Security Needs for the NFSv4 Protocols
draft-dnoveck-nfsv4-security-needs-02
Network File System Version 4                                  D. Noveck
Internet-Draft                                                    NetApp
Intended status: Informational                             C. Lever, Ed.
Expires: 25 July 2021                                             Oracle
                                                         21 January 2021
Abstract
This document discusses the inadequate approach to security within
the family of NFSv4 protocol specifications and proposes steps to
correct the situation. Because the security architecture is similar
for all NFSv4 minor versions, we recommend a single new standards-
track document to encapsulate NFSv4 security fundamentals, and
propose the introduction of several additional security-related
documents.
Note
Discussion of this draft takes place on the NFSv4 working group
mailing list (nfsv4@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/nfsv4/. Working Group
information can be found at
https://datatracker.ietf.org/wg/nfsv4/about/.
This note is to be removed before publishing as an RFC.
The source for this draft is maintained in GitHub. Suggested changes
should be submitted as pull requests at
https://github.com/chucklever/i-d-security-needs. Instructions are
on that page as well.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Noveck & Lever Expires 25 July 2021 [Page 1]
Internet-Draft NFSv4 Security Needs January 2021
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 25 July 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Terminology
2.1. Requirements Language
2.2. Requirements Language as Used in This Document
2.3. Glossary
3. Use of this Document
3.1. Current Use of this Document
3.2. Future Use of this Document
4. Situation to be Addressed
4.1. NFSv4 Use Environments to be Addressed
4.2. Emergence and Correction of Security Issues
5. Major Problems to Address
5.1. Problems with Security Presentation/Organization
5.1.1. Problems with Presentation of Security Architecture
5.1.2. Problems with Security Evaluation
5.2. The Treatment of AUTH_SYS
5.2.1. Current AUTH_SYS Security Policies
5.2.2. Working Group Actions
5.3. Problems with Confidentiality
5.4. File Access Control
5.4.1. File Content Integrity and Provenance
6. Framework for Correcting Problems
6.1. Correcting Problems with Regard to Threat Analyses
6.2. Correcting Problems with Regard to Use of Normative