Re: [nfsv4] Fwd: New Version Notification for draft-haynes-nfsv4-flex-filesv2-00.txt
Benjamin Kaduk <kaduk@mit.edu> Tue, 08 August 2017 23:27 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B5B5129AD3 for <nfsv4@ietfa.amsl.com>; Tue, 8 Aug 2017 16:27:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5kOq_-bgkO_W for <nfsv4@ietfa.amsl.com>; Tue, 8 Aug 2017 16:27:36 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64B21131D2C for <nfsv4@ietf.org>; Tue, 8 Aug 2017 16:27:36 -0700 (PDT)
X-AuditID: 12074422-05bff70000001445-bd-598a48e7353f
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 91.11.05189.7E84A895; Tue, 8 Aug 2017 19:27:35 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v78NRYhx023215; Tue, 8 Aug 2017 19:27:34 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v78NRUfT018709 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 8 Aug 2017 19:27:32 -0400
Date: Tue, 08 Aug 2017 18:27:30 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Olga Kornievskaia <olga.kornievskaia@gmail.com>
Cc: Trond Myklebust <trondmy@gmail.com>, Olga Kornievskaia <aglo@citi.umich.edu>, "nfsv4@ietf.org" <nfsv4@ietf.org>, Thomas Haynes <loghyr@primarydata.com>
Message-ID: <20170808232729.GU70977@kduck.kaduk.org>
References: <2CA259E3-BD3A-482B-BFBF-3B90425AD3EA@primarydata.com> <CAN-5tyETNMCPVC5wJ-_77vM5+hVB+-uasd37kn+M=hoCeK6P7w@mail.gmail.com> <CAABAsM6rmrDU4BR6Ho7YFjjYA2amEkwuRGtzN537VXUZ-Eh-hg@mail.gmail.com> <20170808185803.GQ70977@kduck.kaduk.org> <CAABAsM7xOpbopPa3v1YMtfcFZbNZ=Jygap37Bg6qGfDDAvRHhQ@mail.gmail.com> <20170808194916.GR70977@kduck.kaduk.org> <CAABAsM5dAUxbrNA754nxN0iJpkJ-Zep37xnbycRsZXbPQi+hwQ@mail.gmail.com> <CAN-5tyGTZUgCDtVGhCbiXt4Hs6iGNKrhaKcQp8Vo8AveEX04hw@mail.gmail.com> <CAABAsM7iB_KRNFVmd8p4UTmEZSBj01uZoDhHt+827DzpmveuHQ@mail.gmail.com> <CC8CD648-2657-4CC1-ACDD-C7FF8B3BEADB@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CC8CD648-2657-4CC1-ACDD-C7FF8B3BEADB@gmail.com>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmplleLIzCtJLcpLzFFi42IRYrdT0X3u0RVp8K6NxWLto6fsFsv3bGW3 mP3+EavF/VcnmC3uPf7K6sDqsaa1k8Vj56y77B5Llvxk8pg/Vy6AJYrLJiU1J7MstUjfLoEr Y1vjX9aCT9IVHy89YW1g3CXWxcjJISFgIvH35iGWLkYuDiGBxUwSL99PZoZwNjBKTOvbxArh XGGS6Oz/yQrSwiKgIrH3524WEJsNyG7ovswMYosIGEscvTgVrJtZYBujxIlHK8ESwgLxEutn P2UEsXmB9p0+eJYdYupXFolPG1awQCQEJU7OfAJmMwtoSdz495Kpi5EDyJaWWP6PAyTMKWAr 0f1jPliJqICyxLx9q9gmMArMQtI9C0n3LITuBYzMqxhlU3KrdHMTM3OKU5N1i5MT8/JSi3RN 9XIzS/RSU0o3MYJD20VpB+PEf16HGAU4GJV4eG/s6YwUYk0sK67MPcQoycGkJMq7SRsoxJeU n1KZkVicEV9UmpNafIhRgoNZSYRXAxhRQrwpiZVVqUX5MClpDhYlcV5xjcYIIYH0xJLU7NTU gtQimKwMB4eSBG8ISKNgUWp6akVaZk4JQpqJgxNkOA/QcD2w4cUFibnFmekQ+VOMilLivE4g CQGQREZpHlwvKPVIZO+vecUoDvSKMO8Ld6AqHmDagut+BTSYCWhwhG8nyOCSRISUVAOjlOPd OelLrnRHLCl/ZmbZYLK9s6dT47dfCV/ovshPbef36ZprVl3OWP3a83TS5/Yy2ydrzp36ppR5 4EvauxeCD9VfeWuIfszx5G0q2foqc27goeKpO2Zd45MNnuNlv3J2uaaqHPM/yYjcfJObRkvb jYp+zgniEC84ISNdkS9RNXVt9FVNuSwlluKMREMt5qLiRACg9DjWGAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/ksuxlrDsaY4401bg9WunZDQoeEg>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-haynes-nfsv4-flex-filesv2-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Aug 2017 23:27:38 -0000
On Tue, Aug 08, 2017 at 06:01:48PM -0400, Olga Kornievskaia wrote: > > > > On Aug 8, 2017, at 5:44 PM, Trond Myklebust <trondmy@gmail.com> wrote: > >> > > >> > >> Since MDS = KDC then it would know which encryption scheme to use. > > > > The client will usually authenticate to the MDS using the corporate KDC. The KDC on the MDS itself is not required to be the same. > > > But mds has access/copy of the principal database so it knows encryption types for the client server keys There is a possible design where the MDS has access to the KDC's database, yes. There are a couple other possible designs, though, and I don't think we've ruled them out yet (whether due to technical constraints that cause them to not actually work, policy decisions, or other). (1) MDS is colocated with KDC or otherwise has access to the KDC database. It's easy to get policy consistency between the KDC and MDS, find out about supported enctypes, etc. Issuing tickets is also easy and can be done with direct database access and reuse a lot of code; the normal policy checks are applied, authorization data can be included as usual, etc. Actual principal entries can be created/destroyed on demand for handing out as synthetic credentials. Access control can be done via synthetic client principal name or authorization data in the tickets. But, it adds more code running on the highly-privileged KDC machine, and a bug in the MDS risks compromising the entire Kerberos realm -- a monstrous rekeying/re-enrolling task. (2) MDS is permitted by the KDC to use S4U2Proxy This has some nice properties, like letting the KDC keep an audit trail from the initial client authentication to the issued synthetic ticket and separating the MDS from the KDC. But, it is harder to create/destroy client principal entries on demand, and most likely access control would need to be done via authorization data in the resulting ticket. (The KDC might need to know to preserve and/or validate that authorization data as part of the S4U2Proxy flow, but generally it should allow unknown authorization data in the request to be preserved in the resulting ticket.) The data server might need modification to use the Kerberos authorization data for access control decisions. (3) MDS knows data server's private key This essentially makes the MDS trusted to emulate/hijack the data server's NFS role, by making the key formerly shared between just the data server and the KDC also shared by the MDS. That key is used for authentication and integrity (source) validation, so the MDS could impersonate the KDC to the data server or vice versa. This is very flexible about ticket "issuance", again allowing arbitrary synthetic client principal names to be used and authorization data to be inserted. But, it causes the KDC to lose visibility into what is happening in the Kerberos protocol and may have weaker auditability properties. It also requires sharing the private key of the data server with another party, which is in general something that should be avoided when using Kerberos -- this sort of problem is one of the things that S4U2Proxy was designed to address. All three of these are only considering how to get a Kerberos ticket that the MDS and/or client can ues to authenticate to the data server using GSS-API; the details of how credentials and/or keys are conveyed from the MDS to the client are a different problem, one that seems independent of which of the above three options is taken. -Ben
- [nfsv4] Fwd: New Version Notification for draft-h… Thomas Haynes
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Olga Kornievskaia
- Re: [nfsv4] Fwd: New Version Notification for dra… Trond Myklebust
- Re: [nfsv4] Fwd: New Version Notification for dra… Benjamin Kaduk
- Re: [nfsv4] Fwd: New Version Notification for dra… Olga Kornievskaia
- Re: [nfsv4] Fwd: New Version Notification for dra… Trond Myklebust
- Re: [nfsv4] Fwd: New Version Notification for dra… Benjamin Kaduk
- Re: [nfsv4] Fwd: New Version Notification for dra… Olga Kornievskaia
- Re: [nfsv4] Fwd: New Version Notification for dra… Benjamin Kaduk
- Re: [nfsv4] Fwd: New Version Notification for dra… Olga Kornievskaia
- Re: [nfsv4] Fwd: New Version Notification for dra… Trond Myklebust
- Re: [nfsv4] Fwd: New Version Notification for dra… Olga Kornievskaia
- Re: [nfsv4] Fwd: New Version Notification for dra… Trond Myklebust
- Re: [nfsv4] Fwd: New Version Notification for dra… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ha… Thomas Haynes
- Re: [nfsv4] New Version Notification for draft-ha… Thomas Haynes
- Re: [nfsv4] Fwd: New Version Notification for dra… Benjamin Kaduk
- Re: [nfsv4] Fwd: New Version Notification for dra… Trond Myklebust
- Re: [nfsv4] Fwd: New Version Notification for dra… Olga Kornievskaia
- Re: [nfsv4] Fwd: New Version Notification for dra… Trond Myklebust
- [nfsv4] Minorversioning [was Re: New Version Noti… Thomas Haynes
- Re: [nfsv4] Minorversioning [was Re: New Version … David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… J. Bruce Fields
- Re: [nfsv4] Fwd: New Version Notification for dra… Benjamin Kaduk