Re: [secdir] Secdir review of draft-ietf-nfsv4-rfc5666bis-10
Chuck Lever <chuck.lever@oracle.com> Fri, 24 February 2017 18:57 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A49ED1294CC; Fri, 24 Feb 2017 10:57:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.088
X-Spam-Level:
X-Spam-Status: No, score=-6.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.887, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xSDYUh3HqvMS; Fri, 24 Feb 2017 10:57:58 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D565129486; Fri, 24 Feb 2017 10:57:58 -0800 (PST)
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v1OIvvhi032315 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 24 Feb 2017 18:57:57 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v1OIvuf0007225 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 24 Feb 2017 18:57:56 GMT
Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v1OIvtAJ028248; Fri, 24 Feb 2017 18:57:55 GMT
Received: from dhcp-whq-5op-3rd-and-4th-floor-gen-off-10-211-47-189.usdhcp.oraclecorp.com (/10.211.47.189) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 24 Feb 2017 10:57:55 -0800
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <B2BB177E-540B-4888-BD58-AB2BAF7AD6E6@inria.fr>
Date: Fri, 24 Feb 2017 10:57:53 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <EB6E22D3-B8CF-4440-9B73-244EFCE98E13@oracle.com>
References: <B2BB177E-540B-4888-BD58-AB2BAF7AD6E6@inria.fr>
To: Vincent Roca <vincent.roca@inria.fr>
X-Mailer: Apple Mail (2.3124)
X-Source-IP: aserv0022.oracle.com [141.146.126.234]
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/9FmwYhKTN1OcJgtNlWHzA8DWLts>
Cc: IESG <iesg@ietf.org>, draft-ietf-nfsv4-rfc5666bis.all@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-nfsv4-rfc5666bis-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 18:58:00 -0000
> On Feb 24, 2017, at 4:59 AM, Vincent Roca <vincent.roca@inria.fr> wrote: > > Hello, > > I have reviewed this document as part of the security directorate’s ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments just > like any other last call comments. > > > Summary: ready with issues > > Main comments: > > A long and detailed Security considerations section is provided, which is clearly a good thing. However I have > a few comments WRT this section: Hi Vincent- Thanks for your review. I believe your questions are mostly rhetorical, so I will respond to those by saying the authors, shepherd, and AD will attempt to address these issues with the next document revision. There is one remaining comment that IMO needs group discussion, below. > ** Privacy or confidentiality? Throughout section 8, authors mention "Privacy" inappropriately IMHO. > Privacy refers to PII (Personally identifiable information) which is different. For instance in section 8.2, when saying: > "However, integrity and privacy services require significant movement of data on each endpoint host." > the authors really mean confidentiality (this is mentioned just above, when saying that RPCSEC_GSS implements > "per-message confidentiality"). There are several mistakes of that kind throughout section 8. > > > ** On the opposite, meta-data can raise privacy issues, regardless of whether the content is encrypted or not. > Can an eavesdropper who observes the traffic from an intermediate node (for instance) derive these meta-data > and identify the hosts that communicate together, at what frequency, when? > It probably depends on the protection provided (IPsec versus other RPCSEC integrated approach if I understand > correctly). However if this is the case then there can be privacy impacts... Is it the case, this is not detailed? > > > ** Section 8.1: it is said: > "The use of RPC-over-RDMA MUST NOT introduce any vulnerabilities to system memory contents, nor to > memory owned by user processes." > This is of course highly desirable, but how can the destination be sure that data copied in its own memory does not > contain a malware? I have the feeling (but may be wrong) that there's a confusion between the RPC-over-RDMA > **protocol** that MUST be secure, and the **content** transferred between two hosts where it's more a matter of > trust between them. > > > ** Section 8.2.2.1: What happens when there's no TCP based NFS server on port 2049? The authors could be > more explicit and provide guidance. > > > ** Section 8.2.2.4: There's something that is not clear to me. > It is said that "IDs, connection credit limits, and chunk lists" are exposed and if an attacker alters them, several > consequences are possible. > I understand that this information **is not** included in the RPCSEC_GSS integrity verifications. > Is it really the case? I'm asking this because the paragraph concludes with: > "The use of RPCSEC_GSS integrity or privacy services enable the requester to detect if such tampering > has been done and reject the RPC message." > which suggests that this information **is** protected. > > > ** Last sentence: > "To address attacks on RDMA protocols themselves, RDMA transport implementations should conform > to [RFC5042]." > "should" or "SHOULD"? Lower case "should" is used here because this statement is IMO not an interoperability directive. I hope I correctly understand the intent of your question. If there is a security requirement that this be changed to the RFC 2119 term, please let us know and that can be done. Any other thoughts about this? > Minor comments: > > - A side comment: can we really say that IPsec can be co-located in RDMA hardware "without any [...] loss of > data movement efficiency"? I'd rather say that the IPsec performance impacts can be **greatly reduced**. > > - Typo in Introduction: "future NFSv4 minor verions" => versions > > > Cheers, > > Vincent > -- Chuck Lever
- [secdir] Secdir review of draft-ietf-nfsv4-rfc566… Vincent Roca
- Re: [secdir] Secdir review of draft-ietf-nfsv4-rf… Chuck Lever
- Re: [secdir] Secdir review of draft-ietf-nfsv4-rf… Tom Talpey
- Re: [secdir] Secdir review of draft-ietf-nfsv4-rf… Chuck Lever