IETF Logo Mail Archive

Re: [secdir] [nfsv4] Last Call: <draft-ietf-nfsv4-rfc3530bis-25.txt> (Network File System (NFS) Version 4 Protocol) to Proposed Standard

Benjamin Kaduk <kaduk@MIT.EDU> Thu, 04 April 2013 17:36 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D064121F93CC; Thu, 4 Apr 2013 10:36:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.854
X-Spam-Level:
X-Spam-Status: No, score=-2.854 tagged_above=-999 required=5 tests=[AWL=0.745, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CTN4PWpYu8e5; Thu, 4 Apr 2013 10:36:16 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (DMZ-MAILSEC-SCANNER-3.MIT.EDU [18.9.25.14]) by ietfa.amsl.com (Postfix) with ESMTP id 99D4C21F93C7; Thu, 4 Apr 2013 10:36:15 -0700 (PDT)
X-AuditID: 1209190e-b7f266d0000008cb-4d-515dba0e507c
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 58.16.02251.E0ABD515; Thu, 4 Apr 2013 13:36:14 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id r34HaC0k009503; Thu, 4 Apr 2013 13:36:13 -0400
Received: from multics.mit.edu (SYSTEM-LOW-SIPB.MIT.EDU [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id r34Ha9GV029365 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 4 Apr 2013 13:36:11 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id r34Ha8KQ027661; Thu, 4 Apr 2013 13:36:08 -0400 (EDT)
Date: Thu, 04 Apr 2013 13:36:08 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Haynes, Tom" <Tom.Haynes@netapp.com>, Nico Williams <nico@cryptonector.com>
In-Reply-To: <830AD203-2C2A-428F-A952-08B8F5A727E9@netapp.com>
Message-ID: <alpine.GSO.1.10.1304041234320.9389@multics.mit.edu>
References: <20130319142244.19905.39903.idtracker@ietfa.amsl.com> <alpine.GSO.1.10.1303312327530.9389@multics.mit.edu> <830AD203-2C2A-428F-A952-08B8F5A727E9@netapp.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpmleLIzCtJLcpLzFFi42IRYrdT1+XbFRto0HZAzeLZxvksFrPfP2K1 OHXtCJvFh4UPWSxOHTnN4sDq8fLUOUaPJUt+MnnM+PSFLYA5issmJTUnsyy1SN8ugSvjxoWX LAXPDCq2d05lbmDsV+ti5OSQEDCRWNi1nR3CFpO4cG89WxcjF4eQwD5Gib/X9jBDOBsYJT49 fQTlHGSS+ND3kRWkRUigXuLrlYVsIDaLgJbE175uRhCbTUBFYuabjWBxEYFIifOt+5lAbGaB PIknd+eDrRAW6GKUaFwzE2w3p4CdRMfR+ywgNq+Ag8TlmdtZIbatYJR4dHE9WEJUQEdi9f4p UEWCEidnPmGBmGop8W/tL9YJjIKzkKRmIUktYGRaxSibklulm5uYmVOcmqxbnJyYl5dapGus l5tZopeaUrqJERTWnJJ8Oxi/HlQ6xCjAwajEw5vRFxsoxJpYVlyZe4hRkoNJSZT36UagEF9S fkplRmJxRnxRaU5q8SFGCQ5mJRHepZuAcrwpiZVVqUX5MClpDhYlcd4rKTf9hQTSE0tSs1NT C1KLYLIyHBxKErzHdgA1ChalpqdWpGXmlCCkmTg4QYbzAA1n3QkyvLggMbc4Mx0if4pRUUqc dzNIswBIIqM0D64XlnZeMYoDvSLM2wtSxQNMWXDdr4AGMwENnno3GmRwSSJCSqqB0a+Iazbr 0tVX9/0+OOmxQgTrlkVhjhb21ka7HqXy/J2xcZYz58yYP1G/JWqe26ueOzCV5XnF5kAB/jev KvTUG3dkqD90EN4eZLb5OEfCPecd2xwLFVyCPY44TI6wPvkpZDqL4rWZJbfVF8tV1qWbr9vl Zpbz2pxDs9zpTPfUCb1C8ZdWPvoXocRSnJFoqMVcVJwIACpS8msWAwAA
Cc: "ietf@ietf.org" <ietf@ietf.org>, nfsv4 list <nfsv4@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] [nfsv4] Last Call: <draft-ietf-nfsv4-rfc3530bis-25.txt> (Network File System (NFS) Version 4 Protocol) to Proposed Standard
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2013 17:36:17 -0000

Hi Tom, Nico,

On Thu, 4 Apr 2013, Haynes, Tom wrote:

>
> On Apr 1, 2013, at 10:01 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>
[snip.  Single-DES is weak and deprecated]
>
>
> Hi Ben,
>
> Thanks for pointing this out - the last work on Kerberos for this bis
> was done before RFC 6649 was published.

It did look like the Kerberos portions of the document had not been 
touched since the previous revision; RFC 6649 was probably later in coming 
than it should have been.

> While I can propose that we modify the text to point to take RFC 6649
> into consideration and to deprecate DES for Kerberos in NFSv4
> implementations, this will in no way invalidate the use of DES in shipping
> implementations based solely on RFC 3530.

Understood.  The DES-migration process has been and continues to be a long 
process; on the Kerberos side we're mostly done, but applications still 
need to adapt.  (I'm working on updates for AFS, which had DES baked into 
it pretty thoroughly.)  Thus, part of the work of the Kerberos folks is to 
actively encourage people to migrate away from DES -- though there's not 
much we can do about old standards still being used, new standards should 
encourage migration.  In this vein, my preference would be for this 
document to actively mention migration away from DES, though I understand 
that this is a stronger sentiment than is strictly speaking necessary.

Part of my concern stems from the fact that there are existing NFSv4 
implementations which remain DES-only, and I would like this document to 
strongly encourage those implementations to add support for strong crypto.

> We did have the following in RFC 3530:
>
>   Users and implementors are warned that 56 bit DES is no longer
>   considered state of the art in terms of resistance to brute force
>   attacks.  Once a revision to [RFC1964] is available that adds support
>   for AES, implementors are urged to incorporate AES into their NFSv4
>   over Kerberos V5 protocol stacks, and users are similarly urged to
>   migrate to the use of AES.
>
> And in RFC 5661, we have this wording:
>
>   At the time NFSv4.1 was specified, the Advanced Encryption Standard
>   (AES) with HMAC-SHA1 was a REQUIRED algorithm set for Kerberos V5.
>   In contrast, when NFSv4.0 was specified, weaker algorithm sets were
>   REQUIRED for Kerberos V5, and were REQUIRED in the NFSv4.0
>   specification, because the Kerberos V5 specification at the time did
>   not specify stronger algorithms.  The NFSv4.1 specification does not
>   specify REQUIRED algorithms for Kerberos V5, and instead, the
>   implementor is expected to track the evolution of the Kerberos V5
>   standard if and when stronger algorithms are specified.
>
> And instead of referencing RFC 1964, it instead references:
>
>   [5]   Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos Version
>         5 Generic Security Service Application Program Interface (GSS-
>         API) Mechanism Version 2", RFC 4121, July 2005.
>
> My proposal is that we adopt the language from RFC 5661:
>
>   At the time of this document, the Advanced Encryption Standard
>   (AES) with HMAC-SHA1 was a REQUIRED algorithm set for Kerberos V5.
>   In contrast, when NFSv4.0 was first specified, weaker algorithm sets were
>   REQUIRED for Kerberos V5, and were REQUIRED in the NFSv4.0
>   specification, because the Kerberos V5 specification at the time did
>   not specify stronger algorithms.  The NFSv4.0 specification no longer
>   specifies REQUIRED algorithms for Kerberos V5, and instead, the
>   implementor is expected to track the evolution of the Kerberos V5
>   standard if and when stronger algorithms are specified.
>
> In essence, the proposal is to replace Section 3.2 in 3530bis with
> that of Section 2.2.1 of 5661. You would not see DES in the new
> content.
>
> Does this alleviate your concern?

The quoted text would be a big improvement, but does not seem like a 
complete solution -- the table would need to be updated to remove the 
algorithm column, probably as per Nico's suggestion.  It also seems like 
section 2.2.1.1.1.2.1.1 of RFC 5661 is still applicable:

    When deploying NFSv4.1, the strength of the security achieved depends
    on the existing Kerberos V5 infrastructure.  The algorithms of
    Kerberos V5 are not directly exposed to or selectable by the client
    or server, so there is some due diligence required by the user of
    NFSv4.1 to ensure that security is acceptable where needed.

This would be a good place to reference RFC 6649 and/or mention that 
modern Kerberos implementations disable weak algorithms by default, as 
part of the "active encouragement" that I would prefer.


On Wed, 3 Apr 2013, Nico Williams wrote:

> Oh, well, this is just outdated text.  And indeed, the GSS-API's
> notion of "qop" (quality of protection) is broken: it's used in the
> wrong place (per-msg token functions).  The GSS qop brokenness is why
> this text persists.
>
[snip]
>
> NEW:
>   1 == number of pseudo flavor
>   2 == name of pseudo flavor
>   3 == mechanism's OID
>   4 == qop
>   5 == RPCSEC_GSS service
>
>   1      2     3                    4             5
>   --------------------------------------------------------------------
>   390003 krb5  1.2.840.113554.1.2.2 0   rpc_gss_svc_none
>   390004 krb5i 1.2.840.113554.1.2.2 0   rpc_gss_svc_integrity
>   390005 krb5p 1.2.840.113554.1.2.2 0   rpc_gss_svc_privacy
>
> Actually, I should also propose some text explaining why qop is a
> busted concept and what qop 0 means ("default").

The table in RFC 5661 also includes columns for whether the flavor is 
mandatory for clients and servers, but it looks like they are now always 
mandatory and those columns are not needed.

In combination with Tom's proposed changes, this table should work well.
Agreed that some text about what qop 0 means is needed.


> KITTEN WG should undertake an extension to replace the broken qop concept.

I worry that such an undertaking would degenerate into a full GSS-API 
rewrite, but regardless that's out of scope for the current discussion.


Thanks for the updates,

Ben

v2.23.0 | Report a Bug | By Email