IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

Tom Talpey <ttalpey@microsoft.com> Fri, 29 March 2019 00:35 UTC

Return-Path: <ttalpey@microsoft.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29A1E1200C4 for <nfsv4@ietfa.amsl.com>; Thu, 28 Mar 2019 17:35:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8aV8q4a6hJrt for <nfsv4@ietfa.amsl.com>; Thu, 28 Mar 2019 17:35:33 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-eopbgr800094.outbound.protection.outlook.com [40.107.80.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D4DC1200A0 for <nfsv4@ietf.org>; Thu, 28 Mar 2019 17:35:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=x+FW1xh0UD+k+36WAqb2pJfmmyARynFyH8jt6hktXCc=; b=Z4oI0kEISM/hZ+aBRXaNr+dcAqzNAXfOW0lHOT9K/ZiT6yLMguty1e/7W3pkpXXgRT07gRBy3TOlmxbj0Qjib0bGRLexwBU6s6HbYfNDIRDhDXhxiLLZK5+YWDyhJAcb1Zk8glT7q4GEIrtDUFXmcwLPKxjaVA0NF5rE3YCIJMs=
ARC-Seal: i=1; a=rsa-sha256; s=testarcselector01; d=microsoft.com; cv=none; b=XqAkZFHxwejJziRXVXVuEDzi3Nfq82w/9hUlOK4FjpA01Avum1nuLFGZF20Mlz8diRqfU+H/WmtFtHS5R+H9dilcBycI07OJ/tbTtVc4J/aq6KtD673kp2Q/rV8X0BzYDghfP2BR4bCnbt5j+rVmoIqBC46JGYHCPWyL8EfmpPc=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=testarcselector01; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=x+FW1xh0UD+k+36WAqb2pJfmmyARynFyH8jt6hktXCc=; b=WhlEVDkf5mJMG/ASoZrIUL6M1fS5XmaCpvIeX6uxuSwpJr2LeEaaFuldzn1Ui3LHHRJ0U48Mt5/P078p9b7ROH9K7CiUM6kemHCLCKQ3Qh4QqXEP9XbrdacBye6zi7uGRS939DumDC8yLdgCNvopjtdky+4iaQhoEeI0cv08LN0=
ARC-Authentication-Results: i=1; test.office365.com 1; dmarc=none action=none header.from=microsoft.com; arc=none
Received: from SN4PR2101MB0736.namprd21.prod.outlook.com (10.167.151.155) by SN4PR2101MB0733.namprd21.prod.outlook.com (10.167.150.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.3; Fri, 29 Mar 2019 00:35:31 +0000
Received: from SN4PR2101MB0736.namprd21.prod.outlook.com ([fe80::804d:6cd0:c000:791c]) by SN4PR2101MB0736.namprd21.prod.outlook.com ([fe80::804d:6cd0:c000:791c%3]) with mapi id 15.20.1771.003; Fri, 29 Mar 2019 00:35:31 +0000
From: Tom Talpey <ttalpey@microsoft.com>
To: Chuck Lever <chuck.lever@oracle.com>
CC: Lars Eggert <lars@eggert.org>, NFSv4 <nfsv4@ietf.org>
Thread-Topic: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
Thread-Index: AQHU4+Vn/M2YRfR8/UyeHEaGBO4iYKYeF5yAgAAD8ICAAAB/gIAAFWuAgAABC8CAA0J/gIAAUK5Q
Date: Fri, 29 Mar 2019 00:35:31 +0000
Message-ID: <SN4PR2101MB073663820F28F2AAA8766E38A05A0@SN4PR2101MB0736.namprd21.prod.outlook.com>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com> <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de> <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com> <2020506870.740381.1553612716598.JavaMail.zimbra@desy.de> <CAN-5tyGggDUe2DNSjRc6vAyXgGo4LVwYVK5zmTOyr0soPFVKrQ@mail.gmail.com> <3705AA25-10DF-43BF-BE1D-B0BE27F705DE@eggert.org> <0E00BED9-74D4-4594-A7AC-FCD624461DD7@eggert.org> <880CC259-A82A-401F-A81D-5FCD6A9758B3@oracle.com> <SN4PR2101MB0736EF7A385F5D95107D4118A05F0@SN4PR2101MB0736.namprd21.prod.outlook.com> <3A634328-B190-473B-A6D7-C5878CC2654B@oracle.com>
In-Reply-To: <3A634328-B190-473B-A6D7-C5878CC2654B@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=ttalpey@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-03-29T00:35:27.5947747Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=1f3c9641-7d7e-40d5-a35f-236f12b9197c; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic
x-originating-ip: [2601:18f:981:12f8::1003]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 75c8061a-b354-4266-18f2-08d6b3de730d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:SN4PR2101MB0733;
x-ms-traffictypediagnostic: SN4PR2101MB0733:
x-microsoft-antispam-prvs: <SN4PR2101MB073389FEF9735BAC203E40E8A05A0@SN4PR2101MB0733.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0991CAB7B3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(376002)(346002)(366004)(136003)(39860400002)(396003)(199004)(13464003)(189003)(71200400001)(81156014)(4326008)(14444005)(53936002)(8990500004)(186003)(54906003)(6436002)(6506007)(478600001)(6246003)(6346003)(316002)(52536014)(229853002)(10090500001)(6916009)(93886005)(102836004)(46003)(2906002)(53546011)(8936002)(105586002)(7696005)(22452003)(68736007)(256004)(25786009)(97736004)(74316002)(33656002)(486006)(4001150100001)(11346002)(8676002)(15650500001)(76176011)(305945005)(10290500003)(476003)(99286004)(81166006)(86362001)(55016002)(86612001)(106356001)(14454004)(446003)(6116002)(7736002)(9686003)(71190400001)(5660300002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:SN4PR2101MB0733; H:SN4PR2101MB0736.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ttalpey@microsoft.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: LgIUu+Z0lvPCNI0Mbd25MgEILH8hL9hL1o7g6xgSNJ+wYD/LS8Amrab0Pt8RsnCobrz2p8eFw6W0s2riI19TZVV8dzxFRgamKnGMENW9LTvUitoBbJ2XHWaZKL+qZIAfupfb048XGHZSf7EetGBnV296ndKJ8cKHMYXHuroVrzDm+I6ckOEt5phQH3Lx75/Dt3NojOylRI8F65T4gyNdrC4EudnYa3ktRhlEIos55ud9lhjL6MuLQhSk9HbM8/LlI9e1YpG3hjEChLiMqdFev2hZxlwaqecWOZUGR8YQfzRKS1IK1uIvFxQ51Acchh/Cju0LDkX3usjRG9f7p2mNyJXY+qVoj2Qz7ef5zV7Q3aL5ojaYTdkhBlzdXyYZD1M173YKK6XinYhjcw1w3GDID9vZUG+DKmSS+dLvI7/8hF0=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 75c8061a-b354-4266-18f2-08d6b3de730d
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2019 00:35:31.2186 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN4PR2101MB0733
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/s0FgKbMVG_KT5FaSu1L9qU3K8O4>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 00:35:36 -0000

> -----Original Message-----
> From: Chuck Lever <chuck.lever@oracle.com>
> Sent: Thursday, March 28, 2019 3:43 PM
> To: Tom Talpey <ttalpey@microsoft.com>
> Cc: Lars Eggert <lars@eggert.org>; NFSv4 <nfsv4@ietf.org>
> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
> 
> 
> > On Mar 26, 2019, at 1:58 PM, Tom Talpey <ttalpey@microsoft.com> wrote:
> >
> >> -----Original Message-----
> >> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
> >> Sent: Tuesday, March 26, 2019 1:52 PM
> >> To: Lars Eggert <lars@eggert.org>
> >> Cc: NFSv4 <nfsv4@ietf.org>
> >> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-
> 01.txt
> >>
> >>
> >>
> >>> On Mar 26, 2019, at 12:35 PM, Lars Eggert <lars@eggert.org> wrote:
> >>>
> >>> On 2019-3-26, at 17:33, Lars Eggert <lars@eggert.org> wrote:
> >>>> Also note that STARTTLS is somewhat less secure than running TLS
> directly.
> >> See for example Section 6 of RFC3207:
> >>>>
> >>>>   A man-in-the-middle attack can be launched by deleting the "250
> >>>>   STARTTLS" response from the server.  This would cause the client not
> >>>>   to try to start a TLS session.  Another man-in-the-middle attack is
> >>>>   to allow the server to announce its STARTTLS capability, but to alter
> >>>>   the client's request to start TLS and the server's response.
> >>>>
> >>>>   ...
> >>>
> >>> And RFC8314 recommends (for mail) that "implicit TLS" should be used
> >> instead of STARTTLS.
> >>
> >> Perhaps that is what we should require for RPC on TLS;
> >> that is, "STARTTLS MUST NOT be used"?
> >
> > It's a fine requirement, but there may need to be a justification for the MUST.
> >
> > It's important to note that such a requirement means you'll need to allocate
> > a new port number for such connections. This would apply to any upper
> > layer using the new RPC flavor, which in turn might impact the portmapper.
> > Note, it may also have implications on the proposed negotiation. If TLS is
> > a "done deal", negotiating the auth flavor may be moot.
> 
> We could create a new netid for this purpose.
> 
> Advertise an RPC program with this new netid, and no STARTTLS would
> be needed. The client simply connects and begins TLS negotiation.

But, the current draft proposes using a new AUTH_TLS exchange, which
if successful allows the client to perform a STARTTLS. If you define a netid
and/or port number, the client would simply start in TLS, prior to even
sending its first RPC.

Would that not simply make the whole draft unnecessary?

Tom.

v2.23.0 | Report a Bug | By Email