Re: [secdir] Secdir last call review of draft-ietf-nfsv4-mv1-msns-update-04
David Noveck <davenoveck@gmail.com> Fri, 01 March 2019 01:30 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BEC6131101; Thu, 28 Feb 2019 17:30:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7L9TzZyHsz7n; Thu, 28 Feb 2019 17:30:47 -0800 (PST)
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com [IPv6:2607:f8b0:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 189A3131100; Thu, 28 Feb 2019 17:30:47 -0800 (PST)
Received: by mail-ot1-x32e.google.com with SMTP id q24so19623031otk.0; Thu, 28 Feb 2019 17:30:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B9h4E7SOLQapPZ4Fw/KWTvac6weQEUiix3WOB6hgAlU=; b=oPveZYe1aqkV9DWsg1bK3QJOFqvUJ6bbWaT9KIFY6kDxC7Gas+Ms1PnRqpXx3/c8rM Ckw+uyFACG3GZ7nIdeH/FFO1EydpnpJCcc3ToB7t0xL4nHHQ46ZeSpBqmwTnHgwR6DB2 NO/NCpHGsu7Z+YLVruMVABX9nKXUYFGhRUz7saPHVB0WQmU0fxyIbDXD6MqOed8i7AUR hrzcjpsOVW+JUPupikDvVR/Cqjg+mOgmosNFtz2XhrfDahtfBMjtDBaeqqREVS4MuQjK zB2GOcgUJke9r8zk9tuaU5hTk2B4BWrJvf3Dl5lBFkMpp7y8bKvNgY8KWuj1H9y56C9B vMPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B9h4E7SOLQapPZ4Fw/KWTvac6weQEUiix3WOB6hgAlU=; b=A9RpkE/pjo4g2nXTt+adU+4CuricsswCK9da1bpb8n45sXMQAOV9QQnWdW1ExTznIC jdP/7JqvSVp40NXr2gy0e8w4AvVExfnE+VPvLopA5leTv+bZm2nmcLIe0LGSoDw5b2br Cr9hH8odGJKN+nE5dRwuu68Hv+U89v6XiaxA9JIRRIB5eZbFRzQm7XsgRYDZbIjEJkBa 9Qj2H5GjYWHi/msgDSUfdcUh7I6VGW40BeC+UhlOs0Kmw9eWaarBXIFmg70pl4QKMS3M siLNkk1lAScPg81Of4WPQKZKlBGTl1uJMWyB23v2uP5lD1rDsUUj0JWwUI4uP3k5p/eQ ctjw==
X-Gm-Message-State: APjAAAVAqQRor2/eGozizkDBCykhEheGzsr6Hf4N2XbFWV8q5K/mYxsQ eEmoY/Gr/KsQWZQFJMhXeXbX9SFXI7Fi9nMo60k=
X-Google-Smtp-Source: APXvYqy2WNBjlZ3EB8OyB0ZLozWU19QTNtgK1DapGnu45Wdla6WWkALnj32mBWI5KlRBf59ODx9CErZAYbsITk3Pwh0=
X-Received: by 2002:a05:6830:1193:: with SMTP id u19mr1737581otq.221.1551403846034; Thu, 28 Feb 2019 17:30:46 -0800 (PST)
MIME-Version: 1.0
References: <155128908237.14053.17188619727012241844@ietfa.amsl.com>
In-Reply-To: <155128908237.14053.17188619727012241844@ietfa.amsl.com>
From: David Noveck <davenoveck@gmail.com>
Date: Thu, 28 Feb 2019 20:30:35 -0500
Message-ID: <CADaq8jeQJi+azCcuMCRN8h+quqvx+NM2kiOAMq9E-n+Kp6eWRw@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Cc: secdir@ietf.org, ietf@ietf.org, NFSv4 <nfsv4@ietf.org>, draft-ietf-nfsv4-mv1-msns-update.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000256c000582fe5b8d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_HfVIIshJ59l2BQJtnS72owe6Wk>
Subject: Re: [secdir] Secdir last call review of draft-ietf-nfsv4-mv1-msns-update-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2019 01:30:50 -0000
> These > instructions will really help when work on a fully revised NFS RFC gets > going. That's the intention. The working group is now discussing the possibility of an rfc5661bis that would use those instructions. Note that the current document would be the source of a large set of the changes but there are also others: The internationalization section needs to be updated as it was in RFC7530. Section 12 needs to be updated to reflect the work done by RFC8434. Also, there are a lot of erratta that would need to be applied. > 0) The big issue being addressed in the security considerations is the fact > that RPSEC_GSS is must support not must use That reflects choices made for RFC3530 and carried over until now. This has resulted in a situation in which AUTH_SYS is very commonly used despite its obvious security weaknesses. > So what do you do when RFC 5661 says: > The fetching of attributes containing file system location > information SHOULD be performed using RPCSEC_GSS with integrity > protection, Not much, since there is not much I can do about that. > And, you don’t now change to MUST use RPSEC_GSS? No I don't. Currently use of AUTH_SYS is allowed and the working group has not made any decision to change that. > Well I think at a minimum you should do some 2119 language: OK, but note that this is a widely-deployed protocol and we are not in a position to invalidate deployment choices made in line with RFC5661, even if we think they were ill-advised. > 0) s16 (after the bullets): 2119 this should: If you are suggesting changing "should" to "SHOULD" in this parapgraph, I'm OK with making that change in -05, although I will raise the issue with the working group to check about existing implemtations. > 1) s16 (2nd para after the bullets): 2199 this SHOULD NOT: I intend to shift this to "SHOULD NOT" in -05. > 2) s16 (last bullet): 2119 this should: Given that this bullet appears in a summary, I think the "should" is misleading. Converting it to "SHOULD" would lead to recommemmending filtering without specifying the filtering to be done. What I propose to do in -05 is replace "should be subect to filtering" by "is made subject to filtering as described above". > The use of requests issued without RPCSEC_GSS (i.e. using > the known to be insecure AUTH_SYS), while undesirable and > Insecure, may not be avoidable in all cases. While I approve of drawing more attention to the weaknesses of AUTH_SYS, I feel the use of the word "insecure" is too vague. "Insecure" covers a range of problems whereby traffic is either exposed to prying eyes, subject to corruption in transit, or acted upon without authentiction. Given the context, I think we need to be clear about what the actual problem is even though AUTH_SYS, in what has to be considered a virtuoso performance :-), manages to acomplish the hat trick of protocol insecurity. So I propose writing this as follows: The use of requests issued without RPCSEC_GSS (i.e. using AUTH_SYS which has no provision to avoid corruption of data in flight), while undesirable and a potential security exposure, may not be avoidable in all cases. > It’s probably also worth discussing whether s14.3 should drop > support for includes id-sha1 The text you are referring to was carried over from RFC5661 as-is since there was no issue known with it. Regarding the potential deletion of id-sha1, the issue, given that server support is currently REQUIRED, is whether there are clients using this who might be impacted by a change. I'll check with the working group. > 4) s4.3 (1st sentence): Not sure the 2119-RECOMMENDED is needed. These are really OPTIONAL althouh the word "RECOMMENDED" is (confusingly) used. Will delete. > 5) s4.3 (penultimate para): Seems like r/should/SHOULD. It is probably the case that RFC5661 made a poor choice here. However, I don't think we can change it now. > 10) s16 (3rd bullet): Why is requirement is caps? It's because I was under the misapprehension that statement that things were REQUIRED or RECOMMENDED could be referred to as "REQUIREMENTS" or "RECOMMENDATIONS". It turns out not to be so. Will address nits 0)-4) and 6)-10) in -05. On Wed, Feb 27, 2019 at 12:38 PM Sean Turner <sean@sn3rd.com> wrote: > Reviewer: Sean Turner > Review result: Has Issues > > This draft updates NFSv4.1 to correct handling of the fs_locations and > fs_locations_info attributes; NFSv4.1 weighs in at 617 pages and this > draft weighs in a relatively spry 106; let’s say I was really, really > hoping > for some multi-page ASCII art, but also no pretty much all text. The > draft does a good job of explaining what’s being replaced and why, but > I have to say that I did not check all of section pointers. These > instructions will really help when work on a fully revised NFS RFC gets > going. Unfortunately for me, I do not have NFSv4.1 in my head so let’s > just say that I did my best … > > Summary: This draft is probably worthy of some type of DISCUSS based > on the following: > > 0) The big issue being addressed in the security considerations is the fact > that RPSEC_GSS is must support not must use and the other mechanism > referred to by RFC 5661 are: > > - AUTH_NONE - nada authentication > > - AUTH_SYS as described in Appendix A is known to be insecure due to > the lack of a verifier to permit the credential to be validated. > AUTH_SYS SHOULD NOT be used for services that permit clients to > modify data. AUTH_SYS MUST NOT be specified as RECOMMENDED or > REQUIRED for any Standards Track RPC service. > > - AUTH_DH as mentioned in Sections 8.2 and 13.4.2 is considered > obsolete and insecure; see [RFC2695]. AUTH_DH SHOULD NOT be used for > services that permit clients to modify data. AUTH_DH MUST NOT be > specified as RECOMMENDED or REQUIRED for any Standards Track RPC > service. > > So what do you do when RFC 5661 says: > The fetching of attributes containing file system location > information SHOULD be performed using RPCSEC_GSS with integrity > protection, > And, you don’t now change to MUST use RPSEC_GSS? Well I think at a > minimum you should do some 2119 language: > > 0) s16 (after the bullets): 2119 this should: > > In light of the above, a server should present file system > location entries that correspond to file systems on other servers > using a host name. > > 1) s16 (2nd para after the bullets): 2199 this SHOULD NOT: > > As a > result, the client should not use such unverified location entries > as a basis for migration, even though RPCSEC_GSS might be > available on the destination. > > 2) s16 (last bullet): 2119 this should: > > Where the use of the returned information cannot be > avoided, it should be subject to filtering to eliminate the > possibility that the client would treat an invalid address as > if it were a NFSv4 server. > > And, I guess since AUTH_SYS is insecure can I suggest a friendly > amendment to the following sentence: > > OLD: > The use of requests issued without RPCSEC_GSS (i.e. using > AUTH_SYS), while undesirable, may not be avoidable in all > cases. > > NEW: > > The use of requests issued without RPCSEC_GSS (i.e. using > the known to be insecure AUTH_SYS), while undesirable and > Insecure, may not be avoidable in all cases. > > It’s probably also worth discussing whether s14.3 should drop > support for includes id-sha1. > > > These are the nits: > > 0) Update to use new 2119 paragraph: > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and > "OPTIONAL" in this document are to be interpreted as described in BCP > 14 [RFC2119] [RFC8174] when, and only when, they appear in all > capitals, as shown here. > > 1) s3.1 (wordy): r/since the > ports to be used for various types of connections might be > required to be different/since the > ports to be used for various types of connections might be > different. > > 2) s3.1 (missing period): r/Two such addresses support the use of clientid > ID trunking, as described in [RFC5661]/Two such addresses support the > use of clientid > ID trunking, as described in [RFC5661]. > > 3) s4.2 (missing word): r/which may accessed/which may be accessed > > 4) s4.3 (1st sentence): Not sure the 2119-RECOMMENDED is needed. > > 5) s4.3 (penultimate para): Seems like r/should/SHOULD. > > 6) s4.5: r/present , is/present, is > > 7) s4.5: Note sure you need the parenthetical in the following: > a server may (but is not required to) > > 8) s4.5.4: r/In the event that server failures,/In the event that > server fails, > or > r/In the event that server failures,/In the event of server failures, > > 9) s12.2.3: replace ietf.org with example.org (not supposed to use > real domains even if it is “ours”). > > 10) s16 (3rd bullet): Why is requirement is caps? > >
- [secdir] Secdir last call review of draft-ietf-nf… Sean Turner
- Re: [secdir] Secdir last call review of draft-iet… David Noveck
- Re: [secdir] Secdir last call review of draft-iet… David Noveck
- Re: [secdir] Secdir last call review of draft-iet… Spencer Dawkins at IETF
- Re: [secdir] Secdir last call review of draft-iet… Brian E Carpenter