Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
Rick Macklem <rmacklem@uoguelph.ca> Wed, 29 December 2021 04:32 UTC
Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D06823A0CCF for <nfsv4@ietfa.amsl.com>; Tue, 28 Dec 2021 20:32:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uoguelph.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Be5c-2epYkA6 for <nfsv4@ietfa.amsl.com>; Tue, 28 Dec 2021 20:32:17 -0800 (PST)
Received: from CAN01-QB1-obe.outbound.protection.outlook.com (mail-qb1can01on061e.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe5c::61e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31C2B3A0CCE for <nfsv4@ietf.org>; Tue, 28 Dec 2021 20:32:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IIb1rbktMd1kBupG8eCWQ/89Lb5kfHIY/mmsrx0TyhU2gDkTHi7wlyxk0Pun1y3UApQkTdHooXOOAdJ0HhAl4Rir2j5n5dFZN8egnBaxQ3rugeWPAsKV030+CGoo+8g/rkcOAA9Mpu63ayBHeapDTQhq9eeC5Gf9Cz6D3Ejw2XaNnkv/zX1OrqHf59uCy/xZnoVk170dmRrye833V3fbhAg/YMfxbA/rZ98LrW0yB1dMAAyLXwVrZlfEDUB/ra/K2JB4Ho0xJbC+7MgDWycxIHCTNxRGsLNS8Nod08UBQkut9Q4Bmtsd307Sc+NtYuvEMQeG22ZiBzBqWWte6HhG8A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5BHsvAFYYwNm9RmtQMhOA7xJF5lDbzBOi9AyBRD1nXY=; b=CeqOgQQnHkfwctkPUoOTT4IaXcE+hCEifTEYHvmya0vbXOi8A9Rl8j2VMg72r7lvkkuXp9rQ8F2dH7umlzwO3GsKosV/X7cuqA+8hXVsWzMiGZN7Kvwnqjds0kEWoaT5QKikWHaT6E3Awoq+uO7VZlhtO1P8YWNfVCTFu7NQfGsV6fA8XI5AjNbtg8vBJ+W5uKHYtRrtBZGY+LgreZ+KYabuS4s6TluX+IdOpVJ/01DlQaraYDfxsDSKCMlWRuJfCR+MgkNdyn0+cri7+a23+tJ/KdFxKFLwBbZtZMdPcZihZ5RJ1wfpxIkhVP05HVz9qUuyM7Y2yz/GIPMWhMrztg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uoguelph.ca; dmarc=pass action=none header.from=uoguelph.ca; dkim=pass header.d=uoguelph.ca; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uoguelph.ca; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5BHsvAFYYwNm9RmtQMhOA7xJF5lDbzBOi9AyBRD1nXY=; b=dOAuYoIpVE0uP1ldXecom45tVgR8u+/QQeUlh0leRWEIE50nd6cIaZ1va0JGOiU8zzk3BBaleiktmJjSRfQJ0b8MQxLf4gu+Xnmtww0NifgSL+rWO2THvbdk1RcJER4P5rz270S5ehSGQvVSSIAccWcYGmTnt6mTCciK8JuIms1lj4Ha5s2W2WYYyPaGOqU0XLkM0W2SkSbZjk02u6P8icY0A9dCy4pXuGflhMu7TxAtzB/7DDtCGCXACBY1CBCiWgWvdj7j7nGKPiULWvoWpqoZheQgY2HswEeh5wvpYINn8PkNKg9hRSldCB00eRZ0KTlS0daP/lfy9si/tgBE/Q==
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:19::29) by YQBPR0101MB6489.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c01:48::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4823.19; Wed, 29 Dec 2021 04:32:10 +0000
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::50bf:ecf6:9d13:fd03]) by YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::50bf:ecf6:9d13:fd03%4]) with mapi id 15.20.4823.023; Wed, 29 Dec 2021 04:32:10 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: David Noveck <davenoveck@gmail.com>
CC: NFSv4 <nfsv4@ietf.org>
Thread-Topic: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
Thread-Index: AQHX+M0Zr/DOM25hTke40cIHszU7L6xCR9G8gAAn2JeAAeFnAIAAqW1pgAK93wCAASksyw==
Date: Wed, 29 Dec 2021 04:32:10 +0000
Message-ID: <YQXPR0101MB096891D69ED7E94A526223A0DD449@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <164035267965.25968.10921853654415505678@ietfa.amsl.com> <CADaq8jcXitpCCA+y3u6dYxGM95rfX6UtuZTm27g=Ht6=8x3+Qw@mail.gmail.com> <YQXPR0101MB096858749741A1191DE75279DD7F9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YTOPR0101MB09702834BC7C51CE9146389EDD409@YTOPR0101MB0970.CANPRD01.PROD.OUTLOOK.COM> <CADaq8jc44Ua9CABd3tznCgqv4du6thfo7RAGmn_nA_jjQ-boDw@mail.gmail.com> <YQXPR0101MB09681E0D9ADE96C7C9A493DDDD419@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <CADaq8jcy4kE3+JQ2FBvWqDVZv+e+e21tWBgcJ8EywfnNWLrh4w@mail.gmail.com>
In-Reply-To: <CADaq8jcy4kE3+JQ2FBvWqDVZv+e+e21tWBgcJ8EywfnNWLrh4w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
suggested_attachment_session_id: bbda1716-7d49-5618-04fc-2e917997f67b
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=uoguelph.ca;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8409c6c1-7208-4300-d431-08d9ca842df6
x-ms-traffictypediagnostic: YQBPR0101MB6489:EE_
x-microsoft-antispam-prvs: <YQBPR0101MB648964B5750EB5FD5B751A7ADD449@YQBPR0101MB6489.CANPRD01.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:93;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 8Y3GgNBw527wLtklxR2u42CqDdFoyMUovCqu4FmchmlvJfTfHe92wn++kchMO1hzxdK2xS4Sl/S7cqqnQkmrVnKDEPPkvuXwEhSzJYCxGDuMuf+zJ6GqxDOdm0BzT8Xusv2kILhmdoB81hLWVjTkjFWcNijlt3QhGlgFXSHaLv9k1hRQ9bltpWcU2xYFTpl9YwnDECP6NJvVNEUARWYWqN4U+wag06ojaO0AxgngwHfBWQwPM6a4HCwCJOAvPQJQfe2wJ8PWI4oo4BDm4CDWaT7UNNh8nTex06bmiSIEWJL5NRXmjYfrcZbzTgTRLkrH6ygxzIPZd3NMgs51fhqlT9aS3IeN7RXbLTVrScAScPc6khHWSI9j7zfMApb7hUs2zHeq0ptm1Njbh0RzIEE30WLzdqiSkbXKgdDcRvQbjkIT8/+VcTwSU8XvyTHBqA1CzPhBMVRbd53u8FpC7yZmUpWlDUTQAUaEAih3arn3HtXTVivX5Iacnay+flhoAarUw8AjdiUKjH/22+WThM8gCT1lp+bbZRcGhDlojZ1RU/XEW+GF+6dLD8w0gMOD+JgDhntm8Sf17VOR2gzP5/1V473HRNCuEJuuV5xRdmHhimu6auA8Gb+b2KWlDerRXrbIhnz4lha3skVVQrmXTTYSl67jgKVizfodUpijH5S/w1KMFuh0R3Xzp/zfxiG2oqYXInVN38knvqbklJnXMHjQWOnyPWT6PfXcxjCtSZ5apb8IiAYZIPL9uECC6uAeZcCs22KIOsHYfBpkKFRF2iMwAk4edFbBhs13VuTwbUQxMAwcD6Y8PIVa3299OM3a/PJI
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(122000001)(66556008)(38100700002)(55016003)(6916009)(53546011)(6506007)(9686003)(786003)(316002)(5660300002)(508600001)(15650500001)(966005)(91956017)(66946007)(52536014)(66476007)(64756008)(66446008)(7696005)(4001150100001)(76116006)(4326008)(8936002)(83380400001)(8676002)(71200400001)(38070700005)(2906002)(33656002)(186003)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: VC6Cz/XMZDlooLtOxBYlIqun+hGUpAw2qgNWqHprYh64YRLvqOKPscZJ5yJU8aV7/8wFE3efNtmhP9bqpX95YlgoslLrsW0ahZvuG9hIStaMd/ht2mwvNVj3q6+LbQGIzfdtvZv1b/4PjIrliJ11ZmW8ttCRUvYYinGCJQaJ1SpnWXf847r0xHuL9psfhRWtLeOOkURqtHMYtouwGQ2CfQZH1Lk0gRobg4NiMECNZtyBFomoRN0S5lx00p5S4bqFYvlFAangtoRQ/J5A6uWauT5BlsuYGbxHsUixm2wesNFakohKO9IyoMhokDkg8Vp1QaPpSQ/EgAWRGD1F/07/hiae10vVAiC+bN1CmUeRvmxy0VvMmloTT+3yVeGRnV20G9WXUXroqVng0OTkF0wT7cEciLeiUP7SYL9m+fqXQkTkP+UBZkWSoEzZAZ8XfqLIsc3U5C0u4hxm97CPwyCLF8uumcr6adfofzfmCBDkEYzy8v5FQGGrggcHP6iPhCkn2gMpC6ggmg6HeM7jCXFUiGo1exCVOU8UuW8qzuUi7oLR9N4zPD7BUjz9L6oDlLFy7K3PgLv0QIWcHVScLgMmXz6mnY3sbi+wF1uTPcFJrIjiUaT6JGcXcVk3UlyWpGfL95+gM1LdUrII5QhlWg3SGh48O3QUjYWva7+EW6EulwPR46WKVAUaPHAKYR4Y7Y+C/ZMydoZATq9FCb/B+296MKbY7Og7Ss2RUAYZKXVqdkQOhMUwAKOUx7DnvTk3/pozzwItwA6dbLeWi2rdzoyTpkXJhJeHzcr64VmSCx5hczV76eBEn9wL/hmqafQZ/YL4Nx9LuNSkTSe7Z+bPBMN/DPWqWtneUEsrNv3NkKWg25QXiQY4ljmFez+6YH3rk95ckuVdrppWMczTfwTpK/nMgDJdJj89Eo85QLdWBZMxOgXO5WXZJxQwjTx/yISUA75oTMf9695RrjdyvnsdODjmFS5m80siX9oH9ckixIZ11gOH0fvpgRMLeV7jbwm3QJXEHZBVNNmSkeVYO4ppWCNblqIuCXaAlx0bPL1gEdRFDFalms6Smee1iATuqIccBg8TLzYXSflidlT8QHsxj4vA5H52tqIYxdara2pGksoyzogbrbLLv8iJOCKDuzZ/sOSh1TN43vf9+m5XWPyBmkPhIqXjvdffilcyrj5BhvAlUXOnbu8lEifW9327vwzdu60jb8vOsfcAU3IbENwZLnSEUW1jlsfidPx9PASwbUGTkZyAXgLX3pQmQ54BGuHyXRV5VyaBK5PEL/jHKrEWLR7WZ5/YQ6p8IXxr6njOAREfHSbWo3huYAfCCSGQIRoumljR/LVUnrohzVJbczhF4/2tVdSIoZEri/xuVC1+HVOjS4DoS5ImCVZGGAOW6Au2Qpt0wv8cQqR6wc5fGKUTA02QcNQLRUnKrfTSooXVXVR6BJgLHiV2GWPQk7xHuZwsVcYDSuGhftxjwSDwPbdrqBhANGg/40Zc2oIZ2xCBS9hzeku+FYWPmeHy50tQyJz/soMHlkpSYwEpumw7rCA6RCsAxN5s6ViH+Cvh1HOguL9fQgDCLOB2zL3uGvNH8roZyTh9COK7WqzZY5YJhnW7WkiL9UAaYzH0Kv8rorDcaowy+hTKIUFAY69QcOaNprU90sQP5AHYdCuOCeB9U2Gv6k2q1A==
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 8409c6c1-7208-4300-d431-08d9ca842df6
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Dec 2021 04:32:10.4499 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bjoyQhMEZY+gFybViqROf5PXjeUsYPwZ05XVZqXWdnPJyYqjB5gFrjymcQe0bsJ+6WbocR8j2+0hm6JJeHF7Fg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YQBPR0101MB6489
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/sN7DGnvTG8USGzsbijZ9_sZBLao>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Dec 2021 04:32:22 -0000
David Noveck wrote: > On Sun, Dec 26, 2021, 11:45 AM Rick Macklem wrote: > > David Noveck wrote: > > > Rick Macklem wrote: > > > [stuff snipped] > > > > Does the Linux client expect "owner-override"? > > > >If no one familiar with the Linux client answers this, I'll run a test on a Linux > > > > mount. > > > I ran the following little test program. It ran fine on local file systems and on > > > an NFSv4 mount for both the FreeBSD and Linux-5.15.1 clients, if > > > "owner-override" was applied to Read/Write. > > > > > Is there documentation for this option? I have googled for these words several > > > times and come up empty. We need a clear definition of these semantics to > > > resolve this issue in -05 and that documentation might be helpful. If it isn't, > > > could you point me to code, preferably in bsd, implementing that option. > > Well, I'm not sure if/when the term "owner-override" cropped up, but here is > >a description of it from RFC 1813 pg. 98: > > Thanks. This is helpful. > > Another problem arises due to the usually stateful open > > operation. Most operating systems check permission at open > > time, and then check that the file is open on each read and > > write request. With stateless servers, the server cannot > > detect that the file is open and must do permission checking > > on each read and write call. UNIX client semantics of access > > permission checking on open can be provided with the ACCESS > > procedure call in this revision, which allows a client to > > explicitly check access permissions without resorting to > > trying the operation. On a local file system, a user can open > > a file and then change the permissions so that no one is > > allowed to touch it, but will still be able to write to the > > file because it is open. On a remote file system, by > > contrast, the write would fail. To get around this problem, > > the server's permission checking algorithm should allow the > > owner of a file to access it regardless of the permission > > setting. This is needed in a practical NFS version 3 protocol > > server implementation, but it does depart from correct local > > file system semantics. This should not affect the return > > result of access permissions as returned by the ACCESS. > > > > See the 3rd sentence from the end. > > > > As far as I know, servers implement the same thing for Read/Write > > for NFSv4. > > From your description and the testing you have done, it seems there is a > significant difference in that this special handling of the owner permissions only > applies to an open file in v4. Is there a v4 server that does this v3-like thing even > for files that are not open? The FreeBSD server does. It does the "owner-override" for Read/Write using special stateids (which is what I assume you mean by "not open"?). It only uses the stateid to check for a conflicting Open_Share_Deny. (For special stateids, any Open_Share_Deny for the type of I/O would be considered conflicting. > > (FreeBSD does it for Read as well as Write, although the > > above only refers to Write.) > > I don't have a problem with that as long as: > - it is limited to open files I can see an argument for not doing "owner-override" for special stateids. The counter argument would be along the lines of "nothing in the RFCs says that it cannot be done for special stateids and defining that in this draft changes the protocol. To be honest, I am not aware of any extant clients that do Read/Write with special stateids at this time. > - It does not apply to the execute bit Not sure why execute would be handled differently that Read? > > For NFSv4 over encryption with client peer authentication, I think you > > can argue the following: > > > Although I don't want to get into arguing in a standards-track document, > I think you have the essence of the matter right. > > Since v4 is stateful protocol, and now has reasonable security, we can reasonably > allow the server to rely on permission checking on open, if it chooses. Doing this > only for the owner would also be covered. > > > - Since the client can be trusted. > > and > > - Encryption subverts "man in the middle attacks" and the ability to > > "sniff to acquire valid stateids". > > that an appropriate Open/Lock/Delegation stateid is sufficient to > > permission check the Read/Write and, as such, checking of mode/ACL > > is not required. > > > > --> Appropriate stateid would refer to a current one issued to that client > > where either the Open associated with the Open/Lock stateid includes > > the needed OPEN_SHARE_ACCESS or the Delegation is of the correct > > type (READ_DELEGATION or WRITE_DELEGATION). > > I will do something similar in -05. > > > The above *might* be preferred to "owner-override" for Read/Write > > operations? > > > > rick > > ps: I am not sure if any NFSv4 server uses the stateid in Read/Write in > > the way described above. At this time, FreeBSD only uses these > > stateids to check for conflicting Open/shares (byte range locks are > > always advisory). This was simply meant to say "I do not know if any extant server does what I argued could be reasonable, above. > > > > If that's the case, then, for v4, the it and uw bits would be ignored and your test > > program would behave the same if you closed it and re-opened it before the > > write. Not sure what you mean? The permission checking would not change for Opens. If done locally on the client, due to a delegation being issued, an Access operation would be used. > Of that's the case, let me know so that I can address that issue for -05. rick If "owner-override" is turned off on the server, it fails for both the FreeBSD and Linux-5.15.1 client NFSv4 mounts. (The write(2) fails for FreeBSD and the close(2) fails for Linux, but that's ok. Unless there is an fsync(2), flushing writes to the server can be delayed until close(2). Both had empty files after the failure.) #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <errno.h> #include <sys/param.h> #include <sys/types.h> #include <sys/stat.h> #include <err.h> #include <unistd.h> char buf[1024 * 1024]; int main(int argc, char *argv[]) { int fd, i; fd = open(argv[1], O_CREAT | O_RDWR, 0666); if (fd < 0) err(1, "cannot open %s", argv[1]); if (fchmod(fd, 0) < 0) err(1, "cannot chmod %s", argv[1]); for (i = 0; i < 10; i++) if (write(fd, buf, sizeof(buf)) != sizeof(buf)) err(1, "cannot write"); if (lseek(fd, SEEK_SET, 0) < 0) err(1, "cannot seek"); for (i = 0; i < 10; i++) if (read(fd, buf, sizeof(buf)) != sizeof(buf)) err(1, "cannot read"); if (close(fd) < 0) err(1, "cannot close"); } I do not have access to a Solaris or Mac OSX client to test, rick ________________________________________ From: nfsv4 <nfsv4-bounces@ietf.org<mailto:nfsv4-bounces@ietf.org><mailto:nfsv4-bounces@ietf.org<mailto:nfsv4-bounces@ietf.org>>> on behalf of David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com><mailto:davenoveck@gmail.com<mailto:davenoveck@gmail.com>>> Sent: Friday, December 24, 2021 8:49 AM To: NFSv4; nfsv4-chairs; nfsv4-ads@ietf.org<mailto:nfsv4-ads@ietf.org><mailto:nfsv4-ads@ietf.org<mailto:nfsv4-ads@ietf.org>> Subject: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca<mailto:IThelp@uoguelph.ca><mailto:IThelp@uoguelph.ca<mailto:IThelp@uoguelph.ca>> I've just posted security-04. Thanks to Rick Macklem and Chuck Lever who made important suggestions that I hope are correctly addressed in this version. An rfcdiff with -03 is not small but it is helpful to see what has changed. As previously discussed, I am proposing that the working group adopt this draft as a working group document. I expect Brian and Zahed to set the timeline for that discussion. Please let me know about your suggestions for -05. ---------- Forwarded message --------- From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org><mailto:internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>><mailto:internet-drafts@ietf.org<mailto:internet-drafts@ietf.org><mailto:internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>>> Date: Fri, Dec 24, 2021 at 8:31 AM Subject: New Version Notification for draft-dnoveck-nfsv4-security-04.txt To: David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com><mailto:davenoveck@gmail.com<mailto:davenoveck@gmail.com>><mailto:davenoveck@gmail.com<mailto:davenoveck@gmail.com><mailto:davenoveck@gmail.com<mailto:davenoveck@gmail.com>>>> A new version of I-D, draft-dnoveck-nfsv4-security-04.txt has been successfully submitted by David Noveck and posted to the IETF repository. Name: draft-dnoveck-nfsv4-security Revision: 04 Title: Security for the NFSv4 Protocols Document date: 2021-12-24 Group: Individual Submission Pages: 129 URL: https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-04.txt Status: https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/ Html: https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-04.html Htmlized: https://datatracker.ietf.org/doc/html/draft-dnoveck-nfsv4-security Diff: https://www.ietf.org/rfcdiff?url2=draft-dnoveck-nfsv4-security-04 Abstract: This document describes the core security features of the NFSv4 family of protocols, applying to all minor versions. The discussion includes the use of security features provided by RPC on a per- connection basis. This preliminary version of the document, is intended, in large part, to result in working group discussion regarding existing NFSv4 security issues and to provide a framework for addressing these issues and obtaining working group consensus regarding necessary changes. When a successor document is eventually published as an RFC, it will supersede the description of security appearing in existing minor version specification documents such as RFC 7530 and RFC 8881. The IETF Secretariat _______________________________________________ nfsv4 mailing list nfsv4@ietf.org<mailto:nfsv4@ietf.org><mailto:nfsv4@ietf.org<mailto:nfsv4@ietf.org>> https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Fwd: New Version Notification for draft-d… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] New Version Notification for draft-dn… Brian Pawlowski
- Re: [nfsv4] New Version Notification for draft-dn… Chuck Lever III
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… J. Bruce Fields
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever III
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Trond Myklebust