Re: [nfsv4] Adoption call for draft-dnoveck-nfsv4-security

Rick Macklem <rmacklem@uoguelph.ca> Thu, 20 October 2022 01:04 UTC

From: Rick Macklem <rmacklem@uoguelph.ca>
To: David Noveck <davenoveck@gmail.com>, Thomas Haynes <loghyr@gmail.com>
CC: NFSv4 <nfsv4@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>, "nfsv4-ads@ietf.org" <nfsv4-ads@ietf.org>
Date: Thu, 20 Oct 2022 00:58:16 +0000
Message-ID: <YQXPR01MB415068A08E4C7D5D7CA350E6DD2A9@YQXPR01MB4150.CANPRD01.PROD.OUTLOOK.COM>
References: <CADaq8jfi1ApVZeJ6LsGSPY=kRXQ2W_NZ9ixwcOnJJ-A_RH4SPA@mail.gmail.com> <E93D76F0-3604-41ED-A240-60D93C2FA107@gmail.com> <CADaq8jfZP6GTQQXZZ_01xK1wNNn85-wko7kMu+7qG2nfK7G5aw@mail.gmail.com> <F5F9FAC8-3507-431B-8D1D-5667477D65E8@gmail.com> <CADaq8jez8ba3H-2LFtcc+0snDiTPhZ4Ban3w3YDHT-vwDX_X4Q@mail.gmail.com>
In-Reply-To: <CADaq8jez8ba3H-2LFtcc+0snDiTPhZ4Ban3w3YDHT-vwDX_X4Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/oSmbiW4kEJo8keaYzCjQ1VzuF4o>

I am going to stay out of the adoption debate. However, I thought I should comment
on one statement.
David Noveck <davenoveck@gmail.com> wrote:

>As above, there are implementations that require use rpc-with-tls when AUTH_SYS is used.

The current FreeBSD server implementation allows a requirement for rpc-with-tls to
be used, but it can be applied to RPCSEC_GSS and not just AUTH_SYS.
For example, the combination of:
   -tls -sec=krb5
would specify that clients must use rpc-with-tls and also use Kerberos.
(rpc-with-tls provides the on-the-wire encryption and may be preferable to -sec=krb5p,
 since offload hardware is available for TLS and it encrypts the entire RPC message.)

One case I am planning on doing implementation of soon is:
- Allow the machine credential to be established via the client presenting a verifiable
  X.509 certificate during handshake, so that a Kerberos mount does not have to have
  a valid Kerberos credential at mount time.
  --> This avoids the bother of having a Kerberos host principal in a keytab on the client.

The idea is to allow compounds that consist only of operations like ExchangeID,
CreateSession, Sequence by itself, DestroySession, DestroyClientID to be performed
using AUTH_SYS and the same uid as the initial ExchangeID (since the machine credential
for this is established by the client via their X.509 certificate) even when Kerberos is
required for other compounds.

Other compounds would be required to provide a valid Kerberos credential, but these
compounds would only be done by users after the mount is established, using their
user principal kinit'd credential.

I do suspect there will be some "tricks" needed, such as setting a default lease_time
until a successful Getattr acquires the server's lease_time and things like finding
the root directory for the mount will need to be (re)attempted by each user access
attempt until a successful one acquires the file handle for the client.

I do think that one of the reasons Kerberos has not been widely adopted is the
hassle/misuse of "service principals" to establish "machine credentials".

rick
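The policy described in the message above (an export marked -tls -sec=krb5, plus the planned exception that lets a cert-authenticated machine credential run session-management compounds over AUTH_SYS) written out as a small decision function. This is an added illustration, not FreeBSD's nfsd code; the op and flavor enums, the struct names and compound_allowed() are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Hypothetical op tags; not the real NFSv4.1 op numbers or FreeBSD's enum. */
enum op { OP_EXCHANGE_ID, OP_CREATE_SESSION, OP_SEQUENCE, OP_DESTROY_SESSION,
          OP_DESTROY_CLIENTID, OP_PUTROOTFH, OP_GETATTR, OP_READ };

enum flavor { AUTH_SYS_FLAVOR, RPCSEC_GSS_KRB5 };

/* "-tls -sec=krb5" on an export maps to { require_tls = true, require_krb5 = true }. */
struct export_policy { bool require_tls; bool require_krb5; };

struct rpc_ctx {
    enum flavor flavor;
    bool tls;             /* rpc-with-tls was negotiated on this connection */
    bool client_cert_ok;  /* client presented a verifiable X.509 cert in the handshake */
    uid_t uid;            /* AUTH_SYS uid carried by this request */
    uid_t exchid_uid;     /* uid used for the client's initial ExchangeID */
};

/* Session-management ops that may run under the machine credential alone. */
static bool is_session_only_op(enum op o) {
    switch (o) {
    case OP_EXCHANGE_ID: case OP_CREATE_SESSION: case OP_SEQUENCE:
    case OP_DESTROY_SESSION: case OP_DESTROY_CLIENTID: return true;
    default: return false;
    }
}

/* Returns true if the compound may proceed under the export policy. */
bool compound_allowed(const struct export_policy *p, const struct rpc_ctx *c,
                      const enum op *ops, size_t nops)
{
    if (p->require_tls && !c->tls) return false;           /* TLS is mandatory */
    if (!p->require_krb5 || c->flavor == RPCSEC_GSS_KRB5) return true;
    /* Kerberos required but request is AUTH_SYS: allowed only for a compound
       made solely of session ops, on a cert-established machine credential,
       and only from the same uid that did the initial ExchangeID. */
    if (c->flavor != AUTH_SYS_FLAVOR || !c->client_cert_ok) return false;
    if (c->uid != c->exchid_uid) return false;
    for (size_t i = 0; i < nops; i++)
        if (!is_session_only_op(ops[i])) return false;
    return nops > 0;
}
```

A Sequence followed by PutRootFH/Getattr is rejected under AUTH_SYS here, which is why the message expects the root file handle lookup to be retried by the first user access that carries a Kerberos credential.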