IETF Logo Mail Archive

Re: [nfsv4] Stephen Farrell's No Objection on draft-ietf-nfsv4-minorversion2-40: (with COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 23 January 2016 15:10 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D78F1B37B3; Sat, 23 Jan 2016 07:10:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ZjPaizQRFov; Sat, 23 Jan 2016 07:10:10 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E57381B37B2; Sat, 23 Jan 2016 07:10:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 12680BE53; Sat, 23 Jan 2016 15:10:08 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4yG9Lv-J_QNe; Sat, 23 Jan 2016 15:10:06 +0000 (GMT)
Received: from [10.87.48.91] (unknown [86.46.16.108]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 8AF5ABE54; Sat, 23 Jan 2016 15:10:04 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1453561806; bh=frhzj8pG2BuxCObk7WOnrgvkELsn8yc8bIBYf8U17vQ=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=au3brmqJC3mz2f7QzTa3ltyEYJADM0OKcuRTVPscRyy22E2GcZVYx57M5cuqWDKFR 4B0LlgAgv8m5G0Q6y7H3csL5W5BeOGXYDPUnXQI3G7hwEUKGx+hIS/tt3BxH9b6Q9m xtEMk/EA7E1hgJBSuWcBCe/hIPerWXt/qwyW2ZHY=
To: Tom Haynes <thomas.haynes@primarydata.com>
References: <20160121141530.8170.25186.idtracker@ietfa.amsl.com> <166532A7-FDCC-4021-8314-8CCD2DB36703@primarydata.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56A397CB.7060606@cs.tcd.ie>
Date: Sat, 23 Jan 2016 15:10:03 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <166532A7-FDCC-4021-8314-8CCD2DB36703@primarydata.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/nfsv4/rDF3SQ07YMTv_vz-PbxXDXj-bCA>
Cc: The IESG <iesg@ietf.org>, draft-ietf-nfsv4-minorversion2@ietf.org, nfsv4@ietf.org, nfsv4-chairs@ietf.org
Subject: Re: [nfsv4] Stephen Farrell's No Objection on draft-ietf-nfsv4-minorversion2-40: (with COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jan 2016 15:10:12 -0000

Hi Tom,

On 23/01/16 00:13, Tom Haynes wrote:
> Hi Stephen,
> 
> Thanks for the comment, responses inline
> 
>> On Jan 21, 2016, at 6:15 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>
>> Stephen Farrell has entered the following ballot position for
>> draft-ietf-nfsv4-minorversion2-40: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-minorversion2/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>>
>>
>> - 1.3.2: I'm just curious, feel free to ignore. Does anyone
>> maintain those posix specs these days? (e.g.
>> [posix_fadvise]).
> 
> No clue :-)
> 
> 
>>
>> - 1.4: "a new arm" isn't clear to this reader, maybe
>> consider re-phrasing if this isn't a common NFS term (if it
>> is, that's fine)
>>
> 
> 
> No, not a NFS term.
> 
> How about this:
> 
>    NFSv4.2, it is possible to add a new arm (i.e., a new entry in the
>    union and a corresponding new field in the structure) in a subsequent
>    minor version.  And it is also possible to move such an operation

That's better (for me) yes, or just refer to rfc1832 maybe
as Chuck suggested.

> 
> 
> 
>> - 4.10: thanks for providing all that!
>>
>> - 4.10: possibly dumb question: does this (or NFSv4) support
>> what a user would perceive as an encrypting file system
>> where the keys are held-by/derived from something on the
>> user's machine? If so, and if the two servers involved use
>> keys known at the user's machine and not by the NFS
>> infrastructure then I'm not sure how this can work. IOW, if
>> there's a decryption and then a re-encryption required in a
>> server-server copy and if that needs any keying material
>> from the client then could that ever work? Note that I'm not
>> talking about securing the file during the server-server
>> copy but de-crypting before sending and then re-encrypting
>> before storing.
> 
> Petty sure that Kerberos provides for this.

Really? I'd be surprised. That probably means I didn't ask
the question well though:-)

Does NFS have any support for an encrypted file system such
that the long term keys protecting those files can be stored
e.g. on a usb dongle that the user keeps?

If so, then I doubt server-server copy can work in such cases
and that probably would need to be documented. If not, then...
not:-)

>> - 9.6: Is it considered a requirement that e.g. a user
>> cleared to secret cannot tell if there is anything stored
>> that is of higher classification?
> 
> 
> In Section 9.2, it states:
> 
>    o  MUST NOT expose an object to either the client or server name
>       space before its security information has been bound to it.
> 
> And the definition of “bound” belongs to
> the security implementation being defined.
> 
> I.e., I mean seLinux, Trusted Solaris, etc.

Sure, but that's not the issue.

> 
> 
>> If so, did anyone go
>> through all NFS interfaces to check if e.g. disk or
>> directory usage information could give away the fact that
>> there is stuff stored that's not visible to this user?
> 
> 
> In a Limited Server, this is clearly not met.

That's fine.

> 
> In a Full Mode implementation, a policy might exist that
> allowed the server to let the client make such decisions.

I'm not sure what decision you mean. The issue I wanted to
ask about relates to information leakage, not a client
decision. Let me try as another way.

Say if a directory has N files labelled secret and one
file labelled top-secret and a user is cleared to secret.
Can the user use NFS to check the size of the directory
and thus deduce the size of the top-secret file? If so,
then I think you ought note that as a security consideration.
If not, it'd maybe be worth saying a few words about that
so that implementers don't get it wrong.

Cheers,
S.

>>  I'm
>> not arguing that this definitely needs to be done
>> exhaustively, but maybe consider adding a caveat emptor
>> sentence somewhere saying that even with MAC, it could be
>> that NFS allows for some minor meta-data leakage such as the
>> above.
>>
>>
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email