IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

Olga Kornievskaia <aglo@umich.edu> Tue, 26 March 2019 16:19 UTC

Return-Path: <olga.kornievskaia@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B720120571 for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 09:19:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e6AKmc8m2LtS for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 09:19:48 -0700 (PDT)
Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34AEB12056C for <nfsv4@ietf.org>; Tue, 26 Mar 2019 09:19:48 -0700 (PDT)
Received: by mail-ua1-x935.google.com with SMTP id 46so763656uan.8 for <nfsv4@ietf.org>; Tue, 26 Mar 2019 09:19:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6cDYU/dYynUIRJoeTXuhPdFib2OrESxb/aZB1rmR/EQ=; b=nif7BeWufMf2YBktPiTULsnjGY3pOi5Fp16kWBOIALLDDB6ZYnAu7Hu7jp6ziMexif YgV2mKbD2eqa7s2Ls6BkcuQY1B+wNapH0t/cuy/96TMjrNN+AcmmXWt8K873QKW0E5bk A+oalyUNf8MPUqXKi8kXJLWvIHMw5QoxxaCJd5jcFSzMccg86MlweRmS7FQISEg7JznF nVbLWMk1FEPdlHTCWrWJwqDCNZY7fC0EY4dspmFWNH9trJkgA3m03uOjbySw3eEWCEdp DI4yTt1VOG9m4RTZKe/F1mfyQ1z8oZd1xqu2iTFaDcIt3HxcB/5p9XIBcEmO/HFli/R8 0JcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6cDYU/dYynUIRJoeTXuhPdFib2OrESxb/aZB1rmR/EQ=; b=RbKBiNvAy774VjeYFkP8kFtSZ8V5RdUatrGMGlSJRoVkW5enh892ZqIc+aK6gIa9Ud 1jRBzjlaHn5PD9qyhY2NHxGRX+hmQ4QD2Qcv7sGd6UXWyG9/quYCjLtTKowC3tcg6Z2c nOU5arJ2+PcjQR/shH8kgAJMGZRVbPAl/2C29BngiE9jxNabwdRROfCISLM3FMofj4y9 RNNd+ttBJfeWQ2aUQxQT4fEwcqzWlvF87c2BAGLR5Cxm+Jcmsj3AEiUIkGhW2+o53rX2 s4wLt5JFn3lnVNKOJ9kVBBTjB7bsADRyZF9AEcaP/bLq4y17n+vso+mWImZ0vQwWR2q0 2kXA==
X-Gm-Message-State: APjAAAX+vkIxXDEFQBgKbtqeVbc/U8Y06BmkHg4yg7gFoDoQWwcSWegE 893urR6mye8pgfyn5AXVd8PZzrz7ulsRn+mByyI=
X-Google-Smtp-Source: APXvYqzlO3aPYCzDR++R9glAba+RyVRwyxF6eJ1HTaMn2hl6FqZIBJmvzpbV1p3GlsEuUlwkgvtsfhieacm30wFD+/4=
X-Received: by 2002:ab0:2886:: with SMTP id s6mr17658057uap.93.1553617187019; Tue, 26 Mar 2019 09:19:47 -0700 (PDT)
MIME-Version: 1.0
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com> <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de> <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com> <2020506870.740381.1553612716598.JavaMail.zimbra@desy.de>
In-Reply-To: <2020506870.740381.1553612716598.JavaMail.zimbra@desy.de>
From: Olga Kornievskaia <aglo@umich.edu>
Date: Tue, 26 Mar 2019 12:19:35 -0400
Message-ID: <CAN-5tyGggDUe2DNSjRc6vAyXgGo4LVwYVK5zmTOyr0soPFVKrQ@mail.gmail.com>
To: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
Cc: Chuck Lever <chuck.lever@oracle.com>, NFSv4 <nfsv4@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/uuQ2Wvd8BwzF_xjHJ1jIXfx2G48>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 16:19:51 -0000

On Tue, Mar 26, 2019 at 11:05 AM Mkrtchyan, Tigran
<tigran.mkrtchyan@desy.de> wrote:
>
>
>
> ----- Original Message -----
> > From: "Chuck Lever" <chuck.lever@oracle.com>
> > To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>
> > Cc: "NFSv4" <nfsv4@ietf.org>
> > Sent: Tuesday, March 26, 2019 2:56:10 PM
> > Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
>
> >> On Mar 25, 2019, at 4:44 PM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
> >>
> >>
> >>
> >> ----- Original Message -----
> >>> From: "Chuck Lever" <chuck.lever@oracle.com>
> >>> To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>
> >>> Cc: "NFSv4" <nfsv4@ietf.org>
> >>> Sent: Monday, March 25, 2019 2:44:32 PM
> >>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
> >>
> >>>> On Mar 25, 2019, at 4:53 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
> >>>>
> >>>>
> >>>>
> >>>> Hi Chuck,
> >>>>
> >>>> By working on our implementation we got a following questions:
> >>>>
> >>>> what should server do when a client requests startTLS twice? Fail
> >>>> with an auth error or just ignore?
> >>>
> >>> I don't have a ready answer, but seems to me your TLS library
> >>> might have an opinion. Can a web browser be made to generate
> >>> a second STARTTLS to see what the behavior is like?
> >>>
> >>> Is there any guidance in RFC 8446 or its antecedants?
> >>
> >> Looks like LDAP have that case clearly specified rfc2830:
> >>
> >> 2.3:
> >>
> >> ...
> >>
> >>   If the Start TLS extended request was not successful, the resultCode
> >>   will be one of:
> >>
> >>   operationsError  (operations sequencing incorrect; e.g. TLS already
> >>                    established)
> >>
> >> 3.1:
> >>
> >> ...
> >>
> >>   The client MAY send the Start TLS extended request at any time after
> >>   establishing an LDAP association, except that in the following cases
> >>   the client MUST NOT send a Start TLS extended request:
> >>
> >>     - if TLS is currently established on the connection, or
> >>
> >> You may adopt a similar wording to rpc-over-tls. However, what about UDP and
> >> retransmits?
> >
> > UDP will use DTLS.
> >
> > My hesitance is that STARTTLS is part of the TLS protocol, and we're
> > not specifying that here, we're only using it. Surely TLS has a proper
> > mechanism for managing this situation.
> >
> > I would like to see a recent RFC that covers your case. RFC 6614 appears
> > to require TLS negotiation to occur immediately after the underlying
> > transport connection is established, and never later. Is that what you
> > want?
>
> I have my doubts, that STARTTLS is a part of TLS protocol. Anyway, what I want to
> see is a clear statement about what server is suppoed to do if it sees multiple
> STARTTLS requests on the same connection. Our current implementation will just
> ignore the second request if TLS is already enabled.
>

To add to Tigran's comments...

STARTTLS is not a part of the TLS RFC. Other protocols that use TLS
have RFCs for STARTTLS for that protocol which I think NFS needs to
have too either as a part of this document or a separate document.

Taken from a wiki (https://en.wikipedia.org/wiki/Opportunistic_TLS)
The STARTTLS command for IMAP and POP3 is defined in RFC 2595, for
SMTP in RFC 3207, for XMPP in RFC 6120 and for NNTP in RFC 4642...

> Tigran.
>
>
> >
> >
> >> Tigran.
> >>>
> >>>
> >>>> It would be nice if spec will
> >>>> explicitly define this situation.
> >>>>
> >>>> Thanks,
> >>>>  Tigran.
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Dave Noveck" <davenoveck@gmail.com>
> >>>>> To: "Chuck Lever" <chuck.lever@oracle.com>
> >>>>> Cc: "NFSv4" <nfsv4@ietf.org>
> >>>>> Sent: Friday, January 4, 2019 5:25:18 PM
> >>>>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
> >>>>
> >>>>>> I've been studying RFC 8471 to understand what would be needed to support
> >>>>>> TLS token binding with RPC. It appears there are two components:
> >>>>>
> >>>>>> - The TLS handshake is extended to indicate support for token binding
> >>>>>> and negotiate the supported version
> >>>>>
> >>>>>> - The upper layer protocol (RPC, in our case) is required to send a Token
> >>>>>> Binding message as the first message
> >>>>>
> >>>>>> We would need to provide a mechanism for encapsulating this message in
> >>>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
> >>>>>> RPCSEC GSS could provide a mechanism for transporting this message.
> >>>>>
> >>>>> As I understand things, one of the potential goals here is to satisfactorily
> >>>>> authenticate the client so that AUTH_SYS can reasonably used.  For that use
> >>>>> case, I'm not sure how depending on RPCSEC GSS would fit in.
> >>>>>
> >>>>>> It appears to me that there is a natural boundary between what we have
> >>>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
> >>>>>> Binding, such that Token Binding could be handled by a separate document.
> >>>>>
> >>>>> That makes sense.
> >>>>>
> >>>>>> That would allow the quick completion
> >>>>>
> >>>>> Since this is the IETF, let's just say "quicker completion".
> >>>>>
> >>>>>> of rpc-tls to enable encryption by
> >>>>>> default using self-signed certificates, with support for Token Binding
> >>>>>> to appear later.
> >>>>>
> >>>>> It depens on how much later.  I don't see how it would be necessary to get
> >>>>> through the RFC process, including that rigorous search for split
> >>>>> infinitives, cycles
> >>>>> of discussion of RFC2119 terms before starting the follow-up work on token
> >>>>> binding.   Once rpc-tls is accepted as a working group document, the group
> >>>>> would
> >>>>> be in a position to make plans for the follow-on  work that seems to be
> >>>>> warranted.
> >>>>>
> >>>>>> Thoughts, comments...
> >>>>>
> >>>>> If work on client autehentication is to be punted, then the document will
> >>>>> need to reflect that.
> >>>>> In particular, if you, as a server, are prepared to accept an
> >>>>> unauthenticatted client's user
> >>>>> identifications, then your security is pretty much non-existent, despite
> >>>>> the fact that
> >>>>> enryption prevents eavesdropping.  In that case, it probably best to say
> >>>>> nothing about use
> >>>>> of AUTH_SYS.
> >>>>>
> >>>>>> Am I on the wrong track?
> >>>>>
> >>>>> No.
> >>>>>
> >>>>> On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> >>>>>
> >>>>>>
> >>>>>>> On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote:
> >>>>>>>
> >>>>>>> Hi Chuck
> >>>>>>>
> >>>>>>> Apologies for top posting, blame MS
> >>>>>>>
> >>>>>>> I was interested in the comment "We believe the combination of host
> >>>>>> authentication via TLS and user authentication via RPC provides optimal
> >>>>>> security, efficiency, and flexibility,". There's been a huge amount of
> >>>>>> negative press for TLS client auth, but there's been a push for TLS token
> >>>>>> binding as a basis for better client/server authentication. Does the
> >>>>>> proposal need to consider work in this area?
> >>>>>>
> >>>>>> I've been studying RFC 8471 to understand what would be needed to support
> >>>>>> TLS token binding with RPC. It appears there are two components:
> >>>>>>
> >>>>>> - The TLS handshake is extended to indicate support for token binding
> >>>>>>  and negotiate the supported version
> >>>>>>
> >>>>>> - The upper layer protocol (RPC, in our case) is required to send a Token
> >>>>>>  Binding message as the first message
> >>>>>>
> >>>>>> We would need to provide a mechanism for encapsulating this message in
> >>>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
> >>>>>> RPCSEC GSS could provide a mechanism for transporting this message.
> >>>>>>
> >>>>>> It appears to me that there is a natural boundary between what we have
> >>>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
> >>>>>> Binding, such that Token Binding could be handled by a separate document.
> >>>>>> That would allow the quick completion of rpc-tls to enable encryption by
> >>>>>> default using self-signed certificates, with support for Token Binding
> >>>>>> to appear later.
> >>>>>>
> >>>>>> Thoughts, comments... Am I on the wrong track?
> >>>>>>
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
> >>>>>>> Sent: Monday, November 19, 2018 15:56
> >>>>>>> To: NFSv4 <nfsv4@ietf.org>
> >>>>>>> Subject: [nfsv4] Fwd: New Version Notification for
> >>>>>> draft-cel-nfsv4-rpc-tls-01.txt
> >>>>>>>
> >>>>>>>
> >>>>>>> Hi-
> >>>>>>>
> >>>>>>>> Begin forwarded message:
> >>>>>>>>
> >>>>>>>> From: internet-drafts@ietf.org
> >>>>>>>> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
> >>>>>>>> Date: November 19, 2018 at 10:52:07 AM EST
> >>>>>>>> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles
> >>>>>>>> Lever" <chuck.lever@oracle.com>, "Chuck Lever"
> >>>>>>>> <chuck.lever@oracle.com>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been
> >>>>>>>> successfully submitted by Charles Lever and posted to the IETF
> >>>>>>>> repository.
> >>>>>>>>
> >>>>>>>> Name:         draft-cel-nfsv4-rpc-tls
> >>>>>>>> Revision:     01
> >>>>>>>> Title:                Remote Procedure Call Encryption By Default
> >>>>>>>> Document date:        2018-11-19
> >>>>>>>> Group:                Individual Submission
> >>>>>>>> Pages:                9
> >>>>>>>> URL:
> >>>>>> https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt
> >>>>>>>> Status:
> >>>>>> https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/
> >>>>>>>> Htmlized:       https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01
> >>>>>>>> Htmlized:
> >>>>>> https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls
> >>>>>>>> Diff:
> >>>>>> https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01
> >>>>>>>>
> >>>>>>>> Abstract:
> >>>>>>>> This document describes a mechanism that enables encryption of in-
> >>>>>>>> transit Remote Procedure Call (RPC) transactions with little
> >>>>>>>> administrative overhead and full interoperation with RPC
> >>>>>>>> implementations that do not support this mechanism.  This document
> >>>>>>>> updates RFC 5531.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Please note that it may take a couple of minutes from the time of
> >>>>>>>> submission until the htmlized version and diff are available at
> >>>>>> tools.ietf.org.
> >>>>>>>>
> >>>>>>>> The IETF Secretariat
> >>>>>>>
> >>>>>>> Minor changes in revision 01:
> >>>>>>> - Correct a legal issue reported by idnits
> >>>>>>> - Clarify terminology throughout document
> >>>>>>> - Add editor's note in Section 4.3 "Authentication"
> >>>>>>> - Wordsmithing throughout
> >>>>>>>
> >>>>>>>
> >>>>>>> The immediate question I have is whether members of WG feel this topic
> >>>>>> and document are important enough to promote rpc-tls-01 to Working Group
> >>>>>> document status. If yes, I can submit the next revision as
> >>>>>> draft-ietf-nfsv4-rpc-tls-00.
> >>>>>>
> >>>>>> --
> >>>>>> Chuck Lever
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> nfsv4 mailing list
> >>>>>> nfsv4@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> nfsv4 mailing list
> >>>>> nfsv4@ietf.org
> >>>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>
> >>> --
> >>> Chuck Lever
> >
> > --
> > Chuck Lever
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email