IETF Logo Mail Archive

Re: [nfsv4] NFS over TLS for laptops

Rick Macklem <rmacklem@uoguelph.ca> Thu, 24 December 2020 00:04 UTC

Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 726F53A044E for <nfsv4@ietfa.amsl.com>; Wed, 23 Dec 2020 16:04:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uoguelph.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aqX87xBZW9xe for <nfsv4@ietfa.amsl.com>; Wed, 23 Dec 2020 16:04:02 -0800 (PST)
Received: from CAN01-TO1-obe.outbound.protection.outlook.com (mail-eopbgr670062.outbound.protection.outlook.com [40.107.67.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF90D3A040B for <nfsv4@ietf.org>; Wed, 23 Dec 2020 16:04:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FqRjARJ3LAQ7ILu2qJ5aWBvzYldFLVbQm2ygq0Py/oh0eShom3ijp3nxGVyxQEI1IgW8/IoCdSU9hrszCa/x70X5IjJ4vWkyUDcn4+Is/DgAiL9gGy0O0HeUBhEcWBsXWRJI/VY2iAyqzgXdr2rldU6EhVs0rMkF78nsh8B1a+7pEW7D1rbsiXy2IeemsElglnfjftO9IIlg/tKsA80NAW91F88zC8TsoGWrnxgQYmsyv0aca6oxhnOJUCtkSbaPl+p23UL8yZ1MZ58IeadztY4Vv96eOAxQe2jBY/VrU+FZSHsXSPx5Vh3HyvcYcaG4Vi2kWv1iGl0FEj1xNMbnBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=f3YquZTMBUG3P/1OKx7QhkgeWF34NYxeqkUF97XaenY=; b=MCvM5KYnvy5gAKQ5zg5RPCKeSvU7KoPPMApWGiziYg84Qnw7Z3w3LNYGFXE0rpMw6kk59EXTYQjhgo/Y9gOAH8ND9h/7wdLoNLT6g+rXMSTOQK+v2Uc1m1+I7kFOKrlZbjZRDbcCo+pOUnb33bIdGW10MUY1IpBJWSF2GW5Q6DMjnUzCDUT0Ts0R5XMxoC11bK4LLSdmKtVhNOvw8E+wZecYxBvNxyNf8hQC3tXS/eEZ5pjYTjNQ4fk0tKctHL28gk34e0hHuiZ/RBOLwSjgJlCya8x/TcZzU9Gzsd7XboqtjF/te24oqLoY5wm88NwQdaoT4mZ7HUe9v0NfC4kctg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uoguelph.ca; dmarc=pass action=none header.from=uoguelph.ca; dkim=pass header.d=uoguelph.ca; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uoguelph.ca; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=f3YquZTMBUG3P/1OKx7QhkgeWF34NYxeqkUF97XaenY=; b=Efd2/aPOeiqKqJhOQ0r97TeRDkaBmCtE16qFlyRaBZfpmuvLQfixFHx+mN9ItazBEuCGCU5PBAUdiMrqjcMMlR+9ZCgQqnML0dNLg72NlGvsoh5IdT9f3/uCNDknbzDiYOjOuaAIwKD97eG8gGgaihvXzaxdnv9bRinked5njXMKRLLtif3FMwlhLw40tIUCrqy2hUvWCLCEybprw3B591EOii6ovmJ7kHp1690qQa6CqVjJaCIlTh6qCWlGMH3x6Qv+gmdebMVn6r6LhW0hHJgwrBzsUlZ41+tYVqroHlV+t6UxKTse0IiVlKydLuHD3ezNaneGQvXeL9Q6K0KxXQ==
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:19::29) by QB1PR01MB3683.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:3d::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3700.27; Thu, 24 Dec 2020 00:03:58 +0000
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::7d6b:aa68:78f4:5d94]) by YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::7d6b:aa68:78f4:5d94%7]) with mapi id 15.20.3676.034; Thu, 24 Dec 2020 00:03:58 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Chuck Lever <chuck.lever@oracle.com>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] NFS over TLS for laptops
Thread-Index: AQHW0NppAc3uZqIjgEq2ArIQwELbLqn2yyYAgACS67yAAO+9eYAAHOsAgAN9YtuAAviagIAAMFYUgAGN13OAATNIAIADjnFR
Date: Thu, 24 Dec 2020 00:03:58 +0000
Message-ID: <YQXPR0101MB0968D1AB5DC7A55DE4E5F404DDDE0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <YQXPR0101MB0968F7BF5A6D7E97F39CC739DDC90@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <A7175D1C-BEBB-4557-8123-FA78C9393E72@oracle.com> <YQXPR0101MB096816C0EA985F65FE6562E5DDC60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB0968AA3A97C80B8140BFC845DDC60@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <8B3A77F6-15DE-4F4B-B246-385DD447C743@oracle.com> <YQXPR0101MB09680BC1A27265F81C5B5671DDC40@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <DEBCFB38-9A1A-43BB-A8DF-0C64792AF30F@oracle.com> <YQXPR0101MB09689564C0543291E25FB274DDC20@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YQXPR0101MB09687759005C97725CFC1AFCDDC10@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>, <13B0E10F-0E40-47AC-A6E3-495DF578DCAB@oracle.com>
In-Reply-To: <13B0E10F-0E40-47AC-A6E3-495DF578DCAB@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: oracle.com; dkim=none (message not signed) header.d=none;oracle.com; dmarc=none action=none header.from=uoguelph.ca;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9b87ed72-c31f-4e8c-0db3-08d8a79f69c1
x-ms-traffictypediagnostic: QB1PR01MB3683:
x-microsoft-antispam-prvs: <QB1PR01MB3683100F2BE3F34006ADE2CFDDDD0@QB1PR01MB3683.CANPRD01.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 62QiV/CttvNI7Pzfr8HIlBGTmODvpF5Rt8UGIPBB1QwHNmxIaEG46VMbaSUTujDoqazq7r8vX8Xlqt/slHV8vRP7nOwqBRKQKD0MkxP/Vmuehkbq3zhiivEfCaXuShsMO0Rzu+YCXc6DExPKKUSHJFUK9MiRcyYoTSGvMVoqcC/KNMHpLHY9QVXfpud1huTAv6acp21XOjiR9Yyqku3aXM04+dXS45EeO+O9TX7vI2OF6zG0KwNZ02OOM3CD1G50Gk/wCNJJjyBZWtwbhAi8ijLCfY/ZRLnSX3Xw25gSAQMul0AMJJsMDRpEP6fm0hu6yAvHGaBnGNXXYK1n2aIriZxfHXGbdkiJ3PmoVGVAn8BwtY20XcoyVwG6vWaLtao1Ffqe27k38ExBwWaMd34XVg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(346002)(39860400002)(136003)(396003)(366004)(376002)(55016002)(2906002)(4326008)(66556008)(71200400001)(6916009)(66446008)(64756008)(83380400001)(8676002)(52536014)(786003)(33656002)(66476007)(5660300002)(316002)(186003)(478600001)(8936002)(86362001)(76116006)(91956017)(9686003)(66946007)(7696005)(6506007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Yn0kPa+9sPYcs1+0etR4H6rv6BMfeX3yKUHvLFOqY+wU+khSzMbK+c0e3gKwpikFx/eDF5zOuM74aqr5+I3ZKcP/PSbOw8LV4618zqth6hB9u83RB/0+eGv6HIgJ6iPfw2TShM0YlBKXqIPLRPdtBJAN4Yn2eo+hz4r/aGW58pNPsVpo0hBKdMf8w/mXNzT5s+nGR/up4Skqi40jTPOmrJMTT8J0AVYds3PxNuwCDo0Xl3lKCP1JcV7lNVlrsXJmeDxHCiMsljPZSJoIvmuwqJ0GZGnofdViDNs4SMMMOJgZYzff4DMOY32yR+2Yq804m7rLs09kCVul0giHiaB9yGoclbuTMqDodPs3GKBPudWaU/WX24ncBeAYm+g75Xm/FTnwLi096wa9lnvYoiXfWn8J8lpdDnYLy2GHYtbiASL5D55PMk7LMwDLtE9yJrhaOb2iuN+D8i12OPpd/tU5zGGvtY41GDYZRM2rLLtSaxkRIFCsl7jvyQGFqKV/mQHPEWtZd2JRBPtDLN4Daw38J5yMiIYxsqU7Gg+cvWbocPYk/OTDFr3s8ZypKQETB6dQIjV0HbGopVbXaAYG0xJtL+UvA7V8rd7lwwD8pTojrh9J16u7DqFzj2QnhRKNcSepgeichk3gv/trNE0y1Rqk4o+5aZ921LibsSuPO6M6Odr6kVKwWGhWu5YscRdrmGSw5Ta2Axj1o1yc31F/ERTEKUJprgW54+O9d3A/vlEMdzdGNaM8rA4b8DCcGJ/ugiboCon7vwRq7hPszx+csYcp1o6KcocD8J9+h05m1Us4awNPyD0q5brgNJ3f3tHBkyStI9fbzF5bS8EBz2zGuCcILlTEabZFYNrpsK1KiOPN3J0L85Bgo9TgDnN+kw/maiW3rTVzdFM6StsyWdF0pauraX72jZE/CkviA5E8l2V9GIg+FhXbxBg2YQ3Szg7qSZu/1ukIGAXlv9MKShP55CU4Qolsz2eYmGQud8ew3IRlntAo21wUO4TIptY+Yy3iE7lPzSenxkc/0nZ7aR77lPTe4Y49OB8swzYA8jNGqStvPe4=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 9b87ed72-c31f-4e8c-0db3-08d8a79f69c1
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Dec 2020 00:03:58.7904 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dCvMJLLgsSCcpZMx1lI734eLNRqg2JFbarbkQGvW5+BsUvi8A74IhHHB2a3Snfq9/H0UBbtv/5BnbLE9SFI+Ig==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: QB1PR01MB3683
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/ECA0DHzzVLXubCVwvwB7KxD8VRQ>
Subject: Re: [nfsv4] NFS over TLS for laptops
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2020 00:04:04 -0000

Chuck Lever wrote:
[lots of stuff snipped]
>When you have more than one server, some mechanism for sharing
>the squashing information is needed. You have proposed adding
>that information to the certificates, but that would work only
>in the case when each client actually has a certificate.
>
>I expect larger deployments (eg, client fleets in the tens of
>thousands and user populations in the hundreds of thousands,
>with dozens of servers) to have infrastructure that would make
>certificate creation as easy. An administrative host would be
>able to create certificates and update an LDAP directory that
>is consulted by servers. (Think of Red Hat's "IPA" which
>already combines certificate management, Kerberos, and LDAP)
>
>So I still believe that TLS administrative scalability is:
>
>a. better than a Kerberos deployment
>
>b. able to be improved by clever infrastructure and tool chains

If this is going to work for NFS servers from different vendors
(using vendors loosely to include open source projects)
you may have to think about defining a standard format
for the database information and a standard secure way
to distribute the data.
Otherwise, how is a Redhat tool going to manage a Netapp
filer, for example?
--> This could be a lot of work to define and implement
       for all vendors?

Wearing my old sysadmin hat, I'll admit that I was careful to
deploy NFS servers that were not dependent on other services
such as LDAP, DNS.
Why?
Well, after something like a major power failure I did not the
NFS servers stuck waiting for other services to come online.
--> As such, personally, I'd rather not depend on a service
      like LDAPS (note the 'S') to be running for the NFS server to be running.
      But, that's just me.

>You said you are not asking the WG to codify the otherName
>convention. So, right now, you do not care whether other
>implementations interoperate with FreeBSD in this regard. Fair
>enough.
I suspect (although I cannot be 100% sure) that non-FreeBSD
clients will simply handle the X.509 certificate as a blob.
As such, it will work against a FreeBSD server.

For non-FreeBSD servers, they will probably ignore the otherName.
So, for those, the TLS squashing will need to be done with whatever that
server vendor provides.

Dealing with this will probably not be a lot different than dealing with
every server vendor choosing their own data format and distribution
mechanism.

>And, we agree that securing single-user clients is an important
>use case. (paraphrase. My stupid email system cut the text line out.)
>
>I expect other implementers will find the same thing. When they
>deal with this issue, they might see your implementation and
>and copy it. Or they might copy it and add some variations,
>since there is no published specification.
Yes. As above w.r.t a TLS squashing data and distribution mechanism,
I agree.

>And then I can see one or more of them approaching the WG and
>asking us to either update rpc-tls or provide a specification
>to enable proper interoperation.
>
>Or, possibly, at some point in the future, the WG will be tasked
>with updating rpc-tls to reflect implementation practice, part
>of which might be otherName.
And you can simply restate that you do not consider use of the
otherName field this way as acceptable, due to conflagration
of user and machine credentials in the certificate.
(I suppose there is the question of whether or not the "collective"
 working group agrees with the above, but since no one else has
 commented except Ben Kaduk, we do not know the answer to
 that?)

Anyone other implementation who might choose the otherName
approach can easily do so from the FreeBSD doc. and sources.
(Or by simply asking me.)

>At that point, we have a real problem. Or maybe just me, as an
>author of rpc-tls and possibly its descendants, has that problem.
I do not really see the problem. No is a simple answer.

I will make one more generic comment...
There is a cousin to Administrative Hassle called Implementation
Effort.
--> It has been almost 11years since RFC5661 was published and
       I think you can count the number of different NFSv4.1 client
       and server implementations on one hand. Different vendors
       for client vs server, but both about 5 or less?

rick


--
Chuck Lever

v2.23.0 | Report a Bug | By Email