Return-Path: Received: from aserp1040.oracle.com ([141.146.126.69]:45954 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751181AbdKZPx7 (ORCPT ); Sun, 26 Nov 2017 10:53:59 -0500 Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) Subject: Re: [PATCH v3 08/14] SUNRPC: add AF_VSOCK support to svc_xprt.c From: Chuck Lever In-Reply-To: <1511697511.9511.9.camel@redhat.com> Date: Sun, 26 Nov 2017 10:53:45 -0500 Cc: Stefan Hajnoczi , Linux NFS Mailing List , Abbas Naderi , Anna Schumaker , Trond Myklebust , Bruce Fields Message-Id: <716BB5E5-C1B4-4003-8A82-3B9D3CC043FD@oracle.com> References: <20170630132352.32133-1-stefanha@redhat.com> <20170630132352.32133-9-stefanha@redhat.com> <1509459038.4553.26.camel@redhat.com> <20171107133111.GK6809@stefanha-x1.localdomain> <1510063286.4518.34.camel@redhat.com> <20171116152502.GG29106@stefanha-x1.localdomain> <1511697511.9511.9.camel@redhat.com> To: Jeff Layton Sender: linux-nfs-owner@vger.kernel.org List-ID: > On Nov 26, 2017, at 6:58 AM, Jeff Layton wrote: > > On Thu, 2017-11-16 at 15:53 -0500, Chuck Lever wrote: >>> On Nov 16, 2017, at 10:25 AM, Stefan Hajnoczi wrote: >>> >>> On Tue, Nov 07, 2017 at 09:01:26AM -0500, Jeff Layton wrote: >>>> On Tue, 2017-11-07 at 13:31 +0000, Stefan Hajnoczi wrote: >>>>> On Tue, Oct 31, 2017 at 10:10:38AM -0400, Jeff Layton wrote: >>>>>> On Fri, 2017-06-30 at 14:23 +0100, Stefan Hajnoczi wrote: >>>>>>> @@ -595,6 +609,10 @@ int svc_port_is_privileged(struct sockaddr *sin) >>>>>>> case AF_INET6: >>>>>>> return ntohs(((struct sockaddr_in6 *)sin)->sin6_port) >>>>>>> < PROT_SOCK; >>>>>>> + case AF_VSOCK: >>>>>>> + return ((struct sockaddr_vm *)sin)->svm_port <= >>>>>>> + LAST_RESERVED_PORT; >>>>>>> + >>>>>>> default: >>>>>>> return 0; >>>>>>> } >>>>>> >>>>>> Does vsock even have the concept of a privileged port? I would imagine >>>>>> that root in a guest VM would carry no particular significance from an >>>>>> export security standpoint >>>>>> >>>>>> Since you're defining a new transport here, it might be nice write the >>>>>> RFCs to avoid that distinction, if possible. >>>>>> >>>>>> Note that RDMA just has svc_port_is_privileged always return 1. >>>>> >>>>> AF_VSOCK has the same 0-1023 privileged port range as TCP. >>>>> >>>> >>>> But why? And, given that you have 32-bits for a port with AF_VSOCK vs >>>> the 16 bits on an AF_INET/AF_INET6, why is the range so pitifully small? >>>> >>>> Reserved ports are a bit of a dinosaur holdover from when being root on >>>> a machine on the Internet meant something. With v4.1 it's much less of >>>> an issue, but in the "olden days", reserved port exhaustion could be a >>>> real problem. >>>> >>>> Mandating low ports can also be a problem in other way. Some well known >>>> services use ports in the ephemeral range, and if your service starts >>>> late and someone else has taken the port for an ephemeral one, you're >>>> out of luck. >>>> >>>> I think we have to ask ourselves: >>>> >>>> Should the ability to open a low port inside of a VM carry any >>>> significance at all to an RPC server? I'd suggest not, and I think it'd >>>> be good to word the RFC to make that explicitly clear. >>> >>> AF_VSOCK has had the reserved port range since it was first merged in >>> 2013. That's before my time but I do see some use for identifying >>> connections coming from privileged processes. >>> >>> Given that TCP has the same privileged port range, is there any reason >>> why AF_VSOCK would be any worse off than TCP for having it? >> >> I agree with Jeff that we need to think carefully about this. >> >> I don't especially care for the privileged port check, but: >> >> In this case, you are inventing an RPC transport that makes >> it impossible to use strong security (ie, RPCSEC_GSS). We >> should be careful about removing the check because only >> AUTH_NULL and AUTH_UNIX security can be used in this kind >> of deployment. >> > > I know we've discussed this a bit, but does this transport _really_ > preclude us from using RPCSEC_GSS? I know we don't have IP addresses > here, but hosts on either end of a vsocket will have hostnames. Yes, even for AUTH_UNIX, something has to go in the "hostname" field in the credential. Let's say the guest's uname. > WRT kerberos, I don't see a reason why both hosts couldn't communicate > with a KDC via other means, get tickets and then use those for > authenticating over their vsock connection. vsock might make it harder > to determine what SPN to use, but we could potentially work around that > in other ways. "No network configuration" implies to me that the KDC (or a proxy for it) would have to reside on the host. Indeed, there's no a priori way of determining the NFS server SPN, other than to tell the guest somehow via a manual administrative interface or we pick a well-known value for it and make it part of the RPC-over-VSOCK spec. >> Privileged ports are easy to spoof if there is an opportunity >> for a MitM attack to alter the port number of RPCs in transit. >> With VSOCK there may be no such opportunity, thus privileged >> ports might provide an adequate level of security here. I >> make that claim with no deep experience of VSOCK environments. >> >> When writing the VSOCK-related RFCs, you will need to provide >> a very clear and concise rationale to the IESG for purposely >> not supporting the use of RPCSEC_GSS. It will start with "well, >> these RPCs do not flow on open networks and are thus not >> subject to MitM attacks"; then proceed to careful discussion of >> how the server will guard against rogue users on guests, and >> assumptions about the trust relationship between the guests >> and the host. You will have to make AUTH_UNIX into a defensible >> deployment choice, and port privilege might be a part of that. >> >> Note also that the NFSv4 standards require that implementations >> can support RPCSEC_GSS. NFSv4 on VSOCK cannot. Something will >> have to be done about that. >> > > Good point on the reserved port value for AUTH_UNIX. That may be reason > enough to keep it in. -- Chuck Lever