IETF Logo Mail Archive

Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 03 December 2009 22:53 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D450328C0EE for <nfsv4@core3.amsl.com>; Thu, 3 Dec 2009 14:53:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.836
X-Spam-Level:
X-Spam-Status: No, score=-5.836 tagged_above=-999 required=5 tests=[AWL=0.210, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLSKLa1jGFt7 for <nfsv4@core3.amsl.com>; Thu, 3 Dec 2009 14:53:56 -0800 (PST)
Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by core3.amsl.com (Postfix) with ESMTP id CC62E3A6809 for <nfsv4@ietf.org>; Thu, 3 Dec 2009 14:53:55 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id nB3Mrl8G021250 for <nfsv4@ietf.org>; Thu, 3 Dec 2009 22:53:47 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id nB3Mrkqt026278 for <nfsv4@ietf.org>; Thu, 3 Dec 2009 15:53:46 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nB3Mg1KN009305; Thu, 3 Dec 2009 16:42:01 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nB3Mfxgg009304; Thu, 3 Dec 2009 16:41:59 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 03 Dec 2009 16:41:59 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: James Lentini <jlentini@netapp.com>
Message-ID: <20091203224158.GB773@Sun.COM>
References: <alpine.LFD.2.00.0912031553170.11932@jlentini-linux.nane.netapp.com> <20091203211232.GS773@Sun.COM> <alpine.LFD.2.00.0912031707380.11932@jlentini-linux.nane.netapp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.00.0912031707380.11932@jlentini-linux.nane.netapp.com>
User-Agent: Mutt/1.5.7i
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] [FedFS] Meeting Minutes, 12/03/2009
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2009 22:53:56 -0000

On Thu, Dec 03, 2009 at 05:32:35PM -0500, James Lentini wrote:
> > As for SASL... you have these choices:
> > 
> 
> What about these other SASL authentication mechanisms:
> 
> http://www.iana.org/assignments/sasl-mechanisms

They are clearly not applicable:

 - KERBEROS_V4 is obsolete.
 - SKEY is obsolete.
 - EXTERNAL means "look at the secure channel we're using, likely TLS"
 - CRAM-MD5 is of limited applicability, and anyways fails to be useful
   here for the same reasons as DIGEST-MD5 and SCRAM
 - ANONYMOUS clearly doesn't help
 - OTP doesn't help
 - GSS-SPNEGO isn't relevant (you don't want to use it, ever)
 - SECURID clearly doesn't help
 - NTLM is like Kerberos, but with obviously much more limited
   applicability
 - NMAS_* -- I've no clue what they are, and I doubt they are
   applicable, and they are listed as having LIMITED use
 - 9798-* are for authenticating clients, while we want to authenticate
   servers
 - KERBEROS_V5 is not really in use, and anyways we have "GSSAPI" and
   GS2-KRB5 (see previous e-mail), which are applicable

> > So we really only have two choices for server authentication:
> > 
> >  - TLS with server certs (and TA mgmt, since we're NOT going to have a
> >    global PKI)
> > 
> >  - Kerberos V5 (via SASL/GSSAPI or SASL/GS2-KRB5)
> 
> This is great information, but we were discussing a different question 
> than what security mechanism are possible.

You have to take into account what's actually available.  And my post
did address the issue of what properties are desired.

> In the current Admin protocol, the client can request a fileserver to 
> create a junction but does not have a mechanism for indicating the 
> authentication,integrity,and privacy mechanisms to use when resolving 
> the junction. The question is therefore, should the Admin protocol's 
> JUNCTION_CREATE arguments include a parameter that indicates how the 
> junction should be resolved in the future?

To me it makes no sense to talk about TA mgmt in the ADMIN protocol if
we don't either a) require TLS with confidentiality protection and
server certs, or b) make NSDB LDAP connection security parameters
configurable via the ADMIN protocol.  To me this is an obvious yes.
(I've not actually reviewed the ADMIN protocol in detail though.)

> > By far the most likely case in actual federated deployments will be "TLS
> > with server certs".  It's just simpler (e.g., no need to talk to
> > Kerberos realm administrators).
> 
> Doesn't Active Directory use SASL with Kerberos? 

That's one way to use it (you have to in order to access non-public data
-- object attributes that have ACLs that don't grant read permission to
Everyone).

Nico
--

v2.23.0 | Report a Bug | By Email