Re: [nfsv4] Fwd: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

[Rob Thurlow <robert.thurlow@oracle.com>]

Hi Chuck, some feedback on this nice, short draft:

On 11/19/18 08:55 AM, Chuck Lever wrote:

 > URL: 
https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt

 > However, experience has shown that RPCSEC GSS is challenging to
 > deploy, especially in environments where:
 > ...
 >  o  Host identity management is carried out in a security domain that
 >     is distinct from user identity management.

I don't think I understand this sub-bullet; do you have
an example that would clarify?

 > 4.2.  Streams and Datagrams
 >
 >  RPC commonly operates on stream transports and datagram transports.
 >  When operating on a stream transport, using TLS [RFC8446] is
 >  appropriate.  On a datagram transport, RPC can use DTLS [RFC6347].

Do we point to DTLS anywhere else in our NFS documents?  I'm
wondering if we want to support datagram service this way.

 > 4.3.  Authentication

Good start here, but I expect that in practice this will
result in a step down from the state-of-the-art we know -
RPCSEC_GSS w/krb5p - to TLS + AUTH_SYS, and that this is
OK because many deployments do not represent multi-user
clients whose traffic will be multiplexed across one
single connection.  As I hear the request, this is most
interesting for NFS traffic inside a server room, with a
very limited set of user identities in play, and/or with
non-traditional clients.  We should make some effort to
describe the interesting use cases to show that we're not
eviscerating authentication norms for no reason.

> The immediate question I have is whether members of WG feel this
> topic and document are important enough to promote rpc-tls-01 to
> Working Group document status. If yes, I can submit the next
> revision as draft-ietf-nfsv4-rpc-tls-00.

Yes, this looks like a good start to me.

Rob T