TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key
draft-ietf-tls-tls13-cert-with-extern-psk-03
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8773.
|
|
|---|---|---|---|
| Author | Russ Housley | ||
| Last updated | 2019-12-12 (Latest revision 2019-11-17) | ||
| Replaces | draft-housley-tls-tls13-cert-with-extern-psk | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews | |||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Joseph A. Salowey | ||
| Shepherd write-up | Show Last changed 2019-07-01 | ||
| IESG | IESG state | Became RFC 8773 (Experimental) | |
| Consensus boilerplate | Unknown | ||
| Telechat date |
(None)
Needs a YES. |
||
| Responsible AD | Benjamin Kaduk | ||
| Send notices to | Joseph Salowey <joe@salowey.net> | ||
| IANA | IANA review state | IANA OK - Actions Needed | |
| IANA expert review state | Expert Reviews OK |
draft-ietf-tls-tls13-cert-with-extern-psk-03
Network Working Group R. Housley
Internet-Draft Vigil Security
Intended status: Experimental November 17, 2019
Expires: May 20, 2020
TLS 1.3 Extension for Certificate-based Authentication with an External
Pre-Shared Key
draft-ietf-tls-tls13-cert-with-extern-psk-03
Abstract
This document specifies a TLS 1.3 extension that allows a server to
authenticate with a combination of a certificate and an external pre-
shared key (PSK).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 20, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Housley Expires May 20, 2020 [Page 1]
Internet-Draft Certificate with External PSK November 2019
1. Introduction
The TLS 1.3 [RFC8446] handshake protocol provides two mutually
exclusive forms of server authentication. First, the server can be
authenticated by providing a signature certificate and creating a
valid digital signature to demonstrate that it possesses the
corresponding private key. Second, the server can be authenticated
by demonstrating that it possesses a pre-shared key (PSK) that was
established by a previous handshake. A PSK that is established in
this fashion is called a resumption PSK. A PSK that is established
by any other means is called an external PSK. This document
specifies a TLS 1.3 extension permitting certificate-based server
authentication to be combined with an external PSK as an input to the
TLS 1.3 key schedule.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Motivation and Design Rationale
The development of a large-scale quantum computer would pose a
serious challenge for the cryptographic algorithms that are widely
deployed today, including the digital signature algorithms that are
used to authenticate the server in the TLS 1.3 handshake protocol.
It is an open question whether or not it is feasible to build a
large-scale quantum computer, and if so, when that might happen.
However, if such a quantum computer is invented, many of the
cryptographic algorithms and the security protocols that use them
would become vulnerable.
The TLS 1.3 handshake protocol employs key agreement algorithms and
digital signature algorithms that could be broken by the development
of a large-scale quantum computer [I-D.hoffman-c2pq]. The key
agreement algorithms include Diffie-Hellman (DH) [DH1977] and
Elliptic Curve Diffie-Hellman (ECDH) [IEEE1363]; the digital
signature algorithms inclue RSA [RFC8017] and Elliptic Curve Digital
Signature Algorithm (ECDSA) [FIPS186]. As a result, an adversary
that stores a TLS 1.3 handshake protocol exchange today could decrypt
the associated encrypted communications in the future when a large-
scale quantum computer becomes available.
In the near-term, this document describes TLS 1.3 extension to
protect today's communications from the future invention of a large-
Housley Expires May 20, 2020 [Page 2]
Internet-Draft Certificate with External PSK November 2019
scale quantum computer by providing a strong external PSK as an input
to the TLS 1.3 key schedule while preserving the authentication
provided by the existing certificate and digital signature
mechanisms.
4. Extension Overview
This section provides a brief overview of the
"tls_cert_with_extern_psk" extension.
The client includes the "tls_cert_with_extern_psk" extension in the
ClientHello message. The "tls_cert_with_extern_psk" extension MUST
be accompanied by the "key_share", "psk_key_exchange_modes", and
"pre_shared_key" extensions. The client MAY also find it useful to
include the "supported_groups" extension. Since the
"tls_cert_with_extern_psk" extension is intended to be used only with
initial handshakes, it MUST NOT be sent alongside the "early_data"
extension. These extensions are all described in Section 4.2 of
[RFC8446], which also requires the "pre_shared_key" extension to be
the last extension in the ClientHello message.
If the server is willing to use one of the external PSKs listed in
the "pre_shared_key" extension and perform certificate-based
authentication, then the server includes the
"tls_cert_with_extern_psk" extension in the ServerHello message. The
"tls_cert_with_extern_psk" extension MUST be accompanied by the
"key_share" and "pre_shared_key" extensions. If none of the external
PSKs in the list provided by the client is acceptable to the server,
then the "tls_cert_with_extern_psk" extension is omitted from the
ServerHello message.
When the "tls_cert_with_extern_psk" extension is successfully
negotiated, the TLS 1.3 key schedule processing includes both the
selected external PSK and the (EC)DHE shared secret value. As a
result, the Early Secret, Handshake Secret, and Master Secret values
all depend upon the value of the selected external PSK. Of course,
the Early Secret does not depend upon the (EC)DHE shared secret.
The authentication of the server and optional authentication of the
client depend upon the ability to generate a signature that can be
validated with the public key in their certificates. The
authentication processing is not changed in any way by the selected
external PSK.
Each external PSK is associated with a single hash algorithm, which
is required by Section 4.2.11 of [RFC8446]. The hash algorithm MUST
be set when the PSK is established, with a default of SHA-256.
Housley Expires May 20, 2020 [Page 3]
Internet-Draft Certificate with External PSK November 2019
5. Certificate with External PSK Extension
This section specifies the "tls_cert_with_extern_psk" extension,
which MAY appear in the ClientHello message and ServerHello message.
It MUST NOT appear in any other messages. The
"tls_cert_with_extern_psk" extension MUST NOT appear in the
ServerHello message unless the "tls_cert_with_extern_psk" extension
appeared in the preceding ClientHello message. If an implementation
recognizes the "tls_cert_with_extern_psk" extension and receives it
in any other message, then the implementation MUST abort the
handshake with an "illegal_parameter" alert.
The general extension mechanisms enable clients and servers to
negotiate the use of specific extensions. Clients request extended
functionality from servers with the extensions field in the
ClientHello message. If the server responds with a HelloRetryRequest
message, then the client sends another ClientHello message as
described in Section 4.1.2 of [RFC8446], including the same
"tls_cert_with_extern_psk" extension as the original ClientHello
message or abort the handshake.
Many server extensions are carried in the EncryptedExtensions
message; however, the "tls_cert_with_extern_psk" extension is carried
in the ServerHello message. Successful negotiation of the
"tls_cert_with_extern_psk" extension affects the key used for
encryption, so it cannot be carried in the EncryptedExtensions
message. Therefore, the "tls_cert_with_extern_psk" extension is only
present in the ServerHello message if the server recognizes the
"tls_cert_with_extern_psk" extension and the server possesses one of
the external PSKs offered by the client in the "pre_shared_key"
extension in the ClientHello message.
The Extension structure is defined in [RFC8446]; it is repeated here
for convenience.
struct {
ExtensionType extension_type;
opaque extension_data<0..2^16-1>;
} Extension;
The "extension_type" identifies the particular extension type, and
the "extension_data" contains information specific to the particular
extension type.
This document specifies the "tls_cert_with_extern_psk" extension,
adding one new type to ExtensionType:
Housley Expires May 20, 2020 [Page 4]
Internet-Draft Certificate with External PSK November 2019
enum {
tls_cert_with_extern_psk(TBD), (65535)
} ExtensionType;
The "tls_cert_with_extern_psk" extension is relevant when the client
and server possess an external PSK in common that can be used as an
input to the TLS 1.3 key schedule. The "tls_cert_with_extern_psk"
extension is essentially a flag to use the external PSK in the key
schedule, and it has the following syntax:
struct {
select (Handshake.msg_type) {
case client_hello: Empty;
case server_hello: Empty;
};
} CertWithExternPSK;
5.1. Companion Extensions
Section 4 lists the extensions that are required to accompany the
"tls_cert_with_extern_psk" extension. Most of those extension are
not impacted in any way. This section discusses the impacts on the
other extensions.
The "psk_key_exchange_modes" extension is defined in Section 4.2.9 of
[RFC8446]. The "psk_key_exchange_modes" extension restricts both the
use of PSKs offered in this ClientHello and those which the server
might supply via a subsequent NewSessionTicket. As a result, when
the "psk_key_exchange_modes" extension is included in the ClientHello
message, clients MUST include psk_dhe_ke mode. In addition, clients
MAY also include psk_ke mode to support a subsequent
NewSessionTicket. When the "psk_key_exchange_modes" extension is
included in the ServerHello message, servers MUST select the
psk_dhe_ke mode for the initial handshake. Servers MUST select a key
exchange mode that is listed by the client for subsequent handshakes
that include the resumption PSK from the initial handshake.
The "pre_shared_key" extension is defined in Section 4.2.11 of
[RFC8446]. The syntax is repeated below for convenience. All of the
listed PSKs MUST be external PSKs. If a resumption PSK is listed
along with the "tls_cert_with_extern_psk" extension, the server MUST
abort the handshake with an "illegal_parameter" alert.
Housley Expires May 20, 2020 [Page 5]
Internet-Draft Certificate with External PSK November 2019
struct {
opaque identity<1..2^16-1>;
uint32 obfuscated_ticket_age;
} PskIdentity;
opaque PskBinderEntry<32..255>;
struct {
PskIdentity identities<7..2^16-1>;
PskBinderEntry binders<33..2^16-1>;
} OfferedPsks;
struct {
select (Handshake.msg_type) {
case client_hello: OfferedPsks;
case server_hello: uint16 selected_identity;
};
} PreSharedKeyExtension;
The OfferedPsks contains the list of PSK identities and associated
binders for the external PSKs that the client is willing to use with
the server.
The identities are a list of external PSK identities that the client
is willing to negotiate with the server. Each external PSK has an
associated identity that is known to the client and the server; the
associated identities may be know to other parties as well. In
addition, the binder validation (see below) confirms that the client
and server have the same key associated with the identity.
The obfuscated_ticket_age is not used for external PSKs. As stated
in Section 4.2.11 of [RFC8446], clients SHOULD set this value to 0,
and servers MUST ignore the value.
The binders are a series of HMAC values, one for each external PSK
offered by the client, in the same order as the identities list. The
HMAC value is computed using the binder_key, which is derived from
the external PSK, and a partial transcript of the current handshake.
Generation of the binder_key from the external PSK is described in
Section 7.1 of [RFC8446]. The partial transcript of the current
handshake includes a partial ClientHello up to and including the
PreSharedKeyExtension.identities field as described in
Section 4.2.11.2 of [RFC8446].
The selected_identity contains the index of the external PSK identity
that the server selected from the list offered by the client. As
described in Section 4.2.11.2 of [RFC8446], the server MUST validate
Housley Expires May 20, 2020 [Page 6]
Internet-Draft Certificate with External PSK November 2019
the binder value that corresponds to the selected external PSK, and
if the binder does not validate, the server MUST abort the handshake
with an "illegal_parameter" alert.
5.2. Authentication
When the "tls_cert_with_extern_psk" extension is successfully
negotiated, authentication of the server depends upon the ability to
generate a signature that can be validated with the public key in the
server's certificate. This is accomplished by the server sending the
Certificate and CertificateVerify messages as described in Sections
4.4.2 and 4.4.3 of [RFC8446].
TLS 1.3 does not permit the server to send a CertificateRequest
message when a PSK is being used. This restriction is removed when
the "tls_cert_with_extern_psk" extension is negotiated, allowing
certificate-based authentication for both the client and the server.
If certificate-based client authentication is desired, this is
accomplished by the client sending the Certificate and
CertificateVerify messages as described in Sections 4.4.2 and 4.4.3
of [RFC8446].
5.3. Keying Material
Section 7.1 of [RFC8446] specifies the TLS 1.3 Key Schedule. The
successful negotiation of the "tls_cert_with_extern_psk&14.8. Operation 67: IO_ADVISE - Application I/O access
pattern hints . . . . . . . . . . . . . . . . . . . . . . 77
14.9. Changes to Operation 51: LAYOUTRETURN . . . . . . . . . . 82
14.10. Operation 65: READ_PLUS . . . . . . . . . . . . . . . . . 85
14.11. Operation 66: SEEK . . . . . . . . . . . . . . . . . . . 90
15. NFSv4.2 Callback Operations . . . . . . . . . . . . . . . . . 91
15.1. Operation 15: CB_OFFLOAD - Report results of an
asynchronous operation . . . . . . . . . . . . . . . . . 91
16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 92
17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 93
17.1. Normative References . . . . . . . . . . . . . . . . . . 93
17.2. Informative References . . . . . . . . . . . . . . . . . 93
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 95
Appendix B. RFC Editor Notes . . . . . . . . . . . . . . . . . . 96
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 96
Haynes Expires September 15, 2013 [Page 4]
Internet-Draft NFSv4.2 March 2013
1. Introduction
1.1. The NFS Version 4 Minor Version 2 Protocol
The NFS version 4 minor version 2 (NFSv4.2) protocol is the third
minor version of the NFS version 4 (NFSv4) protocol. The first minor
version, NFSv4.0, is described in [I-D.ietf-nfsv4-rfc3530bis] and the
second minor version, NFSv4.1, is described in [RFC5661]. It follows
the guidelines for minor versioning that are listed in Section 11 of
[I-D.ietf-nfsv4-rfc3530bis].
As a minor version, NFSv4.2 is consistent with the overall goals for
NFSv4, but extends the protocol so as to better meet those goals,
based on experiences with NFSv4.1. In addition, NFSv4.2 has adopted
some additional goals, which motivate some of the major extensions in
NFSv4.2.
1.2. Scope of This Document
This document describes the NFSv4.2 protocol. With respect to
NFSv4.0 and NFSv4.1, this document does not:
o describe the NFSv4.0 or NFSv4.1 protocols, except where needed to
contrast with NFSv4.2
o modify the specification of the NFSv4.0 or NFSv4.1 protocols
o clarify the NFSv4.0 or NFSv4.1 protocols. I.e., any
clarifications made here apply to NFSv4.2 and neither of the prior
protocols
The full XDR for NFSv4.2 is presented in [4.2xdr].
1.3. NFSv4.2 Goals
The goal of the design of NFSv4.2 is to take common local file system
features and offer them remotely. These features might
o already be available on the servers, e.g., sparse files
o be under development as a new standard, e.g., SEEK_HOLE and
SEEK_DATA
o be used by clients with the servers via some proprietary means,
e.g., Labeled NFS
but the clients are not able to leverage them on the server within
the confines of the NFS protocol.
Haynes Expires September 15, 2013 [Page 5]
Internet-Draft NFSv4.2 March 2013
1.4. Overview of NFSv4.2 Features
1.4.1. Server-side Copy
A traditional file copy from one server to another results in the
data being put on the network twice - source to client and then
client to destination. New operations are introduced to allow the
client to authorize the two servers to interact directly. As this
copy can be lengthy, asynchronous support is also provided.
1.4.2. Application I/O Advise
Applications and clients want to advise the server as to expected I/O
behavior. Using IO_ADVISE (see Section 14.8) to communicate future
I/O behavior such as whether a file will be accessed sequentially or
randomly, and whether a file will or will not be accessed in the near
future, allows servers to optimize future I/O requests for a file by,
for example, prefetching or evicting data. This operation can be
used to support the posix_fadvise function as well as other
applications such as databases and video editors.
1.4.3. Sparse Files
Sparse files are ones which have unallocated data blocks as holes in
the file. Such holes are typically transferred as 0s during I/O.
READ_PLUS (see Section 14.10) allows a server to send back to the
client metadata describing the hole and WRITE_PLUS (see Section 14.7)
allows the client to punch holes into a file. In addition, SEEK (see
Section 14.11) is provided to scan for the next hole or data from a
given location.
1.4.4. Space Reservation
When a file is sparse, one concern applications have is ensuring that
there will always be enough data blocks available for the file during
future writes. A new attribute, space_reserved (see Section 12.2.4)
provides the client a guarantee that space will be available.
1.4.5. Application Data Hole (ADH) Support
Some applications treat a file as if it were a disk and as such want
to initialize (or format) the file image. We extend both READ_PLUS
and WRITE_PLUS to understand this metadata as a new form of a hole.
1.4.6. Labeled NFS
While both clients and servers can employ Mandatory Access Control
(MAC) security models to enforce data access, there has been no
Haynes Expires September 15, 2013 [Page 6]
Internet-Draft NFSv4.2 March 2013
protocol support to allow full interoperability. A new file object
attribute, sec_label (see Section 12.2.2) allows for the server to
store and enforce MAC labels. The format of the sec_label
accommodates any MAC security system.
1.5. Differences from NFSv4.1
In NFSv4.1, the only way to introduce new variants of an operation
was to introduce a new operation. I.e., READ becomes either READ2 or
READ_PLUS. With the use of discriminated unions as parameters to
such functions in NFSv4.2, it is possible to add a new arm in a
subsequent minor version. And it is also possible to move such an
operation from OPTIONAL/RECOMMENDED to REQUIRED. Forcing an
implementation to adopt each arm of a discriminated union at such a
time does not meet the spirit of the minor versioning rules. As
such, new arms of a discriminated union MUST follow the same
guidelines for minor versioning as operations in NFSv4.1 - i.e., they
may not be made REQUIRED. To support this, a new error code,
NFS4ERR_UNION_NOTSUPP, is introduced which allows the server to
communicate to the client that the operation is supported, but the
specific arm of the discriminated union is not.
2. Minor Versioning
To address the requirement of an NFS protocol that can evolve as the
need arises, the NFSv4 protocol contains the rules and framework to
allow for future minor changes or versioning.
The base assumption with respect to minor versioning is that any
future accepted minor version will be documented in one or more
Standards Track RFCs. Minor version 0 of the NFSv4 protocol is
represented by [I-D.ietf-nfsv4-rfc3530bis], minor version 1 by
[RFC5661], and minor version 2 by this document. The COMPOUND and
CB_COMPOUND procedures support the encoding of the minor version
being requested by the client.
The following items represent the basic rules for the development of
minor versions. Note that a future minor version may modify or add
to the following rules as part of the minor version definition.
1. Procedures are not added or deleted.
To maintain the general RPC model, NFSv4 minor versions will not
add to or delete procedures from the NFS program.
2. Minor versions may add operations to the COMPOUND and
CB_COMPOUND procedures.
Haynes Expires September 15, 2013 [Page 7]
Internet-Draft NFSv4.2 March 2013
The addition of operations to the COMPOUND and CB_COMPOUND
procedures does not affect the RPC model.
* Minor versions may append attributes to the bitmap4 that
represents sets of attributes and to the fattr4 that
represents sets of attribute values.
This allows for the expansion of the attribute model to allow
for future growth or adaptation.
* Minor version X must append any new attributes after the last
documented attribute.
Since attribute results are specified as an opaque array of
per-attribute, XDR-encoded results, the complexity of adding
new attributes in the midst of the current definitions would
be too burdensome.
3. Minor versions must not modify the structure of an existing
operation's arguments or results.
Again, the complexity of handling multiple structure definitions
for a single operation is too burdensome. New operations should
be added instead of modifying existing structures for a minor
version.
This rule does not preclude the following adaptations in a minor
version:
* adding bits to flag fields, such as new attributes to
GETATTR's bitmap4 data type, and providing corresponding
variants of opaque arrays, such as a notify4 used together
with such bitmaps
* adding bits to existing attributes like ACLs that have flag
words
* extending enumerated types (including NFS4ERR_*) with new
values
* adding cases to a switched union
4. Note that when adding new cases to a switched union, a minor
version must not make new cases be REQUIRED. While the
encapsulating operation may be REQUIRED, the new cases (the
specific arm of the discriminated union) is not. The error code
Haynes Expires September 15, 2013 [Page 8]
Internet-Draft NFSv4.2 March 2013
NFS4ERR_UNION_NOTSUPP is used to notifify the client when the
server does not support such a case.
5. Minor versions must not modify the structure of existing
attributes.
6. Minor versions must not delete operations.
This prevents the potential reuse of a particular operation
"slot" in a future minor version.
7. Minor versions must not delete attributes.
8. Minor versions must not delete flag bits or enumeration values.
9. Minor versions may declare an operation MUST NOT be implemented.
Specifying that an operation MUST NOT be implemented is
equivalent to obsoleting an operation. For the client, it means
that the operation MUST NOT be sent to the server. For the
server, an NFS error can be returned as opposed to "dropping"
the request as an XDR decode error. This approach allows for
the obsolescence of an operation while maintaining its structure
so that a future minor version can reintroduce the operation.
1. Minor versions may declare that an attribute MUST NOT be
implemented.
2. Minor versions may declare that a flag bit or enumeration
value MUST NOT be implemented.
10. Minor versions may declare an operation to be OBSOLESCENT, which
indicates an intention to remove the operation (i.e., make it
MANDATORY TO NOT implement) in a subsequent minor version. Such
labeling is separate from the question of whether the operation
is REQUIRED or RECOMMENDED or OPTIONAL in the current minor
version. An operation may be both REQUIRED for the given minor
version and marked OBSOLESCENT, with the expectation that it
will be MANDATORY TO NOT implement in the next (or other
subsequent) minor version.
11. Note that the early notification of operation obsolescence is
put in place to mitigate the effects of design and
implementation mistakes, and to allow protocol development to
adapt to unexpected changes in the pace of implementation. Even
if an operation is marked OBSOLESCENT in a given minor version,
it may end up not being marked MANDATORY TO NOT implement in the
Haynes Expires September 15, 2013 [Page 9]
Internet-Draft NFSv4.2 March 2013
next minor version. In unusual circumstances, it might not be
marked OBSOLESCENT in a subsequent minor version, and never
become MANDATORY TO NOT implement.
12. Minor versions may downgrade features from REQUIRED to
RECOMMENDED, from RECOMMENDED to OPTIONAL, or from OPIONAL to
MANDATORY TO NOT implement. Also, if a feature was marked as
OBSOLESCENT in the prior minor version, it may be downgraded
from REQUIRED to OPTIONAL from RECOMMENDED to MANDATORY TO NOT
implement, or from REQUIRED to MANDATORY TO NOT implement.
13. Minor versions may upgrade features from OPTIONAL to
RECOMMENDED, or RECOMMENDED to REQUIRED. Also, if a feature was
marked as OBSOLESCENT in the prior minor version, it may be
upgraded to not be OBSOLESCENT.
14. A client and server that support minor version X SHOULD support
minor versions 0 through X-1 as well.
15. Except for infrastructural changes, a minor version must not
introduce REQUIRED new features.
This rule allows for the introduction of new functionality and
forces the use of implementation experience before designating a
feature as REQUIRED. On the other hand, some classes of
features are infrastructural and have broad effects. Allowing
infrastructural features to be RECOMMENDED or OPTIONAL
complicates implementation of the minor version.
16. A client MUST NOT attempt to use a stateid, filehandle, or
similar returned object from the COMPOUND procedure with minor
version X for another COMPOUND procedure with minor version Y,
where X != Y.
3. Server-side Copy
3.1. Introduction
The server-side copy feature provides a mechanism for the NFS client
to perform a file copy on the server without the data being
transmitted back and forth over the network. Without this feature,
an NFS client copies data from one location to another by reading the
data from the server over the network, and then writing the data back
over the network to the server. Using this server-side copy
operation, the client is able to instruct the server to copy the data
locally without the data being sent back and forth over the network
unnecessarily.
Haynes Expires September 15, 2013 [Page 10]
Internet-Draft NFSv4.2 March 2013
If the source object and destination object are on different file
servers, the file servers will communicate with one another to
perform the copy operation. The server-to-server protocol by which
this is accomplished is not defined in this document.
3.2. Protocol Overview
The server-side copy offload operations support both intra-server and
inter-server file copies. An intra-server copy is a copy in which
the source file and destination file reside on the same server. In
an inter-server copy, the source file and destination file are on
different servers. In both cases, the copy may be performed
synchronously or asynchronously.
Throughout the rest of this document, we refer to the NFS server
containing the source file as the "source server" and the NFS server
to which the file is transferred as the "destination server". In the
case of an intra-server copy, the source server and destination
server are the same server. Therefore in the context of an intra-
server copy, the terms source server and destination server refer to
the single server performing the copy.
The operations described below are designed to copy files. Other
file system objects can be copied by building on these operations or
using other techniques. For example if the user wishes to copy a
directory, the client can synthesize a directory copy by first
creating the destination directory and then copying the source
directory's files to the new destination directory. If the user
wishes to copy a namespace junction [FEDFS-NSDB] [FEDFS-ADMIN], the
client can use the ONC RPC Federated Filesystem protocol
[FEDFS-ADMIN] to perform the copy. Specifically the client can
determine the source junction's attributes using the FEDFS_LOOKUP_FSN
procedure and create a duplicate junction using the
FEDFS_CREATE_JUNCTION procedure.
For the inter-server copy, the operations are defined to be
compatible with the traditional copy authentication approach. The
client and user are authorized at the source for reading. Then they
are authorized at the destination for writing.
3.2.1. Overview of Copy Operations
COPY_NOTIFY: For inter-server copies, the client sends this
operation to the source server to notify it of a future file copy
from a given destination server for the given user.
(Section 14.3)
Haynes Expires September 15, 2013 [Page 11]
Internet-Draft NFSv4.2 March 2013
OFFLOAD_REVOKE: Also for inter-server copies, the client sends this
operation to the source server to revoke permission to copy a file
for the given user. (Section 14.4)
COPY: Used by the client to request a file copy. (Section 14.1)
OFFLOAD_ABORT: Used by the client to abort an asynchronous file
copy. (Section 14.2)
OFFLOAD_STATUS: Used by the client to poll the status of an
asynchronous file copy. (Section 14.5)
CB_OFFLOAD: Used by the destination server to report the results of
an asynchronous file copy to the client. (Section 15.1)
3.2.2. Locking the Files
Both the source and destination file may need to be locked to protect
the content during the copy operations. A client can achieve this by
a combination of OPEN and LOCK operations. I.e., either share or
byte range locks might be desired.
3.2.3. Intra-Server Copy
To copy a file on a single server, the client uses a COPY operation.
The server may respond to the copy operation with the final results
of the copy or it may perform the copy asynchronously and deliver the
results using a CB_OFFLOAD operation callback. If the copy is
performed asynchronously, the client may poll the status of the copy
using OFFLOAD_STATUS or cancel the copy using OFFLOAD_ABORT.
A synchronous intra-server copy is shown in Figure 1. In this
example, the NFS server chooses to perform the copy synchronously.
The copy operation is completed, either successfully or
unsuccessfully, before the server replies to the client's request.
The server's reply contains the final result of the operation.
Haynes Expires September 15, 2013 [Page 12]
Internet-Draft NFSv4.2 March 2013
Client Server
+ +
| |
|--- OPEN ---------------------------->| Client opens
|<------------------------------------/| the source file
| |
|--- OPEN ---------------------------->| Client opens
|<------------------------------------/| the destination file
| |
|--- COPY ---------------------------->| Client requests
|<------------------------------------/| a file copy
| |
|--- CLOSE --------------------------->| Client closes
|<------------------------------------/| the destination file
| |
|--- CLOSE --------------------------->| Client closes
|<------------------------------------/| the source file
| |
| |
Figure 1: A synchronous intra-server copy.
An asynchronous intra-server copy is shown in Figure 2. In this
example, the NFS server performs the copy asynchronously. The
server's reply to the copy request indicates that the copy operation
was initiated and the final result will be delivered at a later time.
The server's reply also contains a copy stateid. The client may use
this copy stateid to poll for status information (as shown) or to
cancel the copy using a OFFLOAD_ABORT. When the server completes the
copy, the server performs a callback to the client and reports the
results.
Haynes Expires September 15, 2013 [Page 13]
Internet-Draft NFSv4.2 March 2013
Client Server
+ +
| |
|--- OPEN ---------------------------->| Client opens
|<------------------------------------/| the source file
| |
|--- OPEN ---------------------------->| Client opens
|<------------------------------------/| the destination file
| |
|--- COPY ---------------------------->| Client requests
|<------------------------------------/| a file copy
| |
| |
|--- OFFLOAD_STATUS ------------------>| Client may poll
|<------------------------------------/| for status
| |
| . | Multiple OFFLOAD_STATUS
| . | operations may be sent.
| . |
| |
|<-- CB_OFFLOAD -----------------------| Server reports results
|\------------------------------------>|
| |
|--- CLOSE --------------------------->| Client closes
|<------------------------------------/| the destination file
| |
|--- CLOSE --------------------------->| Client closes
|<------------------------------------/| the source file
| |
| |
Figure 2: An asynchronous intra-server copy.
3.2.4. Inter-Server Copy
A copy may also be performed between two servers. The copy protocol
is designed to accommodate a variety of network topologies. As shown
in Figure 3, the client and servers may be connected by multiple
networks. In particular, the servers may be connected by a
specialized, high speed network (network 192.0.2.0/24 in the diagram)
that does not include the client. The protocol allows the client to
setup the copy between the servers (over network 203.0.113.0/24 in
the diagram) and for the servers to communicate on the high speed
network if they choose to do so.
Haynes Expires September 15, 2013 [Page 14]
Internet-Draft NFSv4.2 March 2013
192.0.2.0/24
+-------------------------------------+
| |
| |
| 192.0.2.18 | 192.0.2.56
+-------+------+ +------+------+
| Source | | Destination |
+-------+------+ +------+------+
| 203.0.113.18 | 203.0.113.56
| |
| |
| 203.0.113.0/24 |
+------------------+------------------+
|
|
| 203.0.113.243
+-----+-----+
| Client |
+-----------+
Figure 3: An example inter-server network topology.
For an inter-server copy, the client notifies the source server that
a file will be copied by the destination server using a COPY_NOTIFY
operation. The client then initiates the copy by sending the COPY
operation to the destination server. The destination server may
perform the copy synchronously or asynchronously.
A synchronous inter-server copy is shown in Figure 4. In this case,
the destination server chooses to perform the copy before responding
to the client's COPY request.
An asynchronous copy is shown in Figure 5. In this case, the
destination server chooses to respond to the client's COPY request
immediately and then perform the copy asynchronously.
Haynes Expires September 15, 2013 [Page 15]
Internet-Draft NFSv4.2 March 2013
Client Source Destination
+ + +
| | |
|--- OPEN --->| | Returns os1
|<------------------/| |
| | |
|--- COPY_NOTIFY --->| |
|<------------------/| |
| | |
|--- OPEN ---------------------------->| Returns os2
|<------------------------------------/|
| | |
|--- COPY ---------------------------->|
| | |
| | |
| |<----- read -----|
| |\--------------->|
| | |
| | . | Multiple reads may
| | . | be necessary
| | . |
| | |
| | |
|<------------------------------------/| Destination replies
| | | to COPY
| | |
|--- CLOSE --------------------------->| Release open state
|<------------------------------------/|
| | |
|--- CLOSE --->| | Release open state
|<------------------/| |
Figure 4: A synchronous inter-server copy.
Client Source Destination
+ + +
| | |
|--- OPEN --->| | Returns os1
|<------------------/| |
| | |
|--- LOCK --->| | Optional, could be done
|<------------------/| | with a share lock
| | |
|--- COPY_NOTIFY --->| | Need to pass in
|<------------------/| | os1 or lock state
| | |
| | |
Haynes Expires September 15, 2013 [Page 16]
Internet-Draft NFSv4.2 March 2013
| | |
|--- OPEN ---------------------------->| Returns os2
|<------------------------------------/|
| | |
|--- LOCK ---------------------------->| Optional ...
|<------------------------------------/|
| | |
|--- COPY ---------------------------->| Need to pass in
|<------------------------------------/| os2 or lock state
| | |
| | |
| |<----- read -----|
| |\--------------->|
| | |
| | . | Multiple reads may
| | . | be necessary
| | . |
| | |
| | |
|--- OFFLOAD_STATUS ------------------>| Client may poll
|<------------------------------------/| for status
| | |
| | . | Multiple OFFLOAD_STATUS
| | . | operations may be sent
| | . |
| | |
| | |
| | |
|<-- CB_OFFLOAD -----------------------| Destination reports
|\------------------------------------>| results
| | |
|--- LOCKU --------------------------->| Only if LOCK was done
|<------------------------------------/|
| | |
|--- CLOSE --------------------------->| Release open state
|<------------------------------------/|
| | |
|--- LOCKU --->| | Only if LOCK was done
|<------------------/| |
| | |
|--- CLOSE --->| | Release open state
|<------------------/| |
| | |
Figure 5: An asynchronous inter-server copy.
Haynes Expires September 15, 2013 [Page 17]
Internet-Draft NFSv4.2 March 2013
3.2.5. Server-to-Server Copy Protocol
The source server and destination server are not required to use a
specific protocol to transfer the file data. The choice of what
protocol to use is ultimately the destination server's decision.
3.2.5.1. Using NFSv4.x as a Server-to-Server Copy Protocol
The destination server MAY use standard NFSv4.x (where x >= 1) to
read the data from the source server. If NFSv4.x is used for the
server-to-server copy protocol, the destination server can use the
filehandle contained in the COPY request with standard NFSv4.x
operations to read data from the source server. Specifically, the
destination server may use the NFSv4.x OPEN operation's CLAIM_FH
facility to open the file being copied and obtain an open stateid.
Using the stateid, the destination server may then use NFSv4.x READ
operations to read the file.
3.2.5.2. Using an alternative Server-to-Server Copy Protocol
In a homogeneous environment, the source and destination servers
might be able to perform the file copy extremely efficiently using
specialized protocols. For example the source and destination
servers might be two nodes sharing a common file system format for
the source and destination file systems. Thus the source and
destination are in an ideal position to efficiently render the image
of the source file to the destination file by replicating the file
system formats at the block level. Another possibility is that the
source and destination might be two nodes sharing a common storage
area network, and thus there is no need to copy any data at all, and
instead ownership of the file and its contents might simply be re-
assigned to the destination. To allow for these possibilities, the
destination server is allowed to use a server-to-server copy protocol
of its choice.
In a heterogeneous environment, using a protocol other than NFSv4.x
(e.g., HTTP [RFC2616] or FTP [RFC0959]) presents some challenges. In
particular, the destination server is presented with the challenge of
accessing the source file given only an NFSv4.x filehandle.
One option for protocols that identify source files with path names
is to use an ASCII hexadecimal representation of the source
filehandle as the file name.
Another option for the source server is to use URLs to direct the
destination server to a specialized service. For example, the
response to COPY_NOTIFY could include the URL
ftp://s1.example.com:9999/_FH/0x12345, where 0x12345 is the ASCII
Haynes Expires September 15, 2013 [Page 18]
Internet-Draft NFSv4.2 March 2013
hexadecimal representation of the source filehandle. When the
destination server receives the source server's URL, it would use
"_FH/0x12345" as the file name to pass to the FTP server listening on
port 9999 of s1.example.com. On port 9999 there would be a special
instance of the FTP service that understands how to convert NFS
filehandles to an open file descriptor (in many operating systems,
this would require a new system call, one which is the inverse of the
makefh() function that the pre-NFSv4 MOUNT service needs).
Authenticating and identifying the destination server to the source
server is also a challenge. Recommendations for how to accomplish
this are given in Section 3.4.1.2.4 and Section 3.4.1.4.
3.3. Requirements for Operations
The implementation of server-side copy is OPTIONAL by the client and
the server. However, in order to successfully copy a file, some
operations MUST be supported by the client and/or server.
If a client desires an intra-server file copy, then it MUST support
the COPY and CB_OFFLOAD operations. If COPY returns a stateid, then
the client MAY use the OFFLOAD_ABORT and OFFLOAD_STATUS operations.
If a client desires an inter-server file copy, then it MUST support
the COPY, COPY_NOTICE, and CB_OFFLOAD operations, and MAY use the
OFFLOAD_REVOKE operation. If COPY returns a stateid, then the client
MAY use the OFFLOAD_ABORT and OFFLOAD_STATUS operations.
If a server supports intra-server copy, then the server MUST support
the COPY operation. If a server's COPY operation returns a stateid,
then the server MUST also support these operations: CB_OFFLOAD,
OFFLOAD_ABORT, and OFFLOAD_STATUS.
If a source server supports inter-server copy, then the source server
MUST support all these operations: COPY_NOTIFY and OFFLOAD_REVOKE.
If a destination server supports inter-server copy, then the
destination server MUST support the COPY operation. If a destination
server's COPY operation returns a stateid, then the destination
server MUST also support these operations: CB_OFFLOAD, OFFLOAD_ABORT,
COPY_NOTIFY, OFFLOAD_REVOKE, and OFFLOAD_STATUS.
Each operation is performed in the context of the user identified by
the ONC RPC credential of its containing COMPOUND or CB_COMPOUND
request. For example, a OFFLOAD_ABORT operation issued by a given
user indicates that a specified COPY operation initiated by the same
user be canceled. Therefore a OFFLOAD_ABORT MUST NOT interfere with
a copy of the same file initiated by another user.
Haynes Expires September 15, 2013 [Page 19]
Internet-Draft NFSv4.2 March 2013
An NFS server MAY allow an administrative user to monitor or cancel
copy operations using an implementation specific interface.
3.3.1. netloc4 - Network Locations
The server-side copy operations specify network locations using the
netloc4 data type shown below:
enum netloc_type4 {
NL4_NAME = 0,
NL4_URL = 1,
NL4_NETADDR = 2
};
union netloc4 switch (netloc_type4 nl_type) {
case NL4_NAME: utf8str_cis nl_name;
case NL4_URL: utf8str_cis nl_url;
case NL4_NETADDR: netaddr4 nl_addr;
};
If the netloc4 is of type NL4_NAME, the nl_name field MUST be
specified as a UTF-8 string. The nl_name is expected to be resolved
to a network address via DNS, LDAP, NIS, /etc/hosts, or some other
means. If the netloc4 is of type NL4_URL, a server URL [RFC3986]
appropriate for the server-to-server copy operation is specified as a
UTF-8 string. If the netloc4 is of type NL4_NETADDR, the nl_addr
field MUST contain a valid netaddr4 as defined in Section 3.3.9 of
[RFC5661].
When netloc4 values are used for an inter-server copy as shown in
Figure 3, their values may be evaluated on the source server,
destination server, and client. The network environment in which
these systems operate should be configured so that the netloc4 values
are interpreted as intended on each system.
3.3.2. Copy Offload Stateids
A server may perform a copy offload operation asynchronously. An
asynchronous copy is tracked using a copy offload stateid. Copy
offload stateids are included in the COPY, OFFLOAD_ABORT,
OFFLOAD_STATUS, and CB_OFFLOAD operations.
Section 8.2.4 of [RFC5661] specifies that stateids are valid until
either (A) the client or server restart or (B) the client returns the
resource.
A copy offload stateid will be valid until either (A) the client or
server restarts or (B) the client returns the resource by issuing a
OFFLOAD_ABORT operation or the client replies to a CB_OFFLOAD
Haynes Expires September 15, 2013 [Page 20]
Internet-Draft NFSv4.2 March 2013
operation.
A copy offload stateid" extension
requires the key schedule processing to include both the external PSK
and the (EC)DHE shared secret value.
If the client and the server have different values associated with
the selected external PSK identifier, then the client and the server
will compute different values for every entry in the key schedule,
which will lead to the client aborting the handshake with a
"decrypt_error" alert.
6. IANA Considerations
IANA is requested to update the TLS ExtensionType Registry to include
"tls_cert_with_extern_psk" with a value of TBD and the list of
messages "CH, SH" in which the "tls_cert_with_extern_psk" extension
may appear.
7. Security Considerations
The Security Considerations in [RFC8446] remain relevant.
TLS 1.3 [RFC8446] does not permit the server to send a
CertificateRequest message when a PSK is being used. This
Housley Expires May 20, 2020 [Page 7]
Internet-Draft Certificate with External PSK November 2019
restriction is removed when the "tls_cert_with_extern_psk" extension
is offered by the client and accepted by the server. However, TLS
1.3 does not permit an external PSK to be used in the same fashion as
a resumption PSK, and this extension does not alter those
restrictions. Thus, a certificate MUST NOT be used with a resumption
PSK.
Implementations must protect the external pre-shared key (PSK).
Compromise of the external PSK will make the encrypted session
content vulnerable to the future development of a large-scale quantum
computer.
Implementers should not transmit the same content on a connection
that is protected with an external PSK and a connection that is not.
Doing so may allow an eavesdropper to correlate the connections,
making the content vulnerable to the future invention of a large-
scale quantum computer.
Implementations must generate external PSKs with a secure key
management technique, such as pseudo-random generation of the key or
derivation of the key from one or more other secure keys. The use of
inadequate pseudo-random number generators (PRNGs) to generate
external PSKs can result in little or no security. An attacker may
find it much easier to reproduce the PRNG environment that produced
the external PSKs and searching the resulting small set of
possibilities, rather than brute force searching the whole key space.
The generation of quality random numbers is difficult. [RFC4086]
offers important guidance in this area.
If the external PSK is known to any party other than the client and
the server, then the external PSK MUST NOT be the sole basis for
authentication. The reasoning is explained in [K2016] (see
Section 4.2). When this extension is used, authentication is based
on certificates, not the external PSK.
In this extension, the external PSK preserves secrecy if the (EC)DH
key agreement is ever broken by cryptanalysis or the future invention
of a large-scale quantum computer. As long as the attacker does not
know the PSK and the key derivation algorithm remains unbroken, the
attacker cannot derive the session secrets even if they are able to
compute the (EC)DH shared secret.
TLS 1.3 key derivation makes use of the HKDF algorithm, which depends
upon the HMAC construction and a hash function. This extension
provides the desired protection for the session secrets as long as
HMAC with the selected hash function is a pseudorandom function (PRF)
[GGM1986].
Housley Expires May 20, 2020 [Page 8]
Internet-Draft Certificate with External PSK November 2019
In the future, if the (EC)DH key agreement is broken by cryptanalysis
or the invention of a large-scale quantum computer, the forward
secrecy advantages traditionally associated with ephemeral (EC)DH
keys will no longer be relevant. Although the ephemeral private keys
used during a given TLS session would be destroyed at the end of a
session, preventing the attacker from later accessing them, the
private keys would nevertheless be recoverable due to the break in
the algorithm. A more general notion of "secrecy after key material
is destroyed" would still be achievable using external PSKs, of
course, provided that they are managed in a way that ensures their
destruction when they are no longer needed, and with the assumption
that the algorithms that use the external PSKs remain quantum-safe.
This specification does not require that external PSK is known only
by the client and server. The external PSK may be known to a group.
Since authentication depends on the public key in a certificate,
knowledge of the external PSK by other parties does not enable
impersonation. Since confidentiality depends on the shared secret
from (EC)DH, knowledge of the external PSK by other parties does not
enable eavesdropping. However, group members can record the traffic
of other members, and then decrypt it if they ever gain access to a
large-scale quantum computer. Also, when many parties know the
external PSK, there are many opportunities for theft of the external
PSK by an attacker. Once an attacker has the external PSK, they can
decrypt stored traffic if they ever gain access to a large-scale
quantum computer in the same manner as a legitimate group member.
TLS 1.3 [RFC8446] takes a conservative approach to PSKs; they are
bound to a specific hash function and KDF. By contrast, TLS 1.2
[RFC5246] allows PSKs to be used with any hash function and the TLS
1.2 PRF. Thus, the safest approach is to use a PSK exclusively with
TLS 1.2 or exclusively with TLS 1.3. Given one PSK, one can derive a
PSK for exclusive use with TLS 1.2 and derive another PSK for
exclusive use with TLS 1.3 using the mechanism specified in
[I-D.ietf-tls-external-psk-importer].
TLS 1.3 [RFC8446] has received careful security analysis, and some
informal reasoning shows that the addition of this extension does not
introduce any security defects. This extension requires the use of
certificates for authentication, but the processing of certificates
is unchanged by this extension. This extension places an external
PSK in the key schedule as part of the computation of the Early
Secret. In the initial handshake without this extension, the Early
Secret is computed as:
Early Secret = HKDF-Extract(0, 0)
With this extension, the Early Secret is computed as:
Housley Expires May 20, 2020 [Page 9]
Internet-Draft Certificate with External PSK November 2019
Early Secret = HKDF-Extract(External PSK, 0)
Any entropy contributed by the external PSK can only make the Early
Secret better; the External PSK cannot make it worse. For these two
reasons, TLS 1.3 continues to meet its security goals when this
extension is used.
8. Privacy Considerations
Appendix E.6 of [RFC8446] discusses identity exposure attacks on
PSKs. The guidance in this section remains relevant.
This extension makes use of external PSKs to improve resilience
against attackers that gain access to a large-scale quantum computer
in the future. This extension is always accompanied by the
"pre_shared_key" extension to provide the PSK identities in plaintext
in the ClientHello message. Passive observation of the these PSK
identities will aid an attacker to track users of this extension.
9. Acknowledgments
Many thanks to Liliya Akhmetzyanova, Christian Huitema, Ben Kaduk,
Geoffrey Keating, Hugo Krawczyk, Nikos Mavrogiannopoulos, Nick
Sullivan, Martin Thomson, and Peter Yee for their review and
comments; their efforts have improved this document.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
10.2. Informative References
[DH1977] Diffie, W. and M. Hellman, "New Directions in
Cryptography", IEEE Transactions on Information
Theory V.IT-22 n.6, June 1977.
Housley Expires May 20, 2020 [Page 10]
Internet-Draft Certificate with External PSK November 2019
[FIPS186] National Institute of Standards and Technology, "Digital
Signature Standard (DSS)", Federal Information Processing
Standards Publication (FIPS PUB) 186-4, July 2013.
[GGM1986] Goldreich, O., Goldwasser, S., and S. Micali, "How to
construct random functions", J. ACM 1986 (33), pp.
792-807, 1986.
[I-D.hoffman-c2pq]
Hoffman, P., "The Transition from Classical to Post-
Quantum Cryptography", draft-hoffman-c2pq-05 (work in
progress), May 2019.
[I-D.ietf-tls-external-psk-importer]
Benjamin, D. and C. Wood, "Importing External PSKs for
TLS", draft-ietf-tls-external-psk-importer-01 (work in
progress), October 2019.
[IEEE1363]
Institute of Electrical and Electronics Engineers, "IEEE
Standard Specifications for Public-Key Cryptography", IEEE
Std 1363-2000, 2000.
[K2016] Krawczyk, H., "A Unilateral-to-Mutual Authentication
Compiler for Key Exchange (with Applications to Client
Authentication in TLS 1.3)", IACR ePrint 2016/711, August
2016.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/info/rfc8017>.
Housley Expires May 20, 2020 [Page 11]
Internet-Draft Certificate with External PSK November 2019#x27;s seqid MUST NOT be 0. In the context of a
copy offload operation, it is ambiguous to indicate the most recent
copy offload operation using a stateid with seqid of 0. Therefore a
copy offload stateid with seqid of 0 MUST be considered invalid.
3.4. Security Considerations
The security considerations pertaining to NFSv4
[I-D.ietf-nfsv4-rfc3530bis] apply to this chapter.
The standard security mechanisms provide by NFSv4
[I-D.ietf-nfsv4-rfc3530bis] may be used to secure the protocol
described in this chapter.
NFSv4 clients and servers supporting the inter-server copy operations
described in this chapter are REQUIRED to implement [rpcsecgssv3],
including the RPCSEC_GSSv3 privileges copy_from_auth and
copy_to_auth. If the server-to-server copy protocol is ONC RPC
based, the servers are also REQUIRED to implement the RPCSEC_GSSv3
privilege copy_confirm_auth. These requirements to implement are not
requirements to use. NFSv4 clients and servers are RECOMMENDED to
use [rpcsecgssv3] to secure server-side copy operations.
3.4.1. Inter-Server Copy Security
3.4.1.1. Requirements for Secure Inter-Server Copy
Inter-server copy is driven by several requirements:
o The specification MUST NOT mandate an inter-server copy protocol.
There are many ways to copy data. Some will be more optimal than
others depending on the identities of the source server and
destination server. For example the source and destination
servers might be two nodes sharing a common file system format for
the source and destination file systems. Thus the source and
destination are in an ideal position to efficiently render the
image of the source file to the destination file by replicating
the file system formats at the block level. In other cases, the
source and destination might be two nodes sharing a common storage
area network, and thus there is no need to copy any data at all,
and instead ownership of the file and its contents simply gets re-
assigned to the destination.
o The specification MUST provide guidance for using NFSv4.x as a
copy protocol. For those source and destination servers willing
to use NFSv4.x there are specific security considerations that
Haynes Expires September 15, 2013 [Page 21]
Internet-Draft NFSv4.2 March 2013
this specification can and does address.
o The specification MUST NOT mandate pre-configuration between the
source and destination server. Requiring that the source and
destination first have a "copying relationship" increases the
administrative burden. However the specification MUST NOT
preclude implementations that require pre-configuration.
o The specification MUST NOT mandate a trust relationship between
the source and destination server. The NFSv4 security model
requires mutual authentication between a principal on an NFS
client and a principal on an NFS server. This model MUST continue
with the introduction of COPY.
3.4.1.2. Inter-Server Copy with RPCSEC_GSSv3
When the client sends a COPY_NOTIFY to the source server to expect
the destination to attempt to copy data from the source server, it is
expected that this copy is being done on behalf of the principal
(called the "user principal") that sent the RPC request that encloses
the COMPOUND procedure that contains the COPY_NOTIFY operation. The
user principal is identified by the RPC credentials. A mechanism
that allows the user principal to authorize the destination server to
perform the copy in a manner that lets the source server properly
authenticate the destination's copy, and without allowing the
destination to exceed its authorization is necessary.
An approach that sends delegated credentials of the client's user
principal to the destination server is not used for the following
reasons. If the client's user delegated its credentials, the
destination would authenticate as the user principal. If the
destination were using the NFSv4 protocol to perform the copy, then
the source server would authenticate the destination server as the
user principal, and the file copy would securely proceed. However,
this approach would allow the destination server to copy other files.
The user principal would have to trust the destination server to not
do so. This is counter to the requirements, and therefore is not
considered. Instead an approach using RPCSEC_GSSv3 [rpcsecgssv3]
privileges is proposed.
One of the stated applications of the proposed RPCSEC_GSSv3 protocol
is compound client host and user authentication [+ privilege
assertion]. For inter-server file copy, we require compound NFS
server host and user authentication [+ privilege assertion]. The
distinction between the two is one without meaning.
RPCSEC_GSSv3 introduces the notion of privileges. We define three
privileges:
Haynes Expires September 15, 2013 [Page 22]
Internet-Draft NFSv4.2 March 2013
copy_from_auth: A user principal is authorizing a source principal
("nfs@<source>") to allow a destination principal ("nfs@
<destination>") to copy a file from the source to the destination.
This privilege is established on the source server before the user
principal sends a COPY_NOTIFY operation to the source server.
struct copy_from_auth_priv {
secret4 cfap_shared_secret;
netloc4 cfap_destination;
/* the NFSv4 user name that the user principal maps to */
utf8str_mixed cfap_username;
/* equal to seq_num of rpc_gss_cred_vers_3_t */
unsigned int cfap_seq_num;
};
cfp_shared_secret is a secret value the user principal generates.
copy_to_auth: A user principal is authorizing a destination
principal ("nfs@<destination>") to allow it to copy a file from
the source to the destination. This privilege is established on
the destination server before the user principal sends a COPY
operation to the destination server.
struct copy_to_auth_priv {
/* equal to cfap_shared_secret */
secret4 ctap_shared_secret;
netloc4 ctap_source;
/* the NFSv4 user name that the user principal maps to */
utf8str_mixed ctap_username;
/* equal to seq_num of rpc_gss_cred_vers_3_t */
unsigned int ctap_seq_num;
};
ctap_shared_secret is a secret value the user principal generated
and was used to establish the copy_from_auth privilege with the
source principal.
copy_confirm_auth: A destination principal is confirming with the
source principal that it is authorized to copy data from the
source on behalf of the user principal. When the inter-server
copy protocol is NFSv4, or for that matter, any protocol capable
of being secured via RPCSEC_GSSv3 (i.e., any ONC RPC protocol),
this privilege is established before the file is copied from the
source to the destination.
Haynes Expires September 15, 2013 [Page 23]
Internet-Draft NFSv4.2 March 2013
struct copy_confirm_auth_priv {
/* equal to GSS_GetMIC() of cfap_shared_secret */
opaque ccap_shared_secret_mic<>;
/* the NFSv4 user name that the user principal maps to */
utf8str_mixed ccap_username;
/* equal to seq_num of rpc_gss_cred_vers_3_t */
unsigned int ccap_seq_num;
};
3.4.1.2.1. Establishing a Security Context
When the user principal wants to COPY a file between two servers, if
it has not established copy_from_auth and copy_to_auth privileges on
the servers, it establishes them:
o The user principal generates a secret it will share with the two
servers. This shared secret will be placed in the
cfap_shared_secret and ctap_shared_secret fields of the
appropriate privilege data types, copy_from_auth_priv and
copy_to_auth_priv.
o An instance of copy_from_auth_priv is filled in with the shared
secret, the destination server, and the NFSv4 user id of the user
principal. It will be sent with an RPCSEC_GSS3_CREATE procedure,
and so cfap_seq_num is set to the seq_num of the credential of the
RPCSEC_GSS3_CREATE procedure. Because cfap_shared_secret is a
secret, after XDR encoding copy_from_auth_priv, GSS_Wrap() (with
privacy) is invoked on copy_from_auth_priv. The
RPCSEC_GSS3_CREATE procedure's arguments are:
struct {
rpc_gss3_gss_binding *compound_binding;
rpc_gss3_chan_binding *chan_binding_mic;
rpc_gss3_assertion assertions<>;
rpc_gss3_extension extensions<>;
} rpc_gss3_create_args;
The string "copy_from_auth" is placed in assertions[0].privs. The
output of GSS_Wrap() is placed in extensions[0].data. The field
extensions[0].critical is set to TRUE. The source server calls
GSS_Unwrap() on the privilege, and verifies that the seq_num
matches the credential. It then verifies that the NFSv4 user id
being asserted matches the source server's mapping of the user
principal. If it does, the privilege is established on the source
server as: <"copy_from_auth", user id, destination>. The
successful reply to RPCSEC_GSS3_CREATE has:
Haynes Expires September 15, 2013 [Page 24]
Internet-Draft NFSv4.2 March 2013
struct {
opaque handle<>;
rpc_gss3_chan_binding *chan_binding_mic;
rpc_gss3_assertion granted_assertions<>;
rpc_gss3_assertion server_assertions<>;
rpc_gss3_extension extensions<>;
} rpc_gss3_create_res;
The field "handle" is the RPCSEC_GSSv3 handle that the client will
use on COPY_NOTIFY requests involving the source and destination
server. granted_assertions[0].privs will be equal to
"copy_from_auth". The server will return a GSS_Wrap() of
copy_to_auth_priv.
o An instance of copy_to_auth_priv is filled in with the shared
secret, the source server, and the NFSv4 user id. It will be sent
with an RPCSEC_GSS3_CREATE procedure, and so ctap_seq_num is set
to the seq_num of the credential of the RPCSEC_GSS3_CREATE
procedure. Because ctap_shared_secret is a secret, after XDR
encoding copy_to_auth_priv, GSS_Wrap() is invoked on
copy_to_auth_priv. The RPCSEC_GSS3_CREATE procedure's arguments
are:
struct {
rpc_gss3_gss_binding *compound_binding;
rpc_gss3_chan_binding *chan_binding_mic;
rpc_gss3_assertion assertions<>;
rpc_gss3_extension extensions<>;
} rpc_gss3_create_args;
The string "copy_to_auth" is placed in assertions[0].privs. The
output of GSS_Wrap() is placed in extensions[0].data. The field
extensions[0].critical is set to TRUE. After unwrapping,
verifying the seq_num, and the user principal to NFSv4 user ID
mapping, the destination establishes a privilege of
<"copy_to_auth", user id, source>. The successful reply to
RPCSEC_GSS3_CREATE has:
struct {
opaque handle<>;
rpc_gss3_chan_binding *chan_binding_mic;
rpc_gss3_assertion granted_assertions<>;
rpc_gss3_assertion server_assertions<>;
rpc_gss3_extension extensions<>;
Haynes Expires September 15, 2013 [Page 25]
Internet-Draft NFSv4.2 March 2013
} rpc_gss3_create_res;
The field "handle" is the RPCSEC_GSSv3 handle that the client will
use on COPY requests involving the source and destination server.
The field granted_assertions[0].privs will be equal to
"copy_to_auth". The server will return a GSS_Wrap() of
copy_to_auth_priv.
3.4.1.2.2. Starting a Secure Inter-Server Copy
When the client sends a COPY_NOTIFY request to the source server, it
uses the privileged "copy_from_auth" RPCSEC_GSSv3 handle.
cna_destination_server in COPY_NOTIFY MUST be the same as the name of
the destination server specified in copy_from_auth_priv. Otherwise,
COPY_NOTIFY will fail with NFS4ERR_ACCESS. The source server
verifies that the privilege <"copy_from_auth", user id, destination>
exists, and annotates it with the source filehandle, if the user
principal has read access to the source file, and if administrative
policies give the user principal and the NFS client read access to
the source file (i.e., if the ACCESS operation would grant read
access). Otherwise, COPY_NOTIFY will fail with NFS4ERR_ACCESS.
When the client sends a COPY request to the destination server, it
uses the privileged "copy_to_auth" RPCSEC_GSSv3 handle.
ca_source_server in COPY MUST be the same as the name of the source
server specified in copy_to_auth_priv. Otherwise, COPY will fail
with NFS4ERR_ACCESS. The destination server verifies that the
privilege <"copy_to_auth&
Author's Address
Russ Housley
Vigil Security, LLC
516 Dranesville Road
Herndon, VA 20170
USA
Email: housley@vigilsec.com
Housley Expires May 20, 2020 [Page 12]