IETF Logo Mail Archive

Re: [nfsv4] NFSv4 on TLS

Trond Myklebust <trondmy@gmail.com> Tue, 16 October 2018 21:04 UTC

Return-Path: <trondmy@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92AD8130E35 for <nfsv4@ietfa.amsl.com>; Tue, 16 Oct 2018 14:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VwyL8pl7ahSG for <nfsv4@ietfa.amsl.com>; Tue, 16 Oct 2018 14:04:12 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBAEA130E44 for <nfsv4@ietf.org>; Tue, 16 Oct 2018 14:04:11 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id q4-v6so17483576iob.8 for <nfsv4@ietf.org>; Tue, 16 Oct 2018 14:04:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nWs/aEwUMCk+LaEIjgmUzWUKdhtYZo+zWMg2amzORDw=; b=kca/7uJwEaSbIeb5WiBiaSUxQ9eLE9UeiTee9tOBkY8J6xjvtJfIEGa4T3494gfjTU hmPijsXAAm+GqH0w8EJ46mHUJkTv2IOeH5WUIcudQFcmN8rHnVP9SHgRjQ91NbeVYPEk w9uYxzJiJ1zDOiJfr7VZxket+0O+D26+yeQCH767PRbcWnec9Com741XJYhxdzbY6/wu qp646r8rc+jXjaI5dth+IrdpKRPV/tD7pWM29ZyFuQsKKjDhUq6Ei14Mh2SgouLk2e1D y77PWsrwHi91Y/CbQ3FQ7Io6JXloPY3AZmibOUteSTBd0kIGBBEffoDarp6N7MgLTKaA IBMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nWs/aEwUMCk+LaEIjgmUzWUKdhtYZo+zWMg2amzORDw=; b=jMgNR5dJnswiqJ5+XI6X/RfdOZPprBeXkiMu8gHLwfzDzniXeLp88vU5pdOU9dvKrX m9/XLn54H7tgg+XjOzBUmAhVOzRIBRnXu/Y96InMIMOFoLf2adBYuw8IgLuTT536cnLt V5DrNIdbZaifQFOWmewkrpUWv9RB7RZ/29btWm25Yo3m6YgjAo5Q/xItr0mPhDTnA7Kp h5QfB2VRu5C753boOoxOwpLNuP2PjqbV3CNEEv8gQ/c7K2Q6WGgiBeuWoq3b4WoRCCRJ Z6MbK+Hx9I8d9WQlgryw+T5rE1mNrC4Gfosk0etEptog3LxmsOMfo4N374TcUxZufOOI 2dOA==
X-Gm-Message-State: ABuFfogsuStqvwhKbv/kOmJKxIFA4DazYOGAWTDrXRoOgyersEApnX48 hp1afRqdfMNgQ1Ng+uP2NeCcRzQNaKXHvZb/dg==
X-Google-Smtp-Source: ACcGV63jqRTXAGTllwRI2cgh/8LTNTqxSqVGS6ak4TRGU4O+YViBJDn3UWu8ofy4LEzCTbksyXu6QpUQOZSl5iyVvG4=
X-Received: by 2002:a6b:7f48:: with SMTP id m8-v6mr15262816ioq.16.1539723850793; Tue, 16 Oct 2018 14:04:10 -0700 (PDT)
MIME-Version: 1.0
References: <FD3EEC6C-887F-4F3A-AB9E-87AB9EE34ABD@oracle.com> <20180826214725.GA10368@localhost> <9A8DAFF1-C837-4AFA-99CB-863C09091608@oracle.com> <20180827185325.GB10368@localhost> <CADaq8jdr0w74J9db-AZTQ_dAP5ngT53R=KvLuK7xnVpptpbOCw@mail.gmail.com> <YTOPR0101MB182075AD5B7E864C48FF6324DD0A0@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM> <CAABAsM5FatQmorZpTu4MGCwZMahRSJdhJu9gEPgjDEepcjjHfQ@mail.gmail.com> <20181016200243.GX19309@kduck.kaduk.org>
In-Reply-To: <20181016200243.GX19309@kduck.kaduk.org>
From: Trond Myklebust <trondmy@gmail.com>
Date: Tue, 16 Oct 2018 17:03:59 -0400
Message-ID: <CAABAsM4OazaMxkDgoJZ7vV8R1HWW=jJQHwQwSEyxCryRFJDJpw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Rick Macklem <rmacklem@uoguelph.ca>, nico@cryptonector.com, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002dc8b305785ee5c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/oCi9qkpqD2D4ugPzLOdaxCKPLCE>
Subject: Re: [nfsv4] NFSv4 on TLS
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2018 21:04:15 -0000

On Tue, 16 Oct 2018 at 16:02, Benjamin Kaduk <kaduk@mit.edu> wrote:

> I'm not really in a position to speak of the level of demand for such a
> proposal, but...
>
> On Tue, Oct 16, 2018 at 03:53:32PM -0400, Trond Myklebust wrote:
> > So here is a quick proposal: we add a new security type AUTH_TLS, which
> can
> > act as the equivalent of a "STARTTLS command" to signal that we want to
> > initiate TLS security negotiation if the server supports it.
> >
> > When the client has set up the TCP connection, and is ready to initiate
> the
> > TLS negotiation, it pings the server with a NULL RPC request with an
> > auth_flavor of AUTH_TLS. If the server doesn't recognise that flavour,
> and
> > returns AUTH_ERROR (+AUTH_BADCRED?), then the client knows that the
> server
> > is unlikely to support stepping up to TLS on this connection.
> >
> > There should be no need for the credential to carry any form of
> > authentication payload, so just model it on AUTH_NONE, but have the
> server
> > return a payload of "STARTTLS" in the body of the verifier. That
> > differentiates it from AUTH_NONE, and allows the client to distinguish
> > servers that recognise AUTH_TLS, and servers that just ignore the
> > authentication header altogether in NULL RPC calls. If the payload
> matches,
> > then the client kicks off TLS negotiation before sending any further RPC
> > calls on this connection.
> >
> > If the client tries to use AUTH_TLS for anything other than a NULL RPC
> > ping, then a server would presumably be expected to return AUTH_ERROR
> with
> > AUTH_TOOWEAK.
> >
> > Once the TLS negotiation is complete, then the client and server will
> have
> > established a secure channel for communicating, and can then use the
>
> Any such document would need to discuss the client authentication semantics
> for the TLS connection, whether a single per-host client cert is used vs.
> per-user certs, etc.  BCP 195/RFC 7525 would of course play a role, too.
>

This is transport level security, so in order to have per-user certs, we'd
presumably have to have a TCP connection per user? That is certainly not
something that I can envision wanting to ever implement for a kernel NFS
client.
IOW: As far as this working group is concerned, I'd see TLS as mainly
practical for providing machine level authentication, not user level.

I agree that there are issues addressed by RFC7525 that we may want to
discuss.


>
> > standard security flavours on top of that channel (presumably after
> > negotiating down the irrelevant RPCSEC_GSS privacy and integrity
> mechanisms
> > and applying channel binding).
>
> Anyone considering GSSAPI channel binding should probably consider the
> issues that
> https://tools.ietf.org/html/draft-ietf-kitten-channel-bound-flag-03 tries
> to address, and also that the tls-unique-based binding value in RFC 5929 is
> rather overtaken by events.  There would probably be a need to define a new
> TLS exporter-based value that requires the use of TLS 1.3 or
> extended-master-secret.
>
>
Is that discussion relevant to the NFSv4 working group though? NFSv4 only
requires servers to support RPCSEC_GSSv2 (or RPCSEC_GSSv3 for NFSv4.2).
Both those protocols have explicit channel binding RPC calls that return
success/failure, and a separate service type (rpc_gss_svc_channel_prot)
that as far as I can tell should meet the requirements in the above
document. Am I wrong?



-Ben
>
> > Is this a proposal that might be of interest to members of this group,
> and
> > hence be worth documenting in an RFC?
> >
> > Cheers
> >   Trond
> >
> > On Tue, 28 Aug 2018 at 07:57, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> >
> > > David Noveck wrote:
> > > [stuff snipped]
> > > >> AUTH_SYS with UIDs/GIDs is too limited.
> > > >
> > > >As far as I know, AUTH_SYS includes 32-bit UIDs/GIDs.   Those seemed
> > > ample when
> > > >AUTH_SYS was designed.
> > > >
> > > >It certainly is too limited now, but it is difficult to change. Even
> more
> > > of a
> > > >barrier than the existiing OTW formats, is the fact that most flle
> systems
> > > >used with NFS reserve 32 bits in the inode for each of owner and
> group.
> > > >Further complicating matters is that in-kernel VFS's and POSIX API's
> are
> > > >built around this very limited approach to user identity.
> > > >
> > > >> I have no objection to a mechanism like AUTH_SYS-over-TLS
> > > >
> > > >I don't know of any AUTH_SYS mechanism that uses anything other than
> > > >32-bit ids.
> > > >
> > > >> that uses name@domain to be consistent with the rest of NFSv4.
> > > I think he was referring to a new authentication flavour that had the
> > > "user@domain" string as the authenticator. (There is a 400byte limit,
> but
> > > that might be sufficient.) I might have called it AUTH_NAME or
> AUTH_OWNER.
> > >
> > > I'd guess that 99.9% of FreeBSD NFS usage is AUTH_SYS, although
> Kerberos is
> > > in the system. I do think a way to use TLS (or similar) to encrypt at
> the
> > > transport
> > > level would be a good thing and would get used more widely.
> > >
> > > Many of the FreeBSD sites (I won't guess the %) use AUTH_SYS but
> ignore the
> > > gid list and generate a gid list on the server from the uid. As such, I
> > > don't think
> > > putting gids/owner_group names in a new authentication mechanism is
> needed.
> > >
> > > For folks that have a 32bit uniform uid space, AUTH_SYS in transport
> > > encryption
> > > seems ok to me.
> > > For sites where the uid space isn't uniform or doesn't fit in 32bits, a
> > > "user@domaim"
> > > to uid/gid list mapping in the server can be done using this new one.
> > >
> > > >Within NFSv4 proper, you could use name@domain, but there is really
> no
> > > >point if you are using AUTH_SYS.    You are allowed to use numeric ids
> > > >as attributes and most people using AUTH_SYS choose to do so, to avoid
> > > >the overhead of a translation that provides no benefits.
> > > They could use this mapping with AUTH_OWNER when AUTH_SYS won't
> > > work for them.
> > >
> > > rick
> > > ps: I, for one, am not interested in implementing a new GSSAPI
> mechanism
> > > that
> > >       isn't in the open source Kerberos distros. As such, any
> complicated
> > > setup
> > >       involving writing of a lot of new code probably wouldn't make it
> in
> > > FreeBSD
> > >       for a long time. However, something that mostly uses the extant
> code
> > > for
> > >       supporting "https" should be doable.
> > > [more stuff snipped]
> > >
> > > _______________________________________________
> > > nfsv4 mailing list
> > > nfsv4@ietf.org
> > > https://www.ietf.org/mailman/listinfo/nfsv4
> > >
>
> > _______________________________________________
> > nfsv4 mailing list
> > nfsv4@ietf.org
> > https://www.ietf.org/mailman/listinfo/nfsv4
>
>

v2.23.0 | Report a Bug | By Email