IETF Logo Mail Archive

Re: [nfsv4] New wording of Security Section for Flex Files

Benjamin Kaduk <kaduk@mit.edu> Fri, 28 July 2017 02:23 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21A8D131F04 for <nfsv4@ietfa.amsl.com>; Thu, 27 Jul 2017 19:23:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOdMjV1sKVbf for <nfsv4@ietfa.amsl.com>; Thu, 27 Jul 2017 19:23:40 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5452B131EFE for <nfsv4@ietf.org>; Thu, 27 Jul 2017 19:23:40 -0700 (PDT)
X-AuditID: 1209190f-049ff70000006b3f-e2-597aa02960a3
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id B3.69.27455.920AA795; Thu, 27 Jul 2017 22:23:39 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v6S2NaCf030284; Thu, 27 Jul 2017 22:23:37 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v6S2NXf2015087 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 27 Jul 2017 22:23:35 -0400
Date: Thu, 27 Jul 2017 21:23:33 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Thomas Haynes <loghyr@primarydata.com>
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>, Olga Kornievskaia <aglo@citi.umich.edu>
Message-ID: <20170728022333.GI58771@kduck.kaduk.org>
References: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrIIsWRmVeSWpSXmKPExsUixG6noqu9oCrS4ORRbou1j56yWyzfs5Xd Yvb7R6wOzB5rWjtZPJYs+cnkMX+uXABzFJdNSmpOZllqkb5dAlfG/qctLAWz1Cr+3f7P2sB4 V7aLkZNDQsBE4s+KbcwgtpDAYiaJnz85uhi5gOyNjBLTLnYyQThXmSSmn5zF1sXIwcEioCpx 7GMBSAObgIpEQ/dlsGYRAS2J2Tca2UFsZgE/id6jZ5hAbGEBa4n3FyeAtfICLVvQaw6xy0li +rRGRhCbV0BQ4uTMJywQrVoSN/69ZAIpZxaQllj+jwMkzCngLNG59wTYRFEBZYl5+1axTWAU mIWkexaS7lkI3QsYmVcxyqbkVunmJmbmFKcm6xYnJ+blpRbpmujlZpbopaaUbmIEhSynJP8O xjkN3ocYBTgYlXh4O95XRgqxJpYVV+YeYpTkYFIS5Z1kWhEpxJeUn1KZkVicEV9UmpNafIhR goNZSYT39eSqSCHelMTKqtSifJiUNAeLkjivuEZjhJBAemJJanZqakFqEUxWhoNDSYL30zyg RsGi1PTUirTMnBKENBMHJ8hwHqDhkvNBhhcXJOYWZ6ZD5E8xKkqJ83aCNAuAJDJK8+B6QSlF Int/zStGcaBXhHmPgVTxANMRXPcroMFMQIMnNlWCDC5JREhJNTBulZT3eah8xnvdQhXhn/9/ Mc+1qxEzL2OpeWz4WHiKckHCldk7NsxcYnI77Vdt25I4lvuvLk5eL6J6Nm6VUIQzu0/VOsW/ Cq2vp4j0yCduzYqfImmS9iv0qsDew7LOyvcYVjXwO+/98zFFJjP8ZuHhJecdjJ+4H72wSvS0 qI8li/I/q85U73glluKMREMt5qLiRABRP6EjBAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/qjeX8Rzrnb1e4Yqv9tTTEpZKJ0I>
Subject: Re: [nfsv4] New wording of Security Section for Flex Files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jul 2017 02:23:42 -0000

On Tue, Jul 25, 2017 at 01:07:02AM +0000, Thomas Haynes wrote:
> I hope the following addresses the issues brought up by Ben and Olga;

I think it does, thanks.  A couple notes inline.

> First paragraph of Section 15 is replaced by:
> 
>    The pNFS extension partitions the NFSv4.1+ file system protocol into
>    two parts, the control path and the data path (storage protocol).
>    The control path contains all the new operations described by this
>    extension; all existing NFSv4 security mechanisms and features apply
>    to the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]).  The
>    combination of components in a pNFS system is required to preserve
>    the security properties of NFSv4.1+ with respect to an entity
>    accessing data via a client, including security countermeasures to
>    defend against threats that NFSv4.1+ provides defenses for in
>    environments where these threats are considered significant.
> 
> Replace Section 15.1 with:
> 
>    RPCSEC_GSS version 3 (RPCSEC_GSSv3) [RFC7861] could be used to
>    authorize the client to the storage device on behalf of the metadata
>    server.  This would require that each of the metadata server, storage
>    device, and client would have to implement RPCSEC_GSSv3.  The second
>    requirement does not match the intent of the loosely coupled model
>    that the storage device need not be modified.  (Note that this does
>    not preclude the use of RPCSEC_GSSv3 in a loosely coupled model.)
> 
>    Under this coupling model, the principal used to authenticate the
>    metadata file is different than that used to authenticate the data
>    file.  For the metadata server, the RPC credentials would be
>    generated by the same source as the client.  For RPC credentials to

"by the same source as" feels like a slightly awkward phrasing that leaves
me wondering if I don't quite properly understand the intended sentiment.
Isn't it basically required that the client has RPC credentials to talk
to the metadata server in order to do anything?

>    the data on the storage device, the metadata server would be
>    responsible for their generation.  Such "credentials" SHOULD be
>    limited to just the data file be accessed.  Using Kerberos V5 GSS-API
>    [RFC4121], some possible approaches would be:
> 
>    o  a dedicated/throwaway client principal name akin to the synthetic
>       uid/gid schemes.
> 
>    o  authorization data in the ticket.
> 
>    o  an out-of-band scheme between the client and metadata server.

Now I feel like I should have spent more time to carefully word the listing
in my original email :)
Though I think this text is fine to convey the needed information, at least.


>    [[AI15: Editorial Note: I have *SHOULD* and not *MUST* because there
>    might be some limit on the number of outstanding credentials due to
>    either the number of files or the number of client.  Feel free to
>    correct me.  --TH]]

I can think of schemes where there are no limits, but I am not prepared
to guarantee that all schemes one might want to use would be free of limits.
So the SHOULD seems fine to me.

Semi-relatedly, I forget exactly how much trust/coupling there is supposed
to be between the data and metadata servers/operators in this scheme.
In particular, if the metadata server is sufficiently trusted that it can
have a copy of the data server's kerberos credentials (the nfs/ keytab),
then there is quite a lot of flexibility, since the metadata server can
literally construct an arbitrary ticket and encrypt it to "itself" (i.e.,
the data server's keytab).  But I don't know whether it's appropriate
to mention this example in the document or not.

>    Depending on the implementation details, fencing would then be
>    controlled either by expiring the credential or by modifying the

Kerberos doesn't have a revocation (expiry prior to the original expiry)
story at all.  But since we are talking about RPCSEC_GSS, this text
is fine, since other GSS mechanisms might allow it :)

-Ben

>    synthetic uid or gid on the data file.  I.e., if the credentials are
>    at a finer granularity than the synthetic ids, it might be possible
>    to also fence just one client from the file.
> 
> Replace 15.1.2 with:
> 
>    With tight coupling, the principal used to access the metadata file
>    is exactly the same as used to access the data file.  The storage
>    device can use the control protocol to validate any RPC credentials.
>    As a result there are no security issues related to using RPCSEC_GSS
>    with a tightly coupled system.  For example, if Kerberos V5 GSS-API
>    [RFC4121] is used as the security mechanism, then the storage device
>    could use a control protocol to validate the RPC credentials to the
>    metadata server.
>

v2.23.0 | Report a Bug | By Email