Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Mon, 25 March 2019 20:44 UTC
Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE67A1200A0 for <nfsv4@ietfa.amsl.com>; Mon, 25 Mar 2019 13:44:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U2CEci-MTaL3 for <nfsv4@ietfa.amsl.com>; Mon, 25 Mar 2019 13:44:30 -0700 (PDT)
Received: from smtp-o-3.desy.de (smtp-o-3.desy.de [IPv6:2001:638:700:1038::1:9c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4EE7120075 for <nfsv4@ietf.org>; Mon, 25 Mar 2019 13:44:29 -0700 (PDT)
Received: from smtp-buf-2.desy.de (smtp-buf-2.desy.de [131.169.56.165]) by smtp-o-3.desy.de (DESY-O-3) with ESMTP id 9A215280C16 for <nfsv4@ietf.org>; Mon, 25 Mar 2019 21:44:26 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-3.desy.de 9A215280C16
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1553546666; bh=n2QacAidP7lV1ov3HD/FbXH1VRVUUZBbfyBUPIKQvQQ=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=pjAJ3FsleFIoc0yBExhXRwk2JWEunulg7F2Pb3vMtHw/0eaHs4+2XSovBgfqJzdlr MeH2PwsRIbKOomr6cIt/mvnyQq4JbnQvDMKeJ0VL9pWCU7rRhSQ5P5ehNAne5hV/Ts jBzX7JMsb00tygdy9JI+ldeyYHawppeixDV6n2ag=
Received: from smtp-m-2.desy.de (smtp-m-2.desy.de [IPv6:2001:638:700:1038::1:82]) by smtp-buf-2.desy.de (Postfix) with ESMTP id 9544F1A00E3; Mon, 25 Mar 2019 21:44:26 +0100 (CET)
X-Virus-Scanned: amavisd-new at desy.de
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-1.desy.de (DESY-INTRA-1) with ESMTP id 435AC3E901; Mon, 25 Mar 2019 21:44:26 +0100 (MET)
Date: Mon, 25 Mar 2019 21:44:26 +0100
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Message-ID: <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de>
In-Reply-To: <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <50A96C3A-DBA4-4A6C-B883-664E59E24534@oracle.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Zimbra 8.8.10_GA_3781 (ZimbraWebClient - FF66 (Linux)/8.8.10_GA_3786)
Thread-Topic: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
Thread-Index: 7/kEzJ5c9RMOf7pUUMo1mlApYaV2FQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/nRCdoNY3PI_X4HyP6_mt8ervmzE>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 20:44:34 -0000
----- Original Message ----- > From: "Chuck Lever" <chuck.lever@oracle.com> > To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de> > Cc: "NFSv4" <nfsv4@ietf.org> > Sent: Monday, March 25, 2019 2:44:32 PM > Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt >> On Mar 25, 2019, at 4:53 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote: >> >> >> >> Hi Chuck, >> >> By working on our implementation we got a following questions: >> >> what should server do when a client requests startTLS twice? Fail >> with an auth error or just ignore? > > I don't have a ready answer, but seems to me your TLS library > might have an opinion. Can a web browser be made to generate > a second STARTTLS to see what the behavior is like? > > Is there any guidance in RFC 8446 or its antecedants? Looks like LDAP have that case clearly specified rfc2830: 2.3: ... If the Start TLS extended request was not successful, the resultCode will be one of: operationsError (operations sequencing incorrect; e.g. TLS already established) 3.1: ... The client MAY send the Start TLS extended request at any time after establishing an LDAP association, except that in the following cases the client MUST NOT send a Start TLS extended request: - if TLS is currently established on the connection, or You may adopt a similar wording to rpc-over-tls. However, what about UDP and retransmits? Tigran. > > >> It would be nice if spec will >> explicitly define this situation. >> >> Thanks, >> Tigran. >> >> ----- Original Message ----- >>> From: "Dave Noveck" <davenoveck@gmail.com> >>> To: "Chuck Lever" <chuck.lever@oracle.com> >>> Cc: "NFSv4" <nfsv4@ietf.org> >>> Sent: Friday, January 4, 2019 5:25:18 PM >>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt >> >>>> I've been studying RFC 8471 to understand what would be needed to support >>>> TLS token binding with RPC. It appears there are two components: >>> >>>> - The TLS handshake is extended to indicate support for token binding >>>> and negotiate the supported version >>> >>>> - The upper layer protocol (RPC, in our case) is required to send a Token >>>> Binding message as the first message >>> >>>> We would need to provide a mechanism for encapsulating this message in >>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially, >>>> RPCSEC GSS could provide a mechanism for transporting this message. >>> >>> As I understand things, one of the potential goals here is to satisfactorily >>> authenticate the client so that AUTH_SYS can reasonably used. For that use >>> case, I'm not sure how depending on RPCSEC GSS would fit in. >>> >>>> It appears to me that there is a natural boundary between what we have >>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token >>>> Binding, such that Token Binding could be handled by a separate document. >>> >>> That makes sense. >>> >>>> That would allow the quick completion >>> >>> Since this is the IETF, let's just say "quicker completion". >>> >>>> of rpc-tls to enable encryption by >>>> default using self-signed certificates, with support for Token Binding >>>> to appear later. >>> >>> It depens on how much later. I don't see how it would be necessary to get >>> through the RFC process, including that rigorous search for split >>> infinitives, cycles >>> of discussion of RFC2119 terms before starting the follow-up work on token >>> binding. Once rpc-tls is accepted as a working group document, the group >>> would >>> be in a position to make plans for the follow-on work that seems to be >>> warranted. >>> >>>> Thoughts, comments... >>> >>> If work on client autehentication is to be punted, then the document will >>> need to reflect that. >>> In particular, if you, as a server, are prepared to accept an >>> unauthenticatted client's user >>> identifications, then your security is pretty much non-existent, despite >>> the fact that >>> enryption prevents eavesdropping. In that case, it probably best to say >>> nothing about use >>> of AUTH_SYS. >>> >>>> Am I on the wrong track? >>> >>> No. >>> >>> On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote: >>> >>>> >>>>> On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote: >>>>> >>>>> Hi Chuck >>>>> >>>>> Apologies for top posting, blame MS >>>>> >>>>> I was interested in the comment "We believe the combination of host >>>> authentication via TLS and user authentication via RPC provides optimal >>>> security, efficiency, and flexibility,". There's been a huge amount of >>>> negative press for TLS client auth, but there's been a push for TLS token >>>> binding as a basis for better client/server authentication. Does the >>>> proposal need to consider work in this area? >>>> >>>> I've been studying RFC 8471 to understand what would be needed to support >>>> TLS token binding with RPC. It appears there are two components: >>>> >>>> - The TLS handshake is extended to indicate support for token binding >>>> and negotiate the supported version >>>> >>>> - The upper layer protocol (RPC, in our case) is required to send a Token >>>> Binding message as the first message >>>> >>>> We would need to provide a mechanism for encapsulating this message in >>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially, >>>> RPCSEC GSS could provide a mechanism for transporting this message. >>>> >>>> It appears to me that there is a natural boundary between what we have >>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token >>>> Binding, such that Token Binding could be handled by a separate document. >>>> That would allow the quick completion of rpc-tls to enable encryption by >>>> default using self-signed certificates, with support for Token Binding >>>> to appear later. >>>> >>>> Thoughts, comments... Am I on the wrong track? >>>> >>>> >>>>> -----Original Message----- >>>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever >>>>> Sent: Monday, November 19, 2018 15:56 >>>>> To: NFSv4 <nfsv4@ietf.org> >>>>> Subject: [nfsv4] Fwd: New Version Notification for >>>> draft-cel-nfsv4-rpc-tls-01.txt >>>>> >>>>> >>>>> Hi- >>>>> >>>>>> Begin forwarded message: >>>>>> >>>>>> From: internet-drafts@ietf.org >>>>>> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt >>>>>> Date: November 19, 2018 at 10:52:07 AM EST >>>>>> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles >>>>>> Lever" <chuck.lever@oracle.com>, "Chuck Lever" >>>>>> <chuck.lever@oracle.com> >>>>>> >>>>>> >>>>>> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been >>>>>> successfully submitted by Charles Lever and posted to the IETF >>>>>> repository. >>>>>> >>>>>> Name: draft-cel-nfsv4-rpc-tls >>>>>> Revision: 01 >>>>>> Title: Remote Procedure Call Encryption By Default >>>>>> Document date: 2018-11-19 >>>>>> Group: Individual Submission >>>>>> Pages: 9 >>>>>> URL: >>>> https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt >>>>>> Status: >>>> https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/ >>>>>> Htmlized: https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01 >>>>>> Htmlized: >>>> https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls >>>>>> Diff: >>>> https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01 >>>>>> >>>>>> Abstract: >>>>>> This document describes a mechanism that enables encryption of in- >>>>>> transit Remote Procedure Call (RPC) transactions with little >>>>>> administrative overhead and full interoperation with RPC >>>>>> implementations that do not support this mechanism. This document >>>>>> updates RFC 5531. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Please note that it may take a couple of minutes from the time of >>>>>> submission until the htmlized version and diff are available at >>>> tools.ietf.org. >>>>>> >>>>>> The IETF Secretariat >>>>> >>>>> Minor changes in revision 01: >>>>> - Correct a legal issue reported by idnits >>>>> - Clarify terminology throughout document >>>>> - Add editor's note in Section 4.3 "Authentication" >>>>> - Wordsmithing throughout >>>>> >>>>> >>>>> The immediate question I have is whether members of WG feel this topic >>>> and document are important enough to promote rpc-tls-01 to Working Group >>>> document status. If yes, I can submit the next revision as >>>> draft-ietf-nfsv4-rpc-tls-00. >>>> >>>> -- >>>> Chuck Lever >>>> >>>> >>>> >>>> _______________________________________________ >>>> nfsv4 mailing list >>>> nfsv4@ietf.org >>>> https://www.ietf.org/mailman/listinfo/nfsv4 >>>> >>> >>> _______________________________________________ >>> nfsv4 mailing list >>> nfsv4@ietf.org >>> https://www.ietf.org/mailman/listinfo/nfsv4 > > -- > Chuck Lever
- [nfsv4] Fwd: New Version Notification for draft-c… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… Rob Thurlow
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… McDonald, Alex
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… Tom Talpey
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… David Noveck
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Lars Eggert
- Re: [nfsv4] New Version Notification for draft-ce… Lars Eggert
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Benjamin Kaduk
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Trond Myklebust
- Re: [nfsv4] New Version Notification for draft-ce… Trond Myklebust
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Benjamin Kaduk
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran