Re: [nfsv4] New wording of Security Section for Flex Files

Olga Kornievskaia <aglo@citi.umich.edu> Mon, 07 August 2017 16:06 UTC

Return-Path: <olga.kornievskaia@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E23231325D6 for <nfsv4@ietfa.amsl.com>; Mon, 7 Aug 2017 09:06:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLfspyXyIVfm for <nfsv4@ietfa.amsl.com>; Mon, 7 Aug 2017 09:06:32 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2980813260A for <nfsv4@ietf.org>; Mon, 7 Aug 2017 09:06:32 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id t201so10776674wmt.0 for <nfsv4@ietf.org>; Mon, 07 Aug 2017 09:06:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=F2OqeElcQ7B5shvKaXbye1Px6M72QmXWCaS+fBFW1EY=; b=CpaAx02uS87RWVHegzoQZJ9J5On6QvP6xiVgoiMhblMAVV9pqMwTxMMl48yvHs6WLK qxaOM6oPfNL/7n9r8vuCHyFPskzPYkOKy43WSNj8UW+F0THHOtS8xRrEPBroSePXXXJG KkZcDXROnsQSmu8y9tBpb60E/pYVz1NenMJw4dLR55VU8Hkd3Eb5p5H72FUblG7Oywyg 7Qdg6jKQn2126xla0/F2GXmnsxDJZuuozI+dFJN1bXrDDAStsPT/W7vhjuc+BtLTidu2 +puV9VHAR6Uw856oBtsqw4h0D18cBR7RmElvLuAZWdDBAAduSfWfwerba+nBnlNhzvMy coiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=F2OqeElcQ7B5shvKaXbye1Px6M72QmXWCaS+fBFW1EY=; b=iBiDAVQf8VvIwl5Fnuy6yOpONHrdA67ALwwIJfg2mFN0Xkf9MwuJC8IrMbygIlR+/H xufsw+e+1nc2F7oUpQoOp3k+wLoYZHyksraCSKemL+W5w/HRYJ6+bQLFzOWeMp/dfR8X rNkNg0iVyKAZjuh3OpLZTAnLqyPzq8NRQ4jhIIjq8YDpZmWjIS95pOW0uHJCPG2aLl5p Vbkkay0Y6Y8OwkumZFb/YtIz5pU2nctuia6FF3TyRGH7XnegLalxFI/H7n8T17jfFZAT gfaOSSZqxDrArw5P4mUiAKMvx1JBTCMNaF22KOO3Xs0T7aZ3x+TMRZ4Icp2f63Hy8i6d 6VeQ==
X-Gm-Message-State: AHYfb5j/yuwoRVAyS2jzp0eqFK9S2dFW5HZLb8ZIDk23/+zrhSB7hDm4 h9cq3Giok0pIN4T0tla88mZNVg/Afg==
X-Received: by 10.80.146.209 with SMTP id l17mr1497275eda.160.1502121990711; Mon, 07 Aug 2017 09:06:30 -0700 (PDT)
MIME-Version: 1.0
Sender: olga.kornievskaia@gmail.com
Received: by 10.80.136.44 with HTTP; Mon, 7 Aug 2017 09:06:30 -0700 (PDT)
In-Reply-To: <CAFAFD9C-DF89-4867-8880-1EA43FD4095F@primarydata.com>
References: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com> <20170728022333.GI58771@kduck.kaduk.org> <CAN-5tyG9cE9JhccW7Fnho10jVE-5YnpoArZ=3DZuz79dFFD9sQ@mail.gmail.com> <CADaq8jc=K5f4cia-jFKjDMAtNhZntFE+Xa0=Lb=LSXOy+sc7Ww@mail.gmail.com> <37BF354D-CF56-4A1C-B391-8565F0E38E72@primarydata.com> <CAN-5tyH-j937PPA=nRSA5iEHOTKynryQjwfKui9dgVdZa3oQrQ@mail.gmail.com> <CAFAFD9C-DF89-4867-8880-1EA43FD4095F@primarydata.com>
From: Olga Kornievskaia <aglo@citi.umich.edu>
Date: Mon, 07 Aug 2017 12:06:30 -0400
X-Google-Sender-Auth: vCSG4vOdt3nkyZ8li3agQENG_WM
Message-ID: <CAN-5tyEKO1WVFXZAmW-bxX7bLXUtt2NM97rQi0QsrFpK70M9hw@mail.gmail.com>
To: Thomas Haynes <loghyr@primarydata.com>
Cc: Dave Noveck <davenoveck@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="f403045c2b08aa6d1505562c0764"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/qkdHZWKaPjO5LiBHDroTwsaoQqc>
Subject: Re: [nfsv4] New wording of Security Section for Flex Files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 16:06:36 -0000

Sorry might be a stupid question but why do you need to wait for another
version to add back "opaque_auth/or something" that carries the security
information?

On Fri, Aug 4, 2017 at 4:43 PM, Thomas Haynes <loghyr@primarydata.com>
wrote:

> Hi,
>
> I’m going to top post to keep the focus on the problem at hand.
>
> In a nutshell, Olga is correct that we are not going to be able to secure
> loosely coupled flex files.
> The removal of “opaque_auth” prevents this from occurring.
>
> And while I have a bastardized approach using RPCSEC_GSSv3 structured
> privilege assertions,
> like we did for SSC - see Section 4.9.1. in RFC 7862, I think a better
> approach is to
> document the failure of securing loosely coupled flex files v1 and create
> a flex files v2
> which addresses a minor change in the XDR to:
>
> (a) Fix the stateid issue for loosely coupled NFSv4.x
> (b) Fix this issue for “opaque_auth” - which includes the issues raised by
> Olga at the end of
> her email.
>
> As to how we go about that, I see two scenarios:
>
> (1) We produce a single standards track document with a request for:
>
>      +-----------------------+-------+----------+-----+----------------+
>      | Layout Type Name      | Value | RFC      | How | Minor Versions |
>      +-----------------------+-------+----------+-----+----------------+
>      | LAYOUT4_FLEX_FILES    | 0x4   | RFCTBD10 | L   | 1              |
>      | LAYOUT4_FLEX_FILES_v2 | 0x6   | RFCTBD10 | L   | 1              |
>      +-----------------------+-------+----------+-----+----------------+
>
> (2) We produce two standards track documents, the first for
> LAYOUT4_FLEX_FILES
> and the second much smaller document which would have a normative
> reference to the first and encompass LAYOUT4_FLEX_FILES_v2. It would
> have the delta XDR and the new required text.
>
> What I am approaching the WG for is consensus on which approach to take.
> For
> me, the first is less administrative headache and the second preserves a
> much
> cleaner separation of the minor versioning.
>
> Oh, and in case it is not clear, I am very appreciative of Olga’s review in
> getting me to see the flaw in this document.
>
> Thanks,
> Tom
>
>
> On Aug 2, 2017, at 9:03 AM, Olga Kornievskaia <aglo@citi.umich.edu> wrote:
>
>
>
> On Tue, Aug 1, 2017 at 3:59 PM, Thomas Haynes <loghyr@primarydata.com>
> wrote:
>
>>
>> On Aug 1, 2017, at 11:29 AM, David Noveck <davenoveck@gmail.com> wrote:
>>
>> > Is stating that an out-of-band scheme
>> > is used satisfies the "MUST" of semantics for managing security?
>>
>> Probably not, but the "MUST" can always be changed to a "SHOULD" :-)
>>
>> The problem is deeper here.   The job of a standards-track document that
>> defines a protocol or layout type is to clearly tell the implementer what
>> must be done to implement the protool or layout type.  Despite the possble
>> issues with the specificity of any of these three possible alternatives,
>> the big problem is the fact that there is more than one.  If the client and
>>  MDS do not pick the same one, or they do and that one is not fully
>> specfied, they will not nteroperate.  If that is the case, then the
>> document is not ready.
>>
>> I think the treatment of security with tight coupling is sufficiently
>> clear to implement from and has been for a while.  With regard to security
>> for loose coupluing, what you have is essentially a promise to provide a
>> specfication at some later date.  I don't think the IESG is going to be OK
>> with that.
>>
>> You have focusing on it being plausible in the sense of convincing people
>> that this can be done
>> (i.e. that a definition along these lines can be produced) which it can,
>> but I think the IESG is going to want you to show them that it has been
>> done (i.e. that the definiton has been arrived at), and you are a ways away
>> from being there.
>>
>>
>> The problem isn’t that we are pushing off a specification to a later
>> date, but rather that the security is implementation specific. The client
>> and MDS are forced to pick the same one.
>>
>> Section 1.7.1 RFC 5661 is quite clear that:
>>
>>    As with previous versions of NFS, the External Data Representation
>>    (XDR) and Remote Procedure Call (RPC) mechanisms used for the NFSv4.1
>>    protocol are those defined in [2] and [3].  To meet end-to-end
>>    security requirements, the RPCSEC_GSS framework [4] is used to extend
>>    the basic RPC security.  With the use of RPCSEC_GSS, various
>>    mechanisms can be provided to offer authentication, integrity, and
>>    privacy to the NFSv4 protocol.  Kerberos V5 is used as described in
>>    [5] to provide one security framework.  With the use of RPCSEC_GSS,
>>    other mechanisms may also be specified and used for NFSv4.1 security.
>>
>> Note that nothing is stated as to how the TGT are constructed, so Ben’s
>> approach:
>>
>> Semi-relatedly, I forget exactly how much trust/coupling there is supposed
>> to be between the data and metadata servers/operators in this scheme.
>> In particular, if the metadata server is sufficiently trusted that it can
>> have a copy of the data server's kerberos credentials (the nfs/ keytab),
>> then there is quite a lot of flexibility, since the metadata server can
>> literally construct an arbitrary ticket and encrypt it to "itself" (i.e.,
>> the data server's keytab).  But I don't know whether it's appropriate
>> to mention this example in the document or not.
>>
>>
>> meets the requirements of RFC 5661 and the loosely coupled model. The
>> details
>> of how the mds gets the storage device’s keytab are up to the
>> implementation
>> (just as how the storage device gets the keytab in the first place).
>>
>>
>> We could wait until the first implementation and then make that a
>> standard, but I
>> don’t like that approach.
>>
>
> I think you would agree that implementations frequently find issues with
> this spec. But yes, all the previous specs when ahead prior to full
> implementations. And that's why we have versions, right? It'll be fixed
> later.
>
> I'm thinking like an implementor and I have questions that cause me
> problems. Let's for the moment assume that metadata server will be running
> on the same machine as the normal KDC and have access to the principals
> database. To construct these tickets you need a new service as it will not
> be a part of the (existing) KDC. Let's assume it is practical.
>
> Let's talk about of the fact that user doesn't know the password for the
> synthetic identity.
>
> Metadata server gets a flexile layout request. It, at some point,
> constructs a service ticket  (session key, "synthetic identity", ...
> )encrypted with data server's key. It needs to encrypt the "session key"
> with the client's TGT key so that the client can then use the service
> ticket against the data server. How doest the client gets this ticket?
>
> In normal kerberos, the client would initiate request for a service
> ticket. But here the client doesn't know the "synthetic identity" ahead of
> time.  And even if the intent is that once the ffds_owner is returned, then
> the client would request a service ticket for the specified identity. Well
> in that case, the client would need to provide the password for the
> synthetic identity. But he doesn't know the password so that's not going to
> work. So at this point we can't use normal kerberos to get a service ticket
> for the synthetic identity.
>
> Initially, in some earlier drafts of the spec the creds was "opaque_auth"
> but it's not no longer there so I don't see a way of passing the service
> ticket, encrypted session key. So I think if you want to pass the service
> ticket back, then you need to add the "opaque_auth" back to the structure?
> Ok now, we are just passing them back, how are we going to protect against
> replay attacks? typically there is a challenge response. So perhaps require
> that LAYOUTGET is always done with krb5i/p?
>
> Also on the (linux) client side I would suspect you won't be able to use
> standard krb5 libraries to deal with the processing the "service ticket".
> You might have issues getting the gssd given that the identity inside the
> ticket doesn't "match" the running identity of the user (I'm not 100%sure
> here). *i understand that this comment is really implementation specific
> and not specs job*
>
> Having said all that, I still feel like we are proposing an "SPKM"
> security here. It will not be practical and later on would be removed. I'd
> say AUTH_SYS or GSSv3 should be used.
>
> And if you still want to keep Kerberos then I guess I'm proposing (a) add
> "opaque_auth cred" back to the ff_data_server_4 and (b) require that
> LAYOUTGET much be done with krb5i/p. (c) as suggested by Ben, issue
> "service tickets" and explicitly specify what is being passed back, need to
> dig out the Kerberos spec and write out how the "synthetic identity"
> information is fitted into those Kerberos structures. I feel that you need
> to do this because the spec isn't use standard Kerberos so can't just say
> see Kerberos spec.  (d) explicitly specify that metadata must have access
> to the principal database for the non-synthetic client and the storage
> servers.
>
> I wonder is "opaque_auth" the right structure? I think the spec defines it
> upto 400bytes. Is that sufficient to capture service ticket + the encrypted
> stuff for the client. I dunno.
>
> You mentioned that RFC5661 doesn't state anything as to how TGT are
> constructed. That's only true because it states the Kerberos v5 and cites
> the spec is used. This proposal does not follow Kerberos v5 spec -- the
> proposal does not engage in KRB_AP/REP sequence which is what kerberos is
> -- and thus i feel it must specify what goes into the service ticket.
>
>
>