Last Call Review of draft-ietf-nfsv4-scsi-layout-06
review-ietf-nfsv4-scsi-layout-06-secdir-lc-kent-2016-08-04-00
| Request | Review of | draft-ietf-nfsv4-scsi-layout |
|---|---|---|
| Requested rev. | no specific revision (document currently at 10) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2016-07-12 | |
| Requested | 2016-06-30 | |
| Authors | Christoph Hellwig | |
| Draft last updated | 2016-08-04 | |
| Completed reviews |
Genart Last Call review of -06 by Joel Halpern
(diff)
Secdir Last Call review of -06 by Stephen Kent (diff) Opsdir Last Call review of -05 by Victor Kuarsingh (diff) |
|
| Assignment | Reviewer | Stephen Kent |
| State | Completed | |
| Review | review-ietf-nfsv4-scsi-layout-06-secdir-lc-kent-2016-08-04 | |
| Reviewed rev. | 06 (document currently at 10) | |
| Review result | Ready | |
| Review completed: | 2016-08-04 |
Review
review-ietf-nfsv4-scsi-layout-06-secdir-lc-kent-2016-08-04
I
reviewed this document as part of the security
directorate's ongoing effort to review all IETF documents
being processed by
the IESG.
These
comments were written
with the intent of improving security requirements and
considerations in IETF
drafts.
Comments not
addressed in last
call may be included in AD reviews during the IESG review.
Document editors and WG
chairs should treat
these comments just like any other last call comments.
This
document the SCSI
layout for Parallel NFS (RFC 5663). It appears to update that
RFC (see the last
paragraph on page 3), although the header does not indicate
this.
In section
1 the text
refers to a SCSI device “signature” but does not define this
term.
Section 2.1
describes the
security responsibilities for clients, and notes that the
Security
Considerations section (4) provides an expanded discussion.
The bottom line is
that SCSI layout pNFS is not recommended for use in contexts
where clients
cannot be trusted to enforce file access controls.
I did not
review later
parts of Section 2.
Section 3
reiterates the
fact that SCSI layout pNFS relies on clients to enforce access
controls and
locks at a granularity finer than a device. For example, the
architecture
relies on client software to not try to access blocks on a
device other than
those to which the metadata server has granted access.
Sections
3.1 and 3.2
provide additional descriptions of the security assumptions
and limitations
associated with SCSI layout pNFS.
The
Security Considerations
section consists of
two paragraphs. The first reminds the reader that NFS security
mechanisms may
not be available in the SCSI layout pNFS context, because it
operates at a
lower layer than NFS. This mode of operation for pNFS may be
insecure, or may
be afforded good security, depending on the underlying access
protocols. iSCSI
(RFC 7143) is cited as an example of the latter.
The second paragraph
reiterates the warnings
that appeared earlier in the document, noting that this mode
of pNFS is not
suitable for all environments.
I think the
discussions of
security provided by this I-D are appropriate and clearly
written.