Re: [nfsv4] WG last call complete for Requirements for Labeled NFS (still needs review)

Jarrett Lu <jarrett.lu@oracle.com> Tue, 01 May 2012 20:51 UTC

Tom, Spencer,

The document is in pretty good shape. My review comments and questions 
are as follows:

1. Section 3.3 lists the following Security Services:
- Authentication
- Integrity
- Privacy

I'd expect Confidentiality be listed as well, as many MAC systems do 
provide confidentiality. Is Privacy used here to mean Confidentiality?

2. Throughout the document, "local server policy" and "local client 
policy" are used. It may be better to eliminate the word "local" and 
just use "server policy" and "client policy". Server and client policies 
may not be strictly "local" as the policies can reside in a centralized, 
networked database, which could make policy configuration and 
administration easier.

3. Section 3.4,
In "If the LFS of a system changes", it's probably more clear to state 
"If the LFS supported on a system changes".
An LFS, i.e. the label format mapping, probably won't change. A system 
may be reconfigured to support more or less LFSs.

4. Section 3.6,
The content of the paragraph seems to suggest that the section title 
should be "Label Checking" instead of "Labeling".

5. Section 3.9,
The example usage of LFS here is incorrect. LFS indicates what label 
format is used and how labels should be interpreted. It is not meant to 
be used to indicate server capability or its smartness in handling 
labels, such as "I'm only capable of storing and returning labels".

6. Section 4.2,
double word "able to to protect".

7. Section 4.5,
The reference to case (a) should be removed.

8. The draft referenced by this doc, "Registry Specification for MAC 
Security Label Formats", just expired. David Q and I should move that 
draft forward.

Thanks.

- Jarrett


On 04/30/12 12:43 PM, Spencer Shepler wrote:
> Thanks, Jarrett and Dave.  Please go ahead with the review and let me know when you are finished.
>
> I would like to have one more volunteer that has been at least once removed from the material for a read of flow of the document and to see if there are any "missing" pieces.
>
> Volunteers?
>
> Spencer
>
> -----Original Message-----
> From: nfsv4-bounces@ietf.org [mailto:nfsv4-bounces@ietf.org] On Behalf Of Jarrett Lu
> Sent: Monday, April 30, 2012 6:15 AM
> To: Dave Quigley
> Cc: nfsv4@ietf.org
> Subject: Re: [nfsv4] WG last call complete for Requirements for Labeled NFS (still needs review)
>
>
> On Apr 30, 2012, at 5:13 AM, Dave Quigley <dpquigl@davequigley.com> wrote:
>
>> On 4/30/2012 2:55 AM, Spencer Shepler wrote:
>>> We have completed the last call for the Labeled NFS.
>>>
>>> While this is a short document and certainly has had a lot of
>>> feedback over its lifetime, I do not believe this particular version
>>> is ready to forward to our AD.
>>>
>>> I need to have at least two reviewers for this version before I will
>>> shepherd it forward. Given this is a requirements document and it
>>> deals with security and it is providing a path for our NFSv4.2 work,
>>> I want it to be ready for the broader IESG review.
>>>
>>> Thanks in advance for the help.
>>>
>>> Spencer
>>>
>>>
>>>
>>> _______________________________________________
>>> nfsv4 mailing list
>>> nfsv4@ietf.org
>>> https://www.ietf.org/mailman/listinfo/nfsv4
>> Does this have to be reviewers besides myself? I can be one of them and we've had a review from Casey Schaufler on the SELinux list that I had forgotten to forward over here. If you'd like, we could be the two. If someone else besides me needs to do it I'll get Steve Smalley to chime in on the draft.
> I can be one of the reviewers too.
>
> - Jarrett
>
>
>> Dave