Re: [secdir] SecDir Review of draft-ietf-nfsv4-labreqs

"Haynes, Tom" <Tom.Haynes@netapp.com> Sun, 03 November 2013 19:15 UTC

Return-Path: <Tom.Haynes@netapp.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34F2321E8104; Sun, 3 Nov 2013 11:15:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.203
X-Spam-Level:
X-Spam-Status: No, score=-5.203 tagged_above=-999 required=5 tests=[AWL=-2.831, BAYES_00=-2.599, SARE_SUB_OBFU_Q1=0.227]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YCJheh-IRgKs; Sun, 3 Nov 2013 11:15:22 -0800 (PST)
Received: from mx11.netapp.com (mx11.netapp.com [216.240.18.76]) by ietfa.amsl.com (Postfix) with ESMTP id D7F5D21E80FF; Sun, 3 Nov 2013 11:15:19 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.93,627,1378882800"; d="scan'208";a="68875450"
Received: from vmwexceht02-prd.hq.netapp.com ([10.106.76.240]) by mx11-out.netapp.com with ESMTP; 03 Nov 2013 11:15:17 -0800
Received: from SACEXCMBX05-PRD.hq.netapp.com ([169.254.8.3]) by vmwexceht02-prd.hq.netapp.com ([10.106.76.240]) with mapi id 14.03.0123.003; Sun, 3 Nov 2013 11:15:17 -0800
From: "Haynes, Tom" <Tom.Haynes@netapp.com>
To: Yoav Nir <ynir@checkpoint.com>
Thread-Topic: SecDir Review of draft-ietf-nfsv4-labreqs
Thread-Index: AQHO18c3l5Ocx4tIM0WjeGDw7jvwUJoS5PWAgADOSQCAAC9C8A==
Date: Sun, 3 Nov 2013 19:15:16 +0000
Message-ID: <3E4AD982-592B-4F8E-A41D-639FAFB18226@netapp.com>
References: <FF6A9891-728D-4688-BE3D-663A2C1DF362@checkpoint.com> <ADA3E59C-A56A-486A-A527-67AA1E547912@netapp.com>, <0665E0C6-DFB6-4CA5-B261-CB3AD27DEB50@checkpoint.com>
In-Reply-To: <0665E0C6-DFB6-4CA5-B261-CB3AD27DEB50@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-nfsv4-labreqs.all@tools.ietf.org" <draft-ietf-nfsv4-labreqs.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "<secdir@ietf.org>" <secdir@ietf.org>
Subject: Re: [secdir] SecDir Review of draft-ietf-nfsv4-labreqs
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2013 19:15:29 -0000

> On Nov 3, 2013, at 10:26 AM, "Yoav Nir" <ynir@checkpoint.com>; wrote:
> 
> 
>> On Nov 2, 2013, at 2:07 PM, "Haynes, Tom" <Tom.Haynes@netapp.com>; wrote:
>> 
>> inline...
>> 
>>> On Nov 2, 2013, at 5:29 AM, Yoav Nir <ynir@checkpoint.com>; wrote:
>>> 
>>> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments ust like any other last call comments.
>>> 
>>> Short version: I think the draft is ready.
>>> 
>>> This draft is intended to be Informational. It does not specify any standard. Instead, it describes the operating environment and assumptions behind labeled NFS. 
>>> 
>>> Labeled NFS associates labels with resources (usually files) and processes, where the resources reside on a file server, while the resources run on a client. Such labels (Multi-Level Security is but one example) are then used as a basis for policy decisions. The draft is intended for people not familiar with NFS, and does a good job of explaining the different scenarios. For example, with a limited server, it is up to the client to decide about authorization for accessing resources, and the server functions solely as a store. This model is surprising to people familiar with, for example, web servers, where the resources are considered to belong to the server, and it is up to the server to make authorization decisions. Other NFS servers, called "MAC-functional" have authorization decisions on both client and server.
>>> 
>>> I found the draft to be well-written and informative.
>>> 
>>> I have a few comments, but I consider none of them show-stoppers:
>>> 
>>> - The introduction has this text: "DAC systems offer no real protection against malicious or flawed software due to each program running with the full permissions of the user executing it.". Put like that, this sentence is inflammatory. Discretionary Access Control protects you against unauthorized users running malicious software. It just doesn't protect against "good" users being tricked into running bad software.
>>> 
>> 
>> Can rework....
>> 
>>> - Section 3.3 uses the term "opaque". This is a surprising term, considering this sentence about the opaque component: "The LFS component provides a mechanism for identifying the structure and semantics of the opaque component." So it's not really opaque, is it?  The term "opaque" is commonly used when the data is unparseable by the participants in the protocol. Here, the client and a MAC-functional server can parse this data just fine.
>>> 
>> 
>> I can't argue with your statement - I've tried and every time I get 20 words in, I disagree with
>> what I am writing.
>> 
>> The intent is that the payload of the component is not describable via the protocol. seLinux
>> might pick a different labeling scheme than say Trusted Solaris.
>> 
>> I am willing to rewrite to get that intent through.
> 
> So how about…
> 
> OLD:
>                                 To accomplish this the labels
>   MUST consist of an opaque component bound with a Label Format
>   Specifier (LFS).
> NEW:
>                                 To accomplish this the labels
>   MUST consist of a format-specific component bound with a Label
>   Format Specifier (LFS).

Agreed.



> 
>>> - I think the security considerations is missing some text on what additional security is needed in the case of a limited server that only stores the information. Something should protect the data so that client A's data is not served to client B, even if client B is malicious. 
>> 
>> 
>> A limited server cannot parse the labels. In essence, the server is acting like a disk array
>> to the client. It simply passes the labels back to allow the client to act. As a use case, it
>> is actually very attractive in achieving parity with SAN based implementations. I do believe
>> there are now Linux NFSv4.2 prototypes available for just this purpose.
>> 
>> Nothing prevents a server vendor from implementing some user ID and IP based schema to 
>> provide a coarse control.
> 
> Great. That's the text I was missing.
> 
>> 
>> 
>> 
>>> 
>>> Yoav
>>> 
>> 
>> Thanks for the comments.
>> Email secured by Check Point
>