Re: [nfsv4] NFS over TLS for laptops
David Noveck <davenoveck@gmail.com> Sun, 13 December 2020 12:08 UTC
From: David Noveck <davenoveck@gmail.com>
Date: Sun, 13 Dec 2020 07:08:40 -0500
Message-ID: <CADaq8jdbn8U27c5VThX4YSE170dY-CEV5HCwjqKUMFboEfkLvA@mail.gmail.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: NFSv4 <nfsv4@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/vZpU77dCAbnFk4Oyq83d-NCoE8I>

On Sat, Dec 12, 2020, 7:02 PM Rick Macklem <rmacklem@uoguelph.ca> wrote:

> Hi,
>
> David Noveck emailed me w.r.t talking about this at a future meeting.
> This sounds rather scary to me,

Not sure why you think we are so scary.

> sooooo I figured I'd post here and then, if
> others want me to, I can try to attend a "virtual meeting".

I'd like to have your proposal discussed, but, if you don't want to actually present, it is ok. I just need you to decide in the next week so I can put together an agenda.

> First off, the disclaimer that I am neither a security guy nor TLS guy.

That's not a problem. A security guy would just tell us we suck. A TLS guy is going to be attending tls meetings, but will be needed to review your proposal if the working group decides to pursue it.

> The case I was trying to address was mobile device (aka laptop)
> mounts to an NFS server using TLS. These devices are assumed to
> have two properties:
> - Used by a single user.
> - Connecting to the Internet from anywhere (ie. no fixed IP nor
>   DNS name).

Secure use on the internet was an official goal of RFC 3530 published 4/2003. Sigh!

> Typical filtering at the NFS server via client IP address obviously cannot
> work, so
> what can be done?

The old answer was RPCSECGSS but we seem to be stuck with AUTH_SYS which is one reason security people tell us we suck.

The working group has to decide how to retain AUTH_SYS, with acceptable security. As I see it your proposal has a possible role in that.

> Now, for the part that might be considered a violation of the "soon
> to be an RFC" draft.

Unless you are quoting someone else, you are misquoting me. I never said "soon". Rpc-tls is in rfc-editor state and so is an rfc-to-be. Whether your proposal is in conflict with rpc-tls should be first addressed with its editor.