IETF Logo Mail Archive

Re: [nfsv4] New wording of Security Section for Flex Files

Rick Macklem <rmacklem@uoguelph.ca> Fri, 04 August 2017 21:41 UTC

Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADDF7127058 for <nfsv4@ietfa.amsl.com>; Fri, 4 Aug 2017 14:41:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WFC33I2S2Izu for <nfsv4@ietfa.amsl.com>; Fri, 4 Aug 2017 14:41:31 -0700 (PDT)
Received: from CAN01-QB1-obe.outbound.protection.outlook.com (mail-eopbgr660070.outbound.protection.outlook.com [40.107.66.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AB311241F5 for <nfsv4@ietf.org>; Fri, 4 Aug 2017 14:41:31 -0700 (PDT)
Received: from YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM (10.165.218.133) by YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM (10.165.218.133) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1304.22; Fri, 4 Aug 2017 21:41:29 +0000
Received: from YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM ([10.165.218.133]) by YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM ([10.165.218.133]) with mapi id 15.01.1304.025; Fri, 4 Aug 2017 21:41:29 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Thomas Haynes <loghyr@primarydata.com>, Olga Kornievskaia <aglo@citi.umich.edu>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] New wording of Security Section for Flex Files
Thread-Index: AQHTBOJTubmEu3G57EqvOqsgsMtAEKJoh0CAgAdGdgCAABDDgIAAGPyAgAFQjwCAA3LeAIAACpDN
Date: Fri, 04 Aug 2017 21:41:29 +0000
Message-ID: <YTXPR01MB01898E7371F1E3A4E9D75E40DDB60@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
References: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com> <20170728022333.GI58771@kduck.kaduk.org> <CAN-5tyG9cE9JhccW7Fnho10jVE-5YnpoArZ=3DZuz79dFFD9sQ@mail.gmail.com> <CADaq8jc=K5f4cia-jFKjDMAtNhZntFE+Xa0=Lb=LSXOy+sc7Ww@mail.gmail.com> <37BF354D-CF56-4A1C-B391-8565F0E38E72@primarydata.com> <CAN-5tyH-j937PPA=nRSA5iEHOTKynryQjwfKui9dgVdZa3oQrQ@mail.gmail.com>, <CAFAFD9C-DF89-4867-8880-1EA43FD4095F@primarydata.com>
In-Reply-To: <CAFAFD9C-DF89-4867-8880-1EA43FD4095F@primarydata.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rmacklem@uoguelph.ca;
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; YTXPR01MB0189; 6:DfLW+EVHcGqdMp09YOk2fQIM+0m50liIwS1c6Ui7nm5QsMW1nuif1nB17KxC0h2eMHchPvzmgxnR1CrtZs+qJnG1B0Wrnt1vgQTSwm42W3XYF2xrs1tJYzj6b2Z/7+HIP7ujslNwaTQTRJolsWxZlu4amjI6vN/GxPyykbSBH2lqXfwZVzfQii7H57/BpJLtkSY7YEHC7+/i6dkdshUQABF6mLooTFd3ABeynyLR8I83AKjK/7fHxJknJ8Elpw+bRa3V90z1B1rZL9z7FJQqIVF0LGQoTYT8NJgSP/FKHZWj3hgDm7XGXazJoT9upXnmbmB34Ap9y0vnx5r/HsVpjA==; 5:8TX7bbfkN9kRTU7vS5bbG2T237YGmt3U524EacQC7jvbagEGsgLeMluiP4T9twcKRL0cdMEZfiHLRCDfJQmUTF4+JUqCYjHfzs7rXz2wR907C9GP4zHFLk/7rOq4d1VI053HYT+3zHMlX3jVeW/JFw==; 24:cCTCMU7asgOYJFQrxeZ3gIpN9u+JK1XD8QVYGFl6mZ/zvC2cX5imZIxCTveiBee5lAYBHtbhqPAdOkSllkRwEU8A5UM3EbGh6yELKTVCh8E=; 7:wUBe+YN7ivU1K02vYUVPSdnIDpLZ1IewlA/ap9XE4RYzZbdLQVc3xxcV40dVimCuQOMcckCQ4aEQFxhBHvfJT5+1+kuNczfT1n8Rmsq0iKWqwffgmPSCVL4n0Ixv8B9Eyi3OatV+Ad2l4qGY8kSQHY15dQmjhm4CO8gAJD3rjOw3wzKsy+l/xbCv6MxSdCGWl4yKkgGHQQuRabxIKd1m6PhbdGNfKdsE5WjUekuUCug=
x-ms-office365-filtering-correlation-id: a25f5717-8b02-47f5-8075-08d4db8190f6
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:YTXPR01MB0189;
x-ms-traffictypediagnostic: YTXPR01MB0189:
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(100405760836317)(6911010853514)(177329092695168)(225473673943800)(17755550239193);
x-microsoft-antispam-prvs: <YTXPR01MB018934F0E800C96C69D3A939DDB60@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(3002001)(100000703101)(100105400095)(93006095)(93001095)(10201501046)(6041248)(201703131423075)(201702281529075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123560025)(20161123564025)(20161123562025)(20161123558100)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:YTXPR01MB0189; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:YTXPR01MB0189;
x-forefront-prvs: 0389EDA07F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(39450400003)(39840400002)(39850400002)(39400400002)(39410400002)(189002)(377454003)(199003)(24454002)(93886004)(76176999)(53546010)(101416001)(478600001)(189998001)(6436002)(55016002)(3660700001)(4326008)(3280700002)(102836003)(25786009)(305945005)(50986999)(15650500001)(68736007)(229853002)(97736004)(77096006)(14454004)(74316002)(86362001)(9686003)(2171002)(561944003)(6246003)(53936002)(6306002)(54356999)(6506006)(33656002)(106356001)(105586002)(8676002)(5660300001)(38730400002)(551544002)(8936002)(81156014)(81166006)(7696004)(2950100002)(2906002)(74482002)(2900100001); DIR:OUT; SFP:1101; SCL:1; SRVR:YTXPR01MB0189; H:YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: uoguelph.ca does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="windows-874"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Aug 2017 21:41:29.4326 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YTXPR01MB0189
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/kZJ8inOILi0o9rn91_A8rnL4rjs>
Subject: Re: [nfsv4] New wording of Security Section for Flex Files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 21:41:36 -0000

Well, first I'll mention that fattr4_owner and fattr4_owner_group don't
seem to be defined anywhere (not in the RFCs such as 5661 I grep'd).
Presumably, they are strings, so you can define anything you want in them,
can't you?

Having said that. I think all you should do is say "if support of RPCSEC_GSS
is required, tight coupling needs to be used".
I think Olga suggested this in her first post on the topic?

If someone really wants to support RPCSEC_GSS/Kerberos for a loose
coupled pNFS server, let them figure out exactly how to do it and
write that up at that time. (I believe it might be possible, but doubt
anyone will actually implement it. Just like no one implements security
mechanisms other than Kerberos.)

rick
________________________________________
From: nfsv4 <nfsv4-bounces@ietf.org> on behalf of Thomas Haynes <loghyr@primarydata.com>
Sent: Friday, August 4, 2017 4:43:29 PM
To: Olga Kornievskaia
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] New wording of Security Section for Flex Files

Hi,

I’m going to top post to keep the focus on the problem at hand.

In a nutshell, Olga is correct that we are not going to be able to secure loosely coupled flex files.
The removal of “opaque_auth” prevents this from occurring.

And while I have a bastardized approach using RPCSEC_GSSv3 structured privilege assertions,
like we did for SSC - see Section 4.9.1. in RFC 7862, I think a better approach is to
document the failure of securing loosely coupled flex files v1 and create a flex files v2
which addresses a minor change in the XDR to:

(a) Fix the stateid issue for loosely coupled NFSv4.x
(b) Fix this issue for “opaque_auth” - which includes the issues raised by Olga at the end of
her email.

As to how we go about that, I see two scenarios:

(1) We produce a single standards track document with a request for:

     +-----------------------+-------+----------+-----+----------------+
     | Layout Type Name      | Value | RFC      | How | Minor Versions |
     +-----------------------+-------+----------+-----+----------------+
     | LAYOUT4_FLEX_FILES    | 0x4   | RFCTBD10 | L   | 1              |
     | LAYOUT4_FLEX_FILES_v2 | 0x6   | RFCTBD10 | L   | 1              |
     +-----------------------+-------+----------+-----+----------------+

(2) We produce two standards track documents, the first for LAYOUT4_FLEX_FILES
and the second much smaller document which would have a normative
reference to the first and encompass LAYOUT4_FLEX_FILES_v2. It would
have the delta XDR and the new required text.

What I am approaching the WG for is consensus on which approach to take. For
me, the first is less administrative headache and the second preserves a much
cleaner separation of the minor versioning.

Oh, and in case it is not clear, I am very appreciative of Olga’s review in
getting me to see the flaw in this document.

Thanks,
Tom


On Aug 2, 2017, at 9:03 AM, Olga Kornievskaia <aglo@citi.umich.edu<mailto:aglo@citi.umich.edu>> wrote:



On Tue, Aug 1, 2017 at 3:59 PM, Thomas Haynes <loghyr@primarydata.com<mailto:loghyr@primarydata.com>> wrote:

On Aug 1, 2017, at 11:29 AM, David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com>> wrote:

> Is stating that an out-of-band scheme
> is used satisfies the "MUST" of semantics for managing security?

Probably not, but the "MUST" can always be changed to a "SHOULD" :-)

The problem is deeper here.   The job of a standards-track document that defines a protocol or layout type is to clearly tell the implementer what must be done to implement the protool or layout type.  Despite the possble issues with the specificity of any of these three possible alternatives, the big problem is the fact that there is more than one.  If the client and  MDS do not pick the same one, or they do and that one is not fully specfied, they will not nteroperate.  If that is the case, then the document is not ready[https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif].

I think the treatment of security with tight coupling is sufficiently clear to implement from and has been for a while.  With regard to security for loose coupluing, what you have is essentially a promise to provide a specfication at some later date.  I don't think the IESG is going to be OK with that.

You have focusing on it being plausible in the sense of convincing people that this can be done
(i.e. that a definition along these lines can be produced) which it can, but I think the IESG is going to want you to show them that it has been done (i.e. that the definiton has been arrived at), and you are a ways away from being there.


The problem isn’t that we are pushing off a specification to a later date, but rather that the security is implementation specific. The client and MDS are forced to pick the same one.

Section 1.7.1 RFC 5661 is quite clear that:

   As with previous versions of NFS, the External Data Representation
   (XDR) and Remote Procedure Call (RPC) mechanisms used for the NFSv4.1
   protocol are those defined in [2] and [3].  To meet end-to-end
   security requirements, the RPCSEC_GSS framework [4] is used to extend
   the basic RPC security.  With the use of RPCSEC_GSS, various
   mechanisms can be provided to offer authentication, integrity, and
   privacy to the NFSv4 protocol.  Kerberos V5 is used as described in
   [5] to provide one security framework.  With the use of RPCSEC_GSS,
   other mechanisms may also be specified and used for NFSv4.1 security.

Note that nothing is stated as to how the TGT are constructed, so Ben’s approach:

Semi-relatedly, I forget exactly how much trust/coupling there is supposed
to be between the data and metadata servers/operators in this scheme.
In particular, if the metadata server is sufficiently trusted that it can
have a copy of the data server's kerberos credentials (the nfs/ keytab),
then there is quite a lot of flexibility, since the metadata server can
literally construct an arbitrary ticket and encrypt it to "itself" (i.e.,
the data server's keytab).  But I don't know whether it's appropriate
to mention this example in the document or not.

meets the requirements of RFC 5661 and the loosely coupled model. The details
of how the mds gets the storage device’s keytab are up to the implementation
(just as how the storage device gets the keytab in the first place).


We could wait until the first implementation and then make that a standard, but I
don’t like that approach.

I think you would agree that implementations frequently find issues with this spec. But yes, all the previous specs when ahead prior to full implementations. And that's why we have versions, right? It'll be fixed later.

I'm thinking like an implementor and I have questions that cause me problems. Let's for the moment assume that metadata server will be running on the same machine as the normal KDC and have access to the principals database. To construct these tickets you need a new service as it will not be a part of the (existing) KDC. Let's assume it is practical.

Let's talk about of the fact that user doesn't know the password for the synthetic identity.

Metadata server gets a flexile layout request. It, at some point, constructs a service ticket  (session key, "synthetic identity", ... )encrypted with data server's key. It needs to encrypt the "session key" with the client's TGT key so that the client can then use the service ticket against the data server. How doest the client gets this ticket?

In normal kerberos, the client would initiate request for a service ticket. But here the client doesn't know the "synthetic identity" ahead of time.  And even if the intent is that once the ffds_owner is returned, then the client would request a service ticket for the specified identity. Well in that case, the client would need to provide the password for the synthetic identity. But he doesn't know the password so that's not going to work. So at this point we can't use normal kerberos to get a service ticket for the synthetic identity.

Initially, in some earlier drafts of the spec the creds was "opaque_auth" but it's not no longer there so I don't see a way of passing the service ticket, encrypted session key. So I think if you want to pass the service ticket back, then you need to add the "opaque_auth" back to the structure? Ok now, we are just passing them back, how are we going to protect against replay attacks? typically there is a challenge response. So perhaps require that LAYOUTGET is always done with krb5i/p?

Also on the (linux) client side I would suspect you won't be able to use standard krb5 libraries to deal with the processing the "service ticket". You might have issues getting the gssd given that the identity inside the ticket doesn't "match" the running identity of the user (I'm not 100%sure here). *i understand that this comment is really implementation specific and not specs job*

Having said all that, I still feel like we are proposing an "SPKM" security here. It will not be practical and later on would be removed. I'd say AUTH_SYS or GSSv3 should be used.

And if you still want to keep Kerberos then I guess I'm proposing (a) add "opaque_auth cred" back to the ff_data_server_4 and (b) require that LAYOUTGET much be done with krb5i/p. (c) as suggested by Ben, issue "service tickets" and explicitly specify what is being passed back, need to dig out the Kerberos spec and write out how the "synthetic identity" information is fitted into those Kerberos structures. I feel that you need to do this because the spec isn't use standard Kerberos so can't just say see Kerberos spec.  (d) explicitly specify that metadata must have access to the principal database for the non-synthetic client and the storage servers.

I wonder is "opaque_auth" the right structure? I think the spec defines it upto 400bytes. Is that sufficient to capture service ticket + the encrypted stuff for the client. I dunno.

You mentioned that RFC5661 doesn't state anything as to how TGT are constructed. That's only true because it states the Kerberos v5 and cites the spec is used. This proposal does not follow Kerberos v5 spec -- the proposal does not engage in KRB_AP/REP sequence which is what kerberos is -- and thus i feel it must specify what goes into the service ticket.

v2.23.0 | Report a Bug | By Email