IETF Logo Mail Archive

Re: [nfsv4] Thinking about an RFC5661bis.

Benjamin Kaduk <kaduk@mit.edu> Fri, 01 March 2019 22:05 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDD56129524 for <nfsv4@ietfa.amsl.com>; Fri, 1 Mar 2019 14:05:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4WHE9G3wVdvJ for <nfsv4@ietfa.amsl.com>; Fri, 1 Mar 2019 14:05:00 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-eopbgr800091.outbound.protection.outlook.com [40.107.80.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD7611277CC for <nfsv4@ietf.org>; Fri, 1 Mar 2019 14:04:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u3gtzr2zP7y1EIzar9uzQgCS6FGr7jcicf4+pGhDBQo=; b=EUfnsrJRtlZ5UZIrIiOeoSNdyJUcrzr1YxCKXToq51B5m8OArBIVbsUQmar4XALBue/WynM2E1Steqln8yoKAxFZizCBoaBNDvHKq7ZF2IrdPE9NR583l60d95bymNRMwu31efh0TjYZqYT15TUG7sI9NQyAqmPHJBsWV0k0zb0=
Received: from BYAPR01CA0031.prod.exchangelabs.com (2603:10b6:a02:80::44) by BYAPR01MB5175.prod.exchangelabs.com (2603:10b6:a03:7f::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.21; Fri, 1 Mar 2019 22:04:57 +0000
Received: from DM3NAM03FT056.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e49::205) by BYAPR01CA0031.outlook.office365.com (2603:10b6:a02:80::44) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1665.16 via Frontend Transport; Fri, 1 Mar 2019 22:04:57 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by DM3NAM03FT056.mail.protection.outlook.com (10.152.83.158) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.13 via Frontend Transport; Fri, 1 Mar 2019 22:04:57 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x21M4rQd017799 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 1 Mar 2019 17:04:55 -0500
Date: Fri, 01 Mar 2019 16:04:53 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: David Noveck <davenoveck@gmail.com>
CC: NFSv4 <nfsv4@ietf.org>
Message-ID: <20190301220453.GW53396@kduck.mit.edu>
References: <CADaq8je5pzF7m+4oVCNfSeeBDQ98kBwAdCN_o1hBrfDob=SBaA@mail.gmail.com> <20190301005957.GK53396@kduck.mit.edu> <CADaq8je2Ec=xM2TiGH0Cj7dJte120=9YauneEUmkf77nHkamVA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CADaq8je2Ec=xM2TiGH0Cj7dJte120=9YauneEUmkf77nHkamVA@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(39860400002)(376002)(346002)(136003)(396003)(2980300002)(189003)(199004)(88552002)(14444005)(6246003)(26826003)(4326008)(76176011)(106466001)(8936002)(478600001)(55016002)(6916009)(106002)(229853002)(23726003)(36906005)(786003)(316002)(33656002)(58126008)(53416004)(75432002)(104016004)(97756001)(16586007)(246002)(7696005)(26005)(11346002)(476003)(126002)(47776003)(186003)(336012)(446003)(956004)(8676002)(486006)(305945005)(1411001)(46406003)(5660300002)(356004)(86362001)(2906002)(1076003)(66574012)(50466002)(426003); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR01MB5175; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: c85d4c9a-afa1-4937-55ba-08d69e91f139
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4608103)(4709054)(2017052603328)(7153060); SRVR:BYAPR01MB5175;
X-MS-TrafficTypeDiagnostic: BYAPR01MB5175:
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB5175; 20:WCR0mpmKVsQBCoNRn4S2OExsDGYC3c7btLCI/Br/J1UsPeGdWcn47kwwC30oMJpiF94G+XeJV5gOWnIokZ2l1XxPmHyoaTAPv9vcgHh+sX+3oFF+ggb7L/8DV12YRoDOM3jHQNwR1slUVPj0esqx0IU297UhPYLtcnOJrf04Vk7XdffOVOC0K1HIwLqG+bHoTH0T2weN2WByoyNmK06GbzXjrAYo+IMWzW5FW19CKOzdRWifetO9n6CrIhQSTWNVCxclCWgKIs2Kyem2rv37KIoslSQ1PsIXoYWhjxR/RPRw86xJ/Spbw/1wJ/ojoKfR2JXLLBMSORISjT/5exfudFANHrjz0TqQ9LnzHliGjRZdWx93Ffhx+UrRUxljVPna5wvtB6q/2I5lPYJh2hxjucxs7eLIbUFQQEDBLmdI+NlzjwUk1UVFk3sCh9WxUZp/x4DQhm82w9K6EqY1mOBX/hs36fKrByJch9WVLCrBc1iCoGffJsLNr9JsVEaMeSPlAfwrL9YpgaTEKbS8IUYFCcykN1b6EOcfG2V3u49bJQrGFFdrwN69bHktAxZMcBwLeiKrtAfG9oY+jWygdyt2l5nNOLufzcx59VA7ZMVJXG8=
X-Microsoft-Antispam-PRVS: <BYAPR01MB517578994F645C54F581475AA0760@BYAPR01MB5175.prod.exchangelabs.com>
X-Forefront-PRVS: 09634B1196
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB5175; 23:Q+qHl8WfZ8Fh797J/KkNjI9WUltX87fjZt3ieCuzi/2E8H8kp3P8+ruu32Go2PpYyBfS7efFARxSSG8EMPD3AaZ7A4yZc+yJkLTwEjYfOO+ao0dxIupEVV2O/WJFiqk3QLBFhw3E6r9Hi4MrnePLWNTAv5Qz2tHyT2xxDP8QxkZwBbyfamWDbhEfIH+y4lG8lgi4CCthmN4NICokTot0FhE7ooIqwwJNWqLR3421cKKzX+TzLgC6wjpXogGhHSBVsqZ0e+VZHTDxFslhFd3H8w0HyjYN1lSJPdS9vmSF9fur6S2zTABZtRkeXu/GBXY2bY8QHhpkDxH88auWRIPnijTLqrEjnkBOBkxkPsUgEPX3irRy9XwhB1zalraV+aaMWmR6cpNvopvzWAEHbOQ174nDxwYbYbrvXQovItHtdo+kFEJ6JEsXj8Aj+0Xc3gpmooixvm3wh/OZWtRwXYpFr5kfVAc8Z6ecFQgn2nG8J6GQPKH82brggDrtGkhuscNYhwQH9eV03IhUDmenUFO1Yen8aSZy6z/xT8rjEeO5nTOe8AqNySICxfE2vVMwafdKJM+O2d8lGUhdljJmUvnBXQEUigeK8EI8HNFiKC75C8a5O769ON83nb6XvPy2a90ZOeMXkqlBYCgudg8ybjiyNffNLUxVEXmkoBbE8fqa6FDmers34QgS6N1uPUCYOQlyXxQxswiCFhpxS55Wdz0toOFadnDjnJLw50/MAAKF6z3yJCPyEJI23XOwr3P5hoF0WkmiK3E46WdgsCFmz/N5QO1g7fH5t48gyqRzwl4S8J4pZZvnHoKimjqib7OxCj8qycOhwGbzzB9wU/zFnWOsaEPJnauxEG5ZWJQlMdam36PgBY+kD3cQkdFOuufgEmXjb8IPwAvlBFPMKlcOeSXP8J7FontqyRYu/5MjIOoRUn/N0Kdz7sQxwtfLNmElmzAy7CzDaOeLIoRc/Pte5JVYjryWTIN1XkgWXG8yiHsQ3SFu9gCp1YGHV9BNdFGJyeadTY50mKdljiDZ40arL7sSQ7vHAQ7S3vjnMKPdhgtwbjLZS0lhWfx/kNGe1/vIaHFOKqi00n3V0HDLRpbKVBqVBZL34/TAT0JjOByRk9EMetrkR249Arjx/TnDh6CGp2rNsb3uqYUbE/b00PMXC7mdufuu+WOX0b0vVMp2lWMVLc4Xl9GDf9alee3enGDgoZjYGcpLlCklAZ57b3hWKu4YSw==
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: p8ikHpNMCglR11L38FfpTrjak4At+biOdd+rzNXqEcjZqKVltBJXOymhYwjDbpFgX1cnzXdiUEuzjvSivv2skCpMXpX2f9UkRhKGpQ8e2ETsQOMFiw+3n9SRfW2noxD/3UZc1ug2EH4csGldJOU+KOhfeUdNxKZXfz96hE2pU7YejpJlwpE7Feml/zojVceijBcVyoiplUhIgui9kJ2VL17+lYV5yPcvVuzQ1l3jKEHgZEP3Ntdgho7ThTbnpGIQUy4aLjLLMyvF7UxIvVRBtBK0DvWl7dwoTrqG7Qj96qDR5CE9pG+OFwdOshVzXr2u1OC74/vc5b88mD4HYIHecIlDixBwLCAXqz3FPFdVzCp+bugFtX1XuCsYCxr91NX7X8N8gqplH0f71lM3z3ueOusb9wwH0Vhl4gVE7U7LSLY=
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Mar 2019 22:04:57.1444 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c85d4c9a-afa1-4937-55ba-08d69e91f139
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR01MB5175
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/u4OA-X9cbETN7TE6LCKhsSuPnh8>
Subject: Re: [nfsv4] Thinking about an RFC5661bis.
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2019 22:05:04 -0000

On Fri, Mar 01, 2019 at 07:17:09AM -0500, David Noveck wrote:
> >>     It may be that we will need to explicitly discourage use
> >> of AUTH_SYS  in an rfc5661bis (without, I hope, going so far as "SHOULD
> >> NOT").
> 
> > It will be interesting to see what the text around that looks like --
> > starting from just the Internet threat model of RFC 3552
> 
> I think I'll have to look at that document intensely.  Thanks for pointing
> me to it.

You're quite welcome!  I am so familiar with it that I end up assuming
everyone else knows about it, which is of course not the case...

> > it's hard for me
> > to imagine that behavior like AUTH_SYS would be anything other than
> "SHOULD
> > NOT".
> 
> You're right it does seem hard to imagine.  However, in this case
> imagination
> is not required.  You just have to look at what happened:
> 
>    - On 9/19/2008, this working group requested publication of
>    draft-ietf-nfsv4-minorversion1-26.txt which presented use of AUTH_SYS as
>    optional/allowed.
>    - On 12/19/2008, the IESG approved publication of
>    draft-ietf-nfsv4minorversion1-29.txt as a Proposed Standard, even though
>    that document still  presented use of AUTH_SYS as optional/allowed.
>    - On 1/14/2010, RFC5661 was published as a Proposed Standard with the
>    treatment of AUTH_SYS intact.
>    - Since then, implementations have been developed and deployed which
>    used AUTH_SYS, including many deployments in environments in which use of
>    AUTH_SYS could reasonably be felt to be imprudent, leading to a troubling
>    security situation for NFSv4.1.
> 
> People may well have different views as to how to assign the
> responsibility/blame for this situation and there is no real point in
> trying to  do so.  Clearly, the authors, the other members of the working
> group, and the IESG all had some role.
> 
> The descision not to say "SHOULD NOT" with regard to NFSv4.1 has already
> been made and I don't see how it can be changed even one thinks that the
> working roup was wrong to write RFC5661 that way or that the IESG was wrong
> to approve publication.   A Security Considerations section can still draw
> attention to the problems that use of AUTH_SYS can give rise to, and the
> steps necessary to mitigate them, where possible.

Well, we did publish some new IETF-consensus document in the intervening
ten (ish) years that could be taken to shift the balance on what behaviors
we do and do not tolerate in standards-track documents, things like BCP 188
("Pervasive Monitoring is an Attack") and BCP 195 ("Recommendations for
Secure use of TLS and DTLS").  So it's not really clear to me that we must
be strict slaves to precedent (but we do need to acknowledge existing
deployments in some fashion, of course).

> > But please to not take this as trying to discourage you from trying,
> > and rather as a chance to educate the security folk.
> 
> I'm not sure what education I can provide.   I'm sure people will want to
> know how this happened but all I can provide are guesses.   I think I can
> learn stuff about security from the exercise.
> 
> >>I think we need to frame the discussion around the three big
> >> security deficits present using AUTH_SYS in the clear (exposing your data
> >> to prying eves, using  data that has traversed the newtwork without
> >> integrity protection, acting on unauthenticated requests) and not on the
> >> use of AUTH_SYS per se.  If we do this, we can publish and implement
> 
> > Dividing things into risks and countermeasures is usually a good strategy,
> 
> Good point.
> 
> > rather than focusing specifically on mechanisms, yes...
> 
> We have had a number of situations in which some particular mechanism was
> felt to be salvific, but turned out not to be so :-(
> 
> >> rpc-tls without needng to further deal with the security considerations
> >> section of the NFSv4.1 spec.
> 
> > ...since once you start talking about *properties* of the protocol
> > components, it's easier to slot different backends into place, provided
> > that they provide the same (or better) properties.
> 
> True.  The conclusion I draw is that rpc-tls will have to be fairly far
> along
> in its development when the bis document is considered, even if it doesn't
> have to be published first.    If it seems that equal (or better) security
> is clearly
> on the horizon, I think the security people will be OK with a treatment
> that
> does not stigmtize AUTH_SYS per se, but instead draws attention to the
> exposure of data in transit, the lack of integrity protection, and the
> execution
> of unautheticated requests.

Speaking just for myself, documents that accurately describe the current
properties and have a path to better properties are generally tolerable,
and I am pragmatic enough to not hold things up for ideological purity.

> Given the need for rpc-tls to be fairly far along, the delays that Tom is
> worried
> about do not seem to be all that troubling, since there is really no rush
> to get
> 5661bis out, even if we think it is needed/desirable.

That said, I'm not sure whether I want to hope that I am or am not still
on the IESG when the purported bis document shows up there :)

-Ben

v2.23.0 | Report a Bug | By Email