IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Mon, 25 March 2019 20:44 UTC

Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE67A1200A0 for <nfsv4@ietfa.amsl.com>; Mon, 25 Mar 2019 13:44:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U2CEci-MTaL3 for <nfsv4@ietfa.amsl.com>; Mon, 25 Mar 2019 13:44:30 -0700 (PDT)
Received: from smtp-o-3.desy.de (smtp-o-3.desy.de [IPv6:2001:638:700:1038::1:9c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4EE7120075 for <nfsv4@ietf.org>; Mon, 25 Mar 2019 13:44:29 -0700 (PDT)
Received: from smtp-buf-2.desy.de (smtp-buf-2.desy.de [131.169.56.165]) by smtp-o-3.desy.de (DESY-O-3) with ESMTP id 9A215280C16 for <nfsv4@ietf.org>; Mon, 25 Mar 2019 21:44:26 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-3.desy.de 9A215280C16
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1553546666; bh=n2QacAidP7lV1ov3HD/FbXH1VRVUUZBbfyBUPIKQvQQ=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=pjAJ3FsleFIoc0yBExhXRwk2JWEunulg7F2Pb3vMtHw/0eaHs4+2XSovBgfqJzdlr MeH2PwsRIbKOomr6cIt/mvnyQq4JbnQvDMKeJ0VL9pWCU7rRhSQ5P5ehNAne5hV/Ts jBzX7JMsb00tygdy9JI+ldeyYHawppeixDV6n2ag=
Received: from smtp-m-2.desy.de (smtp-m-2.desy.de [IPv6:2001:638:700:1038::1:82]) by smtp-buf-2.desy.de (Postfix) with ESMTP id 9544F1A00E3; Mon, 25 Mar 2019 21:44:26 +0100 (CET)
X-Virus-Scanned: amavisd-new at desy.de
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-1.desy.de (DESY-INTRA-1) with ESMTP id 435AC3E901; Mon, 25 Mar 2019 21:44:26 +0100 (MET)
Date: Mon, 25 Mar 2019 21:44:26 +0100
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Message-ID: <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de>
In-Reply-To: <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <50A96C3A-DBA4-4A6C-B883-664E59E24534@oracle.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Zimbra 8.8.10_GA_3781 (ZimbraWebClient - FF66 (Linux)/8.8.10_GA_3786)
Thread-Topic: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
Thread-Index: 7/kEzJ5c9RMOf7pUUMo1mlApYaV2FQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/nRCdoNY3PI_X4HyP6_mt8ervmzE>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 20:44:34 -0000


----- Original Message -----
> From: "Chuck Lever" <chuck.lever@oracle.com>
> To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>
> Cc: "NFSv4" <nfsv4@ietf.org>
> Sent: Monday, March 25, 2019 2:44:32 PM
> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

>> On Mar 25, 2019, at 4:53 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
>> 
>> 
>> 
>> Hi Chuck,
>> 
>> By working on our implementation we got a following questions:
>> 
>> what should server do when a client requests startTLS twice? Fail
>> with an auth error or just ignore?
> 
> I don't have a ready answer, but seems to me your TLS library
> might have an opinion. Can a web browser be made to generate
> a second STARTTLS to see what the behavior is like?
> 
> Is there any guidance in RFC 8446 or its antecedants?

Looks like LDAP have that case clearly specified rfc2830:

2.3:

...

   If the Start TLS extended request was not successful, the resultCode
   will be one of:

   operationsError  (operations sequencing incorrect; e.g. TLS already
                    established)

3.1:

...

   The client MAY send the Start TLS extended request at any time after
   establishing an LDAP association, except that in the following cases
   the client MUST NOT send a Start TLS extended request:

     - if TLS is currently established on the connection, or

You may adopt a similar wording to rpc-over-tls. However, what about UDP and
retransmits?

Tigran.
> 
> 
>> It would be nice if spec will
>> explicitly define this situation.
>> 
>> Thanks,
>>   Tigran.
>> 
>> ----- Original Message -----
>>> From: "Dave Noveck" <davenoveck@gmail.com>
>>> To: "Chuck Lever" <chuck.lever@oracle.com>
>>> Cc: "NFSv4" <nfsv4@ietf.org>
>>> Sent: Friday, January 4, 2019 5:25:18 PM
>>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
>> 
>>>> I've been studying RFC 8471 to understand what would be needed to support
>>>> TLS token binding with RPC. It appears there are two components:
>>> 
>>>> - The TLS handshake is extended to indicate support for token binding
>>>>  and negotiate the supported version
>>> 
>>>> - The upper layer protocol (RPC, in our case) is required to send a Token
>>>>  Binding message as the first message
>>> 
>>>> We would need to provide a mechanism for encapsulating this message in
>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
>>>> RPCSEC GSS could provide a mechanism for transporting this message.
>>> 
>>> As I understand things, one of the potential goals here is to satisfactorily
>>> authenticate the client so that AUTH_SYS can reasonably used.  For that use
>>> case, I'm not sure how depending on RPCSEC GSS would fit in.
>>> 
>>>> It appears to me that there is a natural boundary between what we have
>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
>>>> Binding, such that Token Binding could be handled by a separate document.
>>> 
>>> That makes sense.
>>> 
>>>> That would allow the quick completion
>>> 
>>> Since this is the IETF, let's just say "quicker completion".
>>> 
>>>> of rpc-tls to enable encryption by
>>>> default using self-signed certificates, with support for Token Binding
>>>> to appear later.
>>> 
>>> It depens on how much later.  I don't see how it would be necessary to get
>>> through the RFC process, including that rigorous search for split
>>> infinitives, cycles
>>> of discussion of RFC2119 terms before starting the follow-up work on token
>>> binding.   Once rpc-tls is accepted as a working group document, the group
>>> would
>>> be in a position to make plans for the follow-on  work that seems to be
>>> warranted.
>>> 
>>>> Thoughts, comments...
>>> 
>>> If work on client autehentication is to be punted, then the document will
>>> need to reflect that.
>>> In particular, if you, as a server, are prepared to accept an
>>> unauthenticatted client's user
>>> identifications, then your security is pretty much non-existent, despite
>>> the fact that
>>> enryption prevents eavesdropping.  In that case, it probably best to say
>>> nothing about use
>>> of AUTH_SYS.
>>> 
>>>> Am I on the wrong track?
>>> 
>>> No.
>>> 
>>> On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>>> 
>>>> 
>>>>> On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote:
>>>>> 
>>>>> Hi Chuck
>>>>> 
>>>>> Apologies for top posting, blame MS
>>>>> 
>>>>> I was interested in the comment "We believe the combination of host
>>>> authentication via TLS and user authentication via RPC provides optimal
>>>> security, efficiency, and flexibility,". There's been a huge amount of
>>>> negative press for TLS client auth, but there's been a push for TLS token
>>>> binding as a basis for better client/server authentication. Does the
>>>> proposal need to consider work in this area?
>>>> 
>>>> I've been studying RFC 8471 to understand what would be needed to support
>>>> TLS token binding with RPC. It appears there are two components:
>>>> 
>>>> - The TLS handshake is extended to indicate support for token binding
>>>>   and negotiate the supported version
>>>> 
>>>> - The upper layer protocol (RPC, in our case) is required to send a Token
>>>>   Binding message as the first message
>>>> 
>>>> We would need to provide a mechanism for encapsulating this message in
>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
>>>> RPCSEC GSS could provide a mechanism for transporting this message.
>>>> 
>>>> It appears to me that there is a natural boundary between what we have
>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
>>>> Binding, such that Token Binding could be handled by a separate document.
>>>> That would allow the quick completion of rpc-tls to enable encryption by
>>>> default using self-signed certificates, with support for Token Binding
>>>> to appear later.
>>>> 
>>>> Thoughts, comments... Am I on the wrong track?
>>>> 
>>>> 
>>>>> -----Original Message-----
>>>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
>>>>> Sent: Monday, November 19, 2018 15:56
>>>>> To: NFSv4 <nfsv4@ietf.org>
>>>>> Subject: [nfsv4] Fwd: New Version Notification for
>>>> draft-cel-nfsv4-rpc-tls-01.txt
>>>>> 
>>>>> 
>>>>> Hi-
>>>>> 
>>>>>> Begin forwarded message:
>>>>>> 
>>>>>> From: internet-drafts@ietf.org
>>>>>> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
>>>>>> Date: November 19, 2018 at 10:52:07 AM EST
>>>>>> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles
>>>>>> Lever" <chuck.lever@oracle.com>, "Chuck Lever"
>>>>>> <chuck.lever@oracle.com>
>>>>>> 
>>>>>> 
>>>>>> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been
>>>>>> successfully submitted by Charles Lever and posted to the IETF
>>>>>> repository.
>>>>>> 
>>>>>> Name:         draft-cel-nfsv4-rpc-tls
>>>>>> Revision:     01
>>>>>> Title:                Remote Procedure Call Encryption By Default
>>>>>> Document date:        2018-11-19
>>>>>> Group:                Individual Submission
>>>>>> Pages:                9
>>>>>> URL:
>>>> https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt
>>>>>> Status:
>>>> https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/
>>>>>> Htmlized:       https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01
>>>>>> Htmlized:
>>>> https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls
>>>>>> Diff:
>>>> https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01
>>>>>> 
>>>>>> Abstract:
>>>>>> This document describes a mechanism that enables encryption of in-
>>>>>> transit Remote Procedure Call (RPC) transactions with little
>>>>>> administrative overhead and full interoperation with RPC
>>>>>> implementations that do not support this mechanism.  This document
>>>>>> updates RFC 5531.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Please note that it may take a couple of minutes from the time of
>>>>>> submission until the htmlized version and diff are available at
>>>> tools.ietf.org.
>>>>>> 
>>>>>> The IETF Secretariat
>>>>> 
>>>>> Minor changes in revision 01:
>>>>> - Correct a legal issue reported by idnits
>>>>> - Clarify terminology throughout document
>>>>> - Add editor's note in Section 4.3 "Authentication"
>>>>> - Wordsmithing throughout
>>>>> 
>>>>> 
>>>>> The immediate question I have is whether members of WG feel this topic
>>>> and document are important enough to promote rpc-tls-01 to Working Group
>>>> document status. If yes, I can submit the next revision as
>>>> draft-ietf-nfsv4-rpc-tls-00.
>>>> 
>>>> --
>>>> Chuck Lever
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> nfsv4 mailing list
>>>> nfsv4@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/nfsv4
>>>> 
>>> 
>>> _______________________________________________
>>> nfsv4 mailing list
>>> nfsv4@ietf.org
>>> https://www.ietf.org/mailman/listinfo/nfsv4
> 
> --
> Chuck Lever

v2.23.0 | Report a Bug | By Email