IETF Logo Mail Archive

Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-measurement-01.txt

bfields@fieldses.org (J. Bruce Fields) Wed, 26 September 2018 20:22 UTC

Return-Path: <bfields@fieldses.org>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86CDD1294D7 for <nfsv4@ietfa.amsl.com>; Wed, 26 Sep 2018 13:22:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i7YY0OoVgjAx for <nfsv4@ietfa.amsl.com>; Wed, 26 Sep 2018 13:22:28 -0700 (PDT)
Received: from fieldses.org (fieldses.org [173.255.197.46]) by ietfa.amsl.com (Postfix) with ESMTP id 432BD1293FB for <nfsv4@ietf.org>; Wed, 26 Sep 2018 13:22:28 -0700 (PDT)
Received: by fieldses.org (Postfix, from userid 2815) id 62B561F67; Wed, 26 Sep 2018 16:21:57 -0400 (EDT)
Date: Wed, 26 Sep 2018 16:21:57 -0400
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: Chuck Lever <chuck.lever@oracle.com>, NFSv4 <nfsv4@ietf.org>
Message-ID: <20180926202157.GA826@fieldses.org>
References: <153780090601.28221.16958675117475194416@ietfa.amsl.com> <CADE569F-8584-42CF-A297-E60956D368A2@oracle.com> <CAKKJt-fmB5psmtbm9PJTnhkZkZLCBnCVZnr3fMsf++exN5XObQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAKKJt-fmB5psmtbm9PJTnhkZkZLCBnCVZnr3fMsf++exN5XObQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
From: bfields@fieldses.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/kjv4GVoWAD5Xu5HsJUtIMlphVRM>
Subject: Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-measurement-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 20:22:30 -0000

On Mon, Sep 24, 2018 at 10:45:29AM -0500, Spencer Dawkins at IETF wrote:
> Hi, Chuck,
> On Mon, Sep 24, 2018 at 10:06 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> 
> >
> >
> > > On Sep 24, 2018, at 7:55 AM, internet-drafts@ietf.org wrote:
> > >
> > >
> > > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> > > This draft is a work item of the Network File System Version 4 WG of the
> > IETF.
> > >
> > >        Title           : File Content Provenance for Network File System
> > version 4
> > >        Author          : Charles Lever
> > >       Filename        : draft-ietf-nfsv4-integrity-measurement-01.txt
> > >       Pages           : 9
> > >       Date            : 2018-09-24
> > >
> > > Abstract:
> > >   This document specifies an OPTIONAL extension to NFS version 4 minor
> > >   version 2 that enables file provenance information to be conveyed
> > >   between NFS version 4.2 servers and clients.  File provenance
> > >   information authenticates the creator of a file's content and helps
> > >   guarantee the content's integrity from creation to use.
> > >
> > >
> > > The IETF datatracker status page for this draft is:
> > > https://datatracker.ietf.org/doc/draft-ietf-nfsv4-integrity-measurement/
> > >
> > > There are also htmlized versions available at:
> > > https://tools.ietf.org/html/draft-ietf-nfsv4-integrity-measurement-01
> > >
> > https://datatracker.ietf.org/doc/html/draft-ietf-nfsv4-integrity-measurement-01
> > >
> > > A diff from the previous version is available at:
> > >
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-nfsv4-integrity-measurement-01
> > >
> > >
> > > Please note that it may take a couple of minutes from the time of
> > submission
> > > until the htmlized version and diff are available at tools.ietf.org.
> > >
> > > Internet-Drafts are also available by anonymous FTP at:
> > > ftp://ftp.ietf.org/internet-drafts/
> >
> > As a result of the discussion at IETF 102 and recent follow-ups
> > on this mailing list, I've made substantial changes to this
> > document.
> >
> > - References to and discussion of Linux IMA have been replaced
> > throughout the document, with the exception of a single citation
> > as an informative example in the Introduction. IMA metadata is
> > now referred to generically using the term "file provenance
> > information".
> >
> > - Integrity checking of file attributes is no longer an included
> > feature. There were some issues that made attribute integrity
> > not straightforward for NFS, especially without an existing
> > IMA/EVM standard even for local file systems. Attribute
> > integrity can still be addressed at a later time.
> >
> > - The Introduction now makes a problem statement and discusses
> > use cases instead of explaining the mechanism of file integrity
> > checking. The new Introduction addresses the most common
> > questions I've received during previous review.
> >
> > Spencer D. and other reviewers:
> > - Have previously stated interoperability concerns been addressed?
> > - Have normative citation requirements been sufficiently met?
> >
> 
> Recognizing that I haven't done an AD Evaluation of this draft, but looking
> at the responses to my previous questions, I think dropping down to one
> explicit mention of IMA pointing to the best available reference is about
> right.

	"A keyed hash authenticates the identity of the last modifier of
	a file's content and serves as a strong check of the content's
	integrity.  For the purposes of this document, we will refer to
	this as file provenance information.  The Linux Integrity
	Measurement Architecture (IMA) is an example of a mechanism for
	assessing file content provenance [IMA-WP]."

I think it's also true that this draft is sufficient to allow a client
to support IMA?  That also seems worth mentioning.

	"To ensure interoperability among accessors of this information
	when it is stored on NFS version 4.2 servers, this information
	MUST be self- describing."

How do you propose that an implementation would make the information
self-describing?

--b.

> 
> Thanks for making that change. It will be helpful during Last Call and IESG
> Evaluation.
> 
> Spencer (D)
> 
> 
> >
> > I know time is precious, but even a cursory review of this new
> > revision would be helpful. It's wafer-thin!
> >
> > --
> > Chuck Lever
> >
> >
> >
> >

> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email