Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Fri, 04 May 2018 00:43 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04537127735 for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 17:43:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.608
X-Spam-Level:
X-Spam-Status: No, score=-2.608 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cA_pWKxOEbbY for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 17:43:41 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1A7112704A for <nfsv4@ietf.org>; Thu, 3 May 2018 17:43:41 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id v2-v6so17770586oif.3 for <nfsv4@ietf.org>; Thu, 03 May 2018 17:43:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IiEpvpLWg3aWA8qqWpgX+0Jg9cZgskXGEbaR4lS6O1E=; b=GLlpFcwwGzMIudFDSzbnvgsSlbbwXiQ4BhEJ5UEyQp5Z1L5V8caHDt6dgucr8sZuJR u59MOoY3wwp2o6MzoQlww/a8Wo+mnNVhYP62JjwPmmq0aUqPlT5NmcqF6EFw1yY7kv33 hxvhRVmM59nbL/CQ5EtCdcf2DtIWkTE6dYGBWmfgN4NHuvyCyCCo5/4xgeZrjskfx3YT Qt+UmcUXoBNYrN8RZhLriUfT9a+LIoRupifCBuvWrPMRnEbQIncfMhHieMxrFspGBk2f ibXYEB7gkkLqYOQzTREmYglogpTTCa36aX1pCoUkt+hZTyeRXknXixLYHor5CFWhGAJa YYOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IiEpvpLWg3aWA8qqWpgX+0Jg9cZgskXGEbaR4lS6O1E=; b=gCFPZhZb8NB9d7ZysoHDYhESgGZJ+NK6dAHZWBS3WFVkEwhCkR6X9rBdDnObj9cUkK l5Rk0GUPGBCmc29e5AMudNOz9etjLLzfbNNa+19DIzPn/zovMhAQ0S0yuQ+5NykmR2UQ cfgLYQ1B+3GbUFne65YS0cijnw9sKUiJG1CXmH5M7Jfwa+OsW+yN0Mk+reaF/EvzGVht ggXPrMxX+yLt1b7v92cU5/nw3pdJgggsyhC2p9yNN/JbSzuuc7wln/AFNiypNSv1fb/W YkqE5z7UpdYCFzCq5IvSVJphxCp1VgDHfTlMGi6bl0pbn1co7BYsMsLFdLkBhjYJjTEj XmkQ==
X-Gm-Message-State: ALQs6tCM7D1AV1UtH4xBV4E/NOIE8lwbVwFAtN+aY/CX2aRlQoLbspb+ Jn/hyx15CunML4ghqcEsxX4CAZ/bn+vACcuq1LvVEA==
X-Google-Smtp-Source: AB8JxZqJUgSud4qkk5JcDdunKVs/JuiRxzv5ZmQdWohWEBb+h9IlPB+gCtBzdvc18XDoIuRP72is9+J2FKl6N0UidBw=
X-Received: by 2002:aca:c754:: with SMTP id x81-v6mr15057299oif.43.1525394620956; Thu, 03 May 2018 17:43:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Thu, 3 May 2018 17:43:00 -0700 (PDT)
In-Reply-To: <EABDCD68-EB4B-40B5-A711-C1A9B976F911@gmail.com>
References: <151683050192.22597.10931170494891133045.idtracker@ietfa.amsl.com> <9FD918F5-D08C-45FC-B6BB-30CBB3D4EC51@gmail.com> <CABcZeBPE5gV3KPpRpRxAtYRSSCZh8+3-fcf-1VsxF3AxmomnwQ@mail.gmail.com> <F2ADAD73-6AB3-45EF-B6FE-033E01F58D8E@gmail.com> <CAKKJt-e=81qyR3YXNb9imu8kzk6+nCYgMjeZqHNwt3xi4CfNxQ@mail.gmail.com> <CABcZeBPM_Rnb0QZvbvBpUCNd6yurtz0ipexUQscmnG_samb2RA@mail.gmail.com> <FD8AF7AF-632A-461C-A82A-BC0711B2F8D0@gmail.com> <CABcZeBMhEHhV1ie=TNqrj_arupO=kd27houBpZgdqZw1pPMfww@mail.gmail.com> <5C013DFE-96E3-4B74-B597-5F3FE1D314C6@gmail.com> <CAKKJt-deRBop1n8sv6dNaqUL_RUWxWMELutWubRdTOovKXEHwg@mail.gmail.com> <3670A5DF-4E11-4848-AE28-354F45F50D2B@gmail.com> <CAKKJt-dmcqLULhe_92wwOqVTcxKweB4YqiPKxoePRZAiQfv-Mg@mail.gmail.com> <CABcZeBMNQKV8m3Z46rsMKjraaHH5zCcKEe-Vo-b+Yo2SRQjTYg@mail.gmail.com> <897972F7-E7B8-4C6D-9470-CBD44B229CE7@gmail.com> <D64530FC-0FA1-4955-AA8A-31CEB32703BA@gmail.com> <CABcZeBNu+V+qTcw3FB=vDijN3-G-5w17rnDy5xSuativiXpU7g@mail.gmail.com> <9A3E372B-809E-4DA6-81FE-6ABBFC8E8DB6@gmail.com> <CABcZeBNfqyNMvx7h+1_zrM6QoL3-YS=4-3rc80khs-PZBj3D9g@mail.gmail.com> <EABDCD68-EB4B-40B5-A711-C1A9B976F911@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 03 May 2018 17:43:00 -0700
Message-ID: <CABcZeBPj=fwbFoz0UpW9+waqDYiutFsLPrgm4ULByZey9nv5kQ@mail.gmail.com>
To: Tom Haynes <loghyr@gmail.com>
Cc: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, draft-ietf-nfsv4-flex-files@ietf.org, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000865748056b569c7b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/lkpSV490auySEd-1uqRz4mBFrEo>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-flex-files-15: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 00:43:45 -0000
DISCUSS cleared. On Thu, May 3, 2018 at 5:38 PM, Tom Haynes <loghyr@gmail.com> wrote: > Hi Eric, > > Thanks for bearing with me and the review. The changes are posted here: > > A new version of I-D, draft-ietf-nfsv4-flex-files-19.txt > has been successfully submitted by Thomas Haynes and posted to the > IETF repository. > > Name: draft-ietf-nfsv4-flex-files > Revision: 19 > Title: Parallel NFS (pNFS) Flexible File Layout > Document date: 2018-05-03 > Group: nfsv4 > Pages: 42 > URL: https://www.ietf.org/internet-drafts/draft- > ietf-nfsv4-flex-files-19.txt > Status: https://datatracker.ietf.org/doc/draft-ietf-nfsv4- > flex-files/ > Htmlized: https://tools.ietf.org/html/draft-ietf-nfsv4-flex-files-19 > Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf- > nfsv4-flex-files > Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf- > nfsv4-flex-files-19 > > Abstract: > The Parallel Network File System (pNFS) allows a separation between > the metadata (onto a metadata server) and data (onto a storage > device) for a file. The flexible file layout type is defined in this > document as an extension to pNFS which allows the use of storage > devices in a fashion such that they require only a quite limited > degree of interaction with the metadata server, using already > existing protocols. Client-side mirroring is also added to provide > replication of files. > > > Spencer S. I know Spencer D is going to ask if the WG is okay with the > changes, so I’ll help > him out and ask away! > > Tom > > > On May 3, 2018, at 5:13 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > LGTM > > On Thu, May 3, 2018 at 4:50 PM, Tom Haynes <loghyr@gmail.com> wrote: > >> More in line? >> >> >> The combination of components in a pNFS system is required to >> preserve the security properties of NFSv4.1+ with respect to >> an entity accessing data via a client. The pNFS feature >> partitions the NFSv4.1+ file system protocol into two parts, >> the control protocol and the data protocol. As the control >> protocol in this document is NFS, the security properties are >> equivalent to that version of NFS. The Flexible File >> Layout further divides the data protocol into metadata and data >> paths. The security properties of the metadata path are equivalent >> to those of NFSv4.1x (see Sections 1.7.1 and 2.2.1 of >> [RFC5661]). And the security properties of the data >> path are equivalent to those of the version of NFS used to >> access the storage device, with the provision that the metadata >> server is responsible for authenticating client access to the >> data file. The metadata server provides appropriate credentials >> to the client to access data files on the storage device. It >> is also responsible for revoking access for a client to the >> storage device. >> >> >> On May 3, 2018, at 3:45 PM, Eric Rescorla <ekr@rtfm.com> wrote: >> >> I'm sorry, but I still find this really opaque. >> >> What I'm looking for is a simple statement. Either "The security >> properties of the protocol described in this document are equivalent to >> those of NFS vX" >> or "The security properties of the protocol described in this document >> are equivalent to those of NFS vX if you do X, Y, and Z" or >> "The security properties of the protocol described in this document are >> different from those of NFS vX in the following ways" >> >> -Ekr >> >> >> >> On Wed, May 2, 2018 at 1:43 PM, Tom Haynes <loghyr@gmail.com> wrote: >> >>> Hi Eric, >>> >>> I haven’t seen a reply to this one. >>> >>> The current draft-18 has the changes mentioned in this thread. >>> >>> It has: >>> >>> >>> The pNFS feature partitions the NFSv4.1+ file system protocol into >>> two parts, the control path and the data path (storage protocol). >>> The control path contains all the new operations described by this >>> feature; all existing NFSv4 security mechanisms and features apply to >>> the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]). The >>> combination of components in a pNFS system is required to preserve >>> the security properties of NFSv4.1+ with respect to an entity >>> accessing data via a client, including security countermeasures to >>> defend against threats that NFSv4.1+ provides defenses for in >>> environments where these threats are considered significant. >>> >>> The metadata server is primarily responsible for securing the data >>> path. It has to authenticate the client access and provide >>> appropriate credentials to the client to access data files on the >>> storage device. Finally, it is responsible for revoking access for a >>> client to the storage device. >>> >>> Would having something like: >>> >>> The pNFS feature partitions the NFSv4.1+ file system protocol into >>> two parts, the control path and the data path (storage protocol). >>> The control path contains all the new operations described by this >>> feature; all existing NFSv4 security mechanisms and features apply to >>> the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]). The >>> combination of components in a pNFS system is required to preserve >>> the security properties of NFSv4.1+ with respect to an entity >>> accessing data via a client, including security countermeasures to >>> defend against threats that NFSv4.1+ provides defenses for in >>> environments where these threats are considered significant. >>> >>> The data path is also constrained to security mechanisms of the >>> NFS version being used between the client and the storage >>> device. The metadata server authenticates the client access and >>> provides >>> appropriate credentials to the client to access data files on the >>> storage device. Finally, it is responsible for revoking access for a >>> client to the storage device. >>> >>> be better for you? >>> >>> Thanks, >>> Tom >>> >>> On Apr 11, 2018, at 2:25 PM, Tom Haynes <loghyr@gmail.com> wrote: >>> >>> Hi Eric, >>> >>> It is the same. >>> >>> Section 2.2: >>> >>> It is RECOMMENDED to implement common access control methods at the >>> storage device filesystem to allow only the metadata server root >>> (super user) access to the storage device, and to set the owner of >>> all directories holding data files to the root user. This approach >>> provides a practical model to enforce access control and fence off >>> cooperative clients, but it can not protect against malicious >>> clients; hence it provides a level of security equivalent to >>> AUTH_SYS. It is RECOMMENDED that the communication between the >>> metadata server and storage device be secure from eavesdroppers and >>> man-in-the-middle protocol tampering. The security measure could be >>> due to physical security (e.g., the servers are co-located in a >>> physically secure area), from encrypted communications, or some other >>> technique. >>> >>> (By the way, this contradicts the original text in my first paragraph >>> below >>> and is why we needed a change.) >>> >>> And as for why, Section 15.1.1 discusses why RPCSEC_GSS is not >>> provided in this version of the Flex File Layout Type. >>> >>> Thanks, >>> Tom >>> >>> On Apr 11, 2018, at 1:52 PM, Eric Rescorla <ekr@rtfm.com> wrote: >>> >>> Hi Tom. >>> >>> This text is clear, but I fear it doesn't answer the question I asked in >>> my discuss: how does the security here compare to ordinary NFS and why. >>> >>> -Ekr >>> >>> >>> On Wed, Apr 11, 2018 at 11:08 AM, Spencer Dawkins at IETF < >>> spencerdawkins.ietf@gmail.com> wrote: >>> >>>> Hi, Tom, >>>> >>>> On Wed, Apr 11, 2018 at 12:38 PM, Tom Haynes <loghyr@gmail.com> wrote: >>>> >>>>> So actually, after thinking about, the discussion about securing the >>>>> namespace on >>>>> the storage device is wrong. >>>>> >>>>> The current text is: >>>>> >>>>> >>>>> The combination of file handle, synthetic uid, and gid in the layout >>>>> are the way that the metadata server enforces access control to the >>>>> data server. The directory namespace on the storage device SHOULD >>>>> only be accessible to the metadata server and not the clients. In >>>>> that case, the client only has access to file handles of file >>>>> objects >>>>> and not directory objects. Thus, given a file handle in a layout, >>>>> it >>>>> is not possible to guess the parent directory file handle. Further, >>>>> as the data file permissions only allow the given synthetic uid >>>>> read/ >>>>> write permission and the given synthetic gid read permission, >>>>> knowing >>>>> the synthetic ids of one file does not necessarily allow access to >>>>> any other data file on the storage device. >>>>> >>>>> The metadata server can also deny access at any time by fencing the >>>>> data file, which means changing the synthetic ids. In turn, that >>>>> forces the client to return its current layout and get a new layout >>>>> if it wants to continue IO to the data file. >>>>> >>>>> If the configuration of the storage device is such that clients can >>>>> access the directory namespace, then the access control degrades to >>>>> that of a typical NFS server with exports with a security flavor of >>>>> AUTH_SYS. Any client which is allowed access can forge credentials >>>>> to access any data file. The caveat is that the rogue client might >>>>> have no knowledge of the data file's type or position in the >>>>> metadata >>>>> directory namespace. >>>>> >>>>> My replacement would be: >>>>> >>>>> The combination of file handle, synthetic uid, and gid in the layout >>>>> are the way that the metadata server enforces access control to the >>>>> data server. The client only has access to file handles of file >>>>> objects and not directory objects. Thus, given a file handle in a >>>>> layout, it is not possible to guess the parent directory file >>>>> handle. >>>>> Further, as the data file permissions only allow the given synthetic >>>>> uid read/write permission and the given synthetic gid read >>>>> permission, knowing the synthetic ids of one file does not >>>>> necessarily allow access to any other data file on the storage >>>>> device. >>>>> >>>>> The metadata server can also deny access at any time by fencing the >>>>> data file, which means changing the synthetic ids. In turn, that >>>>> forces the client to return its current layout and get a new layout >>>>> if it wants to continue IO to the data file. >>>>> >>>> >>>> Thanks for proposing new text here. >>>> >>>> Spencer (S) as shepherd and WG co-chair, does this look like something >>>> that would come as a surprise to the working group? >>>> >>>> Spencer (D) as AD >>>> >>> >>> >>> >>> >> >> > >
- [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfs… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Spencer Dawkins at IETF
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Thomas Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Spencer Dawkins at IETF
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Spencer Dawkins at IETF
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… spencer shepler
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Tom Haynes
- Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf… Eric Rescorla