Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
Olga Kornievskaia <aglo@umich.edu> Tue, 26 March 2019 16:19 UTC
Return-Path: <olga.kornievskaia@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B720120571 for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 09:19:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e6AKmc8m2LtS for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 09:19:48 -0700 (PDT)
Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34AEB12056C for <nfsv4@ietf.org>; Tue, 26 Mar 2019 09:19:48 -0700 (PDT)
Received: by mail-ua1-x935.google.com with SMTP id 46so763656uan.8 for <nfsv4@ietf.org>; Tue, 26 Mar 2019 09:19:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6cDYU/dYynUIRJoeTXuhPdFib2OrESxb/aZB1rmR/EQ=; b=nif7BeWufMf2YBktPiTULsnjGY3pOi5Fp16kWBOIALLDDB6ZYnAu7Hu7jp6ziMexif YgV2mKbD2eqa7s2Ls6BkcuQY1B+wNapH0t/cuy/96TMjrNN+AcmmXWt8K873QKW0E5bk A+oalyUNf8MPUqXKi8kXJLWvIHMw5QoxxaCJd5jcFSzMccg86MlweRmS7FQISEg7JznF nVbLWMk1FEPdlHTCWrWJwqDCNZY7fC0EY4dspmFWNH9trJkgA3m03uOjbySw3eEWCEdp DI4yTt1VOG9m4RTZKe/F1mfyQ1z8oZd1xqu2iTFaDcIt3HxcB/5p9XIBcEmO/HFli/R8 0JcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6cDYU/dYynUIRJoeTXuhPdFib2OrESxb/aZB1rmR/EQ=; b=RbKBiNvAy774VjeYFkP8kFtSZ8V5RdUatrGMGlSJRoVkW5enh892ZqIc+aK6gIa9Ud 1jRBzjlaHn5PD9qyhY2NHxGRX+hmQ4QD2Qcv7sGd6UXWyG9/quYCjLtTKowC3tcg6Z2c nOU5arJ2+PcjQR/shH8kgAJMGZRVbPAl/2C29BngiE9jxNabwdRROfCISLM3FMofj4y9 RNNd+ttBJfeWQ2aUQxQT4fEwcqzWlvF87c2BAGLR5Cxm+Jcmsj3AEiUIkGhW2+o53rX2 s4wLt5JFn3lnVNKOJ9kVBBTjB7bsADRyZF9AEcaP/bLq4y17n+vso+mWImZ0vQwWR2q0 2kXA==
X-Gm-Message-State: APjAAAX+vkIxXDEFQBgKbtqeVbc/U8Y06BmkHg4yg7gFoDoQWwcSWegE 893urR6mye8pgfyn5AXVd8PZzrz7ulsRn+mByyI=
X-Google-Smtp-Source: APXvYqzlO3aPYCzDR++R9glAba+RyVRwyxF6eJ1HTaMn2hl6FqZIBJmvzpbV1p3GlsEuUlwkgvtsfhieacm30wFD+/4=
X-Received: by 2002:ab0:2886:: with SMTP id s6mr17658057uap.93.1553617187019; Tue, 26 Mar 2019 09:19:47 -0700 (PDT)
MIME-Version: 1.0
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com> <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de> <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com> <2020506870.740381.1553612716598.JavaMail.zimbra@desy.de>
In-Reply-To: <2020506870.740381.1553612716598.JavaMail.zimbra@desy.de>
From: Olga Kornievskaia <aglo@umich.edu>
Date: Tue, 26 Mar 2019 12:19:35 -0400
Message-ID: <CAN-5tyGggDUe2DNSjRc6vAyXgGo4LVwYVK5zmTOyr0soPFVKrQ@mail.gmail.com>
To: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
Cc: Chuck Lever <chuck.lever@oracle.com>, NFSv4 <nfsv4@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/uuQ2Wvd8BwzF_xjHJ1jIXfx2G48>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 16:19:51 -0000
On Tue, Mar 26, 2019 at 11:05 AM Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote: > > > > ----- Original Message ----- > > From: "Chuck Lever" <chuck.lever@oracle.com> > > To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de> > > Cc: "NFSv4" <nfsv4@ietf.org> > > Sent: Tuesday, March 26, 2019 2:56:10 PM > > Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt > > >> On Mar 25, 2019, at 4:44 PM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote: > >> > >> > >> > >> ----- Original Message ----- > >>> From: "Chuck Lever" <chuck.lever@oracle.com> > >>> To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de> > >>> Cc: "NFSv4" <nfsv4@ietf.org> > >>> Sent: Monday, March 25, 2019 2:44:32 PM > >>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt > >> > >>>> On Mar 25, 2019, at 4:53 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote: > >>>> > >>>> > >>>> > >>>> Hi Chuck, > >>>> > >>>> By working on our implementation we got a following questions: > >>>> > >>>> what should server do when a client requests startTLS twice? Fail > >>>> with an auth error or just ignore? > >>> > >>> I don't have a ready answer, but seems to me your TLS library > >>> might have an opinion. Can a web browser be made to generate > >>> a second STARTTLS to see what the behavior is like? > >>> > >>> Is there any guidance in RFC 8446 or its antecedants? > >> > >> Looks like LDAP have that case clearly specified rfc2830: > >> > >> 2.3: > >> > >> ... > >> > >> If the Start TLS extended request was not successful, the resultCode > >> will be one of: > >> > >> operationsError (operations sequencing incorrect; e.g. TLS already > >> established) > >> > >> 3.1: > >> > >> ... > >> > >> The client MAY send the Start TLS extended request at any time after > >> establishing an LDAP association, except that in the following cases > >> the client MUST NOT send a Start TLS extended request: > >> > >> - if TLS is currently established on the connection, or > >> > >> You may adopt a similar wording to rpc-over-tls. However, what about UDP and > >> retransmits? > > > > UDP will use DTLS. > > > > My hesitance is that STARTTLS is part of the TLS protocol, and we're > > not specifying that here, we're only using it. Surely TLS has a proper > > mechanism for managing this situation. > > > > I would like to see a recent RFC that covers your case. RFC 6614 appears > > to require TLS negotiation to occur immediately after the underlying > > transport connection is established, and never later. Is that what you > > want? > > I have my doubts, that STARTTLS is a part of TLS protocol. Anyway, what I want to > see is a clear statement about what server is suppoed to do if it sees multiple > STARTTLS requests on the same connection. Our current implementation will just > ignore the second request if TLS is already enabled. > To add to Tigran's comments... STARTTLS is not a part of the TLS RFC. Other protocols that use TLS have RFCs for STARTTLS for that protocol which I think NFS needs to have too either as a part of this document or a separate document. Taken from a wiki (https://en.wikipedia.org/wiki/Opportunistic_TLS) The STARTTLS command for IMAP and POP3 is defined in RFC 2595, for SMTP in RFC 3207, for XMPP in RFC 6120 and for NNTP in RFC 4642... > Tigran. > > > > > > > >> Tigran. > >>> > >>> > >>>> It would be nice if spec will > >>>> explicitly define this situation. > >>>> > >>>> Thanks, > >>>> Tigran. > >>>> > >>>> ----- Original Message ----- > >>>>> From: "Dave Noveck" <davenoveck@gmail.com> > >>>>> To: "Chuck Lever" <chuck.lever@oracle.com> > >>>>> Cc: "NFSv4" <nfsv4@ietf.org> > >>>>> Sent: Friday, January 4, 2019 5:25:18 PM > >>>>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt > >>>> > >>>>>> I've been studying RFC 8471 to understand what would be needed to support > >>>>>> TLS token binding with RPC. It appears there are two components: > >>>>> > >>>>>> - The TLS handshake is extended to indicate support for token binding > >>>>>> and negotiate the supported version > >>>>> > >>>>>> - The upper layer protocol (RPC, in our case) is required to send a Token > >>>>>> Binding message as the first message > >>>>> > >>>>>> We would need to provide a mechanism for encapsulating this message in > >>>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially, > >>>>>> RPCSEC GSS could provide a mechanism for transporting this message. > >>>>> > >>>>> As I understand things, one of the potential goals here is to satisfactorily > >>>>> authenticate the client so that AUTH_SYS can reasonably used. For that use > >>>>> case, I'm not sure how depending on RPCSEC GSS would fit in. > >>>>> > >>>>>> It appears to me that there is a natural boundary between what we have > >>>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token > >>>>>> Binding, such that Token Binding could be handled by a separate document. > >>>>> > >>>>> That makes sense. > >>>>> > >>>>>> That would allow the quick completion > >>>>> > >>>>> Since this is the IETF, let's just say "quicker completion". > >>>>> > >>>>>> of rpc-tls to enable encryption by > >>>>>> default using self-signed certificates, with support for Token Binding > >>>>>> to appear later. > >>>>> > >>>>> It depens on how much later. I don't see how it would be necessary to get > >>>>> through the RFC process, including that rigorous search for split > >>>>> infinitives, cycles > >>>>> of discussion of RFC2119 terms before starting the follow-up work on token > >>>>> binding. Once rpc-tls is accepted as a working group document, the group > >>>>> would > >>>>> be in a position to make plans for the follow-on work that seems to be > >>>>> warranted. > >>>>> > >>>>>> Thoughts, comments... > >>>>> > >>>>> If work on client autehentication is to be punted, then the document will > >>>>> need to reflect that. > >>>>> In particular, if you, as a server, are prepared to accept an > >>>>> unauthenticatted client's user > >>>>> identifications, then your security is pretty much non-existent, despite > >>>>> the fact that > >>>>> enryption prevents eavesdropping. In that case, it probably best to say > >>>>> nothing about use > >>>>> of AUTH_SYS. > >>>>> > >>>>>> Am I on the wrong track? > >>>>> > >>>>> No. > >>>>> > >>>>> On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote: > >>>>> > >>>>>> > >>>>>>> On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote: > >>>>>>> > >>>>>>> Hi Chuck > >>>>>>> > >>>>>>> Apologies for top posting, blame MS > >>>>>>> > >>>>>>> I was interested in the comment "We believe the combination of host > >>>>>> authentication via TLS and user authentication via RPC provides optimal > >>>>>> security, efficiency, and flexibility,". There's been a huge amount of > >>>>>> negative press for TLS client auth, but there's been a push for TLS token > >>>>>> binding as a basis for better client/server authentication. Does the > >>>>>> proposal need to consider work in this area? > >>>>>> > >>>>>> I've been studying RFC 8471 to understand what would be needed to support > >>>>>> TLS token binding with RPC. It appears there are two components: > >>>>>> > >>>>>> - The TLS handshake is extended to indicate support for token binding > >>>>>> and negotiate the supported version > >>>>>> > >>>>>> - The upper layer protocol (RPC, in our case) is required to send a Token > >>>>>> Binding message as the first message > >>>>>> > >>>>>> We would need to provide a mechanism for encapsulating this message in > >>>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially, > >>>>>> RPCSEC GSS could provide a mechanism for transporting this message. > >>>>>> > >>>>>> It appears to me that there is a natural boundary between what we have > >>>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token > >>>>>> Binding, such that Token Binding could be handled by a separate document. > >>>>>> That would allow the quick completion of rpc-tls to enable encryption by > >>>>>> default using self-signed certificates, with support for Token Binding > >>>>>> to appear later. > >>>>>> > >>>>>> Thoughts, comments... Am I on the wrong track? > >>>>>> > >>>>>> > >>>>>>> -----Original Message----- > >>>>>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever > >>>>>>> Sent: Monday, November 19, 2018 15:56 > >>>>>>> To: NFSv4 <nfsv4@ietf.org> > >>>>>>> Subject: [nfsv4] Fwd: New Version Notification for > >>>>>> draft-cel-nfsv4-rpc-tls-01.txt > >>>>>>> > >>>>>>> > >>>>>>> Hi- > >>>>>>> > >>>>>>>> Begin forwarded message: > >>>>>>>> > >>>>>>>> From: internet-drafts@ietf.org > >>>>>>>> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt > >>>>>>>> Date: November 19, 2018 at 10:52:07 AM EST > >>>>>>>> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles > >>>>>>>> Lever" <chuck.lever@oracle.com>, "Chuck Lever" > >>>>>>>> <chuck.lever@oracle.com> > >>>>>>>> > >>>>>>>> > >>>>>>>> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been > >>>>>>>> successfully submitted by Charles Lever and posted to the IETF > >>>>>>>> repository. > >>>>>>>> > >>>>>>>> Name: draft-cel-nfsv4-rpc-tls > >>>>>>>> Revision: 01 > >>>>>>>> Title: Remote Procedure Call Encryption By Default > >>>>>>>> Document date: 2018-11-19 > >>>>>>>> Group: Individual Submission > >>>>>>>> Pages: 9 > >>>>>>>> URL: > >>>>>> https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt > >>>>>>>> Status: > >>>>>> https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/ > >>>>>>>> Htmlized: https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01 > >>>>>>>> Htmlized: > >>>>>> https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls > >>>>>>>> Diff: > >>>>>> https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01 > >>>>>>>> > >>>>>>>> Abstract: > >>>>>>>> This document describes a mechanism that enables encryption of in- > >>>>>>>> transit Remote Procedure Call (RPC) transactions with little > >>>>>>>> administrative overhead and full interoperation with RPC > >>>>>>>> implementations that do not support this mechanism. This document > >>>>>>>> updates RFC 5531. > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> Please note that it may take a couple of minutes from the time of > >>>>>>>> submission until the htmlized version and diff are available at > >>>>>> tools.ietf.org. > >>>>>>>> > >>>>>>>> The IETF Secretariat > >>>>>>> > >>>>>>> Minor changes in revision 01: > >>>>>>> - Correct a legal issue reported by idnits > >>>>>>> - Clarify terminology throughout document > >>>>>>> - Add editor's note in Section 4.3 "Authentication" > >>>>>>> - Wordsmithing throughout > >>>>>>> > >>>>>>> > >>>>>>> The immediate question I have is whether members of WG feel this topic > >>>>>> and document are important enough to promote rpc-tls-01 to Working Group > >>>>>> document status. If yes, I can submit the next revision as > >>>>>> draft-ietf-nfsv4-rpc-tls-00. > >>>>>> > >>>>>> -- > >>>>>> Chuck Lever > >>>>>> > >>>>>> > >>>>>> > >>>>>> _______________________________________________ > >>>>>> nfsv4 mailing list > >>>>>> nfsv4@ietf.org > >>>>>> https://www.ietf.org/mailman/listinfo/nfsv4 > >>>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> nfsv4 mailing list > >>>>> nfsv4@ietf.org > >>>>> https://www.ietf.org/mailman/listinfo/nfsv4 > >>> > >>> -- > >>> Chuck Lever > > > > -- > > Chuck Lever > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Fwd: New Version Notification for draft-c… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… Rob Thurlow
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… McDonald, Alex
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever
- Re: [nfsv4] Fwd: New Version Notification for dra… Tom Talpey
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… David Noveck
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Lars Eggert
- Re: [nfsv4] New Version Notification for draft-ce… Lars Eggert
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Benjamin Kaduk
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Trond Myklebust
- Re: [nfsv4] New Version Notification for draft-ce… Trond Myklebust
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Olga Kornievskaia
- Re: [nfsv4] New Version Notification for draft-ce… Tom Talpey
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran
- Re: [nfsv4] New Version Notification for draft-ce… Chuck Lever
- Re: [nfsv4] New Version Notification for draft-ce… Benjamin Kaduk
- Re: [nfsv4] New Version Notification for draft-ce… Mkrtchyan, Tigran