Re: [nfsv4] NFS over TLS for laptops

Rick Macklem <rmacklem@uoguelph.ca> Sun, 13 December 2020 17:30 UTC

From: Rick Macklem <rmacklem@uoguelph.ca>
To: David Noveck <davenoveck@gmail.com>
CC: NFSv4 <nfsv4@ietf.org>
Thread-Topic: [nfsv4] NFS over TLS for laptops
Date: Sun, 13 Dec 2020 17:30:27 +0000
Message-ID: <YQXPR0101MB0968B42D41CCD0EC056CE718DDC80@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <YQXPR0101MB0968F7BF5A6D7E97F39CC739DDC90@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>, <CADaq8jdbn8U27c5VThX4YSE170dY-CEV5HCwjqKUMFboEfkLvA@mail.gmail.com>
In-Reply-To: <CADaq8jdbn8U27c5VThX4YSE170dY-CEV5HCwjqKUMFboEfkLvA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/c7o7ujAjksUGszm1WrQdhx47OK8>

David Noveck wrote:
> On Sat, Dec 12, 2020, 7:02 PM Rick Macklem wrote:
>> Hi,
>>
>> David Noveck emailed me w.r.t. talking about this at a future meeting.
>> This sounds rather scary to me,
>>
> Not sure why you think we are so scary.
Heh, heh. It's not you guys that are scary, it's the technology that's scary.
In January, I'll probably be living in a room with flakey wifi.
I don't currently have a microphone (just earphones). Buying such a thing
may be somewhat challenging, given my location and the pandemic.
The last order I did with Amazon took a month and the nearest Walmart
is 200km away, but I can get that done, if I need to.
I've also never used any of these systems like Zoom.
(I really do still use "ed" as my main text editor and I hate using my phone.;-)
I'm worse at tech stuff than any teenager...

So, I'll wait a week and see what others might say about this.

I'll also note I didn't exactly intend this as a proposal, but I suppose there
is a thin line between what I am testing and proposing it for others.

rick

>> sooooo I figured I'd post here and then, if
>> others want me to, I can try to attend a "virtual meeting".
>
> I'd like to have your proposal discussed, but, if you don't want to actually present, it is ok.
> I just need you to decide in the next week so I can put together an agenda.
>
>> First off, the disclaimer that I am neither a security guy nor TLS guy.
>
> That's not a problem. A security guy would just tell us we suck. A TLS guy is going to be attending tls meetings, but will be needed to review your proposal if the working group decides to pursue it.
>
>> The case I was trying to address was mobile device (aka laptop)
>> mounts to an NFS server using TLS. These devices are assumed to
>> have two properties:
>> - Used by a single user.
>> - Connecting to the Internet from anywhere (i.e. no fixed IP nor
>>   DNS name).
>
> Secure use on the internet was an official goal of RFC 3530 published 4/2003. Sigh!
>
>> Typical filtering at the NFS server via client IP address obviously cannot work, so
>> what can be done?
>
> The old answer was RPCSECGSS but we seem to be stuck with AUTH_SYS which is one reason security people tell us we suck.
>
> The working group has to decide how to retain AUTH_SYS, with acceptable security. As I see it your proposal has a possible role in that.
>
>> Now, for the part that might be considered a violation of the "soon
>> to be an RFC" draft.
>
> Unless you are quoting someone else, you are misquoting me. I never said "soon". Rpc-tls is in rfc-editor state and so is an rfc-to-be.
>
> Whether your proposal is in conflict with rpc-tls should be first addressed with its editor.

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www.ietf.org/mailman/listinfo/nfsv4