[secdir] Secdir review of draft-ietf-nfsv4-rfc5666bis-10
Vincent Roca <vincent.roca@inria.fr> Fri, 24 February 2017 12:59 UTC
Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D644A129694; Fri, 24 Feb 2017 04:59:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PhWNsZQvN8KQ; Fri, 24 Feb 2017 04:59:49 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12A341296CD; Fri, 24 Feb 2017 04:59:48 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.35,201,1484002800"; d="scan'208,217";a="261943924"
Received: from dom38-1-82-236-155-50.fbx.proxad.net (HELO [192.168.1.149]) ([82.236.155.50]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Feb 2017 13:59:46 +0100
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A2109949-94DD-4124-A7BB-223F130803B2"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Message-Id: <B2BB177E-540B-4888-BD58-AB2BAF7AD6E6@inria.fr>
Date: Fri, 24 Feb 2017 13:59:44 +0100
To: IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-nfsv4-rfc5666bis.all@ietf.org
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/h2b6IVIO0WVjawKfF9dVHVf10yg>
Subject: [secdir] Secdir review of draft-ietf-nfsv4-rfc5666bis-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 12:59:52 -0000
Hello,
I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.
Summary: ready with issues
Main comments:
A long and detailed Security considerations section is provided, which is clearly a good thing. However I have
a few comments WRT this section:
** Privacy or confidentiality? Throughout section 8, authors mention "Privacy" inappropriately IMHO.
Privacy refers to PII (Personally identifiable information) which is different. For instance in section 8.2, when saying:
"However, integrity and privacy services require significant movement of data on each endpoint host."
the authors really mean confidentiality (this is mentioned just above, when saying that RPCSEC_GSS implements
"per-message confidentiality"). There are several mistakes of that kind throughout section 8.
** On the opposite, meta-data can raise privacy issues, regardless of whether the content is encrypted or not.
Can an eavesdropper who observes the traffic from an intermediate node (for instance) derive these meta-data
and identify the hosts that communicate together, at what frequency, when?
It probably depends on the protection provided (IPsec versus other RPCSEC integrated approach if I understand
correctly). However if this is the case then there can be privacy impacts... Is it the case, this is not detailed?
** Section 8.1: it is said:
"The use of RPC-over-RDMA MUST NOT introduce any vulnerabilities to system memory contents, nor to
memory owned by user processes."
This is of course highly desirable, but how can the destination be sure that data copied in its own memory does not
contain a malware? I have the feeling (but may be wrong) that there's a confusion between the RPC-over-RDMA
**protocol** that MUST be secure, and the **content** transferred between two hosts where it's more a matter of
trust between them.
** Section 8.2.2.1: What happens when there's no TCP based NFS server on port 2049? The authors could be
more explicit and provide guidance.
** Section 8.2.2.4: There's something that is not clear to me.
It is said that "IDs, connection credit limits, and chunk lists" are exposed and if an attacker alters them, several
consequences are possible.
I understand that this information **is not** included in the RPCSEC_GSS integrity verifications.
Is it really the case? I'm asking this because the paragraph concludes with:
"The use of RPCSEC_GSS integrity or privacy services enable the requester to detect if such tampering
has been done and reject the RPC message."
which suggests that this information **is** protected.
** Last sentence:
"To address attacks on RDMA protocols themselves, RDMA transport implementations should conform
to [RFC5042]."
"should" or "SHOULD"?
Minor comments:
- A side comment: can we really say that IPsec can be co-located in RDMA hardware "without any [...] loss of
data movement efficiency"? I'd rather say that the IPsec performance impacts can be **greatly reduced**.
- Typo in Introduction: "future NFSv4 minor verions" => versions
Cheers,
Vincent
- [secdir] Secdir review of draft-ietf-nfsv4-rfc566… Vincent Roca
- Re: [secdir] Secdir review of draft-ietf-nfsv4-rf… Chuck Lever
- Re: [secdir] Secdir review of draft-ietf-nfsv4-rf… Tom Talpey
- Re: [secdir] Secdir review of draft-ietf-nfsv4-rf… Chuck Lever