Re: [nfsv4] New wording of Security Section for Flex Files
Benjamin Kaduk <kaduk@mit.edu> Fri, 28 July 2017 02:23 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21A8D131F04 for <nfsv4@ietfa.amsl.com>; Thu, 27 Jul 2017 19:23:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOdMjV1sKVbf for <nfsv4@ietfa.amsl.com>; Thu, 27 Jul 2017 19:23:40 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5452B131EFE for <nfsv4@ietf.org>; Thu, 27 Jul 2017 19:23:40 -0700 (PDT)
X-AuditID: 1209190f-049ff70000006b3f-e2-597aa02960a3
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id B3.69.27455.920AA795; Thu, 27 Jul 2017 22:23:39 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v6S2NaCf030284; Thu, 27 Jul 2017 22:23:37 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v6S2NXf2015087 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 27 Jul 2017 22:23:35 -0400
Date: Thu, 27 Jul 2017 21:23:33 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Thomas Haynes <loghyr@primarydata.com>
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>, Olga Kornievskaia <aglo@citi.umich.edu>
Message-ID: <20170728022333.GI58771@kduck.kaduk.org>
References: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrIIsWRmVeSWpSXmKPExsUixG6noqu9oCrS4ORRbou1j56yWyzfs5Xd Yvb7R6wOzB5rWjtZPJYs+cnkMX+uXABzFJdNSmpOZllqkb5dAlfG/qctLAWz1Cr+3f7P2sB4 V7aLkZNDQsBE4s+KbcwgtpDAYiaJnz85uhi5gOyNjBLTLnYyQThXmSSmn5zF1sXIwcEioCpx 7GMBSAObgIpEQ/dlsGYRAS2J2Tca2UFsZgE/id6jZ5hAbGEBa4n3FyeAtfICLVvQaw6xy0li +rRGRhCbV0BQ4uTMJywQrVoSN/69ZAIpZxaQllj+jwMkzCngLNG59wTYRFEBZYl5+1axTWAU mIWkexaS7lkI3QsYmVcxyqbkVunmJmbmFKcm6xYnJ+blpRbpmujlZpbopaaUbmIEhSynJP8O xjkN3ocYBTgYlXh4O95XRgqxJpYVV+YeYpTkYFIS5Z1kWhEpxJeUn1KZkVicEV9UmpNafIhR goNZSYT39eSqSCHelMTKqtSifJiUNAeLkjivuEZjhJBAemJJanZqakFqEUxWhoNDSYL30zyg RsGi1PTUirTMnBKENBMHJ8hwHqDhkvNBhhcXJOYWZ6ZD5E8xKkqJ83aCNAuAJDJK8+B6QSlF Int/zStGcaBXhHmPgVTxANMRXPcroMFMQIMnNlWCDC5JREhJNTBulZT3eah8xnvdQhXhn/9/ Mc+1qxEzL2OpeWz4WHiKckHCldk7NsxcYnI77Vdt25I4lvuvLk5eL6J6Nm6VUIQzu0/VOsW/ Cq2vp4j0yCduzYqfImmS9iv0qsDew7LOyvcYVjXwO+/98zFFJjP8ZuHhJecdjJ+4H72wSvS0 qI8li/I/q85U73glluKMREMt5qLiRABRP6EjBAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/qjeX8Rzrnb1e4Yqv9tTTEpZKJ0I>
Subject: Re: [nfsv4] New wording of Security Section for Flex Files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jul 2017 02:23:42 -0000
On Tue, Jul 25, 2017 at 01:07:02AM +0000, Thomas Haynes wrote: > I hope the following addresses the issues brought up by Ben and Olga; I think it does, thanks. A couple notes inline. > First paragraph of Section 15 is replaced by: > > The pNFS extension partitions the NFSv4.1+ file system protocol into > two parts, the control path and the data path (storage protocol). > The control path contains all the new operations described by this > extension; all existing NFSv4 security mechanisms and features apply > to the control path (see Sections 1.7.1 and 2.2.1 of [RFC5661]). The > combination of components in a pNFS system is required to preserve > the security properties of NFSv4.1+ with respect to an entity > accessing data via a client, including security countermeasures to > defend against threats that NFSv4.1+ provides defenses for in > environments where these threats are considered significant. > > Replace Section 15.1 with: > > RPCSEC_GSS version 3 (RPCSEC_GSSv3) [RFC7861] could be used to > authorize the client to the storage device on behalf of the metadata > server. This would require that each of the metadata server, storage > device, and client would have to implement RPCSEC_GSSv3. The second > requirement does not match the intent of the loosely coupled model > that the storage device need not be modified. (Note that this does > not preclude the use of RPCSEC_GSSv3 in a loosely coupled model.) > > Under this coupling model, the principal used to authenticate the > metadata file is different than that used to authenticate the data > file. For the metadata server, the RPC credentials would be > generated by the same source as the client. For RPC credentials to "by the same source as" feels like a slightly awkward phrasing that leaves me wondering if I don't quite properly understand the intended sentiment. Isn't it basically required that the client has RPC credentials to talk to the metadata server in order to do anything? > the data on the storage device, the metadata server would be > responsible for their generation. Such "credentials" SHOULD be > limited to just the data file be accessed. Using Kerberos V5 GSS-API > [RFC4121], some possible approaches would be: > > o a dedicated/throwaway client principal name akin to the synthetic > uid/gid schemes. > > o authorization data in the ticket. > > o an out-of-band scheme between the client and metadata server. Now I feel like I should have spent more time to carefully word the listing in my original email :) Though I think this text is fine to convey the needed information, at least. > [[AI15: Editorial Note: I have *SHOULD* and not *MUST* because there > might be some limit on the number of outstanding credentials due to > either the number of files or the number of client. Feel free to > correct me. --TH]] I can think of schemes where there are no limits, but I am not prepared to guarantee that all schemes one might want to use would be free of limits. So the SHOULD seems fine to me. Semi-relatedly, I forget exactly how much trust/coupling there is supposed to be between the data and metadata servers/operators in this scheme. In particular, if the metadata server is sufficiently trusted that it can have a copy of the data server's kerberos credentials (the nfs/ keytab), then there is quite a lot of flexibility, since the metadata server can literally construct an arbitrary ticket and encrypt it to "itself" (i.e., the data server's keytab). But I don't know whether it's appropriate to mention this example in the document or not. > Depending on the implementation details, fencing would then be > controlled either by expiring the credential or by modifying the Kerberos doesn't have a revocation (expiry prior to the original expiry) story at all. But since we are talking about RPCSEC_GSS, this text is fine, since other GSS mechanisms might allow it :) -Ben > synthetic uid or gid on the data file. I.e., if the credentials are > at a finer granularity than the synthetic ids, it might be possible > to also fence just one client from the file. > > Replace 15.1.2 with: > > With tight coupling, the principal used to access the metadata file > is exactly the same as used to access the data file. The storage > device can use the control protocol to validate any RPC credentials. > As a result there are no security issues related to using RPCSEC_GSS > with a tightly coupled system. For example, if Kerberos V5 GSS-API > [RFC4121] is used as the security mechanism, then the storage device > could use a control protocol to validate the RPC credentials to the > metadata server. >
- [nfsv4] New wording of Security Section for Flex … Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Benjamin Kaduk
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… David Noveck
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Rick Macklem
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia