IETF Logo Mail Archive

Re: [nfsv4] New wording of Security Section for Flex Files

Thomas Haynes <loghyr@primarydata.com> Tue, 01 August 2017 19:59 UTC

Return-Path: <loghyr@primarydata.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C58B13230E for <nfsv4@ietfa.amsl.com>; Tue, 1 Aug 2017 12:59:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.49
X-Spam-Level:
X-Spam-Status: No, score=-2.49 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=primarydata.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JBsc_CNou7ct for <nfsv4@ietfa.amsl.com>; Tue, 1 Aug 2017 12:59:09 -0700 (PDT)
Received: from us-smtp-delivery-194.mimecast.com (us-smtp-delivery-194.mimecast.com [63.128.21.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9F4D1322FC for <nfsv4@ietf.org>; Tue, 1 Aug 2017 12:59:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=PrimaryData.onmicrosoft.com; s=selector1-primarydata-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=+exkLaNTfl4XQOWgu5nhm9wDUCosrFzZ+Y/NH7xi4Pk=; b=CSU4F3A9UaQzlfirRORNANtfsosaH1tXFALPVSUfh80vW/PuPoe7iNz+lDLXnwNG+sCEoaJ3qVCb2XNedMTxZocT5w5adL2tWQeo+QwsIJy49nhCwun6QbuXHeOEQ71QoVqvFLi4x3i/DyUPX6moCoz7zF7tgHA+/ATaAZYDnuo=
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01lp0116.outbound.protection.outlook.com [207.46.163.116]) (Using TLS) by us-smtp-1.mimecast.com with ESMTP id us-mta-10-uMQRIeSRPruoOgglM4NaaA-1; Tue, 01 Aug 2017 15:59:05 -0400
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com (10.164.166.21) by BY2PR1101MB1095.namprd11.prod.outlook.com (10.164.166.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1304.22; Tue, 1 Aug 2017 19:59:02 +0000
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) by BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) with mapi id 15.01.1304.023; Tue, 1 Aug 2017 19:59:02 +0000
From: Thomas Haynes <loghyr@primarydata.com>
To: Dave Noveck <davenoveck@gmail.com>
CC: Olga Kornievskaia <aglo@citi.umich.edu>, Benjamin Kaduk <kaduk@mit.edu>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] New wording of Security Section for Flex Files
Thread-Index: AQHTBOJTubmEu3G57EqvOqsgsMtAEKJoh0CAgAdGdgCAABDDgIAAGPyA
Date: Tue, 01 Aug 2017 19:59:02 +0000
Message-ID: <37BF354D-CF56-4A1C-B391-8565F0E38E72@primarydata.com>
References: <9E3B8A6F-E27C-4A65-A0F7-6E0275B0616A@primarydata.com> <20170728022333.GI58771@kduck.kaduk.org> <CAN-5tyG9cE9JhccW7Fnho10jVE-5YnpoArZ=3DZuz79dFFD9sQ@mail.gmail.com> <CADaq8jc=K5f4cia-jFKjDMAtNhZntFE+Xa0=Lb=LSXOy+sc7Ww@mail.gmail.com>
In-Reply-To: <CADaq8jc=K5f4cia-jFKjDMAtNhZntFE+Xa0=Lb=LSXOy+sc7Ww@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [63.157.6.18]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR1101MB1095; 20:Lzxtg0QIP1NDtnRLywmtSPlIn4v9ODxZCZgxK5Sf7SfAIOgJwVVbMfU/NayVCS9LlTEhbFS7P82tArktCxOlcUiIPSyu4i18p1qYKjOEbxLWi6F1hYVJrdS7/sAafRDLFlgLi8qTHUhgf6pCH5ULvgxdnGqVoozIqguJ1LGbmIc=
x-ms-office365-filtering-correlation-id: 79a1a94e-e449-4b0a-0b30-08d4d917c1a4
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(2017082002075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY2PR1101MB1095;
x-ms-traffictypediagnostic: BY2PR1101MB1095:
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(6911010853514)(225473673943800);
x-microsoft-antispam-prvs: <BY2PR1101MB1095F4CE4A8B31761DAA67B7CEB30@BY2PR1101MB1095.namprd11.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(100000703101)(100105400095)(93006095)(93001095)(6041248)(20161123564025)(20161123558100)(20161123562025)(20161123560025)(20161123555025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(2016111802025)(6072148)(6043046)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR1101MB1095; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR1101MB1095;
x-forefront-prvs: 0386B406AA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39400400002)(39410400002)(39840400002)(39450400003)(189002)(199003)(377454003)(24454002)(99286003)(68736007)(54356999)(66066001)(6436002)(106356001)(733005)(86362001)(478600001)(105586002)(6246003)(33656002)(189998001)(110136004)(6916009)(53546010)(2950100002)(6116002)(101416001)(102836003)(38730400002)(3846002)(6486002)(81156014)(82746002)(81166006)(76176999)(39060400002)(77096006)(15650500001)(6506006)(93886004)(2906002)(3280700002)(1411001)(3660700001)(8676002)(517774005)(229853002)(5660300001)(53936002)(14454004)(236005)(97736004)(25786009)(2900100001)(50986999)(4326008)(7736002)(83716003)(6512007)(54896002)(6306002)(36756003)(54906002)(8936002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR1101MB1095; H:BY2PR1101MB1093.namprd11.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
MIME-Version: 1.0
X-OriginatorOrg: primarydata.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Aug 2017 19:59:02.1373 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 03193ed6-8726-4bb3-a832-18ab0d28adb7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR1101MB1095
X-MC-Unique: uMQRIeSRPruoOgglM4NaaA-1
Content-Type: multipart/alternative; boundary="_000_37BF354DCF564A1CB3918565F0E38E72primarydatacom_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/rkk8yreYkPoULLq1sxfEl8I8MSQ>
Subject: Re: [nfsv4] New wording of Security Section for Flex Files
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 19:59:11 -0000

On Aug 1, 2017, at 11:29 AM, David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com>> wrote:

> Is stating that an out-of-band scheme
> is used satisfies the "MUST" of semantics for managing security?

Probably not, but the "MUST" can always be changed to a "SHOULD" :-)

The problem is deeper here.   The job of a standards-track document that defines a protocol or layout type is to clearly tell the implementer what must be done to implement the protool or layout type.  Despite the possble issues with the specificity of any of these three possible alternatives, the big problem is the fact that there is more than one.  If the client and  MDS do not pick the same one, or they do and that one is not fully specfied, they will not nteroperate.  If that is the case, then the document is not ready[https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif].

I think the treatment of security with tight coupling is sufficiently clear to implement from and has been for a while.  With regard to security for loose coupluing, what you have is essentially a promise to provide a specfication at some later date.  I don't think the IESG is going to be OK with that.

You have focusing on it being plausible in the sense of convincing people that this can be done
(i.e. that a definition along these lines can be produced) which it can, but I think the IESG is going to want you to show them that it has been done (i.e. that the definiton has been arrived at), and you are a ways away from being there.


The problem isn’t that we are pushing off a specification to a later date, but rather that the security is implementation specific. The client and MDS are forced to pick the same one.

Section 1.7.1 RFC 5661 is quite clear that:

   As with previous versions of NFS, the External Data Representation
   (XDR) and Remote Procedure Call (RPC) mechanisms used for the NFSv4.1
   protocol are those defined in [2] and [3].  To meet end-to-end
   security requirements, the RPCSEC_GSS framework [4] is used to extend
   the basic RPC security.  With the use of RPCSEC_GSS, various
   mechanisms can be provided to offer authentication, integrity, and
   privacy to the NFSv4 protocol.  Kerberos V5 is used as described in
   [5] to provide one security framework.  With the use of RPCSEC_GSS,
   other mechanisms may also be specified and used for NFSv4.1 security.

Note that nothing is stated as to how the TGT are constructed, so Ben’s approach:

Semi-relatedly, I forget exactly how much trust/coupling there is supposed
to be between the data and metadata servers/operators in this scheme.
In particular, if the metadata server is sufficiently trusted that it can
have a copy of the data server's kerberos credentials (the nfs/ keytab),
then there is quite a lot of flexibility, since the metadata server can
literally construct an arbitrary ticket and encrypt it to "itself" (i.e.,
the data server's keytab).  But I don't know whether it's appropriate
to mention this example in the document or not.

meets the requirements of RFC 5661 and the loosely coupled model. The details
of how the mds gets the storage device’s keytab are up to the implementation
(just as how the storage device gets the keytab in the first place).


We could wait until the first implementation and then make that a standard, but I
don’t like that approach.

v2.23.0 | Report a Bug | By Email