From: Olga Kornievskaia
Date: Wed, 5 Jun 2024 12:30:55 -0400
Subject: Re: NFS with TLS on 4.0
To: Chuck Lever III
Cc: Linux NFS Mailing List
In-Reply-To: <6E31172E-8991-43E2-A9E0-88FEAEDDA00B@oracle.com>

On Wed, Jun 5, 2024 at 11:37 AM Chuck Lever III wrote:
>
> Howdy -
>
> > On Jun 5, 2024, at 10:34 AM, Olga Kornievskaia wrote:
> >
> > Hi Chuck,
> >
> > I noticed an interesting behaviour by the linux server. If I were to
> > mount the linux server with vers=4.0,sec=sys,xprtsec=tls, acquire a
> > delegation, and trigger a CB_RECALL, then it is done with gss
> > integrity. Why is that? I thought the callback is supposed to be done
> > with the same security flavor as the forechannel.
>
> The CB_RECALL is using the same flavor and principal as was used
> for the SETCLIENTID. That is all that the NFSv4.0 spec requires.

Thanks. For some reason I thought "do state operations with krb5i" was
a 4.1 thing and not 4.0. But I can see now that this started with the
client doing SETCLIENTID using krb5i (even though the mount was sec=sys).

> Remember that xprtsec= does not specify a security flavor.
>
> > But then also the callback isn't done over TLS. Should the callback be
> > done over TLS (and it's a future implementation to do for
> > client/server)?
>
> The NFSv4.0 backchannel could be done over TLS, sure.
>
> > Or is this a spec restriction/limitation?
>
> The NFSv4.0 spec doesn't know about TLS, so it doesn't take
> a position about requiring it.
>
> Unless there's an interoperability concern, IMO standards action
> isn't necessary. We can definitely say, though, that a prudent
> NFSv4.0 server implementation would choose to try TLS if the
> forward channel used it, and a prudent NFSv4.0 client would
> require the use of TLS on the backchannel in that case.
>
> The Linux implementation does not do that yet -- TLS would
> protect both directions of operation for NFSv4.1 and above,
> but for NFSv4.0, it doesn't.

Thank you for the clarification. Not sure it is worth the effort (given
we've been discussing deprecating 4.0 anyway) but it answers my question
of whether it's a question of implementation or spec.

> --
> Chuck Lever
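An added example, not code from the thread or from the Linux NFS client or server: a small checker that reads /proc/self/mountinfo-style lines and points out the case discussed above, an NFSv4.0 mount whose forward channel uses RPC-with-TLS (xprtsec=tls or mtls) while, on Linux as of this thread, the backchannel carrying CB_RECALL is not TLS-protected and its RPC flavor follows the SETCLIENTID flavor rather than the mount's sec= option. The mountinfo lines, hostnames and addresses are constructed for the example; the treatment of NFSv4.1+ (backchannel covered by TLS because it shares the forward connection) is taken from Chuck's reply.

```python
"""Flag NFSv4.0 mounts with a TLS forward channel but a non-TLS backchannel.

Added example for the linux-nfs thread "NFS with TLS on 4.0"; not code from
the Linux NFS client or server. Sample mountinfo lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed /proc/self/mountinfo lines (placeholder hosts and addresses).
SAMPLE_MOUNTINFO = """\
36 25 0:32 / /mnt/v40tls rw,relatime shared:20 - nfs4 nfs.example.test:/export rw,vers=4.0,rsize=1048576,wsize=1048576,hard,proto=tcp,timeo=600,retrans=2,sec=sys,xprtsec=tls,clientaddr=192.0.2.10,local_lock=none,addr=192.0.2.20
37 25 0:33 / /mnt/v41tls rw,relatime shared:21 - nfs4 nfs.example.test:/export41 rw,vers=4.1,rsize=1048576,wsize=1048576,hard,proto=tcp,timeo=600,retrans=2,sec=sys,xprtsec=tls,clientaddr=192.0.2.10,local_lock=none,addr=192.0.2.20
38 25 0:34 / /mnt/v40\\040krb rw,relatime shared:22 - nfs4 nfs.example.test:/export40 rw,vers=4.0,rsize=1048576,wsize=1048576,hard,proto=tcp,timeo=600,retrans=2,sec=krb5i,clientaddr=192.0.2.10,local_lock=none,addr=192.0.2.20
39 25 0:35 / /home rw,relatime shared:23 - ext4 /dev/sda2 rw,errors=remount-ro
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


@dataclass
class Mount:
    mountpoint: str
    fstype: str
    source: str
    superopts: Dict[str, Optional[str]]  # bare flags such as "rw" map to None


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse lines of the form '<6+ fields> [optional...] - fstype source superopts'."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        if not sep:
            continue  # blank or malformed line
        lfields = left.split()
        rfields = right.split(None, 2)
        if len(lfields) < 6 or len(rfields) < 3:
            continue
        fstype, source, opts = rfields
        superopts: Dict[str, Optional[str]] = {}
        for opt in opts.split(","):
            key, _, value = opt.partition("=")
            superopts[key] = value if value else None
        mounts.append(Mount(unescape(lfields[4]), fstype, unescape(source), superopts))
    return mounts


def assess(m: Mount) -> Optional[dict]:
    """Report forward/backchannel TLS status for an NFS mount; None for other fs types."""
    if m.fstype not in ("nfs", "nfs4"):
        return None
    vers = m.superopts.get("vers") or "unknown"
    xprtsec = m.superopts.get("xprtsec") or "none"  # absent option means no TLS
    sec = m.superopts.get("sec") or "sys"
    forward_tls = xprtsec in ("tls", "mtls")
    note = ""
    if vers == "4.0":
        # Separate server->client connection; per the thread, Linux does not
        # use TLS on it, and its flavor is the one used for SETCLIENTID.
        backchannel_tls: Optional[bool] = False
        note = "backchannel flavor follows SETCLIENTID, not sec="
    elif vers.startswith("4."):
        backchannel_tls = forward_tls  # backchannel rides the forward connection
    else:
        backchannel_tls = None  # NFSv2/v3 have no backchannel
    return {
        "mountpoint": m.mountpoint,
        "vers": vers,
        "forward_xprtsec": xprtsec,
        "forward_sec": sec,
        "backchannel_tls": backchannel_tls,
        "tls_gap": forward_tls and backchannel_tls is False,
        "note": note,
    }


def assess_all(mounts: List[Mount]) -> List[dict]:
    return [r for r in (assess(m) for m in mounts) if r is not None]


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    text = open("/proc/self/mountinfo").read() if live else SAMPLE_MOUNTINFO
    for r in assess_all(parse_mountinfo(text)):
        flag = "TLS GAP" if r["tls_gap"] else "ok"
        print(f"{r['mountpoint']}: vers={r['vers']} xprtsec={r['forward_xprtsec']} "
              f"sec={r['forward_sec']} backchannel_tls={r['backchannel_tls']} [{flag}] {r['note']}")
```

Run it as-is to see the constructed sample, or with --live to read the host's own mountinfo. A flagged mount means the forward channel is TLS-protected but delegation recalls arrive on a plain connection whose only protection is the RPC flavor the client chose for SETCLIENTID (krb5i in the case Olga observed, even though the mount said sec=sys).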