Re: [nfsv4] SECDIR Review of draft-ietf-nfsv4-umask-03

Spencer Dawkins at IETF <> Fri, 26 May 2017 16:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3F3D31296B3; Fri, 26 May 2017 09:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OF2CSu1837Mu; Fri, 26 May 2017 09:00:52 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A624612EA5A; Fri, 26 May 2017 09:00:52 -0700 (PDT)
Received: by with SMTP id 130so3303809ybl.3; Fri, 26 May 2017 09:00:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wwa+S03nNCYOF2RPvOLaLui+JhjJeCZusKEBQtTujRs=; b=sjZvO0AGQXybvwOtI5GjPqqn92o2aXKdrb1HYPSVgsQjENsIIhKjVLolGfzG93NoBd t+t30yUT8BznYMjcLsSFGN38Ptv1hUyIHk48JsgOyDq1P8Pt/B85qizM8UrkYlDcwfAm V7NTpdCA0w/H77k39Vwu5lyw0ml7r9xRZ8oz0f6ba6xCkJ7GMYbTk7bbvDXiYh3mVAAX MeUPnEJcaS2N8ENTjwVGB7S1TQd6BZ7ow/8sNbNu9WikCLFGFMRs49lKRFmjv9g51PP3 sjz0truRQ8M8RUeoUK72yCOudqK7fCdTFMkYwn2jXnfK4dsydIruoTd4o50+jkID3VZx iwPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wwa+S03nNCYOF2RPvOLaLui+JhjJeCZusKEBQtTujRs=; b=dfj6OL1ly5J67+1HxdWv6IL5kJS+7x569r1eyX1+1jBczT+kxi0lUctMT15ZHIQ4Zh nvDgShZQErPJY+V18qPK/zeS6aann5lFPJU9ivLNFQzjcMCCXMStaiDZTuvs/SrzaBTI l/Ir8pn4bXufbU+lyUFtJvfo1aZ7oA8VO2F5ZoZsBN7nfRwdcJ0OFRoeRE5VEMDbm/EQ dClf729+7g1V02A2V5sFi/yUAVPO1G0P67A6YOLWss2IAfFwYfffmoOgZorRg6LGhYPx y0yjl/YEccQRPSgZc3mGuCXyIvB0bI5JkcTsJ1beEGE4zw2i1wmGsqxXyQEjzol0o6vc oGoA==
X-Gm-Message-State: AODbwcA+fo0gQq2rkzqSqrdPAvj6dBKaEhYXjaByUMKq332Xm5yaoE2A LigLSa40kgh25xb2SKIlqtHEGVb50A==
X-Received: by with SMTP id v10mr32644977ybj.82.1495814451837; Fri, 26 May 2017 09:00:51 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 26 May 2017 09:00:51 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Spencer Dawkins at IETF <>
Date: Fri, 26 May 2017 12:00:51 -0400
Message-ID: <>
To: Phillip Hallam-Baker <>
Cc: "" <>,, IETF Discussion Mailing List <>, NFSv4 <>
Content-Type: multipart/alternative; boundary="089e0822e59c0d5b5e05506f719c"
Archived-At: <>
Subject: Re: [nfsv4] SECDIR Review of draft-ietf-nfsv4-umask-03
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 May 2017 16:00:54 -0000

Hi, Phillip,

(adding the NFSv4 working group mailing list, because the issue you raised
in this review is relevant to pretty much all of NFSv4)

On Thu, May 18, 2017 at 12:10 PM, Phillip Hallam-Baker <> wrote:

> Reviewer:
> ​Phillip Hallam-Baker
> Review result:
> ​OK but...​
> I reviewed this document as part of the Security Directorate's
> ongoing
> effort to review all IETF documents being processed by the IESG.
> These
> comments were written primarily for the benefit of the Security Area
> Directors.  Document authors, document editors, and WG chairs should
> treat these comments just like any other IETF Last Call comments.
> Document: Review of draft-ietf-nfsv4-umask-03
> Reviewer:
> ​Phillip Hallam-Baker
> Review result:
> ​OK but...​
> This particular draft looks OK to me. Aligning the semantics of NFS with
> the semantics of the file system seems to me to be absolutely the way to go
> forward. I am not sufficiently experienced in the semantics of NFS or Unix
> as deployed to be able to offer an opinion on whether the draft achieves
> that. However it appears that the author does.
> ​What is problematic here is that the Security Considerations in the draft
> are essentially relying on those in rfc7530 which are woefully inadequate
> given the critical role of NFS in Internet security. They are not so much a
> security plan as a collection of random thoughts jotted down in haphazard
> fashion.​
> There is clearly no coherent model of what NFS security should achieve,
> what the threats are, what controls are deployed to control them. Also note
> that the main reason this review is late is that I have been dealing with
> issues arising from WannaCry which used an SMB:1 exploit. Re-reading
> RFC7530 in the light of that experience gives me grave concern.

This is very interesting ...

Speaking as the responsible AD, I'm thinking that the right thing to do, is
for me to ask the NFSv4 working group to consider the issue you're raising,
with the high-order bit question being whether it's time to revisit NFS
security. The working group is actively discussing a recharter, likely to
be discussed in Prague, so it's the right time to ask the question.

Given that RFC 7530 is the umbrella RFC for all of NFSv4, I'm thinking
that's the right place to fix anything that needs fixing.

And thanks for your review.