IETF Logo Mail Archive

Re: [nfsv4] NFSv4 on TLS

"Black, David" <David.Black@dell.com> Tue, 16 October 2018 21:11 UTC

Return-Path: <David.Black@dell.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7788130E2F for <nfsv4@ietfa.amsl.com>; Tue, 16 Oct 2018 14:11:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.765
X-Spam-Level:
X-Spam-Status: No, score=-2.765 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.064, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com header.b=xLNleyRb; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=tr9Xd+rx
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gcI6uAGBHfU8 for <nfsv4@ietfa.amsl.com>; Tue, 16 Oct 2018 14:11:21 -0700 (PDT)
Received: from esa8.dell-outbound.iphmx.com (esa8.dell-outbound.iphmx.com [68.232.149.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17D7A130E35 for <nfsv4@ietf.org>; Tue, 16 Oct 2018 14:11:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1539724281; x=1571260281; h=from:cc:to:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=B0QSM07edmO3pVsYAHC/fpQy2YWuLpbmIrKw/BxKm9A=; b=xLNleyRbPMwGeFBo5d/KTQfs43HFgNO6YV8+jZOpLPLB/R7CHhMO7k1c wUJK2f6glG/zl7wTG7NmC5VePshHrsG1Q9dZYhySEFp1iy+QEeo841JRJ kkL15/NzT9ppU5Ccz7X1Pey4Zlu/1V+oEdvvbpn27pYA53Sz5crOASDe0 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2EAAAAhU8ZbhyeV50NaCQ4LAQEBAQEBAQEBAQEBBwEBAQEBAYFRBAEBAQEBCwGBLyqBEH8oCowCX4tPgg16lg0UgSs7CwEBGAsLhD4ChGghNA0NAQMBAQIBAQIBAQIQAQEBFQkIKSMMgjYkAQ4vHC8JBgEBAQEBAScBAQEBAQEBAQEBAQEBAQEBAQEXAkMBEgIYAQEBAwEBARAoBh8PCwEEBwQCAQgRBAEBAQoUCQcnCxQJCAIEARIIGoJ+AYEbXggBDptfiVcBAQGCG4J9gTMChWQDBYowfh6BWT6BEkaCFzWDGwEBA4ErAQgDAQYBCQQUgzKCJohGGQiFWI9tAwQCAoZTih2BT4RwiV+MQ4lDAgQCBAUCFIFDN2ZxcFCCbIImDgl8AQiCQoUUhQQ6b4koAQENFweBAYEfAQE
X-IPAS-Result: A2EAAAAhU8ZbhyeV50NaCQ4LAQEBAQEBAQEBAQEBBwEBAQEBAYFRBAEBAQEBCwGBLyqBEH8oCowCX4tPgg16lg0UgSs7CwEBGAsLhD4ChGghNA0NAQMBAQIBAQIBAQIQAQEBFQkIKSMMgjYkAQ4vHC8JBgEBAQEBAScBAQEBAQEBAQEBAQEBAQEBAQEXAkMBEgIYAQEBAwEBARAoBh8PCwEEBwQCAQgRBAEBAQoUCQcnCxQJCAIEARIIGoJ+AYEbXggBDptfiVcBAQGCG4J9gTMChWQDBYowfh6BWT6BEkaCFzWDGwEBA4ErAQgDAQYBCQQUgzKCJohGGQiFWI9tAwQCAoZTih2BT4RwiV+MQ4lDAgQCBAUCFIFDN2ZxcFCCbIImDgl8AQiCQoUUhQQ6b4koAQENFweBAYEfAQE
Received: from mx0a-00154901.pphosted.com ([67.231.149.39]) by esa8.dell-outbound.iphmx.com with ESMTP/TLS/AES256-SHA256; 16 Oct 2018 16:11:20 -0500
Received: from pps.filterd (m0090351.ppops.net [127.0.0.1]) by mx0b-00154901.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w9GL7Zpb136559 for <nfsv4@ietf.org>; Tue, 16 Oct 2018 17:11:19 -0400
Received: from esa2.dell-outbound2.iphmx.com (esa2.dell-outbound2.iphmx.com [68.232.153.202]) by mx0b-00154901.pphosted.com with ESMTP id 2n5pyb86ws-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <nfsv4@ietf.org>; Tue, 16 Oct 2018 17:11:19 -0400
From: "Black, David" <David.Black@dell.com>
Cc: "nico@cryptonector.com" <nico@cryptonector.com>, Rick Macklem <rmacklem@uoguelph.ca>, "nfsv4@ietf.org" <nfsv4@ietf.org>, "Black, David" <David.Black@dell.com>
Received: from mailuogwdur.emc.com ([128.221.224.79]) by esa2.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-SHA256; 17 Oct 2018 03:11:04 +0600
Received: from maildlpprd55.lss.emc.com (maildlpprd55.lss.emc.com [10.106.48.159]) by mailuogwprd51.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id w9GLBABh032623 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 16 Oct 2018 17:11:17 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com w9GLBABh032623
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1539724277; bh=zImAp+azHElDzIkmytUlOX0XdN0=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=tr9Xd+rx6VkUtgaRkV5v8ylHTbfBL2MAMQHmO7fxNLWdtSWk3pwn8VEu3ldNu4i08 t4a7QRc98741/UEvrEpmgWXggQ45NYq4wf0NSqcxZoiRCH5vhGK9n6qcq0YlK9gSwF M8/95T0waP+o82kecm/EBM8KYnEzS5yjbsx8ArRE=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com w9GLBABh032623
Received: from mailusrhubprd53.lss.emc.com (mailusrhubprd53.lss.emc.com [10.106.48.18]) by maildlpprd55.lss.emc.com (RSA Interceptor); Tue, 16 Oct 2018 17:10:50 -0400
Received: from MXHUB321.corp.emc.com (MXHUB321.corp.emc.com [10.146.3.99]) by mailusrhubprd53.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id w9GLAnp8012845 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=FAIL); Tue, 16 Oct 2018 17:10:50 -0400
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB321.corp.emc.com ([10.146.3.99]) with mapi id 14.03.0399.000; Tue, 16 Oct 2018 17:10:49 -0400
To: Benjamin Kaduk <kaduk@mit.edu>, Trond Myklebust <trondmy@gmail.com>
Thread-Topic: [nfsv4] NFSv4 on TLS
Thread-Index: AQHUZYn7wdvhrIDwK0eAI+4TU2hhh6UijmCA///IFwA=
Date: Tue, 16 Oct 2018 21:10:48 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949363030838E@MX307CL04.corp.emc.com>
References: <FD3EEC6C-887F-4F3A-AB9E-87AB9EE34ABD@oracle.com> <20180826214725.GA10368@localhost> <9A8DAFF1-C837-4AFA-99CB-863C09091608@oracle.com> <20180827185325.GB10368@localhost> <CADaq8jdr0w74J9db-AZTQ_dAP5ngT53R=KvLuK7xnVpptpbOCw@mail.gmail.com> <YTOPR0101MB182075AD5B7E864C48FF6324DD0A0@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM> <CAABAsM5FatQmorZpTu4MGCwZMahRSJdhJu9gEPgjDEepcjjHfQ@mail.gmail.com> <20181016200243.GX19309@kduck.kaduk.org>
In-Reply-To: <20181016200243.GX19309@kduck.kaduk.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.238.21.34]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd53.lss.emc.com
X-RSA-Classifications: public, GIS Solicitation
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-10-16_14:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810160176
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/rFahDaBIKJighnnJScwBjIXt3ko>
Subject: Re: [nfsv4] NFSv4 on TLS
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2018 21:11:24 -0000

> Any such document would need to discuss the client authentication semantics
> for the TLS connection, whether a single per-host client cert is used vs.
> per-user certs, etc.  BCP 195/RFC 7525 would of course play a role, too.

+1 on RFC 7525 - very useful.

OTOH, I think per-user certs are not a good idea for NFS, because NFS already has a notion of user identity, channel binding has been difficult to deploy in practice, and there's value in separating user authentication (and identities) from machine/device authentication (and identities) in this context.

Starting with authentication separation, the baseline for this mechanism ought to be "AUTH_SYS-over-TLS" where the TLS per-host certs are for machine/device authentication and user "authentication" (well, for AUTH_SYS, it's more authorization than authentication) is initially handled via AUTH_SYS UIDs/GIDs over a TLS connection.  In this scenario, TLS secures the machine-to-machine connection enabling the AUTH_SYS UIDs/GIDs to be trusted by the server - Keeping that security property/goal in mind helps in figuring out what to do for TLS client authentication.

One possibility, TLS certs could be used as part of selecting a "domain" or "space" for AUTH_SYS UIDs/GIDs - one way to do that would be to run a separate NFS server instance per "domain" or "space" where the client uses the TLS Server Name indication to select the server that it wants to talk to.  Client validation of the server's TLS certificate then assures the client that it's talking to the intended AUTH_SYS "domain" or "space" and server TLS authentication of the client can establish whether or not the client is authorized to access that AUTH_SYS "domain" or "space".  That may involve TLS client certs, but this is machine-to-machine authorization (no humans) where that's definitely feasible.

Thanks, --David

> -----Original Message-----
> From: nfsv4 [mailto:nfsv4-bounces@ietf.org] On Behalf Of Benjamin Kaduk
> Sent: Tuesday, October 16, 2018 4:03 PM
> To: Trond Myklebust
> Cc: nico@cryptonector.com; Rick Macklem; nfsv4@ietf.org
> Subject: Re: [nfsv4] NFSv4 on TLS
> 
> 
> [EXTERNAL EMAIL]
> Please report any suspicious attachments, links, or requests for sensitive
> information.
> 
> 
> I'm not really in a position to speak of the level of demand for such a
> proposal, but...
> 
> On Tue, Oct 16, 2018 at 03:53:32PM -0400, Trond Myklebust wrote:
> > So here is a quick proposal: we add a new security type AUTH_TLS, which
> can
> > act as the equivalent of a "STARTTLS command" to signal that we want to
> > initiate TLS security negotiation if the server supports it.
> >
> > When the client has set up the TCP connection, and is ready to initiate the
> > TLS negotiation, it pings the server with a NULL RPC request with an
> > auth_flavor of AUTH_TLS. If the server doesn't recognise that flavour, and
> > returns AUTH_ERROR (+AUTH_BADCRED?), then the client knows that the
> server
> > is unlikely to support stepping up to TLS on this connection.
> >
> > There should be no need for the credential to carry any form of
> > authentication payload, so just model it on AUTH_NONE, but have the
> server
> > return a payload of "STARTTLS" in the body of the verifier. That
> > differentiates it from AUTH_NONE, and allows the client to distinguish
> > servers that recognise AUTH_TLS, and servers that just ignore the
> > authentication header altogether in NULL RPC calls. If the payload matches,
> > then the client kicks off TLS negotiation before sending any further RPC
> > calls on this connection.
> >
> > If the client tries to use AUTH_TLS for anything other than a NULL RPC
> > ping, then a server would presumably be expected to return AUTH_ERROR
> with
> > AUTH_TOOWEAK.
> >
> > Once the TLS negotiation is complete, then the client and server will have
> > established a secure channel for communicating, and can then use the
> 
> Any such document would need to discuss the client authentication
> semantics
> for the TLS connection, whether a single per-host client cert is used vs.
> per-user certs, etc.  BCP 195/RFC 7525 would of course play a role, too.
> 
> > standard security flavours on top of that channel (presumably after
> > negotiating down the irrelevant RPCSEC_GSS privacy and integrity
> mechanisms
> > and applying channel binding).
> 
> Anyone considering GSSAPI channel binding should probably consider the
> issues that
> https://tools.ietf.org/html/draft-ietf-kitten-channel-bound-flag-03 tries
> to address, and also that the tls-unique-based binding value in RFC 5929 is
> rather overtaken by events.  There would probably be a need to define a
> new
> TLS exporter-based value that requires the use of TLS 1.3 or
> extended-master-secret.
> 
> -Ben
> 
> > Is this a proposal that might be of interest to members of this group, and
> > hence be worth documenting in an RFC?
> >
> > Cheers
> >   Trond
> >
> > On Tue, 28 Aug 2018 at 07:57, Rick Macklem <rmacklem@uoguelph.ca>
> wrote:
> >
> > > David Noveck wrote:
> > > [stuff snipped]
> > > >> AUTH_SYS with UIDs/GIDs is too limited.
> > > >
> > > >As far as I know, AUTH_SYS includes 32-bit UIDs/GIDs.   Those seemed
> > > ample when
> > > >AUTH_SYS was designed.
> > > >
> > > >It certainly is too limited now, but it is difficult to change. Even more
> > > of a
> > > >barrier than the existiing OTW formats, is the fact that most flle systems
> > > >used with NFS reserve 32 bits in the inode for each of owner and group.
> > > >Further complicating matters is that in-kernel VFS's and POSIX API's are
> > > >built around this very limited approach to user identity.
> > > >
> > > >> I have no objection to a mechanism like AUTH_SYS-over-TLS
> > > >
> > > >I don't know of any AUTH_SYS mechanism that uses anything other than
> > > >32-bit ids.
> > > >
> > > >> that uses name@domain to be consistent with the rest of NFSv4.
> > > I think he was referring to a new authentication flavour that had the
> > > "user@domain" string as the authenticator. (There is a 400byte limit, but
> > > that might be sufficient.) I might have called it AUTH_NAME or
> AUTH_OWNER.
> > >
> > > I'd guess that 99.9% of FreeBSD NFS usage is AUTH_SYS, although
> Kerberos is
> > > in the system. I do think a way to use TLS (or similar) to encrypt at the
> > > transport
> > > level would be a good thing and would get used more widely.
> > >
> > > Many of the FreeBSD sites (I won't guess the %) use AUTH_SYS but
> ignore the
> > > gid list and generate a gid list on the server from the uid. As such, I
> > > don't think
> > > putting gids/owner_group names in a new authentication mechanism is
> needed.
> > >
> > > For folks that have a 32bit uniform uid space, AUTH_SYS in transport
> > > encryption
> > > seems ok to me.
> > > For sites where the uid space isn't uniform or doesn't fit in 32bits, a
> > > "user@domaim"
> > > to uid/gid list mapping in the server can be done using this new one.
> > >
> > > >Within NFSv4 proper, you could use name@domain, but there is really
> no
> > > >point if you are using AUTH_SYS.    You are allowed to use numeric ids
> > > >as attributes and most people using AUTH_SYS choose to do so, to avoid
> > > >the overhead of a translation that provides no benefits.
> > > They could use this mapping with AUTH_OWNER when AUTH_SYS won't
> > > work for them.
> > >
> > > rick
> > > ps: I, for one, am not interested in implementing a new GSSAPI
> mechanism
> > > that
> > >       isn't in the open source Kerberos distros. As such, any complicated
> > > setup
> > >       involving writing of a lot of new code probably wouldn't make it in
> > > FreeBSD
> > >       for a long time. However, something that mostly uses the extant code
> > > for
> > >       supporting "https" should be doable.
> > > [more stuff snipped]
> > >
> > > _______________________________________________
> > > nfsv4 mailing list
> > > nfsv4@ietf.org
> > > https://www.ietf.org/mailman/listinfo/nfsv4
> > >
> 
> > _______________________________________________
> > nfsv4 mailing list
> > nfsv4@ietf.org
> > https://www.ietf.org/mailman/listinfo/nfsv4
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email