IETF Logo Mail Archive

Re: [nfsv4] Thinking about an RFC5661bis.

David Noveck <davenoveck@gmail.com> Thu, 28 February 2019 21:16 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CB1E130FD7 for <nfsv4@ietfa.amsl.com>; Thu, 28 Feb 2019 13:16:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L8BNJbjCC00O for <nfsv4@ietfa.amsl.com>; Thu, 28 Feb 2019 13:16:14 -0800 (PST)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EF09130FD6 for <nfsv4@ietf.org>; Thu, 28 Feb 2019 13:16:11 -0800 (PST)
Received: by mail-oi1-x230.google.com with SMTP id j135so17745019oib.13 for <nfsv4@ietf.org>; Thu, 28 Feb 2019 13:16:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UBZ8WMdXmNi7HfE+cBc1VmIl2EitOHHRmq3tVg6drus=; b=iexiOR+k9zrM9XL39LEm2f39OqS//h+MaKd8PpixyYI5yNJfYd7gCfoO6hN1Unipb5 PJpChu+nWEjoKNQXNtltYJHhMpRur8Pa+qhN6g+32sIscNosKwY3YJkfF/25t2Ge+CZJ EfnWli2Fb5pqyyp9xUNH0UWZTKlGKvPJ1C4/EnafVmy8ijd2xGMyFa/LXDDQJLCu0OxL 9WFtExv5Tfx/C3fhq6HdbWIyTtPcsCaJwjy/PKe07YezojYp1Nn8hU0A/lVsgUp/npUx 6//yav3fm1Atc72sghB2UmaU81W7VzOSCKd11ktiuluOnRAhKJQTBDpNUoU8uslO79sK jCvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UBZ8WMdXmNi7HfE+cBc1VmIl2EitOHHRmq3tVg6drus=; b=t11gGjPXTIbxtMQbCZ22p/ftdMFHbwXD97ZtLXyt9LyRLj9T1GBEj1aFUjmw834FDl vIQxsCyyv4694bqK/EvKw31Es4qAnnPWU2CKnsOsCUkU6ZGCFDfCBbupRs4lL8s5o9Du igw0B0Mx3/YboiNzr3QDC9queHLy7Sl+IBKigZ0ub6J+mWYPAvFffxcDqrIF+kZIcQw3 zaZbeVTN/skCw4U8NUmD25IaScUxeZWmfAGb+ihbpKBrh2R+2a4TxIBBd860h4QmfVmS uuMCbGCt/xxIwfRKPpu05WK0866sOyYQLhpRMv0wRLj67x5EFZk3XoOtQCNAWcigNEC5 gMSg==
X-Gm-Message-State: AHQUAuZqiTZP6g0PUi1TJDUdUjesUrkPAo4vCNTvcVD6EuP3L9tB7yHx HuGMc015f1TqgnDuDvXJvKYJQZniM92ijPwLAQY=
X-Google-Smtp-Source: AHgI3IYpiEAszsSZJzILunNLbHibNSPpo0Z7lr0mTy5ZACUyVFl9+5xRcEM3FV8IvCzcsYZNj4tLRucDxUTI1RGyD0M=
X-Received: by 2002:aca:c691:: with SMTP id w139mr1155538oif.82.1551388570549; Thu, 28 Feb 2019 13:16:10 -0800 (PST)
MIME-Version: 1.0
References: <CADaq8je5pzF7m+4oVCNfSeeBDQ98kBwAdCN_o1hBrfDob=SBaA@mail.gmail.com> <A37CB4B9-F445-4A9A-9347-DA4976F053E9@oracle.com>
In-Reply-To: <A37CB4B9-F445-4A9A-9347-DA4976F053E9@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Thu, 28 Feb 2019 16:15:59 -0500
Message-ID: <CADaq8jf0WKXDcE6NbFnymnVRXpmR1a7pZ6THSfzoG7hE2qq+vg@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a8018b0582facc19"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/oPWoxvKZyO-IXLdnkSxwpeZvpFw>
Subject: Re: [nfsv4] Thinking about an RFC5661bis.
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 21:16:18 -0000

>Before proceeding we need to reach a
> consensus that our current charter supports this work.

Let's start with what the charter says:

To maintain NFS Version 4's utility and currency, the NFSv4 working
group is chartered to maintain the existing NFSv4.0, NFSv4.1, and
NFSv4.2 protocols and specifications of related ONC components, such as
those defining RPC, XDR, and RPCSECGSS.

It is true that bis documents are not mentioned explicitly but I would say
that if a group is charged with maintaining the specification for a
protocol, it is really stretching things to argue that production of bis
documents is somehow out of the scope of the group's charter.

Of course, if there is someone who believes that this would be outside the
group's charter, that issue can be raised on the mailing list.

With regard to the process of reaching a consensus *before  *proceding,
let's proceed as follows:  When there is a  proposal to adopt a
draft-nfsv4-rfc5661bis-00 as a working group document, this issue can be
discussed as part of the decission on working group adoption.   The time
allocated for the discussion should be long enough so that there i s
adequate time to resolves any doubts about the suitability of the group
doing this work, given its current carter.



On Thu, Feb 28, 2019 at 12:09 PM Chuck Lever <chuck.lever@oracle.com> wrote:

>
>
> > On Feb 28, 2019, at 9:37 AM, David Noveck <davenoveck@gmail.com> wrote:
> >
> > A number of review comments regarding draft-ietf-nfsv4-mv1-msns-update
> have raised the issue of a possible bis document for NFSv4.1.   These range
> all the way from those assuming that mv1-msns-update is a stepping stone on
> the way to the bis document, which I agree with, to those that are asking
> us to explain why we haven't already done that..   I will have to respond
> to that latter comment, but I'm hoping to delay that until after the
> telechat.
> >
> > In any case, it seems that we have accumulated enough changes to and
> issues with RFC5661 that we need to start thinking about producing a bis
> document.  These include:
> >       • All the material in mv1-msns-update modiying Section 11 and
> other parts of RFC5661.
> >       • The need to replace Section 14 (Internationalization) of RFC5661
> with something like Section 12 of RFC7530.
> >       • Revising Section 2.4 of RFC5661 so it no longer contradicts
> RFC8178.
> >       • Updating Section 12 of RFC5661 to be in line with RFC8434.
> >       • Reflecting all of the verified RFC5661 erratta.  There were
> seventeen last time I checked.  There may also be things discussed as
> possible erratta, that were considered to big for the erratta process, but
> could be done as part of a bis document.
> > If anyone knows of other material that should go into such a document,
> or has concerns about the working group starting on this, now is a good
> time to raise your issue on the list.
>
> I agree that a bis would be very helpful for potential
> implementers, and there is enough backlog to warrant
> the effort. Before proceeding we need to reach a
> consensus that our current charter supports this work.
>
>
> > The joker in this particular pack is the Security Considerations
> section.   While we have to address the Security Directorate's notorious,
> "collection of random observations" comment, I think we need to do so in a
> way that is compatible with the expected draft-nfsv4-rpc-tls (hint, hint),
> even though we want to be able to publish without waiting for rpc-tls to
> become an RFC.  While draft-cel-rpc-tls-02 states that use of AUTH_SYS is
> currently "discouraged" and that is a fair summary, I don't think RF5661
> ever does that explicitly.   It may be that we will need to explicitly
> discourage use of AUTH_SYS  in an rfc5661bis (without, I hope, going so far
> as "SHOULD NOT").  I think we need to frame the discussion around the three
> big security deficits present using AUTH_SYS in the clear (exposing your
> data to prying eves, using  data that has traversed the newtwork without
> integrity protection, acting on unauthenticated requests) and not on the
> use of AUTH_SYS per se.  If we do this, we can publish and implement
> rpc-tls without needng to further deal with the security considerations
> section of the NFSv4.1 spec.
> > _______________________________________________
> > nfsv4 mailing list
> > nfsv4@ietf.org
> > https://www.ietf.org/mailman/listinfo/nfsv4
>
> --
> Chuck Lever
>
>
>
>

v2.23.0 | Report a Bug | By Email