IETF Logo Mail Archive

Re: [secdir] [nfsv4] SECDIR Review of draft-ietf-nfsv4-umask-03

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 03 June 2017 00:32 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A192D12EAED; Fri, 2 Jun 2017 17:32:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OnekNmZwv8yg; Fri, 2 Jun 2017 17:32:16 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 535F112EAEA; Fri, 2 Jun 2017 17:32:16 -0700 (PDT)
Received: by mail-oi0-x229.google.com with SMTP id h4so109942506oib.3; Fri, 02 Jun 2017 17:32:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=aYRLQ8VKLuwCdfAuMmGdthTMbhUsfk4xX/oUgiMbs7c=; b=Ch2Pv/zvTuSBbT1pNpiNkzYtk0MTEyd9N2wUm1LihDpdH3NzJ3OLvr7+0PbOHaVcyK 8Zj71/z2wCTcI9sdPorSaM9PZUmN6GK1oHKVVBhu6+nk3kdtkQjaU/y/8y8Xel+MmBxo b/W//hIxWMQR2XB61uPpUdBBSM0eEc44aHbDP5XzgwPvRXSfl4XQ0vU4D45EDgGMU/qY ozeTcXK1h97Ejmd+JbtuyitGbaGQNuz7mmlL2e919qTRClh4unJzfAOkO4MfwgB3hxkQ UmUUMifs7zUNAzrF2K+rRhf2bLepyQ9RBkjgmEeOQplfb8idNwQNhHz1L4qyp9evPopG nyaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=aYRLQ8VKLuwCdfAuMmGdthTMbhUsfk4xX/oUgiMbs7c=; b=mpgQHdavX1t/lD70ZOgZrsAbFi1HOi8RFUT2f8Uxn7dGC9BmK/l7iQdGvZDHTEDe9C qoNufks1Sylgq0KDLoWkaVj671+e0+xpjLiKe68Pt6laADnOK/V3qC2oO9H2yJbwc058 CAbZ01IdUP20xqmQIXpbTv+BVWufQ1t0qMfsLaACytsjeuomuwux0uG5/XehKnxZd0r3 kGLKu+JBqHAqa3ULMr0SmWs1vnNnnRZp/XpGum2YlGPOPGCEYZ2F1wJzLmqOkQHIC4y0 dphTum8Bf/9o7xtj9zTmIycSemjlRYySQa1EKSTtaRerQvr/p5SpqoRGl/VA0DU2bLSv oV6w==
X-Gm-Message-State: AKS2vOzXcmn1msS/zUn3qKRxTB/fNQ0ut1aEYuqc5a3vkXqA6r5zDGmf bUsEtwW6mkqkZH07iUV4kZmR4elZfg==
X-Received: by 10.157.34.117 with SMTP id o108mr5888572ota.214.1496449935753; Fri, 02 Jun 2017 17:32:15 -0700 (PDT)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.23.5 with HTTP; Fri, 2 Jun 2017 17:32:15 -0700 (PDT)
In-Reply-To: <CADaq8jd+6gN2H0QWC+dM-e3pb1gUJKLE7=8PPpprGGKBQZhueg@mail.gmail.com>
References: <CAMm+Lwh+E+BsATQmmX6ccJou-sz1XNtFHxQZikohYCeT0qkfdQ@mail.gmail.com> <CAKKJt-fsJ1UinNiW2LitxVQT4M1YqnFF+1cygU132=bQNgiUnA@mail.gmail.com> <CADaq8jd+6gN2H0QWC+dM-e3pb1gUJKLE7=8PPpprGGKBQZhueg@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 02 Jun 2017 20:32:15 -0400
X-Google-Sender-Auth: RCiJRzANYjuCi2vkL4Ao0umMx0A
Message-ID: <CAMm+Lwgw0fwXa4Gd0nm_d+mwvkfeM8gq9=ROLRqhHyTO-pjeRQ@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Cc: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, NFSv4 <nfsv4@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="001a113bf388d847320551036623"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/42j9ZdG0IWs2gOmyK8N0rvIcn9s>
Subject: Re: [secdir] [nfsv4] SECDIR Review of draft-ietf-nfsv4-umask-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Jun 2017 00:32:18 -0000

On Wed, May 31, 2017 at 9:23 AM, David Noveck <davenoveck@gmail.com> wrote:

> Phillip Hallam-Baker wrote
> > They are not so much a security plan as a collection of random thoughts
> jotted down
> > in haphazard fashion.​
>
> This is fair criticism.  I've looked through the Security Considerations
> sections of RFCs 3530, 7530, and 5661 and the differences are minor.   None
> of these sections were written to provide a security plan, but tried to
> describe, somewhat inelegantly, the evolution of NFS from its origins in a
> LAN environment towards NFSv4 which attempted to provide some reasonable
> security features.  Any security needs were provided by RPCSECGSS, and not
> by the protocol itself.
>
> > There is clearly no coherent model of what NFS security should achieve,
> what the
> > threats are, what controls are deployed to control them
>
> An alternative would have been to define an entirely new protocol with a
> real security plan covering these matters, but that wasn't the goal then.
> If it had been, we would probably have a much more secure protocol that
> nobody would deploy.  What happened was that NFSv4 was defined requiring
> implementation, but not use, of RPCSECGSS.  Even today, many NFSv4
> deployments use AUTH_SYS and very few which use RPCSECGSS, use integrity or
> privacy, because of performance issues.  Security is provided by use of
> physically isolated networks or VPNs.   That was considered adequate when
> RFCs 3530, 5661, and 7530 were written and approved.
>

​When the decisions were made performance was likely an issue. No longer.
turning on encryption has negligible impact in the HTTP world. What would
be an issue is that TLS ain't exactly designed to be NFS friendly.

​
​Protocols do wear out over time. And often it is simpler to start from
scratch than to try and extend something beyond capacity.​ ​I don't see a
need to rewrite NFS though. As a file sharing protocol it is fine. What I
would look into changing is the transport layer.

When I look at a protocol, I ask, how much of this protocol needs to
interact with other 'stuff' because that is the stuff that is really
expensive to change. In NFS, that is the parts that interact with the file
system semantics operating system drivers and all that.


​Instead of layering over UDP/TCP I would look at QUIC. Sure, you are not
using that any time soon in a standard but it is probably in a decent
enough state now to start looking at the possibilities.

Instead of using GSS which is a framework for fifty shades of almost always
password auth, I would move to authenticating and encrypting using public
key based credentials.

​What you would need to make this work is a mechanism to make management of
the public key credentials​ really simple and that just happens to be what
I am working on right now. I am pretty sure that it would suit a file
system because I am using it to support an object storage system which is
not the same thing but it is close enough. The main difference I see
between the two is that a remote file system allows you to modify remote
files while in an object system the only modification supported is to
append additional data to an append only log.
​

v2.23.0 | Report a Bug | By Email