IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt

Chuck Lever III <chuck.lever@oracle.com> Mon, 06 December 2021 23:52 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2F283A0B72 for <nfsv4@ietfa.amsl.com>; Mon, 6 Dec 2021 15:52:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com header.b=CJXykAw8; dkim=pass (1024-bit key) header.d=oracle.onmicrosoft.com header.b=CIXML19M
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GPqaCu71fwu7 for <nfsv4@ietfa.amsl.com>; Mon, 6 Dec 2021 15:52:53 -0800 (PST)
Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C09DD3A0B6F for <nfsv4@ietf.org>; Mon, 6 Dec 2021 15:52:49 -0800 (PST)
Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1B6M56Vn019273; Mon, 6 Dec 2021 23:52:48 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=corp-2021-07-09; bh=qoe3KtyCzbrFLQkfF6PzYu2Hfp5dZ3s50DN3lC5Sadg=; b=CJXykAw8xEIu9pV2+2u1f0dpF+dP25kwOgYotNJL2/KwnyzgQaNFHvZnMeWkAClErjxF p2wxfpxV0RvdN6+MfFJK9qMQ/40bsx6e+mB+XgO+RRt0FqF9RDU8/PRx0AaB7+txKyC4 nzEyIWPLKw5WYjinbmNrBfNjx6ShgbT8GQdmdNUDVHqbD8qvLR4ba3IBgCKBALAEjca/ rPXgiNqss4ci6peRFoNfV4fkE9WjMD7uW4GZt3cx4Wyjrnnv0hPSs6FKfgEpx5kqH3ZC /k8wBy4f0tIY+p95nsQRNlrY7K7Ag+PtZMj9vB6NIJd6aWSfzZqEdo+GRVWUPTrX0VH7 5g==
Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by mx0b-00069f02.pphosted.com with ESMTP id 3csbbqm6t5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 06 Dec 2021 23:52:48 +0000
Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.1.2/8.16.1.2) with SMTP id 1B6NjCCS059391; Mon, 6 Dec 2021 23:52:47 GMT
Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2100.outbound.protection.outlook.com [104.47.55.100]) by aserp3030.oracle.com with ESMTP id 3csc4sgsq3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 06 Dec 2021 23:52:47 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=A+m67x29PIrlfcrs0T3z2YJUrMlQ5Ql5UIv8EbXCHK6BEAHcOTtkiUCq6kj3dZ8sHDTktxVHDyu4aHLRb11D8ywgkf1IOoFMcZRYecPHb3ZA2m6hTtnfUUeAxmyuA35T6bLK3Sf41OQEnDE5m2/hrCLfuDUWkEFCcAFW9ipUuxgJWLIz+Igv7lLyAGBkKOJ8+mFk9m6xeswUxv9fiRm1w6sjwBi4sCOVUKFYaekeLt2sLnpN+XPAr+oK+XcJlqO7zzjNFrDrXH9ZBegeOt9IKUJlFbCAl3RCZWlW5jN5OLOSwGvNl8mG6yIDxRgSFFQEGblToM+yBToUC2Mx9uDO+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qoe3KtyCzbrFLQkfF6PzYu2Hfp5dZ3s50DN3lC5Sadg=; b=JnpO3y9M6rOUyd8l4qttgSyHWIaweHb+oW7oCY3kYWRTMKNqAaB1echpIxWw66Rqu7W1N/oInx++CGdELPUadmIytO85hqoicmjMQmjtyhxG1Ss8zZmjO8dkDgA0wJiCxpGRzu9ZJG3m1CHoaTdgcGR7ll34xgqCwKYLuBUGkktpG9qV8fVdB1He6dVswuMn15pzLxsWOyG2qP4xiHqoE4u2p4rW/kCBrg1RGw0dOpPC/91Xi+GeqrhJR5IdWojBlSJQCLuLonz0ZpmdDBvo5yezsm+5/v8vtjRtz6eRFbGiAjvmyHai/KQWJpm0zFENj08ScvQ0QOPIs1JV9lljfQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qoe3KtyCzbrFLQkfF6PzYu2Hfp5dZ3s50DN3lC5Sadg=; b=CIXML19MZA09FXGcXD48J94eraXaVvLZLpEi0SbK+E4+Qcps4FX7zCjyKaeIL5/uFKVoQkGpZZaDW4xR0IfcVQwxRkmUT8EYgTeLYgL2VPrbAghzz4YixmkF+kpHgqvbhxPDmO9hVjNjGxKX6kW5iMiZr+S1O1ATvZGmU6iL28o=
Received: from CH0PR10MB4858.namprd10.prod.outlook.com (2603:10b6:610:cb::17) by CH2PR10MB4294.namprd10.prod.outlook.com (2603:10b6:610:a7::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.11; Mon, 6 Dec 2021 23:52:44 +0000
Received: from CH0PR10MB4858.namprd10.prod.outlook.com ([fe80::a4f2:aef4:d02b:9bde]) by CH0PR10MB4858.namprd10.prod.outlook.com ([fe80::a4f2:aef4:d02b:9bde%9]) with mapi id 15.20.4755.021; Mon, 6 Dec 2021 23:52:44 +0000
From: Chuck Lever III <chuck.lever@oracle.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt
Thread-Index: AQHX6hAa5Iy4UaEkKUeUmSSqi5G97awktqlCgADjywCAAG4ZaoAAHAuA
Date: Mon, 06 Dec 2021 23:52:44 +0000
Message-ID: <C1CB89D1-1D5B-4CC8-ACC9-27AFAE73F538@oracle.com>
References: <163873328734.5490.15468230922208392053@ietfa.amsl.com> <856F08E9-CDFD-43B5-B8B1-278BE0DA7339@oracle.com> <YQXPR0101MB0968E2DC868A17423FF8D8B7DD6D9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <56914C1D-97BC-4225-AFD3-01F2CE096C8A@oracle.com> <YQXPR0101MB096887BF90B0107899DBDBC8DD6D9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YQXPR0101MB096887BF90B0107899DBDBC8DD6D9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.120.0.1.13)
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1ef4b000-b306-4883-06e1-08d9b9137f8a
x-ms-traffictypediagnostic: CH2PR10MB4294:EE_
x-microsoft-antispam-prvs: <CH2PR10MB4294B189F6BAF1E26CA19275936D9@CH2PR10MB4294.namprd10.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BIB/oqwRO5ESmGc7VWLRCr6Ri1HbsZWeCXIzS1n4pOCHeLIkoBM0IoqVJ+fQZZGfyyjlXhwdpRQhvS6wkZZb+iFGueucQIrs5oqST15zy+F8evASFCvEEhS6DEh5+6Mhyuo1y4ttt5ZQoe4WOWiTmarh3Bjh9Bimd+LCszPLWlkMNbqTukUhN6H/6aUWbEY4NIPcToZK4tu5iHrnges2rYyfAAoBsOZmebL7ijGcx8Y9IgTEErrvewsl3jc5GGgADrUvRqzFhVTMn0m6GPItE2v2munPdHrEAlmZd7zYx5PPkXCTsTc3V0+KBRCjAKpZu0VvtCK3YN73AM1eNyZXGNTLWMr+izZDYUIV6u9uk8/xhSrPoF+eA8EyklMSSHH8dKsfdFBiguiK8XzdEh+oVVW1wKTu4RCwmTKP6pbaB8IuHVV4ww1p5dpbo40LrUenMC1lSq/2RIunonpqzq5yn+c6AVjRBTRVwONRSNaAzQdWWLYZKyzmIgDTJjWnaWSGdqkDn6eJxkOWymU0I0Ms84LUh+PjVUHQwUIBFTpNE4TAbTiHTRAInyy+IdIa2Euu3Lj9dNlY18zdTVze99L0fmmHXWBh/HIjZbuNqb8Lc1xaub8C99K2bY4/yGTOa/jgUTWVJ6ZIzDFO6p9rRDfbdaTKvttN+Ehhs9YcnkkU3WRoK/APiG/U/xxgcaUQVB+w0nivEviJ1GjDp2eCjj4bDMlOLolxZsbUldx/pyNVcRe6MN3lrVjyLfsRjYnVzCZt+mxwcQB+UeEY0SeFmxfN2NCMibYgLN1YuaMQo3GZOwEwCxUlwAaeqbSY1XSkz74C9wsW33oWMJU/AdX/l/XxtUjw5PG9SB7RCjqoAdubwoE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR10MB4858.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(26005)(508600001)(86362001)(5660300002)(122000001)(6512007)(38100700002)(2906002)(296002)(15650500001)(6486002)(316002)(4326008)(8676002)(71200400001)(83380400001)(8936002)(66574015)(966005)(36756003)(30864003)(186003)(66446008)(33656002)(2616005)(38070700005)(6506007)(53546011)(66946007)(76116006)(64756008)(6916009)(66476007)(66556008)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: eg0ajmdtdTQvKNcN/kXvOrdemEied0A0ShGsOcj6BBow8KVJdW6kis2wPrjaPBk6nUqI3+1yJ1qFMS/aH5H6gqgFBzz7e5+CUm579ughFQEIxNnGXM90OqJ2N2XOxjuJRaRLdOlhQAnRjUOxTi+M3r83UpqyA8peKlEMQbkp3/GNeRX5c0rG0PW2ZEiSoJ1e1vNafgJtE+RIfsRuJXoPdYE6fI/4y/vuHQ+bnxcX/ElLzJGYg5iphiVhx246vUloPVYvaKWzvqC0XR7kyD7dk6aKptILCocTo39SkjJWHp5RzNjHrUlBadE5RhfpQt+UFicAbYIwMvdvxnmDA0QpkYybM/za4rgGKqP41EXnnd2yLGcWyFPMf+a9bh4yVeCG3osvNeZSWnt8LwK92wMPutagaS0ZyFyQT/xq46+GYvN4aM58aLi/P8gMX6l95inMRFRM9s7AiMaZX0fagFoPMu+l6AOyFcR8DDRvQfovVr1K0yhIEDb1vHpQdk5dorDQThWG/T918VZRgTbOHi1OB5bfQlp0scpIXV8aLFcxpdOTtvzicDAgSj6lQj/bmNFWP5lHkiMCqWTSqthvzBkM/+CUPcUEcTwOCCVfEMwmXZ01Bfku2cUTLYo28qa3oej9gi/JhH9NFUnaIUle6ztX74UcqisPYtNQ7d6d4AwhS6uqOFouxgQm5Z2JpJurU0e88ZKYwA9lxSInXAikU8KVyggUxrFZu5O8MYmrdBZIEmAMIwZ1ZNFo/Zw8k0i/BZMDPTP06Hv3XzB5cWWs7FuWIxLlvUygL1x/kUui6aKCV5ssNGVkefWFBXYD5m2foNtnVJTAWT6kXMXBRjvAjlFGlgsfD/uT3ZreBvPifz3qQHWkK6ZaIgIkH8aYiKpzyuJs8rSXTSyzBaE0Trcb0keevnLWlafRsVgOx/Wd21bqqN3pugwarxq/he30/G+XcEtIFe536AcCwFCvtwy7xehREqon73/4JCcV3MmDL5LEY2YQPxN01qCiDr1HgujaNtL/XPZ9RvEyhlckFQBfXOIXf0F6tXXTGdidjjjzGo7QJePmRYfnLDGPYtwDnwRi3URZcFSkW8h5RQ51gTjjMJMSBmm9UCf1KJvBR9VeamNGMcNcjyg915dNdshSUdwfTfmHkp2iM8VOcJh1Z15nKlWkqg1qjrjnnkDge+HYPTMMy9jofHfKT+kcCbb/qOGWK4qOdpj3MXMmxu/onXEk2QMxVC6nWLqLnPKi8sYM7nnX8gPjbJbv5aySzxRkFpbK3LagBL9cTG4KgXMifNdNYD7BlMiuqR98XlGKtRO70QenBIB/JcWLO9C2dT2A/ydjnVoCLf8C94x5J9s+aHsciZzQPJtZLIZ2IFw6PcV/QQcUffz8gzCUY7ujJHr/kVS+ttewZMZ6wT7WKYvmtiyrg0r8Scsztc16+ytSvKlg40o/sxMi6TWPZl1dYBOMeUZ33dUt68SwSs6KPN1KzySG2CBnaagvbUzGmmhH5dGsh/wZgWgU7dC5Jj65IRMztgNo94Htz3rRHYFpOXArhKqLGMDF5x8iJkd+o0mhJskFsRiAbafeEArobnYwyDrDRywPqijnrFi7XCgV3prhmrJk0w15RYpr2AL7Deyo39IqR6R07w8=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <415EB94A390C9E4196C85548D7FA851F@namprd10.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR10MB4858.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1ef4b000-b306-4883-06e1-08d9b9137f8a
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Dec 2021 23:52:44.4019 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: lfFCJdEaJWMQNzq8fqzqLcFgwU6butRbhKKDIiktPHr+jaN/EnTXuNuJo8nVaGcTzv+5XBf0Gl32cwvF59J25Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR10MB4294
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10190 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 mlxlogscore=999 phishscore=0 bulkscore=0 malwarescore=0 spamscore=0 suspectscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2112060143
X-Proofpoint-GUID: 4IBE27qJ65MOcSNQwRYSikx2EdOVeI8O
X-Proofpoint-ORIG-GUID: 4IBE27qJ65MOcSNQwRYSikx2EdOVeI8O
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/jqKSdCaVXkzORA1sU-WWMUlOXis>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Dec 2021 23:52:58 -0000

Hi Rick-

> On Dec 6, 2021, at 5:34 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> 
> Chuck Lever III wrote:
>> 
>> Hi Rick, thanks for taking a look.
>> 
>>> On Dec 5, 2021, at 9:06 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
>>> 
>>> In section 3.2:
>>> If an RPC client sends an RPC Call using one of these pseudo-flavors
>>>  and the underlying transport does not provide the required additional
>>>  security services as indicated above, the RPC server MUST reject the
>>>  RPC Call and respond with a reply_stat of MSG_DENIED, a reject_stat
>>>  of AUTH_ERR, and an auth_stat of AUTH_TOOWEAK.
>>> 
>>> For NFSv4, wouldn't NFS4ERR_WRONGSEC be a more natural fit than
>>> AUTH_ERR with auth_stat AUTH_TOOWEAK?
>>> --> I understand you wanted to cover NFSv3 as well, but since NFSv4
>>>     clients will need to do a SecInfo/SecInfo_Noname, then it seems weird
>>>     that it will be triggered by a RPC level error and not NFS4ERR_WRONGSEC.
>>> 
>>> Is it possible to allow either AUTH_ERR/AUTH_TOOWEAK or NFS4ERR_WRONGSEC
>>> as a server reply?
>> 
>> In addition to Dave's observation that this is an RPC layer document,
>> not all NFSv4 operations permit an NFS4ERR_WRONGSEC result. Plus, there
>> is a "MUST" here: we can't say "MUST" and then say the server is allowed
>> to send either this or that in response.
> Ok, I can accept this, but see below...
>> IMO there is a reasonable distinction between these two server responses.
>> 
>> * WRONGSEC reports an NFS security policy violation -- for instance,
>>  the user credential doesn't have authorization to access to a file
>>  handle.
> At least at this time, the decision w.r.t. whether or not encryption or
> whether or not the client provided a X.509 certificate that verifies is
> a NFS security policy decision in the FreeBSD server.
> It is done on a per server file system basis using exports (any requirement
> for Kerberized access is controlled there, too).
> 
> I can see NFS servers having "public" file systems where security is not an
> issue and other file systems where security does matter.
> 
>> * AUTH_TOOWEAK reports a mismatch between the caller's RPC auth flavor
>>  and the transport layer security capabilities -- for instance, the
>>  flavor is AUTH_SYS_ENC but it's being sent on a connection without TLS.
> It is the RPC protocol (NFS in our case) that will decide what RPC auth flavors
> are acceptable. But they may choose to do so based on file handle and not just
> globally for all file handles and all clients.

AUTH_TOOWEAK is not an NFS-level protocol error, and is
not there to indicate that the NFS server policy does
not support a particular RPC auth flavor.

You have to send an AUTH_SYS_XYZZY-flavored request on a
properly-protected channel. This is not an authorization or
policy decision, it's how the protocol maintains security.

Let me try an example.

Sending AUTH_SYS_ENC to a server on an unencrypted connection
is just wrong. The upper layer server (NFS) should not even
see that request because the client sent a message that is
insecure and cannot be trusted.

The point of AUTH_TOOWEAK is to forbid clients from sending
AUTH_SYS_XYZZY requests on unprotected connections. If that
happens, the server is supposed to bat that request down
immediately. The transport layer security has to match the
pseudo-flavor. Nothing more than that is going on.


>> In the case of crossing a filesystem boundary, as long as AUTH_SYS_ENC
>> is used and the transport connection is protected, the RPC is accepted.
>> It is then up to the NFSv4 server to authorize that a particular
>> AUTH_SYS_ENC-flavored caller is permitted to access that filesystem.
> Not on the FreeBSD server, at least as implemented now.
> 
> I do not have a problem with always using AUTH_ERR/AUTH_TOOWEAK
> to indicate problems with "machine credentials" (or whatever terminology
> fits?) vs NFS4ERR_WRONGSEC for problems with "user credentials".
> However I do have a problem with the assumption that "machine credential"
> requirements are invariant across the RPC protocol.

I'm not talking about machine credentials v. user credentials.

AUTH_SYS_XYZZY carries a traditional AUTH_SYS user and group
credential. It does not make any requirement of the peer
credential that was used to establish the protected channel.

If the FreeBSD server squashes that AUTH_SYS user and group
into something else based on the peer credential, that's
totally independent of whether the client has sent the RPC
Call properly. I don't see how my proposal interferes with
that security policy in any way.

Or, if the FreeBSD server happens to restrict the set of
RPC auth flavors a client may use when sending a SECINFO,
there is a different mechanism for indicating an authorization
failure there. AUTH_TOOWEAK would be returned only if the
client tried to send AUTH_YADA_XYZZY on a channel that did
not match that flavor's transport layer security requirements.


>> In other words, it's perfectly fine for a server to return only
>> AUTH_SYS_ENC in a SECINFO response, and then the client to try to
>> access that filesystem with AUTH_SYS. The server should respond
>> NFS4ERR_WRONGSEC in that case.
> I think the SECINFO reply should indicate whether or not "peer
> authentication" is required, for this client to access this file system.

I think my proposal does exactly that.

Say SECINFO returns "AUTH_SYS AUTH_SYS_ENC AUTH_SYS_MPA_ENC".

That means the client can send requests using AUTH_SYS on any
connection, or using AUTH_SYS_ENC on a connection that uses at
least encryption, or using AUTH_SYS_MPA_ENC on a connection that
has done peer authentication and is using encryption.

But using AUTH_SYS_MPA (as long as the client constructs the RPC
request properly and sends it on a properly protected connection)
will get NFS4ERR_WRONGSEC.

That's a contrived example, but the server clearly indicates
which RPC auth flavors can be used to access that filesystem.


If SECINFO returns a list containing only "AUTH_SYS_MPA_ENC",
then the client must use only AUTH_SYS_MPA_ENC RPC credentials
on a connection that has done peer authentication and is using
encryption. Everything else (as long as it is constructed
correctly and sent on a properly protected connection) will get
NFS4ERR_WRONGSEC.

In this case, the server requires peer authentication and
encryption before it will let a client use AUTH_SYS user and
group credentials to access that filesystem. The client forms
those requests by using the AUTH_SYS_MPA_ENC RPC auth flavor,
an AUTH_SYS credential and verifier, and it sends them on any
channel that is peer authenticated and encrypted.


>> However, if the client sends that AUTH_SYS_ENC request to access that
>> filesystem on a TCP connection with no TLS session, the proper server
>> response is AUTH_TOOWEAK.
>> 
>> "You can't access that NFS object" versus "you formed the RPC request
>> incorrectly".
> As you can see, I would have worded this as "You can't access that NFS
> object because you formed the RPC request incorrectly".

That might describe the end result seen by a user, but the
protocols aren't layered that way, so the specification has
to express the distinction just as I did it.


> rick
> 
>> rick
>> 
>> 
>> ________________________________________
>> From: nfsv4 <nfsv4-bounces@ietf.org> on behalf of Chuck Lever III <chuck.lever@oracle.com>
>> Sent: Sunday, December 5, 2021 3:07 PM
>> To: NFSv4
>> Subject: [nfsv4] Fwd: New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt
>> 
>> CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca
>> 
>> 
>>> Begin forwarded message:
>>> 
>>> From: internet-drafts@ietf.org
>>> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt
>>> Date: December 5, 2021 at 2:41:27 PM EST
>>> To: "Charles Lever" <chuck.lever@oracle.com>, "Chuck Lever" <chuck.lever@oracle.com>
>>> 
>>> 
>>> A new version of I-D, draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt
>>> has been successfully submitted by Chuck Lever and posted to the
>>> IETF repository.
>>> 
>>> Name:         draft-cel-nfsv4-rpc-tls-pseudoflavors
>>> Revision:     00
>>> Title:                Pseudo-flavors for Remote Procedure Calls with Transport Layer Security
>>> Document date:        2021-12-05
>>> Group:                Individual Submission
>>> Pages:                14
>>> URL:            https://www.ietf.org/archive/id/draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls-pseudoflavors/
>>> Html:           https://www.ietf.org/archive/id/draft-cel-nfsv4-rpc-tls-pseudoflavors-00.html
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls-pseudoflavors
>>> 
>>> 
>>> Abstract:
>>> Recent innovations in Remote Procedure Call (RPC) transport layer
>>> security enable broad deployment of encryption and mutual peer
>>> authentication when exchanging RPC messages.  These security
>>> mechanisms can protect peers who continue to use the AUTH_SYS RPC
>>> auth flavor, which is not cryptographically secure, on open networks.
>>> This document introduces several RPC auth pseudo-flavors and other
>>> mechanisms that an RPC service can use to indicate transport layer
>>> security requirements for accessing that service.
>>> 
>>> 
>>> 
>>> 
>>> The IETF Secretariat
>> 
>> I've submitted this personal draft to provide a fleshed-out version of
>> a proposal I have outlined in the recent past:
>> 
>> https://mailarchive.ietf.org/arch/msg/nfsv4/tU1WfkYQUm2AbiZUA3L2uX56uR4/
>> https://mailarchive.ietf.org/arch/msg/nfsv4/7psVqBBY8uhP9L9bMfF7hUbVXK0/
>> 
>> among other places.
>> 
>> This document provides a similar but contrasting approach to the one
>> described in Sections 13 through 15 of draft-dnoveck-nfsv4-security-03.
>> In addition to covering NFSv4, my document also addresses NFSv2/3 and
>> other RPC services that might wish to employ transport layer security.
>> I'm hoping that comparing and contrasting these two approaches will
>> sharpen our vision and thinking as the WG comes to a rough consensus.
>> 
>> Another important reason for a separate document is there seems to be
>> palpable demand for a standards-based NFS in-transit encryption solution.
>> The RPC protocol changes put forth in draft-ietf-nfsv4-rpc-tls are
>> necessary but not sufficient to accomplish this goal. I would like to
>> see a vehicle for moving the remaining components through WG consensus
>> and into the publication queue as quickly as possible. This document
>> might serve as that vehicle.
>> 
>> An -00 is, as always, a rough cut. There are likely to be significant
>> gaps in this proposal, which at this point is still quite malleable.
>> Thanks in advance for your time and attention to this work.
>> 
>> 
>> --
>> Chuck Lever
>> 
>> 
>> 
>> _______________________________________________
>> nfsv4 mailing list
>> nfsv4@ietf.org
>> https://www.ietf.org/mailman/listinfo/nfsv4
>> 
> 
> --
> Chuck Lever

--
Chuck Lever

v2.23.0 | Report a Bug | By Email