[nfsv4] Re: Feedback on user ID for any bis work

Chris Inacio <inacio@cert.org> Fri, 16 August 2024 18:24 UTC

From: Chris Inacio <inacio@cert.org>
To: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
Date: Fri, 16 Aug 2024 18:24:03 +0000
Message-ID: <4E27CF23-576E-46C4-87E0-C9E9A2127D40@cert.org>
References: <88CFBD80-2BAA-43AE-8AA5-C032C2761266@cert.org> <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com> <20240816164635.ne5ahjhkjxynlxjx@pali>
In-Reply-To: <20240816164635.ne5ahjhkjxynlxjx@pali>
CC: NFSv4 <nfsv4@ietf.org>
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/piV6mx-0BUanR_5pVvZDjR6kirU>


> On Aug 16, 2024, at 12:46 PM, Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> wrote:
> 
> On Friday 16 August 2024 16:26:09 Chuck Lever III wrote:
>>> On Aug 16, 2024, at 11:39 AM, Chris Inacio <inacio@cert.org> wrote:
>>> 
>>> Dave, All,
>>> 
>>> INDIVIDUAL CONTRIBUTOR HAT ON - NOT CHAIR
>>> 
>>> We need this super brief conversation in one of the interim meetings about how user identity is communicated across NFSv4, and there are 2 options, UID/GID ‘integers’ and then a loosely defined ‘string’.  So I’ve been digging into this and I would say, most definitely, do NOT remove the string.  So what I can see so far is that UID/GID numbers are used when auth ‘sys’ is the selected mechanism, whereas currently the string is used when auth is tied to GSS-API.  As far as I can tell, the kerberos principal name should be the string in the field.  I certainly don’t yet have a full understanding about how everything is connected together.  (Just sending the principal is nice and everything, but you want to be able to verify it, and HOLY RAT HOLE ROBIN is that confusing in practice.)
>>> 
>>> So, the thing I’m trying to make sense of, how hard would it be to support TLS identities (X.509 certs really) instead of Kerberos.
>> 
>> A perhaps subtle distinction here:
>> 
>> The current RPC-with-TLS protocol uses x.509 explicitly only for authenticating
>> network peers (ie, hosts). RFC 9289 even says "not for user authentication". So
>> I think the term "TLS" here is probably misplaced.
>> 

[ci] I assumed as much without verifying that; that the TLS would work on the host level.  I’m not entirely sure (as I recall the list traffic) how it would do otherwise at this point.  It /could/ be possible to leverage that into a different security model with different trust assumptions; some bastard version between auth_sys and the current kerberos model.  I like that the kerberos model can strongly authenticate a user principal; if you want to trust the host more and leverage a level of trust from the TLS communication - you /might/ consider a trust level for the host to tell you something about the user.  I’m not really a fan of my own idea here – but the tradeoff for management simplification could make it worth it to some users.

>> You instead want to invent a new RPC security flavor or flavors that authenticates
>> users (or, dare I say it, to extend GSSAPI to handle this for us) via an x.509
>> certificate, or OAuth, or such like. Nothing to do with transport layer security,
>> which doesn't know from users.
> 
> Hello,
> There is RFC 7055 which defines EAP as GSS-API mechanism. And IIRC EAP
> has a way for user authentication based on an x.509 certificate. So maybe
> this could be a way? EAP is already widely used for wifi authentication.
> But I have never heard about any usage of EAP in GSS-API.

[ci] Thanks for the pointer; I’ll take a look.  Unfortunately, my experience right now is more motivated user exploration than standards reading.  I’m hoping to understand the user workflow and pain points and then understand how it’s all connected together.  Which is the long way of saying, I’m dangerous enough to know that NFS uses GSS-API when it does security, but not enough to know the where’s and how’s of that happening.  I’ll get there, but I’m not there yet.


chris
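The two identity encodings the thread contrasts (client-asserted UID/GID integers under AUTH_SYS versus a principal string under GSS), as an added example that is not part of the list message or of any NFS implementation. It encodes and decodes the AUTH_SYS credential body defined in RFC 5531 section 9.2, and builds and parses the NFSv4 "user@dns_domain" owner string of RFC 8881 section 5.9 (with its all-digits fallback). The realm-to-domain table, hostnames and usernames are constructed for the example; on a real system the principal-to-owner mapping is the idmapper's job.

```python
"""Added example: AUTH_SYS credential body (RFC 5531) vs. NFSv4 owner string (RFC 8881).

Not code from the nfsv4 thread or from any NFS implementation. Names, hosts
and the realm-to-domain table below are constructed for illustration.
"""
import struct

MAX_MACHINENAME = 255     # RFC 5531: string machinename<255>
MAX_AUTH_SYS_GIDS = 16    # RFC 5531: unsigned int gids<16>


def _xdr_uint(v: int) -> bytes:
    return struct.pack(">I", v)


def _xdr_opaque(data: bytes) -> bytes:
    # XDR variable-length data: 4-byte length, the bytes, pad to a 4-byte boundary.
    return _xdr_uint(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def encode_auth_sys(stamp: int, machinename: str, uid: int, gid: int,
                    gids: list) -> bytes:
    """XDR-encode an authsys_parms body (the 'body' field of an AUTH_SYS opaque_auth)."""
    name = machinename.encode()
    if len(name) > MAX_MACHINENAME:
        raise ValueError("machinename longer than 255 bytes")
    if len(gids) > MAX_AUTH_SYS_GIDS:
        raise ValueError("AUTH_SYS carries at most 16 supplementary gids")
    out = _xdr_uint(stamp) + _xdr_opaque(name) + _xdr_uint(uid) + _xdr_uint(gid)
    out += _xdr_uint(len(gids)) + b"".join(_xdr_uint(g) for g in gids)
    return out


def decode_auth_sys(body: bytes) -> dict:
    """Decode an authsys_parms body as a server would, bounds-checking every field."""
    off = 0

    def u32() -> int:
        nonlocal off
        if off + 4 > len(body):
            raise ValueError("truncated AUTH_SYS body")
        (v,) = struct.unpack_from(">I", body, off)
        off += 4
        return v

    stamp = u32()
    n = u32()
    if n > MAX_MACHINENAME or off + n > len(body):
        raise ValueError("bad machinename length")
    machinename = body[off:off + n].decode()
    off += n + ((-n) % 4)
    uid, gid, ngids = u32(), u32(), u32()
    if ngids > MAX_AUTH_SYS_GIDS:
        raise ValueError("too many gids")
    gids = [u32() for _ in range(ngids)]
    if off != len(body):
        raise ValueError("trailing bytes after AUTH_SYS body")
    return {"stamp": stamp, "machinename": machinename, "uid": uid,
            "gid": gid, "gids": gids}


def owner_string_from_principal(principal: str, realm_to_domain: dict) -> str:
    """Map a Kerberos user principal 'user@REALM' to an NFSv4 owner string 'user@dns_domain'."""
    user, sep, realm = principal.partition("@")
    if not sep or not user or not realm:
        raise ValueError("expected user@REALM")
    if "/" in user:
        # host/fqdn@REALM style service principals are not users.
        raise ValueError("service principal, not a user principal")
    return f"{user}@{realm_to_domain[realm]}"


def parse_owner_string(owner: str) -> tuple:
    """Split an NFSv4 owner string into ('name', user, domain) or ('numeric', id, None)."""
    if owner.isascii() and owner.isdigit():
        return ("numeric", int(owner), None)   # RFC 8881 5.9 fallback when no mapping exists
    user, sep, domain = owner.partition("@")
    if not sep or not user or not domain:
        raise ValueError("owner string must be user@domain or all digits")
    return ("name", user, domain)


if __name__ == "__main__":
    # Any client can put uid 0 in the AUTH_SYS body; the server has nothing to check.
    forged = encode_auth_sys(0, "laptop.example.net", 0, 0, [])
    print(decode_auth_sys(forged))
    print(owner_string_from_principal("alice@EXAMPLE.COM", {"EXAMPLE.COM": "example.com"}))
    print(parse_owner_string("1000"))
```

The decoder happily returns a forged uid 0 because the AUTH_SYS body carries no verifier at all; that is exactly the gap a Kerberos principal (or any future X.509-backed RPC security flavor) closes, and why the string form is worth keeping alongside the integers.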