[secdir] secdir review of draft-ietf-nfsv4-federated-fs-protocol-13

Charlie Kaufman <charliek@microsoft.com> Wed, 17 October 2012 17:00 UTC

From: Charlie Kaufman <charliek@microsoft.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-nfsv4-federated-fs-protocol.all@tools.ietf.org" <draft-ietf-nfsv4-federated-fs-protocol.all@tools.ietf.org>
Date: Wed, 17 Oct 2012 16:59:20 +0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This standards track document essentially defines an LDAP schema and associated semantics for storing federated NFS server metadata. Standardizing this schema and associated semantics will facilitate construction of federations of NFS file servers where the servers come from different vendors. This LDAP database (at least by my reading) appears to be designed to be accessed by the various NFS servers and not by NFS clients. NFS clients will continue to get redirections directly from the NFS servers. By centralizing and standardizing the metadata, it should be possible when adding or removing servers for file system branches or replicas to make the update in one place instead of in vendor-specific ways on each existing federated server.

The Security Considerations section correctly points out the potential damage from someone making unauthorized updates to the LDAP database or successfully impersonating the LDAP database to the various NFS servers. The information is not secret, however, and the document calls for the information to be readable without authentication of the client. The document recommends that this information be served from a dedicated LDAP database, and recommends accessing it over TLS. Some would argue that the spec should require that the access MUST be over some cryptographically strong protocol (i.e., if not TLS, then IPsec, SSH, or some such).

Within my limited understanding of NFS (and related file service protocols), this all seems entirely reasonable.