IETF Logo Mail Archive

Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

Chuck Lever <chuck.lever@oracle.com> Thu, 09 April 2020 21:02 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B35E3A0E82 for <nfsv4@ietfa.amsl.com>; Thu, 9 Apr 2020 14:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Level:
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.168, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mk0S0FEU1ARS for <nfsv4@ietfa.amsl.com>; Thu, 9 Apr 2020 14:02:10 -0700 (PDT)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82B853A0E7E for <nfsv4@ietf.org>; Thu, 9 Apr 2020 14:02:10 -0700 (PDT)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 039Ks51b078917; Thu, 9 Apr 2020 21:02:08 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=h2yz1f3mDAiaJq0PkGfjWg8NN6MjXFx6LsvYsY+NbYk=; b=e1p9quNptxn4D1a62iIGpLz/T+mo8eOunAcQk5kX3J0XslGHQL4rZfDyqL1h+50Jc13S 0Y4ehpGOKhQzFVdxPFMN49Mp9pa6UpSYFSlJ4ZwlnoveajDGd6uiaU/hNYQJg5dp9LpT zGWPng6tJje7aMDz5KyeG8Uj5Y/P5T7WJYCnJsK+tErNWWnQ4hMltYJ+mjbaW7HVt3N0 11MzYz1LddK9zNS0yrBEwA7Fbpxwysqz/i+Bta0V0F5yuWD+BS4SjpXH1DSZPOMnacVD tXZOS5yAzFscHOQMtjXvSqLCtFJqXDl9DyG9sCNGzprFTDu9aCCwAgyMssOHkP111nYR WQ==
Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by aserp2120.oracle.com with ESMTP id 3091m13tff-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 09 Apr 2020 21:02:08 +0000
Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 039Kucvn193672; Thu, 9 Apr 2020 21:02:08 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userp3020.oracle.com with ESMTP id 309gdctnq1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 09 Apr 2020 21:02:07 +0000
Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 039L27pk031894; Thu, 9 Apr 2020 21:02:07 GMT
Received: from anon-dhcp-153.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 09 Apr 2020 14:02:07 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CADaq8jciLWhL_FMmPcsdrVVS=9Gee8SYAsqi36H5v9iuNo7Pgw@mail.gmail.com>
Date: Thu, 09 Apr 2020 17:02:05 -0400
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E414F060-532B-4017-AC7E-5869884B2153@oracle.com>
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <FA2D661E-A787-4772-8F9D-A7594AE82F38@oracle.com> <CADaq8jciLWhL_FMmPcsdrVVS=9Gee8SYAsqi36H5v9iuNo7Pgw@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9586 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 malwarescore=0 adultscore=0 mlxscore=0 spamscore=0 bulkscore=0 phishscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004090147
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9586 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 mlxlogscore=999 mlxscore=0 priorityscore=1501 phishscore=0 suspectscore=0 bulkscore=0 lowpriorityscore=0 impostorscore=0 malwarescore=0 clxscore=1015 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2004090147
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/rtmJeMSMsTpRbOBUQQJviL9fYb0>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2020 21:02:12 -0000


> On Apr 9, 2020, at 4:53 PM, David Noveck <davenoveck@gmail.com> wrote:
> 
> >Therefore with RPC-on-TLS we do not allow multiple RPC programs to share
> > a TLS session. And we do not allow multiple RPC-on-TLS sessions per TCP
> > connection.
> 
> That was my impression reading the document.  However, as you point out, the
> document never clearly atated that. 
> 
> > For DTLS, the STARTTLS probe has to be done for each RPC program on each
> > server. Only that one RPC program can use the established DTLS session.
> 
> OK with me.
> 
> > This means RPC-on-TLS robs us of some TCP connection sharing opportunities.
> 
> I'm unaware of any actual use of these opportunities, in the absence of RPC-TLS .  If there
> is little use of these, than the deprivation of sharing opportunities is purely formal.

The particular use case is that both the Linux and Solaris NFSv3
implementations use the same connection for NFS and NFSACL traffic,
which are two distinct RPC programs.

It's an ongoing concern for NFS clients that use privileged source
ports to conserve the number of connections they make to a
particular server.

Not a problem for NFSv4, or NFS with Kerberos which can use an
ephemeral source port without any consequences. We could probably
even stipulate in an NFS-on-TLS or NFS security document that an
NFS server should not require a privileged source port, but that's
a rat hole.


> > Is there consensus on this, or should these design points be revisited? 
> 
> I'd prefer not but we need to give working group members who feel differently, the
> opportunity to raise their concerns.

+1


> if there is no objection, why don't you include
> explicit langusge about your non-sharing model in the next revision and the
> working group discssion of the chamges in that document will serve as the basis
> for determining whether we have a continued onsensus on those point.    

Excellent suggestion, I will do that.


> On Thu, Apr 9, 2020 at 3:28 PM Chuck Lever <chuck.lever@oracle.com> wrote:
> 
> > On Apr 1, 2020, at 4:27 AM, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:
> > 
> > 8. Section 5.1.2:
> >  
> >    As soon as a client
> >    initializes a socket for use with an unfamiliar server, it uses the
> >    mechanism described in Section 4.1 to discover DTLS support and then
> >    negotiate a DTLS session.
> >  
> > So first of all is the usage of TLS for TCP completely separate from using DTLS over UDP? So having determined TLS support for TCP does not indicate the same for UDP? And is it in any cases possible to skip the initial RPC null request with AUTH_TLS authentication and go directly to negotiate TLS after support has been determined with a server? 
> 
> There seems to be a high-order bit here that rpc-tls does not currently
> address. Leaving it unaddressed could introduce significant
> interoperability issues.
> 
> Our new STARTTLS RPC NULL probe carries an RPC program. Does a successful
> probe mean that the RPC server supports TLS for every RPC program on that
> that host? on that port? Or just for the program used in the probe? I think
> it means TLS can be used only with the RPC program used in that probe,
> and only for the lifetime of that connection. (ie each connection has to
> do the probe).
> 
> Since the STARTTLS RPC NULL probe is always done in clear-text, that means
> a second probe cannot be done once a TLS session has been established on
> a connection. (A separate connection must be established to initiate a
> second TLS session).
> 
> Therefore with RPC-on-TLS we do not allow multiple RPC programs to share
> a TLS session. And we do not allow multiple RPC-on-TLS sessions per TCP
> connection.
> 
> For DTLS, the STARTTLS probe has to be done for each RPC program on each
> server. Only that one RPC program can use the established DTLS session.
> 
> 
> This means RPC-on-TLS robs us of some TCP connection sharing opportunities.
> Is there consensus on this, or should these design points be revisited?
> 
> 
> --
> Chuck Lever
> 
> 
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

--
Chuck Lever

v2.23.0 | Report a Bug | By Email