IETF Logo Mail Archive

Re: [secdir] [nfsv4] SECDIR Review of draft-ietf-nfsv4-umask-03

David Noveck <davenoveck@gmail.com> Wed, 31 May 2017 13:23 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3695129524; Wed, 31 May 2017 06:23:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vZqkjPX-OkIP; Wed, 31 May 2017 06:23:53 -0700 (PDT)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C82FE129438; Wed, 31 May 2017 06:23:52 -0700 (PDT)
Received: by mail-it0-x22e.google.com with SMTP id g126so11254666ith.0; Wed, 31 May 2017 06:23:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kPIalmkq3FyPiUSPOslsw0mPM+uWZYwyxwHV/g8apeU=; b=nERP2asZlPEZEPMA7O86bTQ+B6dJXsy4NSvFmQNtLUUfvxh+w0/q4ke2nt1NGZS1qi u8AtNoGTuPEitaH9ema9yvuPq+emJUU9BYreoysq2AjJqI+vhdJ8wxbyw+NxMaALvVXg vPvtkLdWoaTjz77+FZjjRTaBsmPOQv6D3IRBiYYPHf6c7+aaq87M//4RGtnTi7lEhvad 8frscadFcQU/o+tp+y26RiVfy+G2EFs3awxBAezgdpFFw/g+uVsgyMyQWwvVq4dW8DEq 51NrQBwz91j0CPv+owVadENJxR+s7jAhq6kPaehQDbVFzDvzQ82VZ8xyn8h0hcQLewFt fzLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kPIalmkq3FyPiUSPOslsw0mPM+uWZYwyxwHV/g8apeU=; b=HdkL8m7a5qfWkSt2j9yEO19mjW1vryN9LzNYyBetfE4gSeU64xOjdIVWyDZeSz0d6O MG4ag58ux5rcgDbNkUIC3YwL3G8YZHEuWqb/6SOZOjnGQCFwUolyq8pgUhxrYQdeU4VE 844hCPoXZADA7lIzgcx2cPAM0qwqYjdXEs7J+mDuOqQVeF64ntu3RPontHF4KxokS01F loWOFc5Z6hZ+ZgVxMh0LneGG5uTWoSaU9vH/8/emSeYfGx/kbxqz5r2RB3DykSlOlH3e 1JEL2aViZZH78Z9vyYu9doGRKVC09FJ98Nu3yF29/ne6UAY8DpCkpIJqOTMC2JoyvgCM yZEg==
X-Gm-Message-State: AODbwcDrVpFsYWEdX1UkCY/iRT0AlrsTcrObaOX+OaM6rX71rWpXIqOx EVebJASgZArcX3vX+Oelcex3FhhKRA==
X-Received: by 10.36.26.199 with SMTP id 190mr7245223iti.57.1496237032084; Wed, 31 May 2017 06:23:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.4.148 with HTTP; Wed, 31 May 2017 06:23:51 -0700 (PDT)
In-Reply-To: <CAKKJt-fsJ1UinNiW2LitxVQT4M1YqnFF+1cygU132=bQNgiUnA@mail.gmail.com>
References: <CAMm+Lwh+E+BsATQmmX6ccJou-sz1XNtFHxQZikohYCeT0qkfdQ@mail.gmail.com> <CAKKJt-fsJ1UinNiW2LitxVQT4M1YqnFF+1cygU132=bQNgiUnA@mail.gmail.com>
From: David Noveck <davenoveck@gmail.com>
Date: Wed, 31 May 2017 09:23:51 -0400
Message-ID: <CADaq8jd+6gN2H0QWC+dM-e3pb1gUJKLE7=8PPpprGGKBQZhueg@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, NFSv4 <nfsv4@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="001a1143d750cc1b850550d1d4e0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/P5TBHygmVix7JjTxQFtkyl3QXEE>
Subject: Re: [secdir] [nfsv4] SECDIR Review of draft-ietf-nfsv4-umask-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 May 2017 13:23:55 -0000

Phillip Hallam-Baker wrote
> They are not so much a security plan as a collection of random thoughts
jotted down
> in haphazard fashion.​

This is fair criticism.  I've looked through the Security Considerations
sections of RFCs 3530, 7530, and 5661 and the differences are minor.   None
of these sections were written to provide a security plan, but tried to
describe, somewhat inelegantly, the evolution of NFS from its origins in a
LAN environment towards NFSv4 which attempted to provide some reasonable
security features.  Any security needs were provided by RPCSECGSS, and not
by the protocol itself.

> There is clearly no coherent model of what NFS security should achieve,
what the
> threats are, what controls are deployed to control them

An alternative would have been to define an entirely new protocol with a
real security plan covering these matters, but that wasn't the goal then.
If it had been, we would probably have a much more secure protocol that
nobody would deploy.  What happened was that NFSv4 was defined requiring
implementation, but not use, of RPCSECGSS.  Even today, many NFSv4
deployments use AUTH_SYS and very few which use RPCSECGSS, use integrity or
privacy, because of performance issues.  Security is provided by use of
physically isolated networks or VPNs.   That was considered adequate when
RFCs 3530, 5661, and 7530 were written and approved.

If it is appropriate to move the goal posts here, based on current needs,
we have to understand exactly what is being asked for, in order to see if
remediation is possible while maintaining continuity with the existing
NFSv4 protocol and implementations.  Some possibilities:

   - A clear security plan which defines the threats that NFSv4 addresses
   and is clear about those it does not address (and so have to addressed by
   other means).
   - A security plan plan defining the threats that NFSv4 should address,
   how some of those are addressed by various NFSv4 minor versions, and others
   will be by extensions to NFSv4.2 or later minor versions.

Spencer Dawkins wrote:
> Speaking as the responsible AD, I'm thinking that the right thing to do,
is for me to ask the NFSv4
> working group to consider the issue you're raising, with the high-order
bit question being whether
> it's time to revisit NFS security.

If so, we need to better understand exactly what we need to do in this area
and are able to do while supporting adequately other uses of NFS, in more
controlled environments, where the concerns are different.

> The working group is actively discussing a recharter, likely to be
discussed in Prague, so it's
> the right time to ask the question.

Yes.  Right now, one of the bulleted items in the extensions section of my
proposed draft reads:

   - Provide effective NFS response to increasing security challenges.

It seems to me that the IESG might reasonably be skeptical of our attempt
to address new/increasing security challenges, given the level of
dissatisfaction with the base we are building on.

My next draft will try to address the clarity needs regarding security in
the Maintenance section.  In any case, the working group will have to
discuss these issues in Prague.  As it is, we have allocated a total of 30
minutes to the entire charter discussion, so there will probably only be
time to begin the discussion and not reach a conclusion.

> Given that RFC 7530 is the umbrella RFC for all of NFSv4.

Actually, there is no umbrella RFC for all of NFSv4, which is a definite
problem given reasonable precipitation expectations :-(

RFC5661 is pretty clear about the the fact that it stands on its own.

The only NFSv4 RFC that will apply to all of NFSv4 is the one that will
arise from the vesioning work.  We could create others.

> I'm thinking that's  the right place to fix anything that needs fixing.

I think that will depend on what we decide is fixable, but any substantive
securIty extensions would require definition in a new document.

With regard to updating the Security Considerations section, we need to
address both NFSv4.0 and NFSv4.1, so I don't see an rfc7530bis in our
future.  If we are able to provide an appropriate updated treatment, it
would have to be marked as updating RFCs 5661 and 7530.



On Fri, May 26, 2017 at 12:00 PM, Spencer Dawkins at IETF <
spencerdawkins.ietf@gmail.com> wrote:

> Hi, Phillip,
>
> (adding the NFSv4 working group mailing list, because the issue you raised
> in this review is relevant to pretty much all of NFSv4)
>
> On Thu, May 18, 2017 at 12:10 PM, Phillip Hallam-Baker <
> phill@hallambaker.com> wrote:
>
>> Reviewer:
>> ​Phillip Hallam-Baker
>>
>> Review result:
>> ​OK but...​
>>
>>
>> I reviewed this document as part of the Security Directorate's
>> ongoing
>> effort to review all IETF documents being processed by the IESG.
>> These
>> comments were written primarily for the benefit of the Security Area
>> Directors.  Document authors, document editors, and WG chairs should
>> treat these comments just like any other IETF Last Call comments.
>>
>> Document: Review of draft-ietf-nfsv4-umask-03
>> Reviewer:
>> ​Phillip Hallam-Baker
>>
>>
>>
>> Review result:
>> ​OK but...​
>>
>>
>> This particular draft looks OK to me. Aligning the semantics of NFS with
>> the semantics of the file system seems to me to be absolutely the way to go
>> forward. I am not sufficiently experienced in the semantics of NFS or Unix
>> as deployed to be able to offer an opinion on whether the draft achieves
>> that. However it appears that the author does.
>>
>> ​What is problematic here is that the Security Considerations in the
>> draft are essentially relying on those in rfc7530 which are woefully
>> inadequate given the critical role of NFS in Internet security. They are
>> not so much a security plan as a collection of random thoughts jotted down
>> in haphazard fashion.​
>>
>> There is clearly no coherent model of what NFS security should achieve,
>> what the threats are, what controls are deployed to control them. Also note
>> that the main reason this review is late is that I have been dealing with
>> issues arising from WannaCry which used an SMB:1 exploit. Re-reading
>> RFC7530 in the light of that experience gives me grave concern.
>>
>
> This is very interesting ...
>
> Speaking as the responsible AD, I'm thinking that the right thing to do,
> is for me to ask the NFSv4 working group to consider the issue you're
> raising, with the high-order bit question being whether it's time to
> revisit NFS security. The working group is actively discussing a recharter,
> likely to be discussed in Prague, so it's the right time to ask the
> question.
>
> Given that RFC 7530 is the umbrella RFC for all of NFSv4, I'm thinking
> that's the right place to fix anything that needs fixing.
>
> And thanks for your review.
>
> Spencer
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>
>

v2.23.0 | Report a Bug | By Email