[nfsv4] Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 07 July 2020 03:24 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: nfsv4@ietf.org
Delivered-To: nfsv4@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B690D3A09D3; Mon, 6 Jul 2020 20:24:15 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-nfsv4-rpc-tls@ietf.org, nfsv4-chairs@ietf.org, nfsv4@ietf.org, David Noveck <davenoveck@gmail.com>, davenoveck@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.7.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <159409225571.12966.1097397622994927028@ietfa.amsl.com>
Date: Mon, 06 Jul 2020 20:24:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/pWA3Ab02jTu8QBEAOEKr6VyS1lQ>
Subject: [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 03:24:16 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-nfsv4-rpc-tls-08: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpc-tls/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- ** Despite Section 5.0 stating that only TLS v1.3+ can be used, there are two references to TLS v1.2 mechanisms: -- Section 5.0. Per “Implementations MUST support certificate-based mutual authentication. Support for TLS-PSK mutual authentication [RFC4279] is OPTIONAL”. Shouldn’t Section 2.2.2 or 4.2.11 of RFC8446 be used instead? -- Section 5.2.4. The token binding mechanism suggested here, RFC8471, only applies to TLS v1.2. The expired draft-ietf-tokbind-tls13 provides the TLS v1.3 mechanism. ** Section 7.4. Per “When using AUTH_NULL or AUTH_SYS, both peers are required to have DNS TLSA records and certificate material …”, what is “certificate materials”? Can this guidance please be clarified (and perhaps related to the options specified in Section 5.2). ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you for addressing the early SECDIR review items (and thank you Derrell Piper and Alan Alan DeKok for doing them) ** Section 1. Per “Encryption by Default: Transport encryption can be enabled without … generating additional keying materials”, I’m not sure that this is accurate if the server and clients need to be keyed with certificates or PSK for TLS ** Section 4.1. Per “Policy settings on the RPC-over-TLS-enabled peer determine whether RPC operation continues without the use of TLS or RPC operation is not permitted.”, I had trouble parsing this sentence. ** Section 4.1. Per “RPC operation can continue …”, it might be worth repeating what was stated earlier that “[t]he RPC operation can continue if permitted by local policy …” ** Section 5.2.1. Per “For services accessed by their network identifiers (netids) and universal network addresses (uaddr), the iPAddress subjectAltName SHOULD be present in the certificate and must exactly …”, why not a normative MUST? ** Section 5.2.1. Per “For example, if the Issuer is not in a trusted set of Issuers, the RPC server may decline to perform RPC transactions with this client.”, wouldn’t the TLS connection fail in this case and not even get to whatever authorization logic the RPC server might have? ** Section 5.2.1. Per “As a suggestion, at least the following parameters of the X.509 client certificate SHOULD be exposed … Originating IP address”, how exactly should this IP address be exposed in the certificate, or is this intended to be the IP address of the peer which presented the certificate? ** Section 5.2.2 and 5.2.4. Both 5.2.1 and 5.2.3 described what information should be exposed by implementations. These sections omit that information. For example, I would have expected Section 5.2.4 to discuss Token Binding IDs ** Section 5.2.2. Is there any MTI guidance on the kinds of digests to support for these fingerprints? ** Section 5.2.4. Are there any MTI parameters for the token binding to specify? ** Section 7.3. Per “… it is RECOMMENDED that when AUTH_SYS is used, every RPC client should present authentication materials to RPC servers …”, is this the same thing as saying that when AUTH_SYS is used a mutual authentication TLS-scheme is RECOMMENDED? I concur with this approach. I would just recommended saying that explicitly. ** Section 7.4. Is there a reason not to use normative language in this section? Specifically, RECOMMENDED for the first bullet and SHOULD for the second. ** Editorial Nits: -- Section 5. Typo. s/Similary/Similarly/ -- Section 7.1.2. Typo. s/connnection/connection/
- [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfs… Roman Danyliw via Datatracker
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Mkrtchyan, Tigran
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… David Noveck
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… David Noveck
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… David Noveck
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… David Noveck
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever