Re: [secdir] [nfsv4] Secdir last call review of draft-ietf-nfsv4-rpcrdma-cm-pvt-data-06
Chuck Lever <chuck.lever@oracle.com> Wed, 29 January 2020 18:11 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B46412004C; Wed, 29 Jan 2020 10:11:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8sr5wYB7JQHi; Wed, 29 Jan 2020 10:11:23 -0800 (PST)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E0F120019; Wed, 29 Jan 2020 10:11:23 -0800 (PST)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id 00TI4IDp116160; Wed, 29 Jan 2020 18:11:21 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2019-08-05; bh=q10DjYfEbWXClvG/yTsxHf0dXG4ryu/hDCRwh2KJcwk=; b=T1WFaTqPalBuoGmS9R9EF+rXAKcpy96HNrAN/nLqJXij9X7BqZ39OEiM2IEpcpKIGS9N cKW+5NzWabTeIuqn4kuLj6XjC9B7oqzNVlM+s9Swsq4AtqWGnMC6xppC3gmWSFv8+Fvp KzuIEsZ8+Sh1wkmzbFBhBwwo6L64eHdDka4NXfApZovDo91rF357nk3B6yqm8WpHaOSu J+NxaojwyahGpiOZu/7JWdZBJOlrehFA3x1GgSIMi3aFiCibVmpDcA+2ABVkpashSARd E2v6BOGvn6Zd3zkMc1Ri/PPND2jFCQrc2Ne6AVYczmJqjbSoeRjPv37thNOz5+zJmBSO nQ==
Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by aserp2120.oracle.com with ESMTP id 2xrdmqq9h3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 29 Jan 2020 18:11:21 +0000
Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id 00TI8q3W033176; Wed, 29 Jan 2020 18:11:21 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserp3030.oracle.com with ESMTP id 2xuc2x6s8x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 29 Jan 2020 18:11:21 +0000
Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 00TIBJUW020735; Wed, 29 Jan 2020 18:11:20 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 29 Jan 2020 10:11:19 -0800
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <80F557DD-BD17-4119-98B9-614B7A9FDDFB@oracle.com>
Date: Wed, 29 Jan 2020 13:11:18 -0500
Cc: secdir@ietf.org, last-call@ietf.org, nfsv4@ietf.org, draft-ietf-nfsv4-rpcrdma-cm-pvt-data.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <14AED4E4-E166-4760-8F8D-9DB1CAB5ECD0@oracle.com>
References: <158007038921.30641.13334124837519126164@ietfa.amsl.com> <80F557DD-BD17-4119-98B9-614B7A9FDDFB@oracle.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9514 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-2001290147
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9514 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-2001290146
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xu8mMNkKV-OBeVtPw3-PMhg69Uw>
Subject: Re: [secdir] [nfsv4] Secdir last call review of draft-ietf-nfsv4-rpcrdma-cm-pvt-data-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 18:11:26 -0000
Following up... > On Jan 27, 2020, at 10:01 AM, Chuck Lever <chuck.lever@oracle.com> wrote: > > Hello Yaron- > > Thanks for your review and comments. I will respond to your comments > below, then we can determine how to clarify the text to improve matters. > > >> On Jan 26, 2020, at 3:26 PM, Yaron Sheffer via Datatracker <noreply@ietf.org> wrote: >> >> Reviewer: Yaron Sheffer >> Review result: Has Issues >> >> The document defines limited parameter negotiation for RPC-RDMAv1, using a >> private message sent over the underlying transport protocol (e.g., InfiniBand). >> >> The document is clear enough, until it comes to the Security Considerations. As >> a newcomer to this domain, there are several points that I fail to understand: >> >> - The CM Private Data described here is not one of the messages of the RPC-RDMA >> protocol. So how can it "inherit the security considerations of the protocols >> it extends," - where this refers to RPC-RDMA? > > The private data is conveyed on the same transport connection as the > other messages in RPC-over-RDMA. The exchange of private data is part > of the connection handshake, and does not appear after the connection > is established. > > The intended purpose of this paragraph is introductory, referring the > reader to the Security Considerations section of RFC 8166 as background > material. > > >> - The next paragraph explains that the integrity is ensured by use of RC QP >> (whatever that is). But there's no mention of this entity in RFC 8166, which is >> supposed to define the security for this protocol. (Or in RFC 5042, for that >> matter). > > That does seem to be an omission of background material in these documents. > > The queue pair (QP) type used for RPC-over-RDMA is Reliable Connected (RC). > This is part of the RDMA Verbs API, thus it is not defined in any > published IETF document. > > However, a relevant definition can be found in Section 9.7.7 of > > InfiniBand Trade Association, "InfiniBand Architecture Specification Volume > 1", Release 1.3, March 2015. Available from https://www.infinibandta.org/ > > Section 8.1.1 of RFC 8166 discusses one aspect of Reliable Connected behavior > but does not provide an adequate citation. The document as a whole does not > make a specific compliance statement about the use of RC QPs. > draft-ietf-nfsv4-rpcrdma-version-two rectifies that omission. > > However, the protocol framework depends on the semantics of RC QPs, thus > RPC-over-RDMA version one implementations to date use only the RC QP type. > That makes it rather a de facto requirement up to this point. To address the above two comments, I've updated the Security Considerations section to read: 6. Security Considerations The Private Data extension specified in the current document inherits the security considerations of RPC-over-RDMA version one [RFC8166]. The reader is directed to the Security Considerations section of that document for further discussion. Additional analysis of RDMA transport security appears in the Security Considerations section of [RFC5042]. Improperly setting one of the fields in a version 1 Private Message can result in an increased risk of disconnection (i.e., self-imposed Denial of Service). There is no additional risk of exposing upper- layer payloads. >> - I am usually suspicious of pre-2010 RFCs that recommend IPsec as a >> per-protocol solution (RFC 5042, Sec. 5.4.3). Is IPsec deployed in real life to >> protect these protocols, and if so, does it also protect the new CM Private >> Data? > > IPsec is appropriate for iWARP (defined in the RFC 504x series), as iWARP > can operate on public untrusted networks. Typically IPsec is implemented > along side iWARP in NIC hardware, and thus is relatively transparent to > the host (aside from initial configuration). > > When deployed, IPsec would establish a protected channel before iWARP > operations are exchanged, and thus would protect the exchange of private > data that occurs as each QP connection is established. > > IPsec is not used for InfiniBand or RoCE. Deployment of these fabrics is > typically in monolithic security environments. I'm not clear whether this issue is in the scope of cm-pvt-data. >> - And then after saying that integrity protection is ensured, we say that even >> if integrity was compromised and the parameters were modified anyway, no >> problem, this would only result in "self imposed denial of service". Even if >> true for the currently negotiated parameters, this cannot be true for every >> conceivable parameter that may be added in the future. > > That's correct. > > Practically speaking, even though we made this private data mechanism > extensible, we are already busy creating an RPC-over-RDMA version two, > where the same exchange is done via RPC-over-RDMA messages rather than > via CM Private Data. It's not likely that cm-pvt-data itself will ever > be extended. To address this comment, I've added a paragraph to the end of Section 5 "Updating the Message Format": In addition to describing the structure of a new format version, any document that extends the Private Data format described in the current document must discuss security considerations of new items exchanged between connection peers. -- Chuck Lever
- [secdir] Secdir last call review of draft-ietf-nf… Yaron Sheffer via Datatracker
- Re: [secdir] [nfsv4] Secdir last call review of d… Chuck Lever
- Re: [secdir] [nfsv4] Secdir last call review of d… Chuck Lever
- Re: [secdir] [nfsv4] Secdir last call review of d… Yaron Sheffer
- Re: [secdir] [nfsv4] Secdir last call review of d… Chuck Lever
- Re: [secdir] [nfsv4] Secdir last call review of d… Yaron Sheffer