IETF Logo Mail Archive

Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)

Tom Haynes <loghyr@gmail.com> Wed, 11 April 2018 21:26 UTC

Return-Path: <loghyr@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2BA012F4C5; Wed, 11 Apr 2018 14:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pCCi1oeu89Sx; Wed, 11 Apr 2018 14:26:08 -0700 (PDT)
Received: from mail-pl0-x229.google.com (mail-pl0-x229.google.com [IPv6:2607:f8b0:400e:c01::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE84312F4C3; Wed, 11 Apr 2018 14:25:40 -0700 (PDT)
Received: by mail-pl0-x229.google.com with SMTP id a39-v6so2318445pla.10; Wed, 11 Apr 2018 14:25:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=57lavJMgxQTD+ocZDTxsNHwdXP+7cy4MY45wzDc27V0=; b=inr+WFD8YTh3ndqF5d3jVmU3tAlMH1/VtowKNGMjMKc1lroYL0CWYBhE3S4JM4Ue85 PmTheV800YUpNbNtxoRGT6Fr16gNC7W2c3qMYL8EXofqk8uPBEIuMnJRq15OQ1gUzwvZ Rp5LlF1zkjo1WNKiIILfPVckSWS7aCTk7883vqo7egDWitn23Mlcbaf/WNr7diJvFClx tQ6qlTZkY/QnUjqUTzm43O/XZSKdPbqqsalh168iw0EtkziaDdhZcaxPX1BC8nKdQo3O +dCGI7kLRIygAuF+NAn7Tt/EtA27xxe7YB9isYNmz77vlE54rO/8fdbH90sCJPJhYUJz nvaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=57lavJMgxQTD+ocZDTxsNHwdXP+7cy4MY45wzDc27V0=; b=K8y3dh9Hvha4NCDIv57gYdC7QmDC72kSRMD4os/MjbikKfZS/LSeLJIssswszIX0Zr yE3YDpqssKRPQ4cNRCItmlwW0VzWsSPPYzP0yD5KCPH1T5QzP465spdsn10vyRYaTTaN EjwDRxcHIE2+qQPtkFetS2y9PXmYmybTP/H6NPs4fgk9OtNxFNHopXUtAn0RK5uqbG2c OmlrNIAXM5Yxe9gUkHxoY3xFEt5BHgIy2P/nEY3u8LORIExXopFwA/cqpxEaFa015O67 vNSpgkkMaIvcxYgjGH+UdqUlkPSELlbGkdrZ+IcGIgsoqShg2JZCTj745ft8XRsOxLos jnpg==
X-Gm-Message-State: ALQs6tCRzs5eJzbuBfqQP1faqW6SuXjbYOFfh2eO0kLeteWpbHs29hDs a0Xru52leBHA0PDBNekY578=
X-Google-Smtp-Source: AIpwx4/OJ5wGsJ/zdzR5RPPvkkDgiiwqqXweJb4gg7EnoIbBmj44yj0Wye1JKmaA1kkOUlltnrvnZA==
X-Received: by 2002:a17:902:5681:: with SMTP id j1-v6mr6788575pli.383.1523481940230; Wed, 11 Apr 2018 14:25:40 -0700 (PDT)
Received: from kinslayer.corp.primarydata.com (63-157-6-18.dia.static.qwest.net. [63.157.6.18]) by smtp.gmail.com with ESMTPSA id x17sm4164744pfm.161.2018.04.11.14.25.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Apr 2018 14:25:39 -0700 (PDT)
From: Tom Haynes <loghyr@gmail.com>
Message-Id: <897972F7-E7B8-4C6D-9470-CBD44B229CE7@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_02E8F8C2-9F9D-4C83-9183-86A6C7EC633A"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Wed, 11 Apr 2018 14:25:38 -0700
In-Reply-To: <CABcZeBMNQKV8m3Z46rsMKjraaHH5zCcKEe-Vo-b+Yo2SRQjTYg@mail.gmail.com>
Cc: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, draft-ietf-nfsv4-flex-files@ietf.org, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
To: Eric Rescorla <ekr@rtfm.com>
References: <151683050192.22597.10931170494891133045.idtracker@ietfa.amsl.com> <9FD918F5-D08C-45FC-B6BB-30CBB3D4EC51@gmail.com> <CABcZeBPE5gV3KPpRpRxAtYRSSCZh8+3-fcf-1VsxF3AxmomnwQ@mail.gmail.com> <F2ADAD73-6AB3-45EF-B6FE-033E01F58D8E@gmail.com> <CAKKJt-e=81qyR3YXNb9imu8kzk6+nCYgMjeZqHNwt3xi4CfNxQ@mail.gmail.com> <CABcZeBPM_Rnb0QZvbvBpUCNd6yurtz0ipexUQscmnG_samb2RA@mail.gmail.com> <FD8AF7AF-632A-461C-A82A-BC0711B2F8D0@gmail.com> <CABcZeBMhEHhV1ie=TNqrj_arupO=kd27houBpZgdqZw1pPMfww@mail.gmail.com> <5C013DFE-96E3-4B74-B597-5F3FE1D314C6@gmail.com> <CAKKJt-deRBop1n8sv6dNaqUL_RUWxWMELutWubRdTOovKXEHwg@mail.gmail.com> <3670A5DF-4E11-4848-AE28-354F45F50D2B@gmail.com> <CAKKJt-dmcqLULhe_92wwOqVTcxKweB4YqiPKxoePRZAiQfv-Mg@mail.gmail.com> <CABcZeBMNQKV8m3Z46rsMKjraaHH5zCcKEe-Vo-b+Yo2SRQjTYg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/knhOcT1SqBLhClOgt32FaM_wIho>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 21:26:14 -0000

Hi Eric,

It is the same. 

Section 2.2:

   It is RECOMMENDED to implement common access control methods at the
   storage device filesystem to allow only the metadata server root
   (super user) access to the storage device, and to set the owner of
   all directories holding data files to the root user.  This approach
   provides a practical model to enforce access control and fence off
   cooperative clients, but it can not protect against malicious
   clients; hence it provides a level of security equivalent to
   AUTH_SYS.  It is RECOMMENDED that the communication between the
   metadata server and storage device be secure from eavesdroppers and
   man-in-the-middle protocol tampering.  The security measure could be
   due to physical security (e.g., the servers are co-located in a
   physically secure area), from encrypted communications, or some other
   technique.

(By the way, this contradicts the original text in my first paragraph below
and is why we needed a change.)

And as for why, Section 15.1.1 discusses why RPCSEC_GSS is not
provided in this version of the Flex File Layout Type.

Thanks,
Tom

> On Apr 11, 2018, at 1:52 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Hi Tom.
> 
> This text is clear, but I fear it doesn't answer the question I asked in my discuss: how does the security here compare to ordinary NFS and why.
> 
> -Ekr
> 
> 
> On Wed, Apr 11, 2018 at 11:08 AM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>> wrote:
> Hi, Tom,
> 
> On Wed, Apr 11, 2018 at 12:38 PM, Tom Haynes <loghyr@gmail.com <mailto:loghyr@gmail.com>> wrote:
> So actually, after thinking about, the discussion about securing the namespace on
> the storage device is wrong.
> 
> The current text is:
> 
> 
>    The combination of file handle, synthetic uid, and gid in the layout
>    are the way that the metadata server enforces access control to the
>    data server.  The directory namespace on the storage device SHOULD
>    only be accessible to the metadata server and not the clients.  In
>    that case, the client only has access to file handles of file objects
>    and not directory objects.  Thus, given a file handle in a layout, it
>    is not possible to guess the parent directory file handle.  Further,
>    as the data file permissions only allow the given synthetic uid read/
>    write permission and the given synthetic gid read permission, knowing
>    the synthetic ids of one file does not necessarily allow access to
>    any other data file on the storage device.
> 
>    The metadata server can also deny access at any time by fencing the
>    data file, which means changing the synthetic ids.  In turn, that
>    forces the client to return its current layout and get a new layout
>    if it wants to continue IO to the data file.
> 
>    If the configuration of the storage device is such that clients can
>    access the directory namespace, then the access control degrades to
>    that of a typical NFS server with exports with a security flavor of
>    AUTH_SYS.  Any client which is allowed access can forge credentials
>    to access any data file.  The caveat is that the rogue client might
>    have no knowledge of the data file's type or position in the metadata
>    directory namespace.
> 
> My replacement would be:
> 
>    The combination of file handle, synthetic uid, and gid in the layout
>    are the way that the metadata server enforces access control to the
>    data server.  The client only has access to file handles of file
>    objects and not directory objects.  Thus, given a file handle in a
>    layout, it is not possible to guess the parent directory file handle.
>    Further, as the data file permissions only allow the given synthetic
>    uid read/write permission and the given synthetic gid read
>    permission, knowing the synthetic ids of one file does not
>    necessarily allow access to any other data file on the storage
>    device.
> 
>    The metadata server can also deny access at any time by fencing the
>    data file, which means changing the synthetic ids.  In turn, that
>    forces the client to return its current layout and get a new layout
>    if it wants to continue IO to the data file.
> 
> Thanks for proposing new text here.
> 
> Spencer (S) as shepherd and WG co-chair, does this look like something that would come as a surprise to the working group?
> 
> Spencer (D) as AD
>

v2.23.0 | Report a Bug | By Email