Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-measurement-02.txt
Chuck Lever <chucklever@gmail.com> Tue, 09 October 2018 15:24 UTC
Return-Path: <chucklever@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C83C713133D for <nfsv4@ietfa.amsl.com>; Tue, 9 Oct 2018 08:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w36OvIBGNCf2 for <nfsv4@ietfa.amsl.com>; Tue, 9 Oct 2018 08:24:20 -0700 (PDT)
Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com [IPv6:2607:f8b0:4864:20::d43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECF15131347 for <nfsv4@ietf.org>; Tue, 9 Oct 2018 08:24:16 -0700 (PDT)
Received: by mail-io1-xd43.google.com with SMTP id w16-v6so1457444iom.7 for <nfsv4@ietf.org>; Tue, 09 Oct 2018 08:24:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=2dDuk/t4Oge3dBMcb6YowZCT3oT3stlPtLmDLy+1OTM=; b=QzYovb2J5n2N6JncrjjSzn1ASOeTsAxNyM2r95C3Ea/VDtYHjGPhBYojOLlV7sVCLb 115AVOOQiIuXI94NcTdzz0oVUr4FBEygvMxdodHrWeMX1wYv4xHeeHYru+6t5Bi4z7CA o1OSKRzUbYVcJJbcu4tywgMNTqJo7uttWAz+Bav+Ot6wNHKbpTEADkAFewvsBWNKIFVA fsZS/xfRAu1T7XMOZOEE28vqfUvflYS3m+DzRIqxk5tL5hxDH7JvxpcC1HYl1W/Ch2rY bA9A1D5tNgOB5lu3aexaMj2tuOBnt0llzTmdFrbczELX1wIGZ5fsyCJ5o1gI4OmymrFl bzXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=2dDuk/t4Oge3dBMcb6YowZCT3oT3stlPtLmDLy+1OTM=; b=ARyC6CNLF9OLsPXtWkyFq9it63JMs2spXVunckYWs8stoxg6E3z549W4VWRJervWde kmcgnM1I0cjdlspfJqtz/0YC3oPVkMF92i0sY+3aSmjqut0HcuIud6m6h1vl+vDcfm0e qGUgSN8rE7h12o5ZroMJJne5djRr07lCuP5nFbQamB7iMlstif/3FhxzErBG67wbbTlU 7sJdCoxL4Ynna8zG4RkS6xCrYc126ce6+SrSFD5khMngkW7Aznh0XCp0rEhyjGJmedku vZ7TOBY55gztxZqnLdUZs29WWpcq2JCbK3LxtGLwlRZ9VuLTOim5hN1BJqZLLe08gPfl eQyg==
X-Gm-Message-State: ABuFfohSuEAssfJl1MHFI9VB+d77DV4FdZ6LtWKc/wgOD5a56voSHh7b 4Brp+a5g1z1kwXRcsVcY1sU=
X-Google-Smtp-Source: ACcGV61mcXipjfMiOMA/aZ5l+c3ZWvbY1GVcJTuKT0hXxuoh6QDBk+Ux+CglbQSJpVnLEHTYdmum5g==
X-Received: by 2002:a6b:ce11:: with SMTP id p17-v6mr19100925iob.129.1539098656224; Tue, 09 Oct 2018 08:24:16 -0700 (PDT)
Received: from anon-dhcp-171.1015granger.net (c-68-61-232-219.hsd1.mi.comcast.net. [68.61.232.219]) by smtp.gmail.com with ESMTPSA id p128-v6sm8170017itp.5.2018.10.09.08.24.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Oct 2018 08:24:14 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Chuck Lever <chucklever@gmail.com>
In-Reply-To: <080D3CB4-1120-4BA5-9ED1-037589BCB0CF@netapp.com>
Date: Tue, 09 Oct 2018 11:24:13 -0400
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0B7D2395-5E79-48CD-ADA1-E80A7C6F2073@gmail.com>
References: <153901060913.16390.8389561648327812120@ietfa.amsl.com> <23D33FE9-54F9-40CB-AC41-23EC15603E47@netapp.com> <BACFE07D-B843-485F-97EE-4D36ABAB356F@gmail.com> <55FF4CA0-BB68-44F1-AFAC-DD1E0F9443C2@netapp.com> <B89BBD1B-C06B-4694-BB78-8BFE3B04EC36@gmail.com> <080D3CB4-1120-4BA5-9ED1-037589BCB0CF@netapp.com>
To: "Everhart, Craig" <Craig.Everhart@netapp.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/sdnPbmtqir86qlOTi7jM7XU8O1g>
Subject: Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-measurement-02.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Oct 2018 15:24:22 -0000
> On Oct 8, 2018, at 5:17 PM, Everhart, Craig <Craig.Everhart@netapp.com> wrote: > > Hi Chuck, I guess I don't understand this. > > On 10/8/18, 3:50 PM, "nfsv4 on behalf of Chuck Lever" <nfsv4-bounces@ietf.org on behalf of chucklever@gmail.com> wrote: > >> You're declaring that kind of interaction to be not well-defined. Why? > > This is precisely because the file system plays no part in provenance > assessment. > > If you want the server to do the assessment for all clients that access > it, there's no need to expose FPI via NFS. A trust relationship must > exist between the clients and server, of course, > > And, because of the opaque nature of the specification, I have no reason to understand why this "of course" would have to be the case--or, for that matter, why the first sentence is true. Intuitively, it's not obvious. Actually, I think it is pretty obvious based on your earlier construction of the use case: >> you couldn't have the server do assessment once and for all, for all its clients, for all future uses of a file. In fact, you normally don't want to do this if end-to-end, point-of-use integrity checking is the goal. But let's entertain this use case for a moment. If an NFS server is performing provenance assessment for its clients, why would the clients have any use for FPI? They would not need to perform the assessment again, unless I have grossly misunderstood your words. Thus, there is no need to expose any file's FPI to the NFS server's clients whether they are participating or not. In addition, provenance assessment is expensive in terms of memory, CPU utilization, and network bandwidth. An obvious purpose of having the server perform provenance assessment is to act as an offload service so that clients do not have to bear the repeated assessment costs. Now, related to the clause preceding "of course". The very first sentence of Section 1.1 states: A keyed hash authenticates the identity of the last modifier of a file’s content and serves as a strong check of the content’s integrity. In other words, there are two value-adds. First, the hash serves as a check of the content's integrity. Second, the signature preserves the hash cryptographically, and it authenticates the provenance authority. In other words, the authority plus the checksum guarantee the contents of the file by attaching an agent who is responsible for that content. If FPI is not presented to the client, then the client has to trust that the server has authenticated the FPI properly in order that the trust chain is not broken. The client must authenticate the server to guarantee that it is a well-known NFS server, possibly one within the same administrative and security domain. > If there's a defect in my intuition, I believe that the document has done little to correct my defects. There's a tradition of avoiding duplication of material that is already found in referenced documents. The Introduction is pretty clear now about where the FPI format and policies are defined. If you have any questions about those things, you need to consult documentation for that mechanism. > and there would need > to be a strong guarantee that the network between the server and clients > is of very high integrity. Perhaps the use of a GSS integrity service > would be required in such a use case. > > Why does this impose additional requirements on this OPTIONAL, but otherwise completely opaque, service? What additional requirements does it levy? Why wouldn't, for example, it be totally adequate to apply other techniques for recovering incompatibility? For example, if the provenance information were to include, effectively, a checksum of the content, what is the range of meaningful actions available to the provenance assessor if the file object's checksum were not to match that in the provenance's checksum? Again, "meaningful actions" are policy to be determined by the provenance assessor. This is a separate, independent security module that is not a part of the storage or file system stack. If you have any questions about the assessor, have a look at the IMA reference cited at the end of the document, or review the IMA implementation in the Linux kernel. > ----- > > My point in most of this is that one gives up a huge amount of understanding when the content semantics is completely opaque, as in this case. Fine--it can be optional--but if it is present, what does it mean? How should an implementation treat it? What kind of implementation can someone write if they look only at the specification? Why would an implementor have only this specification to look at? An NFS implementor would have not only this document, but also the cited materials, and very likely a provenance assessor already built into the OS and used by local file systems. Otherwise there is no purpose for implementing this extension. The extension enables provenance assessment at point-of-use (which is typically on NFS clients). The extension does not provide a full assessment mechanism. I find the bar you have set is unreasonably high. An implementer of an NFS server is not responsible for deep understanding of the underlying file system or the physical materials used to implement durable storage, nor is the implementer responsible for the security policies implemented by the operating system or 3rd party security modules. I don't see this extension as being any different. -- Chuck Lever chucklever@gmail.com
- [nfsv4] I-D Action: draft-ietf-nfsv4-integrity-me… internet-drafts
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Everhart, Craig
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Everhart, Craig
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Everhart, Craig
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Chuck Lever
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Everhart, Craig
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Benjamin Kaduk
- Re: [nfsv4] I-D Action: draft-ietf-nfsv4-integrit… Chuck Lever