Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt
Chuck Lever III <chuck.lever@oracle.com> Tue, 07 December 2021 02:29 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD2243A0EC6 for <nfsv4@ietfa.amsl.com>; Mon, 6 Dec 2021 18:29:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com header.b=xD2C9BOv; dkim=pass (1024-bit key) header.d=oracle.onmicrosoft.com header.b=wltPwL3R
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ExnGGYBI_vnk for <nfsv4@ietfa.amsl.com>; Mon, 6 Dec 2021 18:29:14 -0800 (PST)
Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 388083A0EC4 for <nfsv4@ietf.org>; Mon, 6 Dec 2021 18:29:14 -0800 (PST)
Received: from pps.filterd (m0246632.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1B6M5CpY004496; Tue, 7 Dec 2021 02:29:13 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=corp-2021-07-09; bh=rp629qfeDB38V1v1++KD2Ni75EP5OLPY+BkCM02GLEI=; b=xD2C9BOvawmdl8TV6Z2PX8CzY/SkGGhc3xJSKulx58yrrwvJHod4iK/puE3vmhQPXfxh IonEDEyQcfiHBXP597rrLqgEHv2jxAaH9+rtaP9x8wxS6x35kYFN2qKcQNOAIpPr3kfb Lk+Y41X+B4jZtTLRmg7MmjMg1zh2uai+ir2DSYrsgl3RvpJQ+tOocL9gpaHYCO5ZI9wc HgeOqFW8dP3O4g7OjLz7I5qlA94Q0OTNu5vwYfk7SwFGq59llhWiouazH4Cmjd2o653j 1/u83KUlqvRMDl3/MiLNndBk8rryTjttvGHMgsaSa365NFjY3Yy3gP7MEP+WLgzAAfA+ hA==
Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by mx0b-00069f02.pphosted.com with ESMTP id 3csdfjbw10-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 07 Dec 2021 02:29:13 +0000
Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.1.2/8.16.1.2) with SMTP id 1B72FEZC066172; Tue, 7 Dec 2021 02:29:12 GMT
Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2173.outbound.protection.outlook.com [104.47.58.173]) by aserp3030.oracle.com with ESMTP id 3csc4sn5e7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 07 Dec 2021 02:29:12 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BSGPoMI9wRDIiY0g6OxueJv77W18T8K0C1seLXMN08f51FhNjFnVKTpDd8mQOeh7vxtho/V/htl+DWchexAR2jZv4ey7vCk9rpT9OeXT1kZhagcHTqO0uoYlwuW1a2JTRvaiKjmGjiRQ1Z8jPuQ7p9JZX8EHgI8ICUxBn0B4WovjI4F2tafrsRz82V3n4XhXNgyj0EKHkPscfVc1MSUzfZkBD5pdrVPB/jg8BQYyUYm2Q72fovI1fdEIkIXlW3cGw7gJ97xEbFCSdwMYwWe+5xRvOzaRmsuw4yBoPcISV6haAAsZRE6DTY/lvGcklkOtKo1HlZ0lTwOY4a0Dfp2IFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rp629qfeDB38V1v1++KD2Ni75EP5OLPY+BkCM02GLEI=; b=SyA36mrgNpJRfSLoSSZF0PcucP2Fcq6Tn0ACRIY/JpVzwMlZgUVTUgTQZuosuRfaTsc61LeBQ+Kqfab+9/bcEn0eO4DORrbuTuIHi++zvdsiaHbKxyUhAc/vBN/JBcoxJlHNajYgcBwhR+bhicIBeB24nW0aJvv7XO8xOA+TwM/n0MZ7HPfe+yc8XDqj4cbAqjOBNakBM7MKBXeGeqwQWJFCMfqmNNtkG55N1ocs9Jw51k3BTg87mtW5NKG4te+bluokgaLe8lCJVihcwydQDQsfiAEZqLTL/gea1q5S0BYlf8DlEXUI60GWTXTPEIVOHGHPRB/HRikassZTw+koJg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rp629qfeDB38V1v1++KD2Ni75EP5OLPY+BkCM02GLEI=; b=wltPwL3RWo7L9zFFVyPbkPcaNE3rRGO9fUGAveLgxtaXYXM7QOBvni+kFsFlC5/MhuY9HLqRUBcZah+qSDUAtEVlIPaO1ZyV04nn2h0KBsFeu7Nq5OnP88gCa265IeRH06jbMLIJ+d5v9gx4wcDpEUM+o4/j1mpmOYCcs44ZwvI=
Received: from CH0PR10MB4858.namprd10.prod.outlook.com (2603:10b6:610:cb::17) by CH2PR10MB4359.namprd10.prod.outlook.com (2603:10b6:610:af::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.21; Tue, 7 Dec 2021 02:29:10 +0000
Received: from CH0PR10MB4858.namprd10.prod.outlook.com ([fe80::a4f2:aef4:d02b:9bde]) by CH0PR10MB4858.namprd10.prod.outlook.com ([fe80::a4f2:aef4:d02b:9bde%9]) with mapi id 15.20.4755.021; Tue, 7 Dec 2021 02:29:10 +0000
From: Chuck Lever III <chuck.lever@oracle.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt
Thread-Index: AQHX6hAa5Iy4UaEkKUeUmSSqi5G97awktqlCgADjywCAAG4ZaoAAHAuAgAAM2JmAAB7eAA==
Date: Tue, 07 Dec 2021 02:29:10 +0000
Message-ID: <066986E6-FCC6-40A8-BEED-D898B1EB2519@oracle.com>
References: <163873328734.5490.15468230922208392053@ietfa.amsl.com> <856F08E9-CDFD-43B5-B8B1-278BE0DA7339@oracle.com> <YQXPR0101MB0968E2DC868A17423FF8D8B7DD6D9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <56914C1D-97BC-4225-AFD3-01F2CE096C8A@oracle.com> <YQXPR0101MB096887BF90B0107899DBDBC8DD6D9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <C1CB89D1-1D5B-4CC8-ACC9-27AFAE73F538@oracle.com> <YQXPR0101MB096809E7D3A34CE1FAA0D484DD6E9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YQXPR0101MB096809E7D3A34CE1FAA0D484DD6E9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.120.0.1.13)
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 85172821-d28d-4095-7a3c-08d9b9295a2e
x-ms-traffictypediagnostic: CH2PR10MB4359:EE_
x-microsoft-antispam-prvs: <CH2PR10MB4359AAF017CE20D4D1AFAFD9936E9@CH2PR10MB4359.namprd10.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: TWwXoB1i8DgVyjx5t4NT0+kg4vPdguPyXYY8Y9lMg1VROQqIDBoNQedYuLvWiHt3zclDQL8txKg9altWF9+y+uSIeInoHdBWui3l+XiZ5VyVgJZdOa/C/igFe6OwZSI9o++jQtyTofwCqvhaqY6EYPl3cO35RfHlB82zQje5tXAopI118nLAwAVgkCuzf8AIeqe4Io6tebK5UA7/gqkDUKOWD6ct7wTnWLZB82lTnW5uTUXLLmxUwMCdNqujGyhyUpH1jJ6Dm6v20RpOO0UNeSQHKQbKO7x5cwoyjkSVyDQnm6GK7Po+yQFyqA1S6GM0n5wg+N32r2Bd6LfhwjCxG9RR1XuZF0enOJLLsnqF3huBTrLt616Lq+U4Vrbd6X80BHXhyQ/qNTT0iSQ75blNT32tyQ72iYQklA05FScgdiG1745sEiPN6l7zAT5JpnKHgTPJk9SlSufCt0b+GkKaRDaVglg1zxuM2GO07Dh7Hpgtqkg+k/vhRpf+5Me36XPnkqhSnZlJrskx0gkmO6d34JR0WFrDQFgPXomxzDmq6uSKNNyxL5W+MfQxODTZOcLVjo0gDGGBOAEL2ZZTentQs19/rUduJMYr2ZEA/+V5O2/fBA2zO31+frhpbI7U2DfzqgXWa2sq05YLfNTpZ2JdRewk1poGz7gNc/Rrw56rbqTrXjZazosso1LHgk37qLrSr6Efi0xZvRJnEauoC8XRhCBphf/CxI3mmsrim2xrxpgTu7KfBmuHYR48fgXoES41
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR10MB4858.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(71200400001)(2616005)(6916009)(86362001)(5660300002)(38070700005)(6512007)(508600001)(36756003)(38100700002)(76116006)(66476007)(66556008)(64756008)(66446008)(66946007)(4326008)(122000001)(33656002)(53546011)(8936002)(6506007)(8676002)(6486002)(26005)(186003)(2906002)(316002)(296002)(15650500001)(83380400001)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ZbbAOVOaKRs89VUK0YD3tqNhw4Hk/3ni9SALbtJlKe2cLY3fB2Jf+Nx3nl0ghWsPOu4xnmGTFjfGaPrBWfHmb9z+cB11lxmQ4ij7Jf3tTkWDO4nGUpT8thfUIoAqLBckm3HrpcugkeVE/bYK4JTf/JDW9qV5tOmknYZ2ADRTetzomCL+NSHuNhNY3IOw+i6fQndBVW/4knrke6taR7BcrlFF0CuvDtJF+s/yYJii3cX/ED0ODkEjHmHwH2WR2QxeAoZKshbiEv3SOgIFpQIeWdaMVvfNDbqb7ANsTHOfh+oiNSyecE0c0mDMk8Z6a8UKXCIgYmvw7kolQvT9pAW2rQqBEHGuvZ+1eA1ncny09UM4OImaCFzXwVkJLGJUtHbkLGM8P6pi4jfi4D+qxLuSJsVf+4W+bVQ69N54AkMsq6xaYdVDJyGxfzcNd2BBEeNkTOFX2wy2Hcjppm4VOBTztwVKT3wlTDz07h7epN/ZpJDSmtk3E8JulVaPp4o348lSYC/KOUeFqZDL5lnQlyHlLGORqMyL9/IaKvnI9UMms3jrvMenZsBAUKMj/V4iDtjCNyn2CCW2Ees8DM7mmOKC73rDv2pPKQoXALNBWjZ1IRmbxIpPgvsRQObb/3G+GUnE1wuLahTtTxh3q/6GIbFUeBJw2Q9vxa9SEPJe7oVCBSp1CicJ6paZ0VIFLfpk8fAfsdVolnp7JIh7Feqxbmwq3tkL/rbSeW9Rx2cUA/lCxdg0/7m0n7Y1wH4h4K8IcFVdTqg+uLRZ1bBdSV0zWYk/Qe7hs8s32AFvhhidVbG4l1XTWyOutp4EKTml/ZerW4hyVj/g1goozDYE889c+aA3JR7owt0wkGf9Mq1inLp01I3Y0b04FlLFw4qxLY82DSKR1Isw/APwAw/u5rJ3q3kp5VlBPpEr/GK/r9Rd2ek3RX9EjEPO51HXN/sLPiP0XXmB1T6wI7xymP6ItCsMYbxS6Sk6Wm/AwwrUGgpNg2r89q169cwThCi3mwUdSdr9/hvx6d8zZp0UDjjARaV+Fgz7A4OB1bQJDMq+J/qSz/6w0gVEj27qFsSGXIVGAh6emr8O5gzlNzJv8G5C1rVSADbnFJfoKyZfF40I4rRGqcePr4M6dmmjnpcQeIAiniL7CY1bBKC2DRN3Pq4ZJoT1oO+sKOQbYoWf06M/NUU5V2XL+pgP+hNUH/Tg418jnLpnK5qnJ0I+hU9vFUK7Q2IGb5Oq4C2hP2I7zxFSFj4iRGn8NRFFj8JKN+qPyYLLcKf29xmMGaa7lKgtbo9yDLcTnVgmafubIKvePhQ6nET+V7SyawvpuFfC9SV68uq+FJQwt4yN4DECN43bU/NiKsKbG5emGmDGn8BxVXxaiMi+4dU/n9t1YxYDQeQEsT7soxi4S5WnyNTcfbHBTrAHTtTVz2vHVbrqrN/CBwCe6Dc/PfKaSBc6zqqPteTrP7G1T4EUOVDbc2b31aLaEh/OzdKxuVmrv4cfxZF7ejGlwGVYjBHm8zVUOAkMM5bqUl8izaAt9n64d3xp0sRp8nk/FPvFTSz4x9wQkhCQRoECjifrP6QY1aUSDRFa7L5YmlMjxrfZRCmAkNOYD6wzQfZaJTJuIQToDwtTZGU3TAVAqBUtM1pJD8w=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <3A56109BD7589D43BB5F4866BA94CE88@namprd10.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR10MB4858.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 85172821-d28d-4095-7a3c-08d9b9295a2e
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Dec 2021 02:29:10.6164 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: BQVhWw3yWdoy6sHqzDLI+UaJRAPJIkE5kTewXisBWcUjLL6l0JgiM0dhV3gofCIxiSXiAhPqGfvGJlJClVTWaA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR10MB4359
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10190 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 mlxlogscore=999 phishscore=0 bulkscore=0 malwarescore=0 spamscore=0 suspectscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2112070014
X-Proofpoint-GUID: Pah00tCP8G-iNz5ujIa-mja_bcxSmJ9i
X-Proofpoint-ORIG-GUID: Pah00tCP8G-iNz5ujIa-mja_bcxSmJ9i
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/l0pUGdJNufEBKugqLj3qg3aVbig>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-pseudoflavors-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Dec 2021 02:29:19 -0000
Hi Rick- > On Dec 6, 2021, at 7:56 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote: > > Chuck Lever III wrote: > Hi Rick- > [stuff snipped] >> Let me try an example. >> >> Sending AUTH_SYS_ENC to a server on an unencrypted connection >> is just wrong. > Ok, so now you've completely confused me. > I thought that these pseudo-flavors were meant to be used in the reply > to SECINFO/SECINFO_NONAME (and in the reply to the MNT RPC for NFSv3) > to indicate what the NFS server required. Yes, they are exactly for that purpose. Those procedures return a result that contains a list of RPC auth flavors (and for SECINFO, there is also some extra metadata that goes along with each GSS- related list entry). But then the client has to use those pseudo-flavors properly. There has to be some mechanism at the RPC layer, just as there is with GSS pseudo-flavors, that makes the new pseudo-flavors secure. Listing them in SECINFO would be pointless if the RPC protocol can't enforce the basic security requirements of each pseudo-flavor. So, the spec has to explain how the client forms requests with these pseudo-flavors, how the server verifies that the client has met the pseudo-flavor's security requirements, and what to do if the client hasn't met those requirements. Only after all that is said and done can the NFS server accept and trust an RPC Call using one of these new pseudo-flavors and decide whether it wants to authorize the request. The fundamental purpose of the new pseudoflavors is to ensure that if the client presents AUTH_SYS user and group credentials, it is doing so on a protected channel whenever the server requires that level of security. If the server doesn't care, it can still add plain old AUTH_SYS to the flavor list, and the client can send AUTH_SYS credentials on any channel it likes. >> The upper layer server (NFS) should not even >> see that request because the client sent a message that is >> insecure and cannot be trusted. > So, how does the RPC layer know that AUTH_SYS_ENC is required, > unless the RPC program server (NFS server for our case) tells it > that that is the case? Consider how Kerberos 5 works today. The RPC layer doesn't know if the local security policy requires GSS. It knows only how to ensure a message is sent with integrity. When an integrity- protected RPC message gets to the NFS layer, that layer knows the message was transmitted correctly, and then decides whether it accepts requests using that security level (and replies WRONGSEC if not). I'm not adding anything new here except the ability to convey an AUTH_SYS user and group credential and ensure that it was sent from a trusted client over an encrypted channel. > --> And as I noted before, I think the NFS server will want to look > at the RPC request before it decides what it requires. I don't understand this remark. The RPC layer has to parse the incoming network bytes to ensure that they form a sensible message before it passes the message along to the NFS server, who then applies appropriate policy to determine whether that user and client are permitted to use the filehandle that the operation is bearing. XDR decoding and security checking come first, right? > (per file system via file handle or NFSv4 state operation not > associated with a file handle) >> The point of AUTH_TOOWEAK is to forbid clients from sending >> AUTH_SYS_XYZZY requests on unprotected connections. If that >> happens, the server is supposed to bat that request down >> immediately. The transport layer security has to match the >> pseudo-flavor. > Again, what do you mean by "match the pseudo-flavor"? > Or, put another way, how does the RPC layer know what this > pseudo-flavor is supposed to be? The pseudo-flavor value is placed in the RPC header, just like with GSS flavors. RFC 5531 Section 8.2 defines this part of the RPC header: enum auth_flavor { AUTH_NONE = 0, AUTH_SYS = 1, AUTH_SHORT = 2, AUTH_DH = 3, RPCSEC_GSS = 6 /* and more to be defined */ }; struct opaque_auth { auth_flavor flavor; opaque body<400>; }; We're adding additional items to the auth_flavor enum. To send an AUTH_SYS_ENC request, the flavor field of the opaque_auth structure would contain a value to be assigned by IANA, let's say 400001, and the body field would contain this structure: struct authsys_parms { unsigned int stamp; string machinename<255>; unsigned int uid; unsigned int gid; unsigned int gids<16>; }; This is the same structure as AUTH_SYS. But the pseudo-flavor would require that the receiving end verify that this message is arriving via an encrypted transport channel. In this way, when SECINFO tells a client "I want AUTH_SYS_ENC", the RPC layer can guarantee for the NFS server that the RPC message was delivered on an encrypted transport. If it wasn't, the RPC layer rejects the message with AUTH_TOOWEAK. So if the client sends an AUTH_SYS_ENC request on a plain TCP connection with no transport layer security, the RPC layer on the server can see immediately that the pseudo-flavor's security requirements have not been met. >> Nothing more than that is going on. > It seems that you are assuming some pseudo-flavor will apply to all > NFS server access from all clients. > And, as I already stated, I do not think that is going to be the case. I don't really understand this remark, sorry. -- Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Rick Macklem
- [nfsv4] Fwd: New Version Notification for draft-c… Chuck Lever III
- Re: [nfsv4] New Version Notification for draft-ce… David Noveck
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever III
- Re: [nfsv4] New Version Notification for draft-ce… Rick Macklem
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever III
- Re: [nfsv4] New Version Notification for draft-ce… Rick Macklem
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever III
- Re: [nfsv4] New Version Notification for draft-ce… David Noveck
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever III
- Re: [nfsv4] New Version Notification for draft-ce… David Noveck
- Re: [nfsv4] New Version Notification for draft-ce… Rick Macklem
- Re: [nfsv4] New Version Notification for draft-ce… Rick Macklem
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever III
- Re: [nfsv4] New Version Notification for draft-ce… Rick Macklem
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever III