Re: [nfsv4] Erik Kline's No Objection on draft-ietf-nfsv4-rpc-tls-08: (with COMMENT)
Chuck Lever <chuck.lever@oracle.com> Fri, 03 July 2020 15:57 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FD773A096C; Fri, 3 Jul 2020 08:57:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.091
X-Spam-Level:
X-Spam-Status: No, score=-2.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, T_SPF_TEMPERROR=0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id auWlZejpm4F3; Fri, 3 Jul 2020 08:57:40 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DBEC3A0996; Fri, 3 Jul 2020 08:57:38 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 063FmJP1160136; Fri, 3 Jul 2020 15:57:37 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=ShjaaEz/l2v8wUzR1uiQs3prH5AQae5wNkNMvDaW2Bk=; b=JfjuXoVfeiSdIlnBhFwvJLi7EUJnvk3hCHfrnGmaODf5QterggyvtDxFgLZ6u5X1g2Ol 4/AE0jk32j9u6l8oToxsbsB0jeQaA7YiSGThBQpCCTgJuKzeYXAMOzKbMCw8Og4PvvRo yGofpyjRBlCTf8n2v4QyWIdOE5Mb41ZlGeI8xEO4/B6kjqARQf7b0mNPFDR9TZKkVeM8 cIGmW2gcjTxlChD/Yu2i/kKOpvpp7czWlXR7Q8WXX6yrq5Sm/rYX9QRK6j7u6TbvOUbo Jo9bOYF7SqXrhvKCCdCUARsj7uQdVWqGIiTOsFEzZll4abc/t7P6rqrxfmdc3EfMSkeS +w==
Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by userp2120.oracle.com with ESMTP id 31wxrnpakp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 03 Jul 2020 15:57:37 +0000
Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 063FqvbH005612; Fri, 3 Jul 2020 15:57:36 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserp3030.oracle.com with ESMTP id 31y52pht32-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 03 Jul 2020 15:57:36 +0000
Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 063FvZIf011933; Fri, 3 Jul 2020 15:57:35 GMT
Received: from anon-dhcp-153.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 03 Jul 2020 15:57:34 +0000
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <37E9EC4E-938D-4986-895F-8EFA85469DB1@oracle.com>
Date: Fri, 03 Jul 2020 11:57:33 -0400
Cc: The IESG <iesg@ietf.org>, draft-ietf-nfsv4-rpc-tls@ietf.org, nfsv4-chairs@ietf.org, nfsv4@ietf.org, David Noveck <davenoveck@gmail.com>
Content-Transfer-Encoding: 7bit
Message-Id: <A70A21D0-D54F-4259-9D13-B7123BFBA928@oracle.com>
References: <159349149991.12516.12036430886387047884@ietfa.amsl.com> <FEE410F9-240F-4401-99CF-A2FC54DFE095@oracle.com> <CAMGpriWpER-pzH+Nfer=OSZKbU-cUJ9Arqsk1rxZU-72dWy1sg@mail.gmail.com> <AA6DCFBF-2B7E-45FE-B770-22B4E3B68446@oracle.com> <CAMGpriV3F2f+Tk8QWaWie4DB55on0rG7Knip+bAvZzZyBR+T3Q@mail.gmail.com> <37E9EC4E-938D-4986-895F-8EFA85469DB1@oracle.com>
To: Erik Kline <ek.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.104.14)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9671 signatures=668680
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 phishscore=0 mlxscore=0 adultscore=0 suspectscore=0 bulkscore=0 malwarescore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2004280000 definitions=main-2007030108
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9671 signatures=668680
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 mlxlogscore=999 priorityscore=1501 impostorscore=0 bulkscore=0 clxscore=1015 malwarescore=0 phishscore=0 adultscore=0 cotscore=-2147483648 lowpriorityscore=0 suspectscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2004280000 definitions=main-2007030108
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/umqv2XoSQTwlyrs3vtbH9Nkc4WA>
Subject: Re: [nfsv4] Erik Kline's No Objection on draft-ietf-nfsv4-rpc-tls-08: (with COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2020 15:57:45 -0000
> On Jul 2, 2020, at 2:26 PM, Chuck Lever <chuck.lever@oracle.com> wrote: > >> On Jul 2, 2020, at 2:08 PM, Erik Kline <ek.ietf@gmail.com> wrote: >> >> I was more curious about text for how a TCP RPC server identifies TLS >> ClientHello from the first of possibly several unencrypted RPCs after >> the 3WHS. And it seems like the same "try to parse a ClientHello else >> try to parse an ONC RPC message" is the recommended approach >> (analogous to DTLS above)? It was a statement to this effect that I >> was after. I propose updating the first paragraph of Section 5.1.1: OLD: The use of the Transport Layer Security (TLS) protocol [RFC8446] protects RPC on TCP connections. Typically, once an RPC client completes the TCP handshake, it uses the mechanism described in Section 4.1 to discover RPC-over-TLS support for that connection. If spurious traffic appears on a TCP connection between the initial clear-text AUTH_TLS probe and the TLS session handshake, receivers MUST discard that data without response and then SHOULD drop the connection. NEW: The use of the Transport Layer Security (TLS) protocol [RFC8446] protects RPC on TCP connections. Typically, once an RPC client completes the TCP handshake, it uses the mechanism described in Section 4.1 to discover RPC-over-TLS support for that connection. Until an AUTH_TLS probe is done on a connection, the RPC server treats all traffic as RPC messages. If spurious traffic appears on a TCP connection between the initial clear-text AUTH_TLS probe and the TLS session handshake, receivers MUST discard that data without response and then SHOULD drop the connection. -- Chuck Lever
- [nfsv4] Erik Kline's No Objection on draft-ietf-n… Erik Kline via Datatracker
- Re: [nfsv4] Erik Kline's No Objection on draft-ie… Chuck Lever
- Re: [nfsv4] Erik Kline's No Objection on draft-ie… Erik Kline
- Re: [nfsv4] Erik Kline's No Objection on draft-ie… Chuck Lever
- Re: [nfsv4] Erik Kline's No Objection on draft-ie… Erik Kline
- Re: [nfsv4] Erik Kline's No Objection on draft-ie… Chuck Lever
- Re: [nfsv4] Erik Kline's No Objection on draft-ie… Chuck Lever
- Re: [nfsv4] Erik Kline's No Objection on draft-ie… Erik Kline