IETF Logo Mail Archive

Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-03

Nicolas Williams <Nicolas.Williams@sun.com> Fri, 02 October 2009 22:22 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 376C33A682E; Fri, 2 Oct 2009 15:22:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.586
X-Spam-Level:
X-Spam-Status: No, score=-5.586 tagged_above=-999 required=5 tests=[AWL=-0.140, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nMlIAv7wVcYt; Fri, 2 Oct 2009 15:22:04 -0700 (PDT)
Received: from brmea-mail-1.sun.com (brmea-mail-1.Sun.COM [192.18.98.31]) by core3.amsl.com (Postfix) with ESMTP id F373D3A680F; Fri, 2 Oct 2009 15:22:03 -0700 (PDT)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n92MNVTU017814; Fri, 2 Oct 2009 22:23:31 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n92MNVoL053629; Fri, 2 Oct 2009 16:23:31 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n92LnnRs003236; Fri, 2 Oct 2009 16:49:49 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n92LnmYY003235; Fri, 2 Oct 2009 16:49:48 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Fri, 02 Oct 2009 16:49:48 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Message-ID: <20091002214947.GT887@Sun.COM>
References: <1372_1254340959_n8UK2bOg025386_20090930193620.GA902@Sun.COM> <65075E890F4E784CD4416173@atlantis.pc.cs.cmu.edu> <20091002191942.GJ887@Sun.COM> <70430176023E61F897E5DC22@minbar.fac.cs.cmu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <70430176023E61F897E5DC22@minbar.fac.cs.cmu.edu>
User-Agent: Mutt/1.5.7i
Cc: Craig Everhart <everhart@netapp.com>, secdir@ietf.org, Daniel Ellard <dellard@bbn.com>, nfsv4@ietf.org, Manoj Naik <manoj@almaden.ibm.com>, Renu Tewari <tewarir@us.ibm.com>, iesg@ietf.org, James Lentini <jlentini@netapp.com>
Subject: Re: [secdir] draft-ietf-nfsv4-federated-fs-reqts-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Oct 2009 22:22:05 -0000

On Fri, Oct 02, 2009 at 05:42:48PM -0400, Jeffrey Hutzelman wrote:
> --On Friday, October 02, 2009 02:19:42 PM -0500 Nicolas Williams 
> <Nicolas.Williams@sun.com> wrote:
> >I agree that orphaning over time is not a security problem.  I was
> >thinking more of the fact that to authorize someone to publish FSNs/FSLs
> >in some NSDB is to authorize them to create unlimited amounts of
> >garbage.  Garbage collection being effectively impossible, the fact that
> >authorization to publish is also authorization to consume all resources
> >seems like a problem to me.  One might want to implement resource
> >controls at NSDBs ("Joe can create FSNs and FSLs in this NSDB, at the
> >rate of 10 objects per-day" or "Jane can create up to 100 FSNs and FSLs
> >in this NSDB").
> 
> I don't know enough about NFSv4's intended model to know if that's actually 
> a problem.  In AFS, the equivalent objects are entries in the volume 
> location database, only administrators get the power to create them, and 
> they are tied fairly tightly to volumes.  The resource you worry about 
> people exhausting is the disk space occupied by volumes, not VLDB entries. 
> What's not clear to me is whether the NFSv4 NSDB's are intended to be 
> similar, or whether the intent is that relatively unprivileged users be 
> able to create arbitrary entries.

The admins for some file server need not be the same as the admins for
some NSDB.  One possible practice is to have an NSDB per-file server in
which to store FSLs, but FSNs really belong in a replicated DB.

I expect that in practice there will be an NSDB per-site/domain and that
NSDB will grant object create writes, in the o=fedfs container, to all
file server admins in that site/domain.

This is a rather minor concern.  I think it merits a mention though.

> >One might also wish to have an optional way to document in an FSN the
> >paths to junctions that are expected to reference the FSNs  Similarly,
> >an optional way to document in an FSL the FSNs that are expected to
> >reference the FSL.  Not that such documentation would be sufficient to
> >make garbage collection possible; it'd only make it feasible to check
> >_intended_ references.
> 
> That does sound like a useful feature.  In practice, intended references 
> are the ones you care about; if you decide a resource is going away, then 
> anyone else who has unexpected references just loses.
> 
> That said, one of the common problems AFS administrators run into is trying 
> to enumerate all of the mount points, other than by doing a find-style 
> traversal of the entire filesystem.  It would be cool to see some sort of 
> answer to this problem in NFS.

I agree.  What do the authors think?

Nico
--

v2.23.0 | Report a Bug | By Email