudo-flavors
> because it does not use Secinfo/SecinfoNoName and I doubt
> it ever will.
> --> It just considers NFS4ERR_WRONGSEC to be a fatal error
>       that it maps to EACCES.
>
> The FreeBSD NFSv4 server could easily implement pseudo-flavors.
> I was just waiting to see if there was a consensus that it was
> the correct way to go.  I'll admit I do not see that consensus
> at this time.
>
> > Trond stated that the proposed mechanism is a hack, which I take to mean
> > he will not accept it in the Linux client.
> It would be nice to find out what he thinks is appropriate?
>
> [more stuff snipped]
> >Rick says he plans to implement a simple rejection of RPCs when a
> server’s >security policy does not permit AUTH_SYS without TLS, using
> existing RPC >or upper layer status code. The client can decide to retry
> with TLS (why was >it not defaulting to TLS in the first place?) or let
> such requests fail.
> The current FreeBSD NFSv4 server implementation includes two per
> file system export restrictions:
> - The client must use RPC-over-TLS.
> - The client must use RPC-over-TLS and provide a X.509 certificate
>   that verifies during TLS handshake.
>
> For both of the above cases, if the client does not satisfy the
> requirement,
> NFS4ERR_WRONGSEC is replied. This was anticipating that there would
> be pseudo-flavors for Secinfo/SecinfoNoname that the client (not the
> FreeBSD one) could use to determine why NFS4ERR_WRONGSEC was
> replied.
> --> This can easily be changed since the only RPC-over-TLS client
>       currently shipping (FreeBSD) does not depend on this error.
>
> >That seems like a sensible implementation to me.  However, it is not
> >complete and does not address the fundamental problem, that rpc-with-tls
> >makes SECINFO, as defined in RFCs 7530 and 8881 essentially useless.  It
> >was built when Auth flavors alone defined security capabilities and that
> is >no longer the case 😀.
> >
> >I’d like Rick to write a brief description of his idea.
> As above, I was anticipating implementation of pseudo-flavors in the
> FreeBSD server and see no problem with them.
>
> It just so happens, the FreeBSD client does not find Secinfo useful,
> but that is just one case (which could change some day).  It is
> mostly an implementation issue, where there is no way to easily
> keep track of "per server file system" semantics in the NFSv4 client.
> (They are either "per file" or "per mount".)
>
> >I think I  am getting the implementation idea.  We have to reach a
> >consensus on the future of SECINFO.  I hope nobody objects to augmenting
> >it with pseudoflavors because I object strongly to leaving it almost
> useless >and explaining that in rfc5661bis.
> >
> >Rick and Trond have already rejected the use of pseudoflavors.
> W.r.t. Rick, not exactly, as above.
>
> >Please explain what you mean by "leaving SECINFO useless". If a SECINFO
> >response lists AUTH_SYS and the server rejects a subsequent unprotected
> >AUTH_SYS request with AUTH_TOO_WEAK, the client can retry with >AUTH_SYS
> on a protected transport. If it doesn't have RPC-with-TLS >available, the
> unprotected request fails.
> At this time the FreeBSD server replies NFS4ERR_WRONGSEC for NFSv4
> and AUTH_TOO_WEAK for NFSv3 but, as noted above, that can easily
> be changed.
>
> rick
> [more stuff snipped]
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email