Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-03

James Lentini <jlentini@netapp.com> Wed, 30 September 2009 22:16 UTC

Return-Path: <jlentini@netapp.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5418B3A6975; Wed, 30 Sep 2009 15:16:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.483
X-Spam-Level:
X-Spam-Status: No, score=-6.483 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I1SKgu0pluIw; Wed, 30 Sep 2009 15:16:15 -0700 (PDT)
Received: from mx2.netapp.com (mx2.netapp.com [216.240.18.37]) by core3.amsl.com (Postfix) with ESMTP id 180163A6817; Wed, 30 Sep 2009 15:16:14 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.44,482,1249282800"; d="scan'208";a="251509073"
Received: from smtp1.corp.netapp.com ([10.57.156.124]) by mx2-out.netapp.com with ESMTP; 30 Sep 2009 15:17:37 -0700
Received: from jlentini-linux.nane.netapp.com (jlentini-linux.hq.netapp.com [10.97.16.21]) by smtp1.corp.netapp.com (8.13.1/8.13.1/NTAP-1.6) with ESMTP id n8UMHYOj029898; Wed, 30 Sep 2009 15:17:34 -0700 (PDT)
Date: Wed, 30 Sep 2009 18:17:31 -0400
From: James Lentini <jlentini@netapp.com>
X-X-Sender: jlentini@jlentini-linux.nane.netapp.com
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20090930193620.GA902@Sun.COM>
Message-ID: <alpine.LFD.2.00.0909301707010.3163@jlentini-linux.nane.netapp.com>
References: <20090930193620.GA902@Sun.COM>
User-Agent: Alpine 2.00 (LFD 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Mailman-Approved-At: Thu, 01 Oct 2009 05:49:20 -0700
Cc: Craig Everhart <everhart@netapp.com>, secdir@ietf.org, Daniel Ellard <dellard@bbn.com>, nfsv4@ietf.org, Manoj Naik <manoj@almaden.ibm.com>, Renu Tewari <tewarir@us.ibm.com>, iesg@ietf.org
Subject: Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2009 22:16:16 -0000

Nico,

Thank you for your feedback. We will update the document to include 
the improvements you have suggested both to the security 
considerations (noting the authorization separation inherent in the 
design, the resource consumption considerations for NSDB objects, and 
the implications regarding NSDB authentication) and general 
description (regarding the absence of junctions in the NSDB and the 
benefits of using fixed size FSNs).

On Wed, 30 Sep 2009, Nicolas Williams wrote:

> I have reviewed this document as part of the security directorate's                                                                 
> ongoing effort to review all IETF documents being processed by the                                                                  
> IESG.  These comments were written primarily for the benefit of the                                                                 
> security area directors.  Document editors and WG chairs should treat                                                               
> these comments just like any other last call comments.                                                                              
> 
> This document describes the notion of "federated filesystem namespace"
> and requirements for specifications of an actual set of federated
> filesystem namespace components and even some requirements of actual
> implementations.
> 
> A federated namespace is one where multiple filesystems (or, rather,
> "filesets") are put together into a larger filesystem-like namespace,
> but where the various filesystems involved can be owned and administered
> by widely varying entities.
> 
> Authorization issues arise when filesystems migrate, and these are
> neatly resolved in the federated namespace concept by separating the
> location of references to filesystems from the location of fileset
> location information.  References to filesets ("junctions") live in
> actual filesystem (think of a magic symlink or "shortcut").  Fileset
> location information lives in a directory whose name is part of the
> fileset's name as referenced by any junction that refers to it.
> 
> Authorization of junction administration is a matter local to the
> filesystems where the junctions live.  Authorization of fileset location
> administration is a matter local to the directory where the fileset
> location information is published.
> 
> There is one more level of separation as well, to allow for filesets
> with replicas owned and administered by different entities.  "Fileset
> names" (FSNs) refer to directory objects which in turn refer to "fileset
> location" objects (FSLs); both, FSNs and FSLs include the name of the
> containing directory in their canonical name forms.
> 
> The document does not describe the authorization separation involved.
> And though it isn't strictly necessary, I believe that it would be
> beneficial to have such a description.
> 
> The document also does not clearly explain that junctions are not
> published in any directory, which confused me greatly at first, as in my
> opinion publishing FSN and FSL objects does not make the directories in
> which they are published "namespace databases" (NSDBs).  This is not a
> security concern, of course.
> 
> The document also does not explain that FSNs are intended to be small,
> even fixed sized, or with highly compressible variable size portions[*].
> But a moment's thought about filesystem designs quickly reveals that
> such a requirement is important.  In my opinion such a requirement
> should be documented.  This too is not a security concern.
> 
> The Security Considerations section is a bit skimpy.  Its claims are
> correct in my opinion.  I would, however, add to it the following:
> 
>  - A note that the federated namespace concept helps distribute
>    responsibility for authorization (a very good thing).
> 
>  - A note that orphaned FSNs and FSLs cannot be easily distinguished
>    from ones referenced by junctions and FSNs, respectively.  Therefore
>    objects will tend to pile up.  This is a resource consumption
>    consideration.  Resource control issues are, IMO, a security
>    consideration.
> 
> Finally, I'm not sure if it's worth saying anything about the fact that
> with the NSDB choice being up to the FSN and FSL publishers, there can
> be a plethora of NSDBs in a federation, which brings scalability of
> distributed authentication and trust into the picture.  For example,
> consider an NSDB that uses TLS and a self-signed server certificate to
> authenticate itself, then a fingerprint of the certificate will have to
> be part and parcel of the FSN/FSL names stored by junctions/FSNs
> (respectively).  A PKI would help, of course, but in a sufficiently
> large federation it may be necessary to have multiple trust anchors,
> rather than a single PKI root, which brings TA administration issues
> into the picture.  This is really nothing new, and so perhaps not worth
> noting, but the potential for having to store, and the consequences
> thereof, FSN NSDB authentication information in junctions, and FSL NSDB
> authentication information in FSNs, does seem to me to be worth noting.
> 
> [*] For example, assuming many FSNs but relatively few NSDBs, filesystem
>     implementors could choose store FSNs as {reference to NSDB name, FSN
>     object name relative to NSDB}.  If the second item of the tuple is
>     itself fixed-sized then the whole tuple can be fixed sized.  A table
>     of {NSDB name, reference} would be needed too, but it may be
>     critical to keep "inodes" fixed-sized, with little wastage, in which
>     case "interning" NSDB names as described above is a sufficient
>     compression technique.
> 
>     In fact, draft-ietf-nfsv4-federated-fs-protocol-03 does use UUIDs
>     for naming FSNs and FSLs, so that the above technique is certainly a
>     feasible way to keep inodes fixed-sized in spite of the fact that
>     FSNs are actually variable sized (the NSDB name where the FSN
>     resides is part of the FSN's name).
> 
> Nico
> -- 
>