Re: [nfsv4] binding user credentials to client host in draft-ietf-nfsv4-rpcsec-gssv3-16
"Adamson, Andy" <William.Adamson@netapp.com> Mon, 25 January 2016 15:53 UTC
Return-Path: <William.Adamson@netapp.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26E3B1B2C76 for <nfsv4@ietfa.amsl.com>; Mon, 25 Jan 2016 07:53:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TZTiH96VPJP2 for <nfsv4@ietfa.amsl.com>; Mon, 25 Jan 2016 07:53:52 -0800 (PST)
Received: from mx143.netapp.com (mx143.netapp.com [216.240.21.24]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63CB51B2C72 for <nfsv4@ietf.org>; Mon, 25 Jan 2016 07:53:52 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.22,345,1449561600"; d="scan'208";a="93037412"
Received: from hioexcmbx07-prd.hq.netapp.com ([10.122.105.40]) by mx143-out.netapp.com with ESMTP; 25 Jan 2016 07:48:51 -0800
Received: from HIOEXCMBX03-PRD.hq.netapp.com (10.122.105.36) by hioexcmbx07-prd.hq.netapp.com (10.122.105.40) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Mon, 25 Jan 2016 07:48:51 -0800
Received: from HIOEXCMBX03-PRD.hq.netapp.com ([::1]) by hioexcmbx03-prd.hq.netapp.com ([fe80::644f:85d6:6e9c:9797%21]) with mapi id 15.00.1130.005; Mon, 25 Jan 2016 07:48:51 -0800
From: "Adamson, Andy" <William.Adamson@netapp.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Thread-Topic: [nfsv4] binding user credentials to client host in draft-ietf-nfsv4-rpcsec-gssv3-16
Thread-Index: AQHRVhbxXoabdiQcjkCcpxSgmPNQSZ8M6bGA
Date: Mon, 25 Jan 2016 15:48:50 +0000
Message-ID: <2CD815F8-843F-48BB-8244-ADD24BB35AFD@netapp.com>
References: <20160121191052.316.9921.idtracker@ietfa.amsl.com> <alpine.GSO.1.10.1601231434460.26829@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1601231434460.26829@multics.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.2098)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.122.56.79]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A1F4035BC4203248AA907D1BDBFEAED2@hq.netapp.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/nfsv4/z1ZhqNT6zsO_A8SB2C_T_7AZI5U>
Cc: "nico@cryptonector.com" <nico@cryptonector.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Subject: Re: [nfsv4] binding user credentials to client host in draft-ietf-nfsv4-rpcsec-gssv3-16
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2016 15:53:54 -0000
> On Jan 23, 2016, at 2:47 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote: > > On Thu, 21 Jan 2016, internet-drafts@ietf.org wrote: > >> >> A New Internet-Draft is available from the on-line Internet-Drafts directories. >> This draft is a work item of the Network File System Version 4 Working Group of the IETF. >> >> Title : Remote Procedure Call (RPC) Security Version 3 >> Authors : William A. (Andy) Adamson >> Nico Williams >> Filename : draft-ietf-nfsv4-rpcsec-gssv3-16.txt >> Pages : 23 >> Date : 2016-01-21 >> >> Abstract: >> This document specifies version 3 of the Remote Procedure Call (RPC) >> security protocol (RPCSEC_GSS). This protocol provides support for >> multi-principal authentication of client hosts and user principals to >> a server (constructed by generic composition), security label >> assertions for multi-level and type enforcement, structured privilege >> assertions, and channel bindings. >> >> >> >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-rpcsec-gssv3/ >> >> There's also a htmlized version available at: >> https://tools.ietf.org/html/draft-ietf-nfsv4-rpcsec-gssv3-16 >> >> A diff from the previous version is available at: >> https://www.ietf.org/rfcdiff?url2=draft-ietf-nfsv4-rpcsec-gssv3-16 > > > The change in this version that is attempting to remediate the issue > raised by Nico is: > > OLD: > A MIC of the RPC call header up to and including the credential is > computed using the GSS-API security context associated with the inner > context handle and is placed in rgmp_rpcheader_mic field. > > NEW: > A MIC of the RPC call header up to and including the credential plus the > GSS security mechanism client host principal name is computed using the > GSS-API security context associated with the inner context > handle and is placed in rgmp_rpcheader_mic field. > > Unfortunately, I do not think this is sufficient to produce interoperable > implementations. Is "plus the [principal name]" supposed to mean that I > put it at the beginning, the end or in the middle. Furthermore (and more > problematic), GSS name objects have a lot of moving parts and different > representations. In order to get all the pieces lined up, something like > this would be needed, I think: "a GSS name identifying the client host is > constructed, of type GSS_C_NT_HOSTBASED_SERVICE, converted to a mechanism > name for the GSS mechanism in use with GSS_Canonicalize_name(), then > converted to wire format with GSS_Export_name(). The resulting octet > string is included in the MIC." > > Given the extra complications, I would suggest a more explicit description > of the input to the MIC operation than the running prose currently used. I see your point. Is this acceptable? —>Andy NEW: A MIC is computed using the GSS-API security context associated with the inner context handle over the RPC call header up to and including the credential directly followed by a GSS name identifying the client host labeled the “gss_client_host_name” below in figure X. The MIC is placed in the rgmp_rpcheader_mic field. The gss_client_hosname is a name of type GSS_C_NT_HOSTBASED_SERVICE that is converted to a mechanism name for the GSS mechanism in use with GSS_Canonicalize_name(), and then converted to wire format with GSS_Export_name(). rgmp_rpcheader_mic is computed over the following data: unsigned int xid; msg_type mtype; /* set to CALL */ unsigned int rpcvers; unsigned int prog; unsigned int vers; unsigned int proc; opaque_auth cred; /* captures the RPCSEC_GSS handle */ opaque gss_client_hostname; > > -Ben > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] I-D Action: draft-ietf-nfsv4-rpcsec-gssv3… internet-drafts
- [nfsv4] binding user credentials to client host i… Benjamin Kaduk
- Re: [nfsv4] binding user credentials to client ho… Adamson, Andy
- Re: [nfsv4] binding user credentials to client ho… Benjamin Kaduk
- Re: [nfsv4] binding user credentials to client ho… Benjamin Kaduk
- Re: [nfsv4] binding user credentials to client ho… Adamson, Andy