Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-03
Jeffrey Hutzelman <jhutz@cmu.edu> Fri, 02 October 2009 21:41 UTC
Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A0EF28C13D; Fri, 2 Oct 2009 14:41:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.018
X-Spam-Level:
X-Spam-Status: No, score=-3.018 tagged_above=-999 required=5 tests=[AWL=-0.419, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kZ4fqVxaKB-S; Fri, 2 Oct 2009 14:41:41 -0700 (PDT)
Received: from smtp03.srv.cs.cmu.edu (SMTP03.SRV.CS.CMU.EDU [128.2.217.198]) by core3.amsl.com (Postfix) with ESMTP id E6D9728C133; Fri, 2 Oct 2009 14:41:40 -0700 (PDT)
Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n92LgmXJ016549 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 2 Oct 2009 17:42:49 -0400 (EDT)
Date: Fri, 02 Oct 2009 17:42:48 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Nicolas Williams <Nicolas.Williams@sun.com>
Message-ID: <70430176023E61F897E5DC22@minbar.fac.cs.cmu.edu>
In-Reply-To: <20091002191942.GJ887@Sun.COM>
References: <1372_1254340959_n8UK2bOg025386_20090930193620.GA902@Sun.COM> <65075E890F4E784CD4416173@atlantis.pc.cs.cmu.edu> <20091002191942.GJ887@Sun.COM>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on 128.2.217.198
Cc: Craig Everhart <everhart@netapp.com>, secdir@ietf.org, Daniel Ellard <dellard@bbn.com>, nfsv4@ietf.org, Manoj Naik <manoj@almaden.ibm.com>, Renu Tewari <tewarir@us.ibm.com>, iesg@ietf.org, James Lentini <jlentini@netapp.com>
Subject: Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Oct 2009 21:41:45 -0000
--On Friday, October 02, 2009 02:19:42 PM -0500 Nicolas Williams <Nicolas.Williams@sun.com> wrote: > I agree that orphaning over time is not a security problem. I was > thinking more of the fact that to authorize someone to publish FSNs/FSLs > in some NSDB is to authorize them to create unlimited amounts of > garbage. Garbage collection being effectively impossible, the fact that > authorization to publish is also authorization to consume all resources > seems like a problem to me. One might want to implement resource > controls at NSDBs ("Joe can create FSNs and FSLs in this NSDB, at the > rate of 10 objects per-day" or "Jane can create up to 100 FSNs and FSLs > in this NSDB"). I don't know enough about NFSv4's intended model to know if that's actually a problem. In AFS, the equivalent objects are entries in the volume location database, only administrators get the power to create them, and they are tied fairly tightly to volumes. The resource you worry about people exhausting is the disk space occupied by volumes, not VLDB entries. What's not clear to me is whether the NFSv4 NSDB's are intended to be similar, or whether the intent is that relatively unprivileged users be able to create arbitrary entries. > One might also wish to have an optional way to document in an FSN the > paths to junctions that are expected to reference the FSNs Similarly, > an optional way to document in an FSL the FSNs that are expected to > reference the FSL. Not that such documentation would be sufficient to > make garbage collection possible; it'd only make it feasible to check > _intended_ references. That does sound like a useful feature. In practice, intended references are the ones you care about; if you decide a resource is going away, then anyone else who has unexpected references just loses. That said, one of the common problems AFS administrators run into is trying to enumerate all of the mount points, other than by doing a find-style traversal of the entire filesystem. It would be cool to see some sort of answer to this problem in NFS.
- [secdir] draft-ietf-nfsv4-federated-fs-reqts-03 Nicolas Williams
- Re: [secdir] [nfsv4] draft-ietf-nfsv4-federated-f… Nicolas Williams
- Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-… Jeffrey Hutzelman
- Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-… James Lentini
- Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-… Nicolas Williams
- Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-… Jeffrey Hutzelman
- Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-… Nicolas Williams