IETF Logo Mail Archive

Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-measurement-04.txt

Chuck Lever <chuck.lever@oracle.com> Sun, 31 March 2019 15:11 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0C2E1201A2 for <nfsv4@ietfa.amsl.com>; Sun, 31 Mar 2019 08:11:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7YBPfdbzuecW for <nfsv4@ietfa.amsl.com>; Sun, 31 Mar 2019 08:11:04 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0A6B12019E for <nfsv4@ietf.org>; Sun, 31 Mar 2019 08:11:04 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x2VF04vk166566; Sun, 31 Mar 2019 15:11:03 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=V8qt/fPhZn7RzaDnDSXbkIiaF8bqzxxUUSxHbtoemhY=; b=qqgcbuA0zp4tzNc//8Gkj93yLIZ7QZvg1LkYRbEAxGUosdyFhJmEvzQtFz6uXUZA5+O7 xrzXGGW2K9Kfg1F8wgM2ZHWCIyZdkaRVnXzIPjrjRaDpQ1GAl4VeHJcV6C/EbdbCcG/J qe//Ux4fGY8SaRafEBaOUNvdhQIXVT7HKbPFAQBHzcjCgPd85ii4LqiPF1dK2xjGkTq5 FGj8EkajBkzWVH7zTvGvKpIuKWbyyhg9bfplKCKEk+5H5HgsiR378stIK5jDCc/of/xB 6n1cGPBdituKDv42VNYxgXgDNiN+29tGp96jzblbUSF20gQxGGGWTia9c/cE6mOzLxPP zA==
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2rj13pu8uv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 31 Mar 2019 15:11:03 +0000
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id x2VFB2nm019452 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 31 Mar 2019 15:11:03 GMT
Received: from abhmp0013.oracle.com (abhmp0010.oracle.com [141.146.116.16]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x2VFB1HD022389; Sun, 31 Mar 2019 15:11:01 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 31 Mar 2019 08:11:01 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <20190330171931.GE35679@kduck.mit.edu>
Date: Sun, 31 Mar 2019 11:10:59 -0400
Cc: NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <384E2861-4BFB-45C6-8A8A-F59DC1EB4000@oracle.com>
References: <155369706351.10340.6533824804685956005@ietfa.amsl.com> <D8F72FA0-A29B-49A8-B21D-7D696D0A35FD@oracle.com> <FABC29C7-7632-4489-968D-C2D2776D5861@netapp.com> <DFC8BF18-DF6B-4FB3-95C6-7F95AFDE3E34@oracle.com> <078FEDA0-589E-498B-BB92-82AB38524378@netapp.com> <A2D5F556-0759-4955-AB54-6938FAF10801@oracle.com> <20190330171931.GE35679@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>, "Everhart, Craig" <Craig.Everhart@netapp.com>
X-Mailer: Apple Mail (2.3445.102.3)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9213 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903310114
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/r7brpDwWlwj0hzoUR3pHMRqDNgw>
Subject: Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-measurement-04.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2019 15:11:08 -0000


> On Mar 30, 2019, at 1:19 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> This seems to have gotten a bit heated.  Let's try to stick to the
> technical factors, please.

I apologize. I will try to keep the discourse civil and technical.


> On Wed, Mar 27, 2019 at 12:34:03PM -0400, Chuck Lever wrote:
>> 
>> 
>>> On Mar 27, 2019, at 11:58 AM, Everhart, Craig <Craig.Everhart@netapp.com> wrote:
>>> 
>>> Please leave my employer out of this.  They don't speak for me, and I don't speak for them.
>> 
>> I'm trying to understand the context of your remarks. Until now,
>> I haven't seen any disclaimer on e-mails from you at your NetApp
> 
> In particular, you shouldn't need to see any disclaimer: the BCPs are
> pretty clear that we make our IETF contributions in an individual capacity.
> 
>> address. So be it: you are interested in understanding the whole
>> stack.
> 
> Putting my IESG hat on briefly, we also need to have some understanding of
> the complete stack in order to review documents.  External references are
> unavoidable sometimes, of course, but when a brief summary can avoid the
> need for them, that does save us time.
> 
>> 
>>> Solely as an individual, I really want to know the answers to whether this proposal makes sense for the broadest interconnected NFS community; ideally the answers would be in this document and not in cited material.
>> 
>> I've been specifically told not to repeat what appears in cited
>> material. If there's a brief summary that can be added, I can do
>> that, but I prefer to let referenced material speak for itself.
> 
> I think it's a bit more subtle than this blanket admonition would indicate;
> I'm also a bit curious exactly what you were told  (and by whom), though
> perhaps I should not worry about that.
> 
>> This document specifies NFS protocol, not implementation of IMA.
>> I can be somewhat flexible about an explanation of IMA, but it
>> does not seem appropriate to provide an explicit description of
>> IMA metadata content and format -- just as it is out of scope
>> for RFC 7862 to be specific about the exact format of Security
>> Labels. I'm describing a transport and storage mechanism for
>> an application-defined data format.
> 
> With apologies for commenting on a document I have not yet read, you  do
> need to document what is and is not allowed in this container (and external
> references will of course play abig part in that).
> 
> -Ben
> 
>> 
>>> Last I looked at the documents, if I recall correctly, they referred to an authority on a single machine, and not an authority that was expected to serve a broader community, let alone a collection of machines larger than a classic workgroup.  The discussion of "identity" is along the same lines: a 32-bit userid is no longer an identifier for a principal.  NFS4 generally realizes this, but there is no indication that the IMA world does.
>> 
>> The identities in question are not 32-bit UIDs and are not users
>> or file owners. The document does not mention AUTH_SYS or
>> traditional Unix UIDs anywhere. Cryptographic signatures, which
>> are discussed here, are performed using large keys or x.509
>> certificates that are generated by global trust authorities.
>> 
>> The Introduction outlines several use cases that ought to provide
>> appropriate context for understanding the architecture -- that
>> the signers are typically global software vendors.
>> 
>> 
>>> 		Craig Everhart
>>> 
>>> 
>>> On 3/27/19, 11:49 AM, "Chuck Lever" <chuck.lever@oracle.com> wrote:
>>> 
>>>   NetApp Security WARNING: This is an external email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>> 
>>> 
>>> 
>>> 
>>>> On Mar 27, 2019, at 11:23 AM, Everhart, Craig <Craig.Everhart@netapp.com> wrote:
>>>> 
>>>> This version of the draft is at least more honest that it is simply an NFSv4 wrapper around one platform's implementation.  I admire the intellectual honesty.
>>>> 
>>>> At the same time, a large amount is left unspecified:
>>>>     - how keyed hashes are applied or interpreted
>>>>     - what agents create or interpret "IMA metadata"
>>>>     - format and semantics for "IMA metadata"
>>>> 
>>>> Because of this and other issues, the reader of this draft has no idea whether "IMA metadata" is portable from one Linux machine to another, or perhaps portable within some unspecified community boundary, or how to participate in this standard other than simply standing aside and hoping that Linux implementations do what one wishes that they would do.  For example, what is "the identity of the last modifier of a file's content"--is that an attribute that has meaning beyond a single machine's boundary?  How would one tell?  Even if assertions were made about it in prose, how would one tell in practice?  Does it even have meaning to carry one machine's "IMA metadata" to another participating machine?
>>>> 
>>>> This is a set of semantic questions beyond the "IMA metadata format" question that is alluded to in the prose.
>>>> 
>>>> I do not understand how the proposed extension is useful, and what use this OPTIONAL facility would have beyond a private community.
>>> 
>>>   I don't find your criticism to be fair. The Security Labels implementation
>>>   added in NFSv4.2 takes the same approach, as does the proposed extension
>>>   to support Linux extended attributes. I haven't heard any similar
>>>   objection ("beyond a private community") to either precedent. OPTIONAL
>>>   means you don't have to implement it if you don't agree with it.
>>> 
>>>   The document has unambiguous citations of material that explains how IMA
>>>   works. Indeed, if you have questions beyond that, the implementation
>>>   of IMA in Linux is open source, and there is an open mailing list where
>>>   questions can be answered: linux-integrity@vger.kernel.org. I can't
>>>   force you to read the cited material, but I also can't answer your
>>>   questions any more clearly than that material already does.
>>> 
>>>   What's more, as your employer makes only NFS servers, and the responsibility
>>>   of an NFS server is simply to store IMA metadata just as it stores file
>>>   content and file names without interpretation, I haven't a clue what
>>>   possible issue you could have with the current revision of this document
>>>   and why you refuse to look at the references to further your understanding.
>>> 
>>>   Therefore I question whether you are truly interested in improving this
>>>   proposal. Perhaps your only interest is in vetoing it? If it isn't, please
>>>   make specific suggestions as to how I can resolve your concerns.
>>> 
>>> 
>>>>             Craig Everhart
>>>> 
>>>> 
>>>> On 3/27/19, 10:40 AM, "nfsv4 on behalf of Chuck Lever" <nfsv4-bounces@ietf.org on behalf of chuck.lever@oracle.com> wrote:
>>>> 
>>>>  NetApp Security WARNING: This is an external email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On Mar 27, 2019, at 10:31 AM, internet-drafts@ietf.org wrote:
>>>>> 
>>>>> 
>>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>>> This draft is a work item of the Network File System Version 4 WG of the IETF.
>>>>> 
>>>>>     Title           : Integrity Measurement for Network File System version 4
>>>>>     Author          : Charles Lever
>>>>>    Filename        : draft-ietf-nfsv4-integrity-measurement-04.txt
>>>>>    Pages           : 13
>>>>>    Date            : 2019-03-27
>>>>> 
>>>>> Abstract:
>>>>> This document specifies an OPTIONAL extension to NFS version 4 minor
>>>>> version 2 that enables Linux Integrity Measurement Architecture
>>>>> metadata (IMA) to be conveyed between NFS version 4.2 servers and
>>>>> clients.  Integrity measurement authenticates the creator of a file's
>>>>> content and helps guarantee the content's integrity end-to-end from
>>>>> creation to use.
>>>>> 
>>>>> 
>>>>> The IETF datatracker status page for this draft is:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-integrity-measurement/
>>>>> 
>>>>> There are also htmlized versions available at:
>>>>> https://tools.ietf.org/html/draft-ietf-nfsv4-integrity-measurement-04
>>>>> https://datatracker.ietf.org/doc/html/draft-ietf-nfsv4-integrity-measurement-04
>>>>> 
>>>>> A diff from the previous version is available at:
>>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-nfsv4-integrity-measurement-04
>>>>> 
>>>>> 
>>>>> Please note that it may take a couple of minutes from the time of submission
>>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>> 
>>>>> Internet-Drafts are also available by anonymous FTP at:
>>>>> ftp://ftp.ietf.org/internet-drafts/
>>>> 
>>>>  I recently created a prototype implementation in the Linux NFS
>>>>  server and client which can be found in the nfs-ima-prototype
>>>>  topic branch of
>>>> 
>>>>  git://git.linux-nfs.org/projects/cel/cel-2.6.git
>>>> 
>>>> 
>>>>  Commenters seem to prefer a "Linux IMA" specific implementation
>>>>  over a generic file provenance implementation. Thus the prototype
>>>>  I created is specific to Linux IMA. The draft has been updated to
>>>>  reflect what the prototype implements.
>>>> 
>>>>  All references to "file provenance" have been replaced with the
>>>>  original text that referred specifically to Linux IMA. The request
>>>>  to create a file provenance registry has been removed. The XDR
>>>>  definition has been updated likewise.
>>>> 
>>>>  I've added an "Implementation Status" section that documents the
>>>>  existence of the Linux prototype.
>>>> 
>>>> 
>>>>  --
>>>>  Chuck Lever
>>>> 
>>>> 
>>>> 
>>>>  _______________________________________________
>>>>  nfsv4 mailing list
>>>>  nfsv4@ietf.org
>>>>  https://www.ietf.org/mailman/listinfo/nfsv4
>>>> 
>>>> 
>>> 
>>>   --
>>>   Chuck Lever
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> --
>> Chuck Lever
>> 
>> 
>> 
>> _______________________________________________
>> nfsv4 mailing list
>> nfsv4@ietf.org
>> https://www.ietf.org/mailman/listinfo/nfsv4

--
Chuck Lever

v2.23.0 | Report a Bug | By Email