IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt

Chuck Lever <chuck.lever@oracle.com> Tue, 26 March 2019 13:56 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0DB11202D1 for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 06:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P2gLWy9qc4A6 for <nfsv4@ietfa.amsl.com>; Tue, 26 Mar 2019 06:56:18 -0700 (PDT)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DCC8120283 for <nfsv4@ietf.org>; Tue, 26 Mar 2019 06:56:18 -0700 (PDT)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x2QDrvq4035326; Tue, 26 Mar 2019 13:56:14 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=XaOwj/1WP6WaDnPKBmNbiyaQD5sg9JLnkn65JPts1Ts=; b=NIDew5FfWaOFqVyhyjroArB/lcHWB73vgWK3u9eNw5OXTQFFgdJji1waIAdKUkZLMwUA IE0OK4LasjSaEmG2zv9Yxtebokh7vBwYo8WKldufrnSCJvH16yJjoNwz1FgCn7Wi2gRm Hf5U44QYjJBOCkXB2yRfObeWSGq6hnGXi906n1HKQzxD6N9EZ+Va1wIdVF8dCIbS49/s C1VL+irtAIdtht/Obj/suEidmSs8xuF+b35IjGCyx0zbGpI7mRM4mKRYKKgh6ItEsID/ GQlc8m6+jBRPb+GgWsgGW/1gecgtN12+Pe7PHgqUjhm0bf6Ek56BEjiup8pIiNdsu7mt Rw==
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp2130.oracle.com with ESMTP id 2re6g0th6d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 26 Mar 2019 13:56:14 +0000
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id x2QDuCL7026739 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 26 Mar 2019 13:56:13 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x2QDuBRS005649; Tue, 26 Mar 2019 13:56:11 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 26 Mar 2019 06:56:11 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de>
Date: Tue, 26 Mar 2019 09:56:10 -0400
Cc: NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <946EFDD8-F04D-49CD-A1C8-D8E8A6D5EE35@oracle.com>
References: <154264272736.5235.8955444239583271708.idtracker@ietfa.amsl.com> <50A96C3A-DBA4-4A6C-B883-664E59E24534@oracle.com> <CO2PR0601MB7597A7490C43DAE5A3268E6B5D80@CO2PR0601MB759.namprd06.prod.outlook.com> <39802AA5-3F70-48C7-824B-CAC0FB871016@oracle.com> <CADaq8jc82bfxpjxz_f6Uy-4c0yazJujOrKo+TejPkx-q6qq_3Q@mail.gmail.com> <1480794517.422703.1553504031783.JavaMail.zimbra@desy.de> <4F7BC6A0-50F9-47BC-8465-28833835E7F6@oracle.com> <1119874674.601037.1553546666143.JavaMail.zimbra@desy.de>
To: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
X-Mailer: Apple Mail (2.3445.102.3)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9206 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903260098
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/xvbYIbqA4k4So5-qqoChBe_o_II>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 13:56:21 -0000


> On Mar 25, 2019, at 4:44 PM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
> 
> 
> 
> ----- Original Message -----
>> From: "Chuck Lever" <chuck.lever@oracle.com>
>> To: "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de>
>> Cc: "NFSv4" <nfsv4@ietf.org>
>> Sent: Monday, March 25, 2019 2:44:32 PM
>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
> 
>>> On Mar 25, 2019, at 4:53 AM, Mkrtchyan, Tigran <tigran.mkrtchyan@desy.de> wrote:
>>> 
>>> 
>>> 
>>> Hi Chuck,
>>> 
>>> By working on our implementation we got a following questions:
>>> 
>>> what should server do when a client requests startTLS twice? Fail
>>> with an auth error or just ignore?
>> 
>> I don't have a ready answer, but seems to me your TLS library
>> might have an opinion. Can a web browser be made to generate
>> a second STARTTLS to see what the behavior is like?
>> 
>> Is there any guidance in RFC 8446 or its antecedants?
> 
> Looks like LDAP have that case clearly specified rfc2830:
> 
> 2.3:
> 
> ...
> 
>   If the Start TLS extended request was not successful, the resultCode
>   will be one of:
> 
>   operationsError  (operations sequencing incorrect; e.g. TLS already
>                    established)
> 
> 3.1:
> 
> ...
> 
>   The client MAY send the Start TLS extended request at any time after
>   establishing an LDAP association, except that in the following cases
>   the client MUST NOT send a Start TLS extended request:
> 
>     - if TLS is currently established on the connection, or
> 
> You may adopt a similar wording to rpc-over-tls. However, what about UDP and
> retransmits?

UDP will use DTLS.

My hesitance is that STARTTLS is part of the TLS protocol, and we're
not specifying that here, we're only using it. Surely TLS has a proper
mechanism for managing this situation.

I would like to see a recent RFC that covers your case. RFC 6614 appears
to require TLS negotiation to occur immediately after the underlying
transport connection is established, and never later. Is that what you
want?


> Tigran.
>> 
>> 
>>> It would be nice if spec will
>>> explicitly define this situation.
>>> 
>>> Thanks,
>>>  Tigran.
>>> 
>>> ----- Original Message -----
>>>> From: "Dave Noveck" <davenoveck@gmail.com>
>>>> To: "Chuck Lever" <chuck.lever@oracle.com>
>>>> Cc: "NFSv4" <nfsv4@ietf.org>
>>>> Sent: Friday, January 4, 2019 5:25:18 PM
>>>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
>>> 
>>>>> I've been studying RFC 8471 to understand what would be needed to support
>>>>> TLS token binding with RPC. It appears there are two components:
>>>> 
>>>>> - The TLS handshake is extended to indicate support for token binding
>>>>> and negotiate the supported version
>>>> 
>>>>> - The upper layer protocol (RPC, in our case) is required to send a Token
>>>>> Binding message as the first message
>>>> 
>>>>> We would need to provide a mechanism for encapsulating this message in
>>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
>>>>> RPCSEC GSS could provide a mechanism for transporting this message.
>>>> 
>>>> As I understand things, one of the potential goals here is to satisfactorily
>>>> authenticate the client so that AUTH_SYS can reasonably used.  For that use
>>>> case, I'm not sure how depending on RPCSEC GSS would fit in.
>>>> 
>>>>> It appears to me that there is a natural boundary between what we have
>>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
>>>>> Binding, such that Token Binding could be handled by a separate document.
>>>> 
>>>> That makes sense.
>>>> 
>>>>> That would allow the quick completion
>>>> 
>>>> Since this is the IETF, let's just say "quicker completion".
>>>> 
>>>>> of rpc-tls to enable encryption by
>>>>> default using self-signed certificates, with support for Token Binding
>>>>> to appear later.
>>>> 
>>>> It depens on how much later.  I don't see how it would be necessary to get
>>>> through the RFC process, including that rigorous search for split
>>>> infinitives, cycles
>>>> of discussion of RFC2119 terms before starting the follow-up work on token
>>>> binding.   Once rpc-tls is accepted as a working group document, the group
>>>> would
>>>> be in a position to make plans for the follow-on  work that seems to be
>>>> warranted.
>>>> 
>>>>> Thoughts, comments...
>>>> 
>>>> If work on client autehentication is to be punted, then the document will
>>>> need to reflect that.
>>>> In particular, if you, as a server, are prepared to accept an
>>>> unauthenticatted client's user
>>>> identifications, then your security is pretty much non-existent, despite
>>>> the fact that
>>>> enryption prevents eavesdropping.  In that case, it probably best to say
>>>> nothing about use
>>>> of AUTH_SYS.
>>>> 
>>>>> Am I on the wrong track?
>>>> 
>>>> No.
>>>> 
>>>> On Fri, Jan 4, 2019 at 10:53 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>>>> 
>>>>> 
>>>>>> On Nov 19, 2018, at 5:33 PM, McDonald, Alex <alexmc@netapp.com> wrote:
>>>>>> 
>>>>>> Hi Chuck
>>>>>> 
>>>>>> Apologies for top posting, blame MS
>>>>>> 
>>>>>> I was interested in the comment "We believe the combination of host
>>>>> authentication via TLS and user authentication via RPC provides optimal
>>>>> security, efficiency, and flexibility,". There's been a huge amount of
>>>>> negative press for TLS client auth, but there's been a push for TLS token
>>>>> binding as a basis for better client/server authentication. Does the
>>>>> proposal need to consider work in this area?
>>>>> 
>>>>> I've been studying RFC 8471 to understand what would be needed to support
>>>>> TLS token binding with RPC. It appears there are two components:
>>>>> 
>>>>> - The TLS handshake is extended to indicate support for token binding
>>>>>  and negotiate the supported version
>>>>> 
>>>>> - The upper layer protocol (RPC, in our case) is required to send a Token
>>>>>  Binding message as the first message
>>>>> 
>>>>> We would need to provide a mechanism for encapsulating this message in
>>>>> the RPC protocol similar to what RFC 8473 does for HTTPS. Potentially,
>>>>> RPCSEC GSS could provide a mechanism for transporting this message.
>>>>> 
>>>>> It appears to me that there is a natural boundary between what we have
>>>>> already described in draft-cel-nfsv4-rpc-tls and support for TLS Token
>>>>> Binding, such that Token Binding could be handled by a separate document.
>>>>> That would allow the quick completion of rpc-tls to enable encryption by
>>>>> default using self-signed certificates, with support for Token Binding
>>>>> to appear later.
>>>>> 
>>>>> Thoughts, comments... Am I on the wrong track?
>>>>> 
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever
>>>>>> Sent: Monday, November 19, 2018 15:56
>>>>>> To: NFSv4 <nfsv4@ietf.org>
>>>>>> Subject: [nfsv4] Fwd: New Version Notification for
>>>>> draft-cel-nfsv4-rpc-tls-01.txt
>>>>>> 
>>>>>> 
>>>>>> Hi-
>>>>>> 
>>>>>>> Begin forwarded message:
>>>>>>> 
>>>>>>> From: internet-drafts@ietf.org
>>>>>>> Subject: New Version Notification for draft-cel-nfsv4-rpc-tls-01.txt
>>>>>>> Date: November 19, 2018 at 10:52:07 AM EST
>>>>>>> To: "Trond Myklebust" <trond.myklebust@hammerspace.com>, "Charles
>>>>>>> Lever" <chuck.lever@oracle.com>, "Chuck Lever"
>>>>>>> <chuck.lever@oracle.com>
>>>>>>> 
>>>>>>> 
>>>>>>> A new version of I-D, draft-cel-nfsv4-rpc-tls-01.txt has been
>>>>>>> successfully submitted by Charles Lever and posted to the IETF
>>>>>>> repository.
>>>>>>> 
>>>>>>> Name:         draft-cel-nfsv4-rpc-tls
>>>>>>> Revision:     01
>>>>>>> Title:                Remote Procedure Call Encryption By Default
>>>>>>> Document date:        2018-11-19
>>>>>>> Group:                Individual Submission
>>>>>>> Pages:                9
>>>>>>> URL:
>>>>> https://www.ietf.org/internet-drafts/draft-cel-nfsv4-rpc-tls-01.txt
>>>>>>> Status:
>>>>> https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/
>>>>>>> Htmlized:       https://tools.ietf.org/html/draft-cel-nfsv4-rpc-tls-01
>>>>>>> Htmlized:
>>>>> https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-rpc-tls
>>>>>>> Diff:
>>>>> https://www.ietf.org/rfcdiff?url2=draft-cel-nfsv4-rpc-tls-01
>>>>>>> 
>>>>>>> Abstract:
>>>>>>> This document describes a mechanism that enables encryption of in-
>>>>>>> transit Remote Procedure Call (RPC) transactions with little
>>>>>>> administrative overhead and full interoperation with RPC
>>>>>>> implementations that do not support this mechanism.  This document
>>>>>>> updates RFC 5531.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Please note that it may take a couple of minutes from the time of
>>>>>>> submission until the htmlized version and diff are available at
>>>>> tools.ietf.org.
>>>>>>> 
>>>>>>> The IETF Secretariat
>>>>>> 
>>>>>> Minor changes in revision 01:
>>>>>> - Correct a legal issue reported by idnits
>>>>>> - Clarify terminology throughout document
>>>>>> - Add editor's note in Section 4.3 "Authentication"
>>>>>> - Wordsmithing throughout
>>>>>> 
>>>>>> 
>>>>>> The immediate question I have is whether members of WG feel this topic
>>>>> and document are important enough to promote rpc-tls-01 to Working Group
>>>>> document status. If yes, I can submit the next revision as
>>>>> draft-ietf-nfsv4-rpc-tls-00.
>>>>> 
>>>>> --
>>>>> Chuck Lever
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> nfsv4 mailing list
>>>>> nfsv4@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> nfsv4 mailing list
>>>> nfsv4@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/nfsv4
>> 
>> --
>> Chuck Lever

--
Chuck Lever

v2.23.0 | Report a Bug | By Email