Re: [nfsv4] Agenda items for virtual interim

Chuck Lever III <chuck.lever@oracle.com> Mon, 18 October 2021 14:12 UTC

From: Chuck Lever III <chuck.lever@oracle.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
CC: David Noveck <davenoveck@gmail.com>, Tom Talpey <tom@talpey.com>, NFSv4 <nfsv4@ietf.org>
Thread-Topic: Agenda items for virtual interim
Thread-Index: AQHXwpGttGFuyxBM60eQzXiEbYfQQKvWI2yAgABUIgCAACYugIAAfQ+AgACXA4CAADrCgIAA4peA
Date: Mon, 18 Oct 2021 14:12:14 +0000
Message-ID: <769385BF-B024-4130-9CA8-3AA4A1EE8E3D@oracle.com>
References: <CADaq8jd_pcwJrqnFCqnHo7DXxnzc+ZpL28wRUMqkK-3zesc6mg@mail.gmail.com> <7560301C-4C5C-422C-9F55-B4F362AE5BF7@oracle.com> <CADaq8je9MWT5CzLaTYnRgMh5x9+AHL8F78QxJs_YyGSR67F6nQ@mail.gmail.com> <FA1E4520-6D01-46DE-8B06-54C9A8CA2492@oracle.com> <CADaq8jcj9OQe_PVbfAkDHYEr4wJOsmDtuLLgPCLoX8MvNLe2QA@mail.gmail.com> <D44A8309-6ABE-4B76-9927-70A9EEA8FEA2@oracle.com> <YQXPR0101MB0968783C495B8AD53967BD39DDBB9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YQXPR0101MB0968783C495B8AD53967BD39DDBB9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/k9SK8BQT05VRufjV4KDrRtA1PlA>

> On Oct 17, 2021, at 8:41 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> 
> Chuck Lever III wrote:
> [lots of stuff snipped]
>> So expose the security mechanisms but not the transport
>> types here. The pseudoflavors should work just like GSS
>> in Appendix B of RFC 5531. The pseudoflavor numbers here
>> are just examples.
>> 
>>       AUTH_NONE               0       /* plain old NONE */
>>       AUTH_SYS                1       /* plain old SYS */
>> 
>>       AUTH_NONE_PEERAUTH      400001  /* peer authentication */
>>       AUTH_NONE_ENC           400002  /* encryption */
>>       AUTH_NONE_PA_ENC        400003  /* authentication and encryption */
>> 
>>       AUTH_SYS_PEERAUTH       410001  /* peer authentication */
>>       AUTH_SYS_ENC            410002  /* encryption */
>>       AUTH_SYS_PA_ENC         410003  /* authentication and encryption */
> I think this sounds reasonable. There is another case that might be worth
> considering. I am thinking of a rather specific case where an X.509
> certificate provided by a client is pinned to a fixed IP address/DNS name.
> --> The server expects that the X.509 certificate will have a DNS or IP component
>       in subjectAltName that matches the IP address used by the client to connect
>       to the server. (There is an RFC that discusses this for the case where a client is
>       checking a server's certificate.)
> 
> Maybe a generic term for it could be something like:
>          AUTH_xxx_PEERAUTH_FIXED_IPADDR

I'm not understanding why a server would need to communicate
this to a client during security negotiation. Wouldn't it
just be a matter of setting up this policy on the server?
Does a client choose a special certificate to use in this
case?

But also, I think we have some leeway here to introduce a
narrow basic set of pseudoflavors now and then expand them
as needs arise, via additional documents.


> Btw, there are a couple of things that I don't recall being in the draft I read (an
> earlier one). If they are there now, please just ignore the following...
> 
> machine credential - It seems that a TLS handshake and/or verification of a
>    client's X.509 peer certificate establishes a "client machine credential".
>    However, there is no "machine principal" that can be used by the client
>    for RPCs that must be done with a "machine principal" (such as EXCHANGE_ID...)
>    --> One possibility I can think of is adding a new authentication flavor called
>          something like "AUTH_MACHINE_PRINCIPAL" that would indicate
>          "use the machine credential established via TLS handshake and/or X.509
>            certificate verification" as the credentials for this RPC.

I had forgotten about that!

Again, not sure there needs to be a unique p-flavor, but
I agree there needs to be some documentation about
promoting a client's peer credential for authenticating
lease management operations.


> Then there is the case of the NFSv4.0 callback TCP connection.
> Should the server attempt to use RPC-with-TLS if the client-->server TCP connection is doing so?
> And, should the server stop doing callbacks if the RPC-with-TLS probe or handshake fails?

IMO those are (reasonable) security policy choices.


> RFC 7530 Sec. 3.3.3 addresses the use of the credentials in the callback RPCs, but I don't
> think it answers the above questions.
> If an NFSv4.0 server were to do a successful TLS handshake and/or provide an appropriate
> X.509 certificate to the client, it could use the AUTH_MACHINE_PRINCIPAL described above.

Or the client and server could be required to use the same
certificate pair that was used to establish the forward
channel? I recall there is a similar restriction on which
GSS service principals are used for callback operation.

Establishing a TLS-protected callback channel would
necessitate that the client have a certificate/PSK. The
server-only encryption mode would not work at all.


> --> Although you could argue this is a server implementation choice, interoperability will be
>      impacted negatively if there is no guidance in this (or a companion) document, I think?

--
Chuck Lever
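Added here as an illustration and not code from this thread or from any NFS or RPC implementation: a Python sketch of the server-side check that the quoted pseudoflavor table implies (does the connection actually provide the encryption and peer authentication the flavor promises), extended with Rick's pinned-address idea so the client certificate's subjectAltName must match the address the client connected from. The pseudoflavor numbers are the example values from the quoted table; the FIXED_IPADDR value, the TlsState fields and the injected resolver are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Pseudoflavor numbers copied from the quoted table; the thread calls them examples.
AUTH_NONE, AUTH_SYS = 0, 1
AUTH_NONE_PEERAUTH, AUTH_NONE_ENC, AUTH_NONE_PA_ENC = 400001, 400002, 400003
AUTH_SYS_PEERAUTH, AUTH_SYS_ENC, AUTH_SYS_PA_ENC = 410001, 410002, 410003
# Hypothetical number for the "AUTH_xxx_PEERAUTH_FIXED_IPADDR" idea (not on the page).
AUTH_SYS_PEERAUTH_FIXED_IPADDR = 410004

# pseudoflavor -> (needs encryption, needs authenticated peer, needs cert pinned to peer address)
POLICY = {
    AUTH_NONE: (False, False, False), AUTH_SYS: (False, False, False),
    AUTH_NONE_PEERAUTH: (False, True, False), AUTH_SYS_PEERAUTH: (False, True, False),
    AUTH_NONE_ENC: (True, False, False), AUTH_SYS_ENC: (True, False, False),
    AUTH_NONE_PA_ENC: (True, True, False), AUTH_SYS_PA_ENC: (True, True, False),
    AUTH_SYS_PEERAUTH_FIXED_IPADDR: (False, True, True),
}

@dataclass
class TlsState:
    """What the server knows about one client connection after the TLS probe/handshake (assumed shape)."""
    encrypted: bool = False           # handshake completed, traffic is encrypted
    peer_authenticated: bool = False  # client certificate presented and chain-verified
    peer_sans: list = field(default_factory=list)  # e.g. [("IP", "192.0.2.10"), ("DNS", "c1.example")]

def _norm(addr):
    """Canonicalise so '::ffff:192.0.2.10' (dual-stack socket) equals '192.0.2.10'."""
    ip = ipaddress.ip_address(addr)
    return ip.ipv4_mapped if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped else ip

def san_matches_peer(sans, peer_addr, resolve):
    """True if an iPAddress SAN equals the peer address or a dNSName SAN resolves to it; wildcards never match."""
    peer = _norm(peer_addr)
    for kind, value in sans:
        if kind == "IP" and _norm(value) == peer:
            return True
        if kind == "DNS" and "*" not in value and any(_norm(a) == peer for a in resolve(value)):
            return True
    return False

def connection_satisfies(flavor, tls, peer_addr, resolve=lambda name: []):
    """Server-side policy check: does this connection meet what the pseudoflavor promises?"""
    if flavor not in POLICY:
        return False  # unknown pseudoflavor: refuse rather than silently downgrade
    need_enc, need_peer, need_pin = POLICY[flavor]
    return ((tls.encrypted or not need_enc)
            and (tls.peer_authenticated or not need_peer)
            and (not need_pin or san_matches_peer(tls.peer_sans, peer_addr, resolve)))
```

The resolver is injected so the dNSName case can be exercised offline; a real server would substitute its own lookup and decide separately whether an unresolvable name is a hard failure.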