Re: [nfsv4] questions w.r.t RPC-over-TLS draft
Chuck Lever <chuck.lever@oracle.com> Mon, 27 January 2020 19:23 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E957C3A0A2C for <nfsv4@ietfa.amsl.com>; Mon, 27 Jan 2020 11:23:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mWr82uxz_32z for <nfsv4@ietfa.amsl.com>; Mon, 27 Jan 2020 11:23:13 -0800 (PST)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F0683A0A27 for <nfsv4@ietf.org>; Mon, 27 Jan 2020 11:23:00 -0800 (PST)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id 00RJDoxf004702; Mon, 27 Jan 2020 19:22:53 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2019-08-05; bh=zXlKhC5I4hLK2XBV7aRalDUB7Swspp2PQE4ne3goIoA=; b=BU1P2F5YJ0btAm3Gi5iMmxUu/1Z7GU5Iaf01LisJmBjHCRBP7GeT8L93rLxecvtxvsqM 41NakXofMdVACxtbgsE5ZSr34vHA8o1xXBjBD/uRKyeemJmG72ChN9bJutedLGF0/ZfT faaXSrq1oW16gypRkYKAl7InE0czmzemXui/NEEnk4AbgFdRg76RkY5Asba/plBZPpAf Qpa9nII8lubd02tIJN/eOwC67JwINbXLvDr3fgGamCX7R4wVe211OXiqys/haQGAybyy RzNfa3hWEx3CgYe5QgwgfivaVOa8lQE0Ci8A/xdB2ZzQGNhOW0eQuzE/7UN57Am8L3yy GQ==
Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by userp2120.oracle.com with ESMTP id 2xrear1daj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 27 Jan 2020 19:22:53 +0000
Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id 00RJDFHP186656; Mon, 27 Jan 2020 19:22:53 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userp3020.oracle.com with ESMTP id 2xrytqmha3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 27 Jan 2020 19:22:53 +0000
Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 00RJMqtq032212; Mon, 27 Jan 2020 19:22:52 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 27 Jan 2020 11:22:51 -0800
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <YQBPR0101MB1427EC1765AEBD08A2C55A09DD0E0@YQBPR0101MB1427.CANPRD01.PROD.OUTLOOK.COM>
Date: Mon, 27 Jan 2020 14:22:50 -0500
Cc: Benjamin Kaduk <kaduk@mit.edu>, NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EB385200-1A85-42F7-967C-ADC24875232C@oracle.com>
References: <YQBPR0101MB142761C64D6A842CB99EADC0DD320@YQBPR0101MB1427.CANPRD01.PROD.OUTLOOK.COM> <0E8060A0-B8DA-462E-915E-9121824A7A3D@oracle.com> <YQBPR0101MB1427364BAFED4564FD0FD67BDD320@YQBPR0101MB1427.CANPRD01.PROD.OUTLOOK.COM> <0FF8087F-E4C6-4ABB-8F92-6224724939FC@oracle.com> <YQBPR0101MB1427D05C02E7B056BFB59244DD0D0@YQBPR0101MB1427.CANPRD01.PROD.OUTLOOK.COM> <632009682.1567555.1579693972041.JavaMail.zimbra@desy.de> <YQBPR0101MB14278E78602567233ADE90D1DD0C0@YQBPR0101MB1427.CANPRD01.PROD.OUTLOOK.COM> <20200124015406.GF90660@kduck.mit.edu> <YQBPR0101MB1427EC1765AEBD08A2C55A09DD0E0@YQBPR0101MB1427.CANPRD01.PROD.OUTLOOK.COM>
To: Rick Macklem <rmacklem@uoguelph.ca>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9513 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-2001270153
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9513 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-2001270153
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/qzrkCCZZI4Qr6bYsh6ihLtpSTsQ>
Subject: Re: [nfsv4] questions w.r.t RPC-over-TLS draft
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jan 2020 19:23:15 -0000
> On Jan 24, 2020, at 6:03 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote: > > Benjamin Kaduk wrote: >> On Wed, Jan 22, 2020 at 10:51:04PM +0000, Rick Macklem wrote: >>> Mkrtchyan, Tigran wrote: >>> [stuff snipped] >>>>> Chuck Lever wrote: >>>>>> It seems to me the new text clearly allows an unencrypted NULL RPC at any >>>>>> time. I'm not sure that's even feasible, but it's an implementer's choice. >>>>> I wrote: >>>>> Yea. I'm not sure if this is feasible either (at least for TCP), but NULL RPCs >>>>> seem >>>>> harmless, so I think the current wording is ok, at least for reliable ordered >>>>> transports >>>>> like TCP. >>>> >>>> >>>> I am pretty sure, that once TLS session is established, you can't sent any other >>>> requests outside of it. >>> Yea, the only case I can think of where it might be possible for TCP is after an >>> SSL_shutdown is done on the socket. I also haven't looked at the RFC enough to figure out >> >> "SSL_shutdown is done on the socket" translates (roughly) to TLS-speak as >> "both endpoints send and receive "close_notify" alerts from the peer", and >> in theory the protocol can support this but evidence of real-world >> functionality is quite sparse. (Many implementations do not really do >> "close_notify" quite according to the spec, and trying to wait for it from >> the peer is pretty dicey.) > Yes. According to the OpenSSL doc, you can check for a 0 return from the first SSL_shutdown() > call and do a second one in that case, to make sure you get the close_notify from the peer. > None of the sample code I've found (some in the OpenSSL doc) does that, or even checks > the return value from the SSL_shutdown() calls. > > Just to be clear, I don't see any need for unencrypted RPC traffic to work on the socket > after the TLS handshake starts. > > I also don't care if NULL RPCs with AUTH_NULL are allowed before the NULL RPC with > AUTH_TLS is done. > The draft said "no unencrypted RPC traffic", whereas the NULL RPC with AUTH_TLS is > just that, so it seems there needs to be some rewording done. > > I do think that the draft should clearly state: > 1 - A NULL RPC with AUTH_TLS that gets a successful reply with "STARTTLS" in the > reply verifier is a "STARTTLS command, with the TLS handshake following immediately > after this". > 2 - What, if any, unencrypted RPC traffic is allowed to precede the NULL RPC with AUTH_TLS. I'm willing to make some alterations. I don't think we're changing any consensus decisions here, so probably the best approach would be for me to submit another revision after we resolve the wording issues. Does that sound right, NFSv4 chairs? >>> if unencrypted (I think it calls them cleartext) TLS records can be mixed into encrypted >ones. >> >> They can't. (If there was a severe need a way could be found, e.g., with a >> new record type, but there would be a lot o... > I can't see any reason to do this. Mixing might not be an issue on TCP connections, but I'm wondering how to deal with DTLS. -- Chuck Lever
- [nfsv4] questions w.r.t RPC-over-TLS draft Rick Macklem
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Rick Macklem
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Mkrtchyan, Tigran
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Chuck Lever
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Rick Macklem
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Chuck Lever
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Rick Macklem
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Benjamin Kaduk
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Mkrtchyan, Tigran
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Rick Macklem
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Benjamin Kaduk
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Rick Macklem
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Chuck Lever
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft Chuck Lever
- Re: [nfsv4] questions w.r.t RPC-over-TLS draft David Noveck