IETF Logo Mail Archive

Re: [nfsv4] Secdir last call review of draft-ietf-nfsv4-rpcrdma-cm-pvt-data-06

Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 29 January 2020 21:01 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1D91120045; Wed, 29 Jan 2020 13:01:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.846
X-Spam-Level:
X-Spam-Status: No, score=-0.846 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MALFORMED_FREEMAIL=1.152, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hwXgf6ccGsz8; Wed, 29 Jan 2020 13:01:17 -0800 (PST)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE47D120024; Wed, 29 Jan 2020 13:01:16 -0800 (PST)
Received: by mail-wm1-x32c.google.com with SMTP id p17so1580278wma.1; Wed, 29 Jan 2020 13:01:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version:content-transfer-encoding; bh=nsnUM8zpuqjxHLncNdMCPxhBCeJ9v/ZqJFagoslDOsk=; b=VrC+E9E1plI3Q2S6l10dB9CzHN54byeoMSbJpXFmRZ4/sZNx6G1QaR7Hfr1mhJVVmD Bjtv7QsOTNugF9Mbocwm+aEQjfzQ/isaQi0I6kV36uH6Jk6Js7ZJX1TnIl32Zri3t0yB NBNwnulw5IPOYNUPpyI2xAWwZ8/9QkfNUjgSWkg8ZTkcOY7ueZptaWBVJyy5m13k5LcX U0yYhF2F5DZlBGElCytngRXEb1diC+9BCTW63+CAHYpuD7YJNdsimd3cNn68tXyGKJfw HEdLgi5raZCr0xnTcDz2ht6PGSFpkh9/8pc/eSMxwCO+UTfHRik67oiTBGqGli7SQuuc oTxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=nsnUM8zpuqjxHLncNdMCPxhBCeJ9v/ZqJFagoslDOsk=; b=H5+AR3258sur0h/6cc4cV4LuWOe0PjqlUN6Z+U3nnc4KTfDlx5JDz5KpTyms/h6cmu SUx+SnMZv/DLzFP/UiD2LKYexLAwRkI1ifbFWE5UR3EuE2yyyhGMF9VeCo/BFWV85jCJ OjR9sXzSiqMIh022QQh+Bd0dSUqUHMwq0qxER/qMzWKf1AnzZSj+B+dwRGrC+ClXzJLg 6fPT64swTm318REoq/Bc/1RcADBq2BKJwG6wPwrGQXEUlghn8lIUyf28JLq9vo7hUGMo 6UMWrqArb0hq8fguv/bHDhu8oI2qa2zoJI1U3rem8OM6tW5yMOKGZp17yX2wdfV5NFAJ 3vsw==
X-Gm-Message-State: APjAAAUZLH8HMnJNwHLw8dU6Mho05mpZwXKiujX5jdPEl57A4pr3YMvW Vp5KJWS20l7dj9QpGqAFAdiElZXD
X-Google-Smtp-Source: APXvYqzZfxWKZF1jVrJ91qmSz889OVUm5tAYFg8BDoAWgxiCoCaGLt3C0gbKNnoEAUR2AWbxfWJ+LQ==
X-Received: by 2002:a05:600c:2409:: with SMTP id 9mr1076414wmp.109.1580331674848; Wed, 29 Jan 2020 13:01:14 -0800 (PST)
Received: from [10.0.0.141] (bzq-109-65-61-207.red.bezeqint.net. [109.65.61.207]) by smtp.gmail.com with ESMTPSA id 5sm191413wrc.75.2020.01.29.13.01.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 29 Jan 2020 13:01:13 -0800 (PST)
User-Agent: Microsoft-MacOutlook/10.21.0.200113
Date: Wed, 29 Jan 2020 23:01:12 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
CC: secdir@ietf.org, last-call@ietf.org, nfsv4@ietf.org, draft-ietf-nfsv4-rpcrdma-cm-pvt-data.all@ietf.org
Message-ID: <85F5B476-8720-488B-9262-CBA9B322BFD3@gmail.com>
Thread-Topic: [nfsv4] Secdir last call review of draft-ietf-nfsv4-rpcrdma-cm-pvt-data-06
References: <158007038921.30641.13334124837519126164@ietfa.amsl.com> <80F557DD-BD17-4119-98B9-614B7A9FDDFB@oracle.com>
In-Reply-To: <80F557DD-BD17-4119-98B9-614B7A9FDDFB@oracle.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/pjfLRnVoWsEEtICY2vYHU6t1g8M>
Subject: Re: [nfsv4] Secdir last call review of draft-ietf-nfsv4-rpcrdma-cm-pvt-data-06
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 21:01:20 -0000

Hi Chuck,

Please see below. Sorry for the delay.

Thanks,
	Yaron

On 1/27/20, 17:01, "Chuck Lever" <chuck.lever@oracle.com> wrote:

    Hello Yaron-
    
    Thanks for your review and comments. I will respond to your comments
    below, then we can determine how to clarify the text to improve matters.
    
    
    > On Jan 26, 2020, at 3:26 PM, Yaron Sheffer via Datatracker <noreply@ietf.org> wrote:
    > 
    > Reviewer: Yaron Sheffer
    > Review result: Has Issues
    > 
    > The document defines limited parameter negotiation for RPC-RDMAv1, using a
    > private message sent over the underlying transport protocol (e.g., InfiniBand).
    > 
    > The document is clear enough, until it comes to the Security Considerations. As
    > a newcomer to this domain, there are several points that I fail to understand:
    > 
    > - The CM Private Data described here is not one of the messages of the RPC-RDMA
    > protocol. So how can it "inherit the security considerations of the protocols
    > it extends," - where this refers to RPC-RDMA?
    
    The private data is conveyed on the same transport connection as the
    other messages in RPC-over-RDMA. The exchange of private data is part
    of the connection handshake, and does not appear after the connection
    is established.
    
    The intended purpose of this paragraph is introductory, referring the
    reader to the Security Considerations section of RFC 8166 as background
    material.

YS: but "inherits the security considerations" is more specific than merely referring the reader to the RFC. I suggest to reword.
    
    
    > - The next paragraph explains that the integrity is ensured by use of RC QP
    > (whatever that is). But there's no mention of this entity in RFC 8166, which is
    > supposed to define the security for this protocol. (Or in RFC 5042, for that
    > matter).
    
    That does seem to be an omission of background material in these documents.
    
    The queue pair (QP) type used for RPC-over-RDMA is Reliable Connected (RC).
    This is part of the RDMA Verbs API, thus it is not defined in any
    published IETF document.
    
    However, a relevant definition can be found in Section 9.7.7 of
    
    InfiniBand Trade Association, "InfiniBand Architecture Specification Volume
    1", Release 1.3, March 2015. Available from https://www.infinibandta.org/
    
    Section 8.1.1 of RFC 8166 discusses one aspect of Reliable Connected behavior
    but does not provide an adequate citation. The document as a whole does not
    make a specific compliance statement about the use of RC QPs.
    draft-ietf-nfsv4-rpcrdma-version-two rectifies that omission.
    
    However, the protocol framework depends on the semantics of RC QPs, thus
    RPC-over-RDMA version one implementations to date use only the RC QP type.
    That makes it rather a de facto requirement up to this point.

YS: so we can say this is de facto required and include the citation.
    
    
    > - I am usually suspicious of pre-2010 RFCs that recommend IPsec as a
    > per-protocol solution (RFC 5042, Sec. 5.4.3). Is IPsec deployed in real life to
    > protect these protocols, and if so, does it also protect the new CM Private
    > Data?
    
    IPsec is appropriate for iWARP (defined in the RFC 504x series), as iWARP
    can operate on public untrusted networks. Typically IPsec is implemented
    along side iWARP in NIC hardware, and thus is relatively transparent to
    the host (aside from initial configuration).
    
    When deployed, IPsec would establish a protected channel before iWARP
    operations are exchanged, and thus would protect the exchange of private
    data that occurs as each QP connection is established.
    
    IPsec is not used for InfiniBand or RoCE. Deployment of these fabrics is
    typically in monolithic security environments.

YS: so please mention that, something like: RFC 5042 recommends IPsec as the default security solution, however for the InfiniBand and RoCE use cases, typically no transport-level security protocol is implemented.
    
    
    > - And then after saying that integrity protection is ensured, we say that even
    > if integrity was compromised and the parameters were modified anyway, no
    > problem, this would only result in "self imposed denial of service". Even if
    > true for the currently negotiated parameters, this cannot be true for every
    > conceivable parameter that may be added in the future.
    
    That's correct.
    
    Practically speaking, even though we made this private data mechanism
    extensible, we are already busy creating an RPC-over-RDMA version two,
    where the same exchange is done via RPC-over-RDMA messages rather than
    via CM Private Data. It's not likely that cm-pvt-data itself will ever
    be extended.

YS: I am an outsider to this community, but my own experience is that it's very difficult to predict these things. So we should maybe qualify this statement by saying it only refers to the data fields defined here, and not to any potential future extensions.
    
    
    --
    Chuck Lever

v2.23.0 | Report a Bug | By Email