IETF Logo Mail Archive

Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt

Rick Macklem <rmacklem@uoguelph.ca> Wed, 29 December 2021 04:32 UTC

Return-Path: <rmacklem@uoguelph.ca>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D06823A0CCF for <nfsv4@ietfa.amsl.com>; Tue, 28 Dec 2021 20:32:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uoguelph.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Be5c-2epYkA6 for <nfsv4@ietfa.amsl.com>; Tue, 28 Dec 2021 20:32:17 -0800 (PST)
Received: from CAN01-QB1-obe.outbound.protection.outlook.com (mail-qb1can01on061e.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe5c::61e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31C2B3A0CCE for <nfsv4@ietf.org>; Tue, 28 Dec 2021 20:32:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IIb1rbktMd1kBupG8eCWQ/89Lb5kfHIY/mmsrx0TyhU2gDkTHi7wlyxk0Pun1y3UApQkTdHooXOOAdJ0HhAl4Rir2j5n5dFZN8egnBaxQ3rugeWPAsKV030+CGoo+8g/rkcOAA9Mpu63ayBHeapDTQhq9eeC5Gf9Cz6D3Ejw2XaNnkv/zX1OrqHf59uCy/xZnoVk170dmRrye833V3fbhAg/YMfxbA/rZ98LrW0yB1dMAAyLXwVrZlfEDUB/ra/K2JB4Ho0xJbC+7MgDWycxIHCTNxRGsLNS8Nod08UBQkut9Q4Bmtsd307Sc+NtYuvEMQeG22ZiBzBqWWte6HhG8A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5BHsvAFYYwNm9RmtQMhOA7xJF5lDbzBOi9AyBRD1nXY=; b=CeqOgQQnHkfwctkPUoOTT4IaXcE+hCEifTEYHvmya0vbXOi8A9Rl8j2VMg72r7lvkkuXp9rQ8F2dH7umlzwO3GsKosV/X7cuqA+8hXVsWzMiGZN7Kvwnqjds0kEWoaT5QKikWHaT6E3Awoq+uO7VZlhtO1P8YWNfVCTFu7NQfGsV6fA8XI5AjNbtg8vBJ+W5uKHYtRrtBZGY+LgreZ+KYabuS4s6TluX+IdOpVJ/01DlQaraYDfxsDSKCMlWRuJfCR+MgkNdyn0+cri7+a23+tJ/KdFxKFLwBbZtZMdPcZihZ5RJ1wfpxIkhVP05HVz9qUuyM7Y2yz/GIPMWhMrztg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uoguelph.ca; dmarc=pass action=none header.from=uoguelph.ca; dkim=pass header.d=uoguelph.ca; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uoguelph.ca; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5BHsvAFYYwNm9RmtQMhOA7xJF5lDbzBOi9AyBRD1nXY=; b=dOAuYoIpVE0uP1ldXecom45tVgR8u+/QQeUlh0leRWEIE50nd6cIaZ1va0JGOiU8zzk3BBaleiktmJjSRfQJ0b8MQxLf4gu+Xnmtww0NifgSL+rWO2THvbdk1RcJER4P5rz270S5ehSGQvVSSIAccWcYGmTnt6mTCciK8JuIms1lj4Ha5s2W2WYYyPaGOqU0XLkM0W2SkSbZjk02u6P8icY0A9dCy4pXuGflhMu7TxAtzB/7DDtCGCXACBY1CBCiWgWvdj7j7nGKPiULWvoWpqoZheQgY2HswEeh5wvpYINn8PkNKg9hRSldCB00eRZ0KTlS0daP/lfy9si/tgBE/Q==
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00:19::29) by YQBPR0101MB6489.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c01:48::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4823.19; Wed, 29 Dec 2021 04:32:10 +0000
Received: from YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::50bf:ecf6:9d13:fd03]) by YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM ([fe80::50bf:ecf6:9d13:fd03%4]) with mapi id 15.20.4823.023; Wed, 29 Dec 2021 04:32:10 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: David Noveck <davenoveck@gmail.com>
CC: NFSv4 <nfsv4@ietf.org>
Thread-Topic: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
Thread-Index: AQHX+M0Zr/DOM25hTke40cIHszU7L6xCR9G8gAAn2JeAAeFnAIAAqW1pgAK93wCAASksyw==
Date: Wed, 29 Dec 2021 04:32:10 +0000
Message-ID: <YQXPR0101MB096891D69ED7E94A526223A0DD449@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <164035267965.25968.10921853654415505678@ietfa.amsl.com> <CADaq8jcXitpCCA+y3u6dYxGM95rfX6UtuZTm27g=Ht6=8x3+Qw@mail.gmail.com> <YQXPR0101MB096858749741A1191DE75279DD7F9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YTOPR0101MB09702834BC7C51CE9146389EDD409@YTOPR0101MB0970.CANPRD01.PROD.OUTLOOK.COM> <CADaq8jc44Ua9CABd3tznCgqv4du6thfo7RAGmn_nA_jjQ-boDw@mail.gmail.com> <YQXPR0101MB09681E0D9ADE96C7C9A493DDDD419@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <CADaq8jcy4kE3+JQ2FBvWqDVZv+e+e21tWBgcJ8EywfnNWLrh4w@mail.gmail.com>
In-Reply-To: <CADaq8jcy4kE3+JQ2FBvWqDVZv+e+e21tWBgcJ8EywfnNWLrh4w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
suggested_attachment_session_id: bbda1716-7d49-5618-04fc-2e917997f67b
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=uoguelph.ca;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8409c6c1-7208-4300-d431-08d9ca842df6
x-ms-traffictypediagnostic: YQBPR0101MB6489:EE_
x-microsoft-antispam-prvs: <YQBPR0101MB648964B5750EB5FD5B751A7ADD449@YQBPR0101MB6489.CANPRD01.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:93;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 8Y3GgNBw527wLtklxR2u42CqDdFoyMUovCqu4FmchmlvJfTfHe92wn++kchMO1hzxdK2xS4Sl/S7cqqnQkmrVnKDEPPkvuXwEhSzJYCxGDuMuf+zJ6GqxDOdm0BzT8Xusv2kILhmdoB81hLWVjTkjFWcNijlt3QhGlgFXSHaLv9k1hRQ9bltpWcU2xYFTpl9YwnDECP6NJvVNEUARWYWqN4U+wag06ojaO0AxgngwHfBWQwPM6a4HCwCJOAvPQJQfe2wJ8PWI4oo4BDm4CDWaT7UNNh8nTex06bmiSIEWJL5NRXmjYfrcZbzTgTRLkrH6ygxzIPZd3NMgs51fhqlT9aS3IeN7RXbLTVrScAScPc6khHWSI9j7zfMApb7hUs2zHeq0ptm1Njbh0RzIEE30WLzdqiSkbXKgdDcRvQbjkIT8/+VcTwSU8XvyTHBqA1CzPhBMVRbd53u8FpC7yZmUpWlDUTQAUaEAih3arn3HtXTVivX5Iacnay+flhoAarUw8AjdiUKjH/22+WThM8gCT1lp+bbZRcGhDlojZ1RU/XEW+GF+6dLD8w0gMOD+JgDhntm8Sf17VOR2gzP5/1V473HRNCuEJuuV5xRdmHhimu6auA8Gb+b2KWlDerRXrbIhnz4lha3skVVQrmXTTYSl67jgKVizfodUpijH5S/w1KMFuh0R3Xzp/zfxiG2oqYXInVN38knvqbklJnXMHjQWOnyPWT6PfXcxjCtSZ5apb8IiAYZIPL9uECC6uAeZcCs22KIOsHYfBpkKFRF2iMwAk4edFbBhs13VuTwbUQxMAwcD6Y8PIVa3299OM3a/PJI
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(122000001)(66556008)(38100700002)(55016003)(6916009)(53546011)(6506007)(9686003)(786003)(316002)(5660300002)(508600001)(15650500001)(966005)(91956017)(66946007)(52536014)(66476007)(64756008)(66446008)(7696005)(4001150100001)(76116006)(4326008)(8936002)(83380400001)(8676002)(71200400001)(38070700005)(2906002)(33656002)(186003)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: VC6Cz/XMZDlooLtOxBYlIqun+hGUpAw2qgNWqHprYh64YRLvqOKPscZJ5yJU8aV7/8wFE3efNtmhP9bqpX95YlgoslLrsW0ahZvuG9hIStaMd/ht2mwvNVj3q6+LbQGIzfdtvZv1b/4PjIrliJ11ZmW8ttCRUvYYinGCJQaJ1SpnWXf847r0xHuL9psfhRWtLeOOkURqtHMYtouwGQ2CfQZH1Lk0gRobg4NiMECNZtyBFomoRN0S5lx00p5S4bqFYvlFAangtoRQ/J5A6uWauT5BlsuYGbxHsUixm2wesNFakohKO9IyoMhokDkg8Vp1QaPpSQ/EgAWRGD1F/07/hiae10vVAiC+bN1CmUeRvmxy0VvMmloTT+3yVeGRnV20G9WXUXroqVng0OTkF0wT7cEciLeiUP7SYL9m+fqXQkTkP+UBZkWSoEzZAZ8XfqLIsc3U5C0u4hxm97CPwyCLF8uumcr6adfofzfmCBDkEYzy8v5FQGGrggcHP6iPhCkn2gMpC6ggmg6HeM7jCXFUiGo1exCVOU8UuW8qzuUi7oLR9N4zPD7BUjz9L6oDlLFy7K3PgLv0QIWcHVScLgMmXz6mnY3sbi+wF1uTPcFJrIjiUaT6JGcXcVk3UlyWpGfL95+gM1LdUrII5QhlWg3SGh48O3QUjYWva7+EW6EulwPR46WKVAUaPHAKYR4Y7Y+C/ZMydoZATq9FCb/B+296MKbY7Og7Ss2RUAYZKXVqdkQOhMUwAKOUx7DnvTk3/pozzwItwA6dbLeWi2rdzoyTpkXJhJeHzcr64VmSCx5hczV76eBEn9wL/hmqafQZ/YL4Nx9LuNSkTSe7Z+bPBMN/DPWqWtneUEsrNv3NkKWg25QXiQY4ljmFez+6YH3rk95ckuVdrppWMczTfwTpK/nMgDJdJj89Eo85QLdWBZMxOgXO5WXZJxQwjTx/yISUA75oTMf9695RrjdyvnsdODjmFS5m80siX9oH9ckixIZ11gOH0fvpgRMLeV7jbwm3QJXEHZBVNNmSkeVYO4ppWCNblqIuCXaAlx0bPL1gEdRFDFalms6Smee1iATuqIccBg8TLzYXSflidlT8QHsxj4vA5H52tqIYxdara2pGksoyzogbrbLLv8iJOCKDuzZ/sOSh1TN43vf9+m5XWPyBmkPhIqXjvdffilcyrj5BhvAlUXOnbu8lEifW9327vwzdu60jb8vOsfcAU3IbENwZLnSEUW1jlsfidPx9PASwbUGTkZyAXgLX3pQmQ54BGuHyXRV5VyaBK5PEL/jHKrEWLR7WZ5/YQ6p8IXxr6njOAREfHSbWo3huYAfCCSGQIRoumljR/LVUnrohzVJbczhF4/2tVdSIoZEri/xuVC1+HVOjS4DoS5ImCVZGGAOW6Au2Qpt0wv8cQqR6wc5fGKUTA02QcNQLRUnKrfTSooXVXVR6BJgLHiV2GWPQk7xHuZwsVcYDSuGhftxjwSDwPbdrqBhANGg/40Zc2oIZ2xCBS9hzeku+FYWPmeHy50tQyJz/soMHlkpSYwEpumw7rCA6RCsAxN5s6ViH+Cvh1HOguL9fQgDCLOB2zL3uGvNH8roZyTh9COK7WqzZY5YJhnW7WkiL9UAaYzH0Kv8rorDcaowy+hTKIUFAY69QcOaNprU90sQP5AHYdCuOCeB9U2Gv6k2q1A==
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 8409c6c1-7208-4300-d431-08d9ca842df6
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Dec 2021 04:32:10.4499 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bjoyQhMEZY+gFybViqROf5PXjeUsYPwZ05XVZqXWdnPJyYqjB5gFrjymcQe0bsJ+6WbocR8j2+0hm6JJeHF7Fg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YQBPR0101MB6489
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/sN7DGnvTG8USGzsbijZ9_sZBLao>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Dec 2021 04:32:22 -0000

David Noveck wrote:
> On Sun, Dec 26, 2021, 11:45 AM Rick Macklem wrote:
> > David Noveck wrote:
> > > Rick Macklem wrote:
> > > [stuff snipped]
> > > > Does the Linux client expect "owner-override"?
> > > >If no one familiar with the Linux client answers this, I'll run a test on a Linux
> > > > mount.
> > > I ran the following little test program. It ran fine on local file systems and on
> > > an NFSv4 mount for both the FreeBSD and Linux-5.15.1 clients, if
> > > "owner-override" was applied to Read/Write.
> >
> > > Is there documentation for this option?  I have googled for these words several
> > > times and come up empty.  We need a clear definition of these semantics to
> > > resolve this issue in -05 and that documentation might be helpful.   If it isn't,
> > > could you point me to code, preferably in bsd, implementing that option.
> > Well, I'm not sure if/when the term "owner-override" cropped up, but here is
> >a description of it from RFC 1813 pg. 98:
>
> Thanks.  This is helpful.

> >   Another problem arises due to the usually stateful open
> >   operation.  Most operating systems check permission at open
> >   time, and then check that the file is open on each read and
> >   write request. With stateless servers, the server cannot
> >   detect that the file is open and must do permission checking
> >   on each read and write call. UNIX client semantics of access
> >   permission checking on open can be provided with the ACCESS
> >   procedure call in this revision, which allows a client to
> >   explicitly check access permissions without resorting to
> >   trying the operation. On a local file system, a user can open
> >   a file and then change the permissions so that no one is
> >   allowed to touch it, but will still be able to write to the
> >   file because it is open. On a remote file system, by
> >   contrast, the write would fail. To get around this problem,
> >   the server's permission checking algorithm should allow the
> >   owner of a file to access it regardless of the permission
> >   setting. This is needed in a practical NFS version 3 protocol
> >   server implementation, but it does depart from correct local
> >   file system semantics. This should not affect the return
> >   result of access permissions as returned by the ACCESS.
> >
> > See the 3rd sentence from the end.
> >
> > As far as I know, servers implement the same thing for Read/Write
> > for NFSv4.
>
> From your description and the testing you have done, it seems there is a
> significant difference in that this special handling of the owner permissions only
> applies to an open file in v4.  Is there a v4 server that does this v3-like thing even
> for files that are not open?
The FreeBSD server does. It does the "owner-override" for Read/Write using
special stateids (which is what I assume you mean by "not open"?).
It only uses the stateid to check for a conflicting Open_Share_Deny. (For special
stateids, any Open_Share_Deny for the type of I/O would be considered
conflicting.

> > (FreeBSD does it for Read as well as Write, although the
> > above only refers to Write.)
>
> I don't have a problem with that as long as:
>  - it is limited to open files
I can see an argument for not doing "owner-override" for special stateids.
The counter argument would be along the lines of "nothing in the RFCs
says that it cannot be done for special stateids and defining that in this
draft changes the protocol.

To be honest, I am not aware of any extant clients that do Read/Write with
special stateids at this time.

> - It does not apply to the execute bit
Not sure why execute would be handled differently that Read?

> > For NFSv4 over encryption with client peer authentication, I think you
> > can argue the following:
> >
> Although I don't want to get into arguing in a standards-track document,
> I think you have the essence of the matter right.
>
> Since v4 is  stateful protocol, and now has reasonable security, we can reasonably
> allow the server to rely on permission checking on open, if it chooses.  Doing this
> only for the owner would also be covered.
>
> > - Since the client can be trusted.
> > and
> > - Encryption subverts "man in the middle attacks" and the ability to
> >   "sniff to acquire valid stateids".
> > that an appropriate Open/Lock/Delegation stateid is sufficient to
> > permission check the Read/Write and, as such, checking of mode/ACL
> > is not required.
> >
> > --> Appropriate stateid would refer to a current one issued to that client
> >      where either the Open associated with the Open/Lock stateid includes
> >       the needed OPEN_SHARE_ACCESS or the Delegation is of the correct
> >     type (READ_DELEGATION or WRITE_DELEGATION).
>
> I will do something similar in -05.
>
> > The above *might* be preferred to "owner-override" for Read/Write
> > operations?
> >
> > rick
> > ps: I am not sure if any NFSv4 server uses the stateid in Read/Write in
> >       the way described above.  At this time, FreeBSD only uses these
> >       stateids to check for conflicting Open/shares (byte range locks are
> >      always advisory).
This was simply meant to say "I do not know if any extant server does what
I argued could be reasonable, above.

> >
> > If that's the case, then, for v4, the it and uw bits would be ignored and your test
> > program would behave the same if you closed it and re-opened it before the
> > write.
Not sure what you mean? The permission checking would not change for Opens.
If done locally on the client, due to a delegation being issued, an Access operation
would be used.

> Of that's the case, let me know so that I can address that issue for -05.
rick




If "owner-override" is turned off on the server, it fails for both the FreeBSD
and Linux-5.15.1 client NFSv4 mounts. (The write(2) fails for FreeBSD and the
close(2) fails for Linux, but that's ok. Unless there is an fsync(2), flushing writes
to the server can be delayed until close(2). Both had empty files after the
failure.)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <unistd.h>

char buf[1024 * 1024];

int
main(int argc, char *argv[])
{
        int fd, i;

        fd = open(argv[1], O_CREAT | O_RDWR, 0666);
        if (fd < 0)
                err(1, "cannot open %s", argv[1]);
        if (fchmod(fd, 0) < 0)
                err(1, "cannot chmod %s", argv[1]);
        for (i = 0; i < 10; i++)
                if (write(fd, buf, sizeof(buf)) != sizeof(buf))
                        err(1, "cannot write");
        if (lseek(fd, SEEK_SET, 0) < 0)
                err(1, "cannot seek");
        for (i = 0; i < 10; i++)
                if (read(fd, buf, sizeof(buf)) != sizeof(buf))
                        err(1, "cannot read");
        if (close(fd) < 0)
                err(1, "cannot close");
}

I do not have access to a Solaris or Mac OSX client to test, rick

________________________________________
From: nfsv4 <nfsv4-bounces@ietf.org<mailto:nfsv4-bounces@ietf.org><mailto:nfsv4-bounces@ietf.org<mailto:nfsv4-bounces@ietf.org>>> on behalf of David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com><mailto:davenoveck@gmail.com<mailto:davenoveck@gmail.com>>>
Sent: Friday, December 24, 2021 8:49 AM
To: NFSv4; nfsv4-chairs; nfsv4-ads@ietf.org<mailto:nfsv4-ads@ietf.org><mailto:nfsv4-ads@ietf.org<mailto:nfsv4-ads@ietf.org>>
Subject: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca<mailto:IThelp@uoguelph.ca><mailto:IThelp@uoguelph.ca<mailto:IThelp@uoguelph.ca>>


I've just posted security-04.   Thanks to Rick Macklem and Chuck Lever who made important suggestions that I hope are correctly addressed in this version.  An rfcdiff with -03 is not small but it is helpful to see what has changed.

As previously discussed, I am proposing that the working group adopt this draft as a working group document.   I expect Brian and Zahed to set the timeline for that discussion.

Please let me know about your suggestions for -05.

---------- Forwarded message ---------
From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org><mailto:internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>><mailto:internet-drafts@ietf.org<mailto:internet-drafts@ietf.org><mailto:internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>>>
Date: Fri, Dec 24, 2021 at 8:31 AM
Subject: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
To: David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com><mailto:davenoveck@gmail.com<mailto:davenoveck@gmail.com>><mailto:davenoveck@gmail.com<mailto:davenoveck@gmail.com><mailto:davenoveck@gmail.com<mailto:davenoveck@gmail.com>>>>



A new version of I-D, draft-dnoveck-nfsv4-security-04.txt
has been successfully submitted by David Noveck and posted to the
IETF repository.

Name:           draft-dnoveck-nfsv4-security
Revision:       04
Title:          Security for the NFSv4 Protocols
Document date:  2021-12-24
Group:          Individual Submission
Pages:          129
URL:            https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-04.txt
Status:         https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/
Html:           https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-04.html
Htmlized:       https://datatracker.ietf.org/doc/html/draft-dnoveck-nfsv4-security
Diff:           https://www.ietf.org/rfcdiff?url2=draft-dnoveck-nfsv4-security-04

Abstract:
   This document describes the core security features of the NFSv4
   family of protocols, applying to all minor versions.  The discussion
   includes the use of security features provided by RPC on a per-
   connection basis.

   This preliminary version of the document, is intended, in large part,
   to result in working group discussion regarding existing NFSv4
   security issues and to provide a framework for addressing these
   issues and obtaining working group consensus regarding necessary
   changes.

   When a successor document is eventually published as an RFC, it will
   supersede the description of security appearing in existing minor
   version specification documents such as RFC 7530 and RFC 8881.




The IETF Secretariat


_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org<mailto:nfsv4@ietf.org><mailto:nfsv4@ietf.org<mailto:nfsv4@ietf.org>>
https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email