Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls

Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 22 April 2020 15:57 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "chuck.lever@oracle.com" <chuck.lever@oracle.com>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>, "trondmy@gmail.com" <trondmy@gmail.com>
Thread-Topic: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
Date: Wed, 22 Apr 2020 15:57:28 +0000
Message-ID: <HE1PR0702MB3772D2EF118A844C6527171995D20@HE1PR0702MB3772.eurprd07.prod.outlook.com>
References: <VI1PR0702MB3775838FD12AB8A89392C17B95C90@VI1PR0702MB3775.eurprd07.prod.outlook.com> <FA2D661E-A787-4772-8F9D-A7594AE82F38@oracle.com> <CADaq8jciLWhL_FMmPcsdrVVS=9Gee8SYAsqi36H5v9iuNo7Pgw@mail.gmail.com> <E414F060-532B-4017-AC7E-5869884B2153@oracle.com> <e5796752c6204ffdd78503b1a9c9045cfd761e52.camel@gmail.com> <F9AC44CE-750E-416A-944D-E2382524020E@oracle.com> <19d2513b1093fc71223e361afca90d1a1ad6183a.camel@gmail.com> <E8D24949-C2A3-463A-953F-FAE7F46D4D23@oracle.com> <4e7912c6c55680f50b05aaa2cdc98f59733cd5b2.camel@ericsson.com> <C89BF8F3-7F65-4995-9CDB-CC1673E01463@oracle.com> <7833b21f09aaffdb35e1a578e2a07b533002d318.camel@ericsson.com> <7B26B15B-DE0C-4B6C-BBB0-D8F7B00EF328@oracle.com>
In-Reply-To: <7B26B15B-DE0C-4B6C-BBB0-D8F7B00EF328@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/N-WsYoJ-wsg7DUMTf2EMQIuw8eA>
Subject: Re: [nfsv4] AD review of draft-ietf-nfsv4-rpc-tls
List-Id: NFSv4 Working Group <nfsv4.ietf.org>

Hi,

I have reviewed the diff for the editor's copy and have the below comments. 
Only E, I think, needs any more significant consideration. My evaluation is that 
all my previous AD comments have been resolved or answered. Thanks for the 
work.

A. Section 4.1:

RPC operation can continue, but in the clear.

I would propose that this sentence is reformulated to make it even more 
evident that there is no security protection.

NEW:

RPC operation can continue; however, it will be without any confidentiality, 
integrity or authentication protection from (D)TLS.

B. Section 4.2.1:

RPCSEC GSS can also protect per-request integrity or confidentiality.

I think the language is botched here. I guess something like this was 
intended:

NEW: RPCSEC GSS can also perform per-request integrity or confidentiality 
protection.

C. Section 5.

Implementations MUST NOT negotiate TLS versions prior to v1.3 ([RFC8446] or 
[I-D.ietf-tls-dtls13]).

I think it needs to be more explicit that the second reference is DTLS 
1.3. Proposed:

Implementations MUST NOT negotiate TLS versions prior to v1.3 (for TLS 
[RFC8446] or DTLS [I-D.ietf-tls-dtls13] respectively).

D. Section 5.:

Client implementations MUST include the 
"application_layer_protocol_negotiation(16)" extension in their "ClientHello" 
message and MUST include the protocol identifier defined in Section 8.2 in 
that message's ProtocolNameList value.

I propose to include a reference here to what the 
"application_layer_protocol_negotiation(16)" extension is. So proposed wording:

Client implementations MUST include the 
"application_layer_protocol_negotiation(16)" extension [RFC7301] in their 
"ClientHello" message and MUST include the protocol identifier defined in 
Section 8.2 in that message's ProtocolNameList value.

Likely it makes sense to make a similar change to the next sentence to:

Similarly, in response to the "ClientHello" message, server implementations 
MUST include the "application_layer_protocol_negotiation(16)" extension 
[RFC7301] in their "ServerHello" message and MUST include only the protocol 
identifier defined in Section 8.2 in that message's ProtocolNameList value.

E. Section 5.1.2:

When using connectionless operation, each DTLS session endpoint is identified 
by its 5-tuple -- the source and destination IP address and port numbers, 
along with the UDP transport protocol number (17). When using connected 
operation, the DTLS session endpoints are identified by connection ID (CID), 
as described in [I-D.ietf-tls-dtls-connection-id]. Connected operation is 
strongly RECOMMENDED.

So I don't know if I looked too quickly at DTLS 1.3 and the dtls-connection-id 
draft. However, I don't see any discussion of a connectionless operation. This 
might be a terminology issue primarily. However, my understanding, which might 
be flawed, is that the DTLS connection is created by the DTLS handshake. That 
DTLS connection can either be identified by the 5-tuple or use this CID 
extension.

The primary goal of the CID extension is to avoid the need for a new DTLS 
handshake and creating a new DTLS connection if the 5-tuple changes, for 
example due to NAT port rebinding.

In addition, my understanding is that [I-D.ietf-tls-dtls-connection-id] is 
defining the extension for CID for DTLS 1.2. Section 9 in the DTLS 1.3 
specification imports that extension into DTLS 1.3. Thus, if you want to 
recommend its usage it might be better to point to Section 9 and only use 
[I-D.ietf-tls-dtls-connection-id] informationally.

Cheers

Magnus
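As an added illustration of comment D (not part of this message, the draft, or any implementation it describes), the following Python encodes and decodes the "application_layer_protocol_negotiation(16)" extension in the wire format of RFC 7301 and checks the two rules the draft states: the ClientHello's ProtocolNameList must contain the RPC-over-(D)TLS protocol identifier, and the ServerHello's must contain only that identifier. The identifier value `sunrpc` is assumed here for illustration; the draft's Section 8.2 is the normative source. The sample extension bytes are constructed inline.

```python
"""Encode/decode the ALPN extension (RFC 7301, extension type 16) and check
the ClientHello/ServerHello rules for RPC-over-(D)TLS described in comment D.

Wire format (RFC 7301, Section 3.1):
  extension_type (u16) = 16, extension_data length (u16),
  ProtocolNameList = u16 length, then ProtocolName entries,
  each ProtocolName = u8 length (1..255) followed by the name bytes.
"""
import struct

ALPN_EXTENSION_TYPE = 16

# Assumption: the protocol identifier the draft registers in Section 8.2.
# Used here only for illustration; take the real value from the draft.
RPC_TLS_ALPN_ID = b"sunrpc"


def encode_protocol_name_list(names):
    """Serialize a list of byte-string names as an RFC 7301 ProtocolNameList."""
    for n in names:
        if not 1 <= len(n) <= 255:
            raise ValueError("ProtocolName must be 1..255 bytes")
    body = b"".join(struct.pack("!B", len(n)) + n for n in names)
    return struct.pack("!H", len(body)) + body


def encode_alpn_extension(names):
    """Wrap a ProtocolNameList in the extension_type/length header."""
    data = encode_protocol_name_list(names)
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(data)) + data


def decode_alpn_extension(blob):
    """Parse one ALPN extension; reject anything malformed rather than guess."""
    if len(blob) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", blob[:4])
    if ext_type != ALPN_EXTENSION_TYPE:
        raise ValueError("not an ALPN extension")
    data = blob[4:4 + ext_len]
    if len(data) != ext_len or len(data) < 2:
        raise ValueError("extension_data truncated")
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len != len(data) - 2:
        raise ValueError("ProtocolNameList length mismatch")
    names, pos = [], 2
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > len(data):
            raise ValueError("empty or truncated ProtocolName")
        names.append(data[pos:pos + n])
        pos += n
    if not names:
        raise ValueError("ProtocolNameList must not be empty")
    return names


def client_hello_alpn_ok(blob):
    """Client rule: the list MUST include the RPC-over-(D)TLS identifier."""
    return RPC_TLS_ALPN_ID in decode_alpn_extension(blob)


def server_hello_alpn_ok(blob):
    """Server rule: the list MUST contain only the RPC-over-(D)TLS identifier."""
    return decode_alpn_extension(blob) == [RPC_TLS_ALPN_ID]


if __name__ == "__main__":
    # Constructed sample: a client offering two protocols, a server picking one.
    client_ext = encode_alpn_extension([b"h2", RPC_TLS_ALPN_ID])
    server_ext = encode_alpn_extension([RPC_TLS_ALPN_ID])
    print("client ok:", client_hello_alpn_ok(client_ext))
    print("server ok:", server_hello_alpn_ok(server_ext))
```

A server that echoes the client's whole list (instead of exactly one selected name) fails `server_hello_alpn_ok`, which is the case the draft's "MUST include only" wording is meant to rule out.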