Re: [nfsv4] New wording of Security Section for Flex Files
Olga Kornievskaia <aglo@citi.umich.edu> Mon, 07 August 2017 16:06 UTC
Return-Path: <olga.kornievskaia@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E23231325D6 for <nfsv4@ietfa.amsl.com>; Mon, 7 Aug 2017 09:06:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLfspyXyIVfm for <nfsv4@ietfa.amsl.com>; Mon, 7 Aug 2017 09:06:32 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2980813260A for <nfsv4@ietf.org>; Mon, 7 Aug 2017 09:06:32 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id t201so10776674wmt.0 for <nfsv4@ietf.org>; Mon, 07 Aug 2017 09:06:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=F2OqeElcQ7B5shvKaXbye1Px6M72QmXWCaS+fBFW1EY=; b=CpaAx02uS87RWVHegzoQZJ9J5On6QvP6xiVgoiMhblMAVV9pqMwTxMMl48yvHs6WLK qxaOM6oPfNL/7n9r8vuCHyFPskzPYkOKy43WSNj8UW+F0THHOtS8xRrEPBroSePXXXJG KkZcDXROnsQSmu8y9tBpb60E/pYVz1NenMJw4dLR55VU8Hkd3Eb5p5H72FUblG7Oywyg 7Qdg6jKQn2126xla0/F2GXmnsxDJZuuozI+dFJN1bXrDDAStsPT/W7vhjuc+BtLTidu2 +puV9VHAR6Uw856oBtsqw4h0D18cBR7RmElvLuAZWdDBAAduSfWfwerba+nBnlNhzvMy coiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=F2OqeElcQ7B5shvKaXbye1Px6M72QmXWCaS+fBFW1EY=; b=iBiDAVQf8VvIwl5Fnuy6yOpONHrdA67ALwwIJfg2mFN0Xkf9MwuJC8IrMbygIlR+/H xufsw+e+1nc2F7oUpQoOp3k+wLoYZHyksraCSKemL+W5w/HRYJ6+bQLFzOWeMp/dfR8X rNkNg0iVyKAZjuh3OpLZTAnLqyPzq8NRQ4jhIIjq8YDpZmWjIS95pOW0uHJCPG2aLl5p Vbkkay0Y6Y8OwkumZFb/YtIz5pU2nctuia6FF3TyRGH7XnegLalxFI/H7n8T17jfFZAT gfaOSSZqxDrArw5P4mUiAKMvx1JBTCMNaF22KOO3Xs0T7aZ3x+TMRZ4Icp2f63Hy8i6d 6VeQ==
X-Gm-Message-State: AHYfb5j/yuwoRVAyS2jzp0eqFK9S2dFW5HZLb8ZIDk23/+zrhSB7hDm4 h9cq3Giok0pIN4T0tla88mZNVg/Afg==
X-Received: by 10.80.146.209 with SMTP id l17mr1497275eda.160.1502121990711; Mon, 07 Aug 2017 09:06:30 -0700 (PDT)
MIME-Version: 1.0
Sender: olga.kornievskaia@gmail.com
Received: by 10.80.136.44 with HTTP; Mon, 7 Aug 2017 09:06:30 -0700 (PDT)
In-Reply-To: <CAFAFD9C-DF89-4867-8880-1EA43FD4095F@primarydata.com>
References: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com> <20170728022333.GI58771@kduck.kaduk.org> <CAN-5tyG9cE9JhccW7Fnho10jVE-5YnpoArZ=3DZuz79dFFD9sQ@mail.gmail.com> <CADaq8jc=K5f4cia-jFKjDMAtNhZntFE+Xa0=Lb=LSXOy+sc7Ww@mail.gmail.com> <37BF354D-CF56-4A1C-B391-8565F0E38E72@primarydata.com> <CAN-5tyH-j937PPA=nRSA5iEHOTKynryQjwfKui9dgVdZa3oQrQ@mail.gmail.com> <CAFAFD9C-DF89-4867-8880-1EA43FD4095F@primarydata.com>
From: Olga Kornievskaia <aglo@citi.umich.edu>
Date: Mon, 07 Aug 2017 12:06:30 -0400
X-Google-Sender-Auth: vCSG4vOdt3nkyZ8li3agQENG_WM
Message-ID: <CAN-5tyEKO1WVFXZAmW-bxX7bLXUtt2NM97rQi0QsrFpK70M9hw@mail.gmail.com>
To: Thomas Haynes <loghyr@primarydata.com>
Cc: Dave Noveck <davenoveck@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="f403045c2b08aa6d1505562c0764"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/qkdHZWKaPjO5LiBHDroTwsaoQqc>
Subject: Re: [nfsv4] New wording of Security Section for Flex Files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 16:06:36 -0000
Sorry might be a stupid question but why do you need to wait for another version to add back "opaque_auth/or something" that carries the security information? On Fri, Aug 4, 2017 at 4:43 PM, Thomas Haynes <loghyr@primarydata.com> wrote: > Hi, > > I’m going to top post to keep the focus on the problem at hand. > > In a nutshell, Olga is correct that we are not going to be able to secure > loosely coupled flex files. > The removal of “opaque_auth” prevents this from occurring. > > And while I have a bastardized approach using RPCSEC_GSSv3 structured > privilege assertions, > like we did for SSC - see Section 4.9.1. in RFC 7862, I think a better > approach is to > document the failure of securing loosely coupled flex files v1 and create > a flex files v2 > which addresses a minor change in the XDR to: > > (a) Fix the stateid issue for loosely coupled NFSv4.x > (b) Fix this issue for “opaque_auth” - which includes the issues raised by > Olga at the end of > her email. > > As to how we go about that, I see two scenarios: > > (1) We produce a single standards track document with a request for: > > +-----------------------+-------+----------+-----+----------------+ > | Layout Type Name | Value | RFC | How | Minor Versions | > +-----------------------+-------+----------+-----+----------------+ > | LAYOUT4_FLEX_FILES | 0x4 | RFCTBD10 | L | 1 | > | LAYOUT4_FLEX_FILES_v2 | 0x6 | RFCTBD10 | L | 1 | > +-----------------------+-------+----------+-----+----------------+ > > (2) We produce two standards track documents, the first for > LAYOUT4_FLEX_FILES > and the second much smaller document which would have a normative > reference to the first and encompass LAYOUT4_FLEX_FILES_v2. It would > have the delta XDR and the new required text. > > What I am approaching the WG for is consensus on which approach to take. > For > me, the first is less administrative headache and the second preserves a > much > cleaner separation of the minor versioning. > > Oh, and in case it is not clear, I am very appreciative of Olga’s review in > getting me to see the flaw in this document. > > Thanks, > Tom > > > On Aug 2, 2017, at 9:03 AM, Olga Kornievskaia <aglo@citi.umich.edu> wrote: > > > > On Tue, Aug 1, 2017 at 3:59 PM, Thomas Haynes <loghyr@primarydata.com> > wrote: > >> >> On Aug 1, 2017, at 11:29 AM, David Noveck <davenoveck@gmail.com> wrote: >> >> > Is stating that an out-of-band scheme >> > is used satisfies the "MUST" of semantics for managing security? >> >> Probably not, but the "MUST" can always be changed to a "SHOULD" :-) >> >> The problem is deeper here. The job of a standards-track document that >> defines a protocol or layout type is to clearly tell the implementer what >> must be done to implement the protool or layout type. Despite the possble >> issues with the specificity of any of these three possible alternatives, >> the big problem is the fact that there is more than one. If the client and >> MDS do not pick the same one, or they do and that one is not fully >> specfied, they will not nteroperate. If that is the case, then the >> document is not ready. >> >> I think the treatment of security with tight coupling is sufficiently >> clear to implement from and has been for a while. With regard to security >> for loose coupluing, what you have is essentially a promise to provide a >> specfication at some later date. I don't think the IESG is going to be OK >> with that. >> >> You have focusing on it being plausible in the sense of convincing people >> that this can be done >> (i.e. that a definition along these lines can be produced) which it can, >> but I think the IESG is going to want you to show them that it has been >> done (i.e. that the definiton has been arrived at), and you are a ways away >> from being there. >> >> >> The problem isn’t that we are pushing off a specification to a later >> date, but rather that the security is implementation specific. The client >> and MDS are forced to pick the same one. >> >> Section 1.7.1 RFC 5661 is quite clear that: >> >> As with previous versions of NFS, the External Data Representation >> (XDR) and Remote Procedure Call (RPC) mechanisms used for the NFSv4.1 >> protocol are those defined in [2] and [3]. To meet end-to-end >> security requirements, the RPCSEC_GSS framework [4] is used to extend >> the basic RPC security. With the use of RPCSEC_GSS, various >> mechanisms can be provided to offer authentication, integrity, and >> privacy to the NFSv4 protocol. Kerberos V5 is used as described in >> [5] to provide one security framework. With the use of RPCSEC_GSS, >> other mechanisms may also be specified and used for NFSv4.1 security. >> >> Note that nothing is stated as to how the TGT are constructed, so Ben’s >> approach: >> >> Semi-relatedly, I forget exactly how much trust/coupling there is supposed >> to be between the data and metadata servers/operators in this scheme. >> In particular, if the metadata server is sufficiently trusted that it can >> have a copy of the data server's kerberos credentials (the nfs/ keytab), >> then there is quite a lot of flexibility, since the metadata server can >> literally construct an arbitrary ticket and encrypt it to "itself" (i.e., >> the data server's keytab). But I don't know whether it's appropriate >> to mention this example in the document or not. >> >> >> meets the requirements of RFC 5661 and the loosely coupled model. The >> details >> of how the mds gets the storage device’s keytab are up to the >> implementation >> (just as how the storage device gets the keytab in the first place). >> >> >> We could wait until the first implementation and then make that a >> standard, but I >> don’t like that approach. >> > > I think you would agree that implementations frequently find issues with > this spec. But yes, all the previous specs when ahead prior to full > implementations. And that's why we have versions, right? It'll be fixed > later. > > I'm thinking like an implementor and I have questions that cause me > problems. Let's for the moment assume that metadata server will be running > on the same machine as the normal KDC and have access to the principals > database. To construct these tickets you need a new service as it will not > be a part of the (existing) KDC. Let's assume it is practical. > > Let's talk about of the fact that user doesn't know the password for the > synthetic identity. > > Metadata server gets a flexile layout request. It, at some point, > constructs a service ticket (session key, "synthetic identity", ... > )encrypted with data server's key. It needs to encrypt the "session key" > with the client's TGT key so that the client can then use the service > ticket against the data server. How doest the client gets this ticket? > > In normal kerberos, the client would initiate request for a service > ticket. But here the client doesn't know the "synthetic identity" ahead of > time. And even if the intent is that once the ffds_owner is returned, then > the client would request a service ticket for the specified identity. Well > in that case, the client would need to provide the password for the > synthetic identity. But he doesn't know the password so that's not going to > work. So at this point we can't use normal kerberos to get a service ticket > for the synthetic identity. > > Initially, in some earlier drafts of the spec the creds was "opaque_auth" > but it's not no longer there so I don't see a way of passing the service > ticket, encrypted session key. So I think if you want to pass the service > ticket back, then you need to add the "opaque_auth" back to the structure? > Ok now, we are just passing them back, how are we going to protect against > replay attacks? typically there is a challenge response. So perhaps require > that LAYOUTGET is always done with krb5i/p? > > Also on the (linux) client side I would suspect you won't be able to use > standard krb5 libraries to deal with the processing the "service ticket". > You might have issues getting the gssd given that the identity inside the > ticket doesn't "match" the running identity of the user (I'm not 100%sure > here). *i understand that this comment is really implementation specific > and not specs job* > > Having said all that, I still feel like we are proposing an "SPKM" > security here. It will not be practical and later on would be removed. I'd > say AUTH_SYS or GSSv3 should be used. > > And if you still want to keep Kerberos then I guess I'm proposing (a) add > "opaque_auth cred" back to the ff_data_server_4 and (b) require that > LAYOUTGET much be done with krb5i/p. (c) as suggested by Ben, issue > "service tickets" and explicitly specify what is being passed back, need to > dig out the Kerberos spec and write out how the "synthetic identity" > information is fitted into those Kerberos structures. I feel that you need > to do this because the spec isn't use standard Kerberos so can't just say > see Kerberos spec. (d) explicitly specify that metadata must have access > to the principal database for the non-synthetic client and the storage > servers. > > I wonder is "opaque_auth" the right structure? I think the spec defines it > upto 400bytes. Is that sufficient to capture service ticket + the encrypted > stuff for the client. I dunno. > > You mentioned that RFC5661 doesn't state anything as to how TGT are > constructed. That's only true because it states the Kerberos v5 and cites > the spec is used. This proposal does not follow Kerberos v5 spec -- the > proposal does not engage in KRB_AP/REP sequence which is what kerberos is > -- and thus i feel it must specify what goes into the service ticket. > > >
- [nfsv4] New wording of Security Section for Flex … Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Benjamin Kaduk
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… David Noveck
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Rick Macklem
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia
- Re: [nfsv4] New wording of Security Section for F… Thomas Haynes
- Re: [nfsv4] New wording of Security Section for F… Olga Kornievskaia