Re: [nfsv4] Proposal: Registered port numbers for NFS-related daemons
Nils Steinger <nst@voidptr.de> Sun, 17 September 2017 12:45 UTC
Return-Path: <nst@voidptr.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAA3F132026 for <nfsv4@ietfa.amsl.com>; Sun, 17 Sep 2017 05:45:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nBerJvLh-5-R for <nfsv4@ietfa.amsl.com>; Sun, 17 Sep 2017 05:45:56 -0700 (PDT)
Received: from rho.voidptr.de (rho.voidptr.de [84.200.43.138]) by ietfa.amsl.com (Postfix) with ESMTP id 587FF1320BD for <nfsv4@ietf.org>; Sun, 17 Sep 2017 05:45:56 -0700 (PDT)
To: nfsv4@ietf.org
References: <d425d70c-eb30-6ef7-c278-5143a3b81b48@voidptr.de> <ead7eb3c-466d-222f-9b83-1c63ead24c9f@talpey.com>
From: Nils Steinger <nst@voidptr.de>
Openpgp: id=01795F52941E8169E359C173EECBF7FA485586E8; url=https://voidptr.de/pubkey.asc
Message-ID: <30656d41-0ed5-a0e0-5726-65935490279b@voidptr.de>
Date: Sun, 17 Sep 2017 14:45:46 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <ead7eb3c-466d-222f-9b83-1c63ead24c9f@talpey.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="RAHxkDkXBFmHpF6PisTFgagC4cMUStUbN"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/qHx4eP26WdYuna93xlWDEhV59Kw>
Subject: Re: [nfsv4] Proposal: Registered port numbers for NFS-related daemons
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Sep 2017 12:45:59 -0000
On 2017-09-16 18:35, Tom Talpey wrote: > Properly implemented RPC clients will use the RPC Portmapper (RFC1833) > on port 111 to resolve the port of each RPC service, for instance NFS, > statd, lockd, mountd, etc. For this reason, there's been no need to > standardize the port numbers for each of the services you mention; each > one is free to choose any local port, as long as the server advertises > via portmap. The need for fixed port numbers arises when using a firewall between the NFS server and client. I have yet to find a firewall that can talk to the portmapper to dynamically configure ACCEPT rules for the ports currently in use, so the only option is to configure away the dynamic behaviour. The client will of course still ask the portmapper for the port numbers, but the response will always be the same. I'm very uncomfortable with just choosing any arbitrary port number that happens to be unregistered *now*, since it might be registered at some point in the future, perhaps to a service that I wish to use. Hence the request to get some officially sanctioned port numbers to avoid any future double use scenarios. > This situation changes in NFSv4.x. In these versions, there are no > "side protocols" and the NFS port is used for all client-to-server > communications. Additionally, the registered port 2049 (or 20049 for > NFS/RDMA) is used without required lookups to the portmapper. In > NFSv4.0, however, the callback channel is dynamically allocated and > requires explicit firewall configuration to allow the server to connect > to the client (note the opposite polarity). This was corrected in > NFSv4.1 and all recent NFS minor versions use the single port. I have to admit I have very little experience with NFSv4 at this time. From what I've gathered, it no longer should (or can) use raw numeric user/group IDs on the wire. My small environment doesn't have a central user database (yet), so it was my impression that using v4 instead of v3 would break things. > You should think very carefully before exposing NFSv3 services to > the internet. I assume you are considering this only in private > network settings. The firewall sits between the fileserver on the main network and a VPN for "road warriors". Technically, I could just grant unrestricted access from the VPN to the main network, but (again planning for potential future services), I'd rather specify what services the VPN users have access to.
- [nfsv4] Proposal: Registered port numbers for NFS… Nils Steinger
- Re: [nfsv4] Proposal: Registered port numbers for… Tom Talpey
- Re: [nfsv4] Proposal: Registered port numbers for… Nils Steinger