IETF Logo Mail Archive

Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

David Noveck <davenoveck@gmail.com> Mon, 06 April 2020 00:34 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3CF33A0A0D for <nfsv4@ietfa.amsl.com>; Sun, 5 Apr 2020 17:34:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mSN9ukDwNo_s for <nfsv4@ietfa.amsl.com>; Sun, 5 Apr 2020 17:33:11 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 605813A0A0B for <nfsv4@ietf.org>; Sun, 5 Apr 2020 17:32:44 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id o1so17198467edv.1 for <nfsv4@ietf.org>; Sun, 05 Apr 2020 17:32:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/Mq0iSOzZOE+hPa1+AoCuHhomkU25bOTdLyvatpKM/M=; b=NdKrQhIw778lP77lIIC7QJQcuC7lTLDhaYvxng3acG1vevb3OAbKQV+vM6Kau/MN3z +jU9S6/qwf8ab7qO74xTmhlYE8mbJHNKxCEp6JzXcGsQSOjSwVOni0mpViggPc2PA5y+ d8FFVOHA/EfH+W2Dgmc7cEbUV3SwrivOZSW0NOCOk8bNdjfRVt2xkKAHTCw1k7AowNUs Xc0nCMR+qLdJlWxi84UTa3RKZD48sZxi5sERe7PAG7g2XHhmocn7C+8VDLF6lTmej+Ol E1tXD+EBVGvG7R33xbFR/zryB/1m2jSSCmwvoo1avoEdWPgHyabUkIgIJaUs+mgu+dzq E8ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/Mq0iSOzZOE+hPa1+AoCuHhomkU25bOTdLyvatpKM/M=; b=qRQy8rJUbL7JCLlNo/9QiLEQ8pTwaS1jSvKzU2n8fkbqjbupW0C8RkeanETMbNiZoI 7ep6geeZdgIih/g021m/NBIgQb90RHsrFK2c6cPO9s7xkN1ZiyUXE+oDwljJV3/7R3Wl SIH+zilns7S86rRM4nIMqTDdcYn6vqiRyZAz7MERBqtbIMaQviQJMx4XesIbaieF+ufr na5Gxadc6pjE38EqnoJNrtbRl9xvUJdu9Wee3aIwMVwN8Ge/73zlZ29vsvlNLkm3HzKu fUEf2qYTzxDMJzMaoNiRAr/59Vcnl+GqZcN1eQaFkKuXti/Zrtjxh2tBkRQWtL6BSk2L H9tg==
X-Gm-Message-State: AGi0PuavqMrYXYEF8YjTOm+C4ffJiyQQd56ul3J44Olw9ulQV0L2DSRb hE3Iqe5ke34rWlWuHQrmyz4KZWmRkE8jcuWjph4=
X-Google-Smtp-Source: APiQypKNQ1Au/qQxH+6Hq9UnnsE5s41P2KiG++ciFsRfKpSWUcQy0VKCEKebMxcimPQ5YuAqKlEVxqgC/7/8+klRJBM=
X-Received: by 2002:a17:906:6bca:: with SMTP id t10mr18586909ejs.176.1586133157554; Sun, 05 Apr 2020 17:32:37 -0700 (PDT)
MIME-Version: 1.0
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <6E2BF0D5-821A-4AA1-9F72-ADDD45AFFE0E@oracle.com>
In-Reply-To: <6E2BF0D5-821A-4AA1-9F72-ADDD45AFFE0E@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Sun, 05 Apr 2020 20:32:26 -0400
Message-ID: <CADaq8jc028432jU3+0i92d4uBW3aqdMVsW1ifOu81G16AOyD+w@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006c2c8005a2946798"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/jv_-6d3FRQfFRDmZNvzrDgQowXo>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2020 00:34:16 -0000

> However, more context (like a security strategy statement) could be
> helpful. Dave was working on a document like that, but I don't know
> what state is is currently in. I don't see it in the personal drafts
> section of the nfsv4 document datatracker.

Due the press of other work, I now expect to submit an informational I-D
in May rather than in April.  As we will discuss on 4/22, this document
is intended for internal working group use and I don't expect it to be
published
as RFC

> IMO we are on a path towards requiring NFS with TLS.

I agree, but I think pc-tls needs to convey that the working group
shares  that opinion and intends to travw\erse that path, even
though, as you say, we are not in a position to impose
implementation requirements right now.

> This document is but the initial step.

s/but the/a crititical/

On Sun, Apr 5, 2020 at 1:58 PM Chuck Lever <chuck.lever@oracle.com> wrote:

> Going back to Magnus' original concern:
>
> > On Apr 1, 2020, at 4:27 AM, Magnus Westerlund <
> magnus.westerlund@ericsson.com> wrote:
> >
> > 13. Requirement on implementation
> >
> > Should this document actually update any or all of the versions of NFS 4
> to mandate implementation support?
>
> IMO the proper place to make fresh requirements on NFSv4 implementations is
> in NFSv4-specific documents. I would rather not focus this document any
> more
> on NFS than it already is. And we have a plan to author and publish one or
> more NFSv4-specific documents regarding NFS-on-TLS (which will be covered
> to some extent during our interim meeting).
>
> So, I vote that this document should not update any NFSv4 standards-track
> documents.
>
>
> > From the WG's perspective doesn't it make sense to start demand
> implementation support. The mechanism is clearly opportunistic in its
> establishment, however the goal here needs to be to get support in as many
> places is as possible.
>
> Agreed, but practically speaking, the WG is not in control of
> implementations.
>
> With the rpc-tls proposal IMO we are trying to walk a very fine line
> between limiting protocol changes for existing implementations and
> meeting a critical security need. The opportunistic behavior of this
> mechanism is a key part of this proposal. And the document describes
> clearly ways that implementations can make the force the use of TLS.
>
> In other words, I'm hoping rpc-tls provides an easy step forward
> towards "support in as many places as possible".
>
>
> > Thus, sending a clearer signal that NFS 4.x servers and client are
> expected to support this should be sent. If not can you clarify what the
> concerns are? Because we are going to get this question again in the IESG
> evaluation.
>
> We've placed early versions of this document in front of members of the
> IETF's Security Directorate. They immediately recognized that an
> opportunistic tactic such as the one we propose in rpc-tls is a well-
> understand and practical way to improve security of legacy protocols
> such as NFS. I don't expect that they will object to the opportunistic
> nature of the proposal.
>
> However, more context (like a security strategy statement) could be
> helpful. Dave was working on a document like that, but I don't know
> what state is is currently in. I don't see it in the personal drafts
> section of the nfsv4 document datatracker.
>
> Alternately we could introduce some security-related text to the
> WG's charter that outlines NFSv4 security strategy.
>
>
> > To me the reasonable plan towards always used transport security
> (something I expect the full updates, for example of NFS v4.1 to require)
> is to require implementation but not usage now. Then next step to require
> its usage.
>
> That seems like jumping ahead of the gun. We have to get the new
> mechanism out there first. Then a subsequent NFS-on-RPC-on-TLS I-D can
> address the specifics of how NFSv4 will operate on TLS-protected
> transports. As recent nfsv4@ threads show, there are crucial NFS-
> specific details that need to be resolved before a requirement that
> is practical for NFS implementations can be made.
>
> IMO we are on a path towards requiring NFS with TLS. This document
> is but the initial step.
>
>
> --
> Chuck Lever
>
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email