NFSv4 D. Noveck
Internet-Draft NetApp
Intended status: Informational June 18, 2020
Expires: December 20, 2020

Security Needs for the NFSv4 Protocols
draft-dnoveck-nfsv4-security-needs-00

Abstract

This document discusses the existing inadequacies in the handling of security issues within the NFSv4 protocols and the steps that might be taken to correct the situation, including the preparation of new standards-track documents updating existing ones. Because the security approach has been and should remain the same for all minor versions, it is expected that security for all the NFSv4 protocols will be addressed together in a single NFSv4-wide standards-track document.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on December 20, 2020.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

This document will discuss the changes that need to be made in the security facilities to be used with NFSv4. These changes are made necessary by the fact that the original goal for NFSv4, that of enabling secure use on the internet has not been effectively realized and because the current approach to security does not address current needs for secure operation in many environments. This document is intended to serve as a resource for the working group, as it creates new standards-track documents to address the security issues that exist within NFSv4. These potential documents are listed and the likely process of producing them is discussed in Section 9.

Needed changes are expected to involve use of new transport-level security facilities provided within the RPC layer (See Section 7). These will involve the encryption of NFSv4 traffic and the potential use of client host authentication to improve security when AUTH_SYS is used, replacing the security approach specified in [RFC7530] and [RFC5661]. For a discussion of issues connected to shifting the security approach for existing protocols, see Section 4.2.

Although most use of NFSv4 is not within the internet, but in more restricted local area network environments, it appears that NFSv4 security, as actually used, needs updating to provide security appropriate to the current needs of these environments as well. Although restricting physical access to the network on which the client and server interact can result in limiting access to users associated with a particular organization, this step does not eliminate the need for protocol support for secure operation. The specific environments and the corresponding security needs are discussed in Section 4.1.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Requirements Language Usage in this Document

Because this is an informational document, it will generally not make normative statements including the keywords discussed in Section 2. However, in discussing the existing treatment of security in the NFSv4 protocols, there will be occasions in which we include quotations (most often direct but sometimes indirect) from existing standards-track documents that use these keywords. In such cases, the definitions within BCP 14 [RFC2119] [RFC8174] are to be adhered to when the terms appear in all-capitals.

In addition, we will often use these terms in exploring possible changes that might be made in possible future standards-track documents dealing with NFSv4 and RPC security. While these terms do not have a normative effect in this context, the meaning of these terms remains the same. These statements will differ from and may contradict corresponding existing normative statements for one or more of the following reasons:

Any such changes in the set of normative statements applying to implementations of a particular NFSv4 minor version require special care to avoid creating later difficulties. Problems might arise because:

4. Situation to be Addressed

4.1. NFSv4 Use Environments to be Addressed

We will consider a range of network environments and how the type of environment affects the need for the features being introduced to provide for secure operation.

  1. Within a data center local area network, there may well be sufficient administrative controls over the software running on machines with physical access to the network as to make additional security features within NFS unnecessary.

    If such a network is physically isolated or has all access to it controlled using an appropriately configured firewall, it may be acceptable, from a security point of view, to use AUTH_SYS without client host authentication, and without encryption, assuming all attackers have been excluded from access.

    Although such networks typically do have firewalls, they are generally configured to allow significant access, including NFSv4 access, to traffic originating outside the data center, although not outside the owning organization. In such cases, we effectively have a within-organization network, dealt with in item 2 below.
  2. Within a network devoted to a single organization or a single site within an organization. Such networks often have associated firewalls configured to exclude access from outside the organization, and restrict it inside the organization.

    It had until recently been assumed that, by excluding access to those outside the organization, it could be assumed that attackers would also be excluded. However, this approach ignores the possibility of insider threats. Since we feel these threats cannot be ignored, the security of NFSv4 needs to be upgraded to prevent attacks by insiders, making the security needs in this case more like those on the internet.
  3. Use on the internet is the most challenging. While secure use on the internet was a goal of NFSv4 and steps were taken to achieve that goal, the approach required a number of steps, including a significant performance penalty and a significantly different approach to systems administration. Given that those administering such systems were unwilling to adapt in this way, we now need to meet the goal of secure use on the internet in a new way.

    Secure use on the internet requires not only protection of user data in-flight from unauthorized disclosure or modification, as in case 2 above, but also effort to deal with the possibility of extensive external monitoring and denial-of-service attacks.
  4. Use of NFSv4 to access data located in the cloud poses many of issues discussed in item 3 above. However, in general, the cloud service provider is responsible for protecting multiple tenants from one another, often involving use of tenant-specific credentials. If the distribution of such credentials is quite tightly limited, we can have a situation like that in item 1. However, if those credentials are available to a larger group, then the situation become like that in item 2, with insider threats being a point of concern.
  5. The use of NFSv4 within cloud-located data centers presents different issues. If access to the NFSv4 service is suitably restricted, the situation is quite close to that described in case 1, with the physical location of the data center irrelevant. However, if there means of external access that are not tightly restricted, the situation becomes like that of case 2 above, with the possibility of insider threats requiring a security model with many similarities to that needed for the environments described in item 3.

As will be discussed below, NFSv4 security, as currently defined, has significant security issues in many of the above environments, although not in all. No special provisions will be made for the more restricted environments, except where necessary to avoid incompatibilities when interacting with existing implementations.

By focusing on a single set of requirements for all of these environments, there will necessarily be occasions in which some security-related work is required that is not, strictly speaking, needed for the particular environment in which it is used. However, we have endeavored to keep the required effort small, eliminating requirements for major administrative changes or compute-intensive additions to the processing path.

4.2. Emergence and Correction of Security Issues

The fact that serious security issues exist in many of the environment discussed above has made it necessary to consider taking the drastic step of modifying security-related recommendations for existing protocols. This situation seems to call for an explanation and we will attempt to provide one.

One possible form this might take would be to explain why [RFC7530] and [RFC5661] made erroneous choices, with accompanying commentary explaining the choices that should have been made instead.

Such an explanation does not appear to be possible, since it would not have been possible for the authors and approvers of these documents to reach the conclusions we have adopted without an implausible level of foresight on their part. This is so even though we would not adopt the choices made in [RFC7530] and [RFC5661] today. Knowing what was known then, we might well have made the same choices, although it is hard not to fault the lack of attention, in the relevant documents, to the security consequences of the decisions made.

Although we will call attention in sections below to things which might have been done differently, this does indicate that we believe that the authors and approvers of these documents, could have arrived at conclusions similar to the ones we expect to choose now. Our choices are so different from the ones made previously because they take into account the needs of NFSv4 today and take advantage of security facilities not available earlier.

In order to better understand this divergence, we have to look at the history of NFS and take note of the context in which assumptions were established with regard to security or changes in security guidance occurred. In understanding this history and the choices of RFC2119-defined keywords, the constraints on the working group need to be understood, as described in Section 6.2

With the above history in mind, we will look at why NFSv4 security needs are different today and take advantage of some options that were not available on earlier occasions in which NFSv4 security decisions were made.

These options have been made available by the work at the RPC layer described in Section 7 while the specifics of having NFSv4 take advantage of these options are described in Section 8.

Providing a new security approach for multiple existing protocols is potentially disruptive and due care will need to be taken to avoid damaging implementation incompatibilities. However, as will be discussed below, the existing situation, in which serious security inadequacies need to be addressed, requires that significant changes be made. It is our expectation that the situation will be resolved by the eventual publication of a Standards-track document updating [RFC7530] and [RFC5661] and much of this document will concern itself with determining how the needed changes can resolve existing security issues without undue disruption.

5. Major Problems to Address

The problems to be addressed concern the way that security information has been conveyed in earlier specifications (discussed in Section 5.1) as well as two sets of substantive security weaknesses discussed in Sections 5.2 and 5.3.

Although the inadequacies in the presentation of security issues have contributed to prolongation of the substantive weaknesses and will be discussed in the latter two sections, there is no reason to believe that correction of the presentation problems, will, by itself, improve the security situation, since the substantive problems still need to be addressed. Nevertheless, correction of the presentation issues is necessary so that the proposed solutions to the substantive security issues receive the proper attention and analysis, both now in connection with the changes to be proposed, and also going forward, as needs change.

5.1. Problems with Security Presentation/Organization

While attention has previously focused on the deficiencies of the Security Considerations sections (e.g. Lack of a threat analysis), this is not the only presentation issue that needs to be addressed.

Problems with the overall presentation of NFSv4 security, particularly the discussion of the security architecture will be dealt with in Section 5.1.1.

Problems with the evaluation of NFSv4 security including the lack of a threat analysis and the contents of the Security considerations sections will be dealt with in Section 5.1.2.

5.1.1. Problems with Presentation of Security Architecture

The presentation of the NFSv4 security architecture (for both minor versions) focuses on the work done to make RPCSEC_GSS usable in view of the basic architectural decisions made in going from NFSv3 to NFSv4. These include the use of NFS4ERR_WRONGSEC and SECINFO to allow the server namespace to be carved into regions with the use of particular security flavors and services (associated with particular quality-of- protection values) required in each one.

Unfortunately, features added later in the NFSv4.0 development cycle were not integrated into the description of the security architecture. A list of such noteworthy features follows.

Another consequence of the approach taken to writing Security Considerations sections has been that these sections may have not appropriately highlighted the security implications of new features being added to the protocols.

As we have seen, the description of the security architecture of NFSv4 is quite limited and a new security document will have some gaps to fill.

5.1.2. Problems with Security Evaluation

The principal difficulty in the overall approach to security taken in the Security Considerations section of [RFC7530] and [RFC5661] concerns the absence of a threat analysis within these documents. The absence of such an analysis has meant that:

5.2. Problems with treatment of AUTH_SYS

While [RFC3530], [RFC7530], and [RFC5661] provide for the MANDATORY implementation of RPCSEC_GSS, they do not require its use, allowing an opportunity for unauthenticated requests to be issued by attackers targeting the many NFSv4 servers in which RPCSEC_GSS is not the only form of authentication provided, which appears to be the vast majority in operation.

Although there are a number of nominal authentication flavors that allow unauthenticated requests to be presented in circumstances in which they will typically be executed by the server, AUTH_SYS is of greatest importance for a number of reasons:

The common use of AUTH_SYS, which has continued until now, arose from the early history of NFS and its development, as part of the RPC authentication function, together with NFSv2 [RFC1094] and NFSv3 [RFC1813]. That approach, in which security was made the responsibility of large multi-user clients trusted by the servers, might have made sense when it was developed, but, as things changed, became less relevant to NFSv4 security needs.

In the shift to NFSv4, RPCSEC_GSS was added on a mandatory-to-implement basis, while AUTH_SYS was left in place as an alternative without any effective consideration of the corresponding consequences for security.

A number of common practices which servers have typically used in determining whether AUTH_SYS requests would be accepted are mentioned in associated standards-track documents (i.e. in [RFC5531], [RFC7530], RFC5661 [RFC5661]) often without clear discussion of their obvious security weaknesses.

As a result of the lack of attention to AUTH_SYS, there is no standards-track description of its implementation in connection with NFSv4. Nevertheless, the following practices seem to have been adhered to in providing whatever security does exist.

As can be seen from the above, important elements of AUTH_SYS implementations are not specified within current standards-track documents in sufficient detail that interoperable implementations could be developed using these documents or subjected to a threat analysis, even if one were to be attempted.

The Security Considerations section of [RFC5531] states that AUTH_SYS is "known to be insecure" and further states "AUTH_SYS SHOULD NOT be used for services that permit clients to modify data. Nevertheless, AUTH_SYS has been commonly used by NFSv4 clients modifying data since NFSv4 was first implemented, while the consequences for security have never been addressed.

Given the security difficulties that use of AUTH_SYS gives rise to, we face a choice between two alternatives:

Although both of these alternatives should be considered, there is reason to believe that the first of these is not feasible, for reasons similar to those that have prevented such a step being attempted earlier, either as part of the transition to NFSv4 or to NFSv4.1. The use of AUTH_SYS has continued despite the fact that alternatives were made available, and there is no reason to expect that the use of the words "SHOULD NOT" or "MUST NOT" would prevent implementers from continuing to support it, or administrators depending on such support, despite the negative effect on the security of NFSv4 implementations

Because of the current predominant role of AUTH_SYS in existing NFSv4 implementations, providing better security while remaining within the AUTH_SYS framework will also be difficult because of the issues discussed in Section 6.2. Nevertheless, we feel it needs to be attempted, as a new security framework cannot address AUTH_SYS without clearly discussing its security weaknesses. Once that is done, we need to take advantage of the ability to effect client host authentication provided by [I-D.ietf-nfsv4-rpc-tls] to provide a modicum of security while allowing administrators to delegate credential checking to trusted clients as they are now accustomed to doing.

While this approach is far from ideal, in that it requires a trust relationship between client and servers, adopting it provides a reasonable approach to support NFSv4 in the near-term while allowing development of a better alternative (e.g. a new authentication flavor) to proceed in parallel. With regard to our immediate need for better NFSv4 security, the obvious alternatives might not be realizable:

Despite this summary of the author's views on this matter, this question is ultimately a matter for working group decision. For a further discussion of related issues, see Section 8.4.3. Although the rest of this document is written assuming that the author's choice will be selected, Section 8.4.3 explains the changes to the eventual standards-track document that would be required if different choices were to be made.

5.3. Problems with Confidentiality

Confidentiality is currently provided within NFSv4 by the use of RPCSEC_GSS, with the server charged with enforcing any administrator-specified needs to use these facilities on appropriate portions of the server namespace. Requirements for the use of integrity protection are handled similarly. This approach is capable of providing confidentiality when accessing certain directories or file systems, assuming that files that require such protection can be isolated in certain regions of the server namespace.

An important difficulty with regard to this approach to confidentiality is that there is significant non-encrypted data sent on NFSv4 connections which can allow extensive data to be gathered on the part of those engaged in monitoring attacks

Despite the availability of encryption in NFSv4, it is very rarely used, which makes its formal sufficiency essentially irrelevant. In understanding why confidentiality is not more generally used, we need look at the issues below in order to understand how to address the problem going forward.

Looking at the relevant Security Considerations sections, we find the following:

All of the issues discussed above may have contributed to the lack of use of encryption with NFSv4, but the issues of poor performance due to the a non-offloadable nature of encryption appears to have had a critical role in creating an unsatisfactory situation for a protocol where high performance is often of critical importance.

Once the choice was made to limit encryption to specific file systems or directories, there was commonly a perceived need to avoid the cost of encryption and the difficulties that approach to the matter led to were exacerbated by the lack within the Security Considerations sections of information about the damage thus done. Because there was insufficient attention to these issues, effective action to address them was delayed, until the problem could no longer be ignored.

Given these weaknesses with regard to encryption, those needing to use NFSv4 outside local area networks often implemented NFSv4 over secure tunnels. As this work proceeded, it served as an inspiration for the work done in [I-D.ietf-nfsv4-rpc-tls] that provided the opportunity to provide encryption uniformly and potentially with high performance. An overview of steps necessary to address these issues appears in Section 7.1

6. Framework for Correcting Problems

This section addresses the fundamental issues of the organization and presentation of a new security framework. The complementary issues involved in making substantive improvements in NFSv4 security will be dealt with in Section 7.

6.1. Correcting Problems with Regard to Threat Analyses

Of prime importance is the inclusion of appropriate threat analyses, even apart from the requirement (in BCP72 [RFC3552]) that such analyses appear in Security Considerations sections. As we have already seen, without such an analysis, there is no way to determine whether any security changes adopted are adequate to address NFSv4's security difficulties. In the case of NFSv4, because of its complicated history and the conflict between the status of AUTH_SYS as specified by the NFSv4 specification documents ([RFC7530], [RFC5661]) and that in [RFC5531], there might be multiple analyses, located in different places:

The appropriate location of a threat analysis for AUTH_SYS as currently used depends on the question of whether to consider AUTH_SYS as part of RPC, as it formally is, or to transfer responsibility to NFSv4, since it was deprecated as insecure in [RFC5531], while at the same time embedded as a heavily used optional feature for all minor versions of NFSv4, including a new protocol, NFSv4.1 published as a Proposed Standard subsequently, in [RFC5661].

Also relevant to the question of the appropriate location for this threat analysis is the question of whether there might be a need for a revised treatment of AUTH_SYS including client host authentication. The possible existence of such a revised treatment, together with issues related to a threat analysis necessary for its inclusion is discussed in Section 8.4.4.

6.2. Correcting Problems with Regard to Use of Normative Terms

Another important issue concerns the potential need for adjustment of inappropriate use of terms defined by RFC2119 [RFC2119], particularly any suggestion that use of AUTH_SYS may be validly used without important security consequences, as suggested by the current understanding that its use is optional.

However, as desirable as such clarifications might be, it is necessary that we be realistic about what such changes can accomplish, even if the particular issues cited in Section 3 are properly attended to. Documents can be written to define certain implementations as non-conformant, but the ability of any such designation to affect implementer behavior is strongly affected by circumstances, particularly when the term is a hard one to pin down such as "SHOULD" or "SHOULD NOT".

The ability of such term choices to affect implementer behavior is at its maximum when a new protocol is defined. In this case, the specification document formalizes a contract between implementations, so that the consequence of not following these terms is a lack of interoperability rather the fact that one's implementation may be, formally speaking, non-conformant. In the case of a protocol such as NFSv4,intended to build and extend the work of earlier NFS versions, the ability of the IETF to affect implementer choices is significantly reduced, as interoperability with the existing protocol and the existing infrastructure to support it will be of greater importance to implementers. Further, it needs to be recognized that when these terms are used to constrain security-related behavior rather than interoperability per se, their effect on implementer choice is likely to be similarly reduced.

Although [RFC2119] provides definitions of "SHOULD" and "SHOULD NOT", it is difficult to determine the proper interpretation unless it is clear what the "valid reasons" that might supersede the recommendation or the expected consequences of doing so. For this reason, when these terms are used in proposed text, we will make such matters explicit, where they are not otherwise clear, as suggested by Section 7 of [RFC2119].

7. Opportunities for Improvement Provided by Recent Work within the RPC Layer

The work done to provide TLS support for RPC (in [I-D.ietf-nfsv4-rpc-tls]) presents an important opportunity to address the substantive security problems described in Sections 5.2 and 5.3. While there will be a need to specify appropriate policies for its use by NFSv4 as a ULP (see Sections 8.3.2 and 8.4.6 for details), the following opportunities present themselves and are likely to be taken advantage of:

Although [I-D.ietf-nfsv4-rpc-tls]) does not provide support for RDMA transports, parallel services to provide encryption and authentication are expected to be available, as discussed in Section 7.3.

7.1. Opportunities for Improvement in Encryption

[I-D.ietf-nfsv4-rpc-tls] provides the ability to encrypt all traffic on the connection used between an NFSv4 client and server. This requires that that both the client and server provide support for RPC-over-TLS. Appropriate requirements/recommendations are discussed in Section 8.3.2.

Because this facility is based on an opportunistic use of TLS, there is a need for ULP-defined policies to deal with situations in which the server rejected the request for a TLS connection. These matters are discussed in Section 8.3.2 as well, as is the policy that servers are to adopt when dealing with a connection on which RPC-over-TLS is not requested.

Because this new form of encryption is being added to an existing protocol, all of these policies are more complicated than would be the case for a new protocol, since there might be a need to accommodate earlier implementations, which might not have had time to be enhanced, while providing the ability to take advantage of whatever confidentiality support that might be present for a given client and server.

7.2. Opportunities for Improvement in Authentication

When establishing a connection, as provided for by [I-D.ietf-nfsv4-rpc-tls], authentication material is provided by the client and could be used to authenticate the client host to the server.

By using this authentication material to authenticate the client host, it would be possible to correct some of the issues discussed in Section 5.2. This would involve clearly specifying how that material is to be used, in contrast to the situation for the existing AUTH_SYS, for which current documentation (in Appendix A of [RFC5531]) is quite limited. Any such respecification would need to be acceptable to those used to using AUTH_SYS while avoiding the security issues that make its further use, in the old form, inadvisable.

This could allow the following improvements:

The details of how the authentication material could be used are discussed Section 8.4.6.

7.3. Opportunities for Improvement when Using RDMA Transports

As noted above, [I-D.ietf-nfsv4-rpc-tls]) is not supported on RDMA transports, making it necessary to provide appropriate support for encryption and client host authentication in other ways.

It should be noted that our need to normatively reference [I-D.ietf-nfsv4-rpcrdma-version-two] would affect the schedule of a standards-track document dealing with NFSv4 security. Given that the current milestone for requesting publication is December 2020, this not expected to pose an obstacle.

8. Issues that Need to be Addressed

These sections discuss the issues that need to be addressed by new standards-track documents including both issues of the presentation/evaluation of NFSv4 (discussed in Section 5.1) and the substantive security weaknesses discussed in Sections 5.2 and 5.3. For each issue there is a section providing background followed by information suggesting how the issue would be addressed or issues that would need to be resolved before the issue could be addressed.

8.1. Threat Analysis Goals

8.1.1. Background

For reasons that remain unclear, none of the specification documents for the existing NFSv4 minor versions contain a threat analysis. As a result, for the reasons discussed in Section 5.1, we need to provide an appropriate threat analysis for all NFSv4 minor versions. Because of the high degree of overlap between pairs of NFSv4 minor versions, most of the analysis will be common to all versions. However, there are some areas where features in later minor versions have significant security implications:

While the bulk of the threat analysis would be minor-version- independent, differences between minor version will have to be noted, as will differences that reflect uses of the facilities discussed in Section 7.

Beyond the lack of NFsv4 threat analyses, there is a further problem in that there is no threat analysis dealing with the AUTH_SYS case in the existing RPC specification, RFC5531 [RFC5531]. In this case, the gap is easier to understand since RPC deals with security on a per-flavor basis and declares AUTH_SYS as "insecure". It may well be that the authors, the working group and the IESG thought this was adequate, and it would have been if this had resulted in its not being used subsequently. As things happened however, AUTH_SYS continued to be used extensively, including for NFsv4, so that there still remains a gap in this regard.

The following facts are relevant to the continued use of AUTH_SYS despite its security problems:

8.1.2. Issues to be Addressed

It is expected that a threat analysis dealing with all NFSv4 minor will be dealt with in new standards-track document dealing with NFSv4 security. Because this document will address security for all minor versions, it will update [RFC7530], [RFC5661], and [RFC7862].

There will, in addition, be a need for a threat analysis dealing with AUTH_SYS, which might or might not appear in the NFSv4-wide security document for reasons explained in Section 6.1. The question of where this best be done is discussed in Section 8.4.4.

8.2. NFSv4 Extension Policies

8.2.1. Background

The basic framework for the extension of NFSv4 was established by [RFC8178]. Given that the anticipated standards-track document dealing with NFSv4 security will, in a sense, extend NFSv4, there might be some uncertainty about whether the changes anticipated are in line with that extension framework and whether there might be a need for that document to update [RFC8178].

The following questions need to be addressed:

8.2.2. Addressing Extension Issues

We anticipate that the material would be in a section entitled, "NFSv4 Security Changes and the Existing NFSv4 Extension Model"

The following introductory material seems appropriate:

The following paragraphs discuss the core issues:

8.3. TLS Encryption Policies

8.3.1. Background

As discussed in Section 5.3, NFSv4 as currently defined, has serious problems providing the appropriate level of confidentiality for its transmissions. Providing encryption at the transport layer, whether as described in Section 7.1 or otherwise, can be expected to resolve this issue by providing encryption in a potentially offloadable way, making use of RPC-level privacy and integrity services unnecessary.

If we were defining a new protocol, such transport-level encryption could be REQUIRED without difficulty. However, given that we are upgrading the security for an existing protocol, it might not be possible to designate this encryption as "REQUIRED", since this might give rise to extensive interoperability problems between new and old implementations. In any case, existing implementers of the existing protocol would not have the same interest in specification compliance as in the corresponding situation with a new protocol, leading to a situation in which one group of implementations essentially ignored the issue of specification-compliance with regard to the latest protocol specifications.

We need to be aware that,

As we consider how to discuss the need for encryption in Section 8.3.2, we will be mindful of the above. Since it not possible to REQUIRE encryption, we will RECOMMEND it. However, in discussing the valid reasons that encryption might not be provided, we will try to restrict them to the degree we can reasonably do so. Further, we will try to clearly state the security consequences which implementers and those configuring clients and server need to be aware of when choosing to not provide the RECOMMENDED encryption.

8.3.2. Issues to Address

There is a need to recommend the implementation and use of appropriate encryption by the server and client, as is done, for example, by the following paragraphs.

Although, as indicated in [I-D.ietf-nfsv4-rpc-tls], that there should be no need to negotiate security flavors to be used to provide integrity and confidentiality, the exact effect on existing clients and servers needs to be made clearer.

The text below is a suggested way of doing this.

8.4. Handling of AUTH_SYS

8.4.1. Historical Background

During the development of NFSv2 [RFC1094], little attention was directed to network security and no attention was directed to the possibility that a machine on the network might represent itself as a client, with the ability to make requests on behalf of non-existent client processes it identified by user id. During this time, NFS clients were multi-user machines and it made sense to many for the client kernel to have the same responsibilities to verify user credentials and keep track of process user ids as it had successfully been doing with local file systems. This was the origin of AUTH_UNIX (later renamed AUTH_SYS) which was based on a model of co-operating UNIX kernels and provided no protection against an attacker with kernel privileges. Despite the later name change, actual implementations were strongly focused on UNIX, deriving the necessary implementation requirements from shared code and from informal inter-developer communications, rather than standards documents. As a result, as discussed in Section 5.2, when it was necessary to discuss the security of AUTH_SYS in connection with RPC (in [RFC5531], there was insufficient information on which to base a threat analysis, although it was correctly concluded that the result of use was a lack of security.

With regard to the following aspects of AUTH_SYS, this UNIX orientation was significant. In many cases as the computing environment changed, it was not possible to change the details to keep up with evolving needs.

Later, with the development of NFSv3 [RFC1813], some of these assumptions started to seem less justifiable and alternate authentication models were developed. However, because AUTH_SYS was so suited to the Unix environment, making NFS administration so similar to local file system administration, its use remained predominant despite its obvious weaknesses from the security standpoint.

8.4.2. Background for Existing AUTH_SYS in NFSv4

When NFSv4 was first defined (in [RFC3530]), RPCSEC_GSS was added as a MANDATORY to implement means of authentication which was optional to use, presumably under the assumption that other optional-to-implement authentication flavors, such as AUTH_SYS would be used by some clients

The continued use of AUTH_SYS is troubling and hard to explain if one is focused on network security, but the following possibilities are worthy of note:

Regardless of why this happened, the important fact is that it did happen, despite the serious security problems that it gave rise to. Later subsections of Section 8.4 will discuss ways to address the resulting situation.

8.4.3. Core Issue to Resolve for AUTH_SYS

Given the serious security weaknesses described in Section 5.2, there is clearly a need to discourage its further use in its existing form, since the difficulties with it will not be eliminated by the adoption of encryption of NFSv4 connections alone

There are two basic forms that such an effort might take:

While the author is strongly of the opinion that the second choice is more likely to be successful, and this document reflects that view, there is no intention to foreclose the first option, should the working group choose it. If that option is chosen, then the material in Section 8.4.6 becomes irrelevant and can be ignored while much of that in Section 8.4.5 can be simply modified to expand its scope, as described below in that section.

8.4.4. Need to Better Document and Explain Issues with AUTH_SYS

As described in Section 8.1 there is a need for an appropriate threat analysis for NFSv4. For a number of reasons, issues with AUTH_SYS that would make it difficult to refer to in an NFSv4-wide security document without some additional work preparatory work:

Under other circumstances, it might have been possible to dispense with further analysis of AUTH_SYS because of the following facts:

Despite the above, we will need a more complete of treatment of AUTH_SYS security for a number of reasons.

An important question is where such a treatment should appear. In deciding this question, the important question is whether, at this point, it is best addressed as a feature associated with NFSv4 or with RPC.

The last of these is most likely to be adopted regardless of how the working group decides the issue described in Section 8.4.3. However, if the working group decides to strongly discourage the use of AUTH_SYS even with client-host authentication, the first is a possibility that should be considered.

8.4.5. Issues to Address for Existing Use of AUTH_SYS

This section presents material that might be included in a standards-track document in an effort to suitably discourage use of AUTH_SYS in its current (insecure) form.

While it is sometimes the case that such a task can be accomplished by substituting one of the terms defined in [RFC2119] by another, that is not the case here While the designation of AUTH_SYS as optional (to implement) with [RFC7530] and [RFC5661] using the language "MAY be implemented", is wrong and probably needs to be fixed, the situation is more complex than generally recognized. It should be kept in mind that these terms are, in many cases, ignored or followed while ignoring the underlying intent. As a result, such changes, without supporting explanations might not be effective in changing implementer behavior.

To summarize the confusing situation with AUTH_SYS and NFS and the role of the RPC specification, [RFC5531].

While there may well be sufficient loopholes within [RFC5531] to avoid an outright contradiction of the rules established there, it is certainly troubling that the security implications of implementing and using AUTH_SYS are not properly recommended against.

While we may need to adjust the normative language, the effect of doing so is limited for reasons that have already been discussed. As a result, we need to put substantial emphasis on clearly stating the consequences of doing what "SHOULD NOT" (or "should not") be done, as is suggested by [RFC2119], at least for the former case.

The following text is one way to present the situation:

8.4.6. Issues to Resolve for Revised Approach to AUTH_SYS

The availability of client-host authentication makes possible a revised approach to AUTH_SYS addressing some of its security vulnerabilities. A revised approach to AUTH_SYS might provide:

  1. The ability to prevent, using client host-authentication, another machine masquerading as the expected client.

    The authentication features described in [I-D.ietf-nfsv4-rpc-tls], would be assure that you could identify trusted client machines, eliminating a major security issue with AUTH_SYS. On the other hand, it is not clear whether servers would be wise to trust clients to this degree, especially if the items below (#2 and #3) are not satisfactorily dealt with.
  2. It would be possible to include, as part of the client authentication material, information known only to the client and the server. The secret value would be chosen by the client, and saved so it is usable by later client instances. If this were done, it would prevent any process with root privileges on a trusted machine from impersonating the trusted client. If this were not done, then any compromise of a single trusted client would compromise any server which trusted it to present AUTH_SYS requests.

    To make this approach viable, servers would have to maintain, in persistent storage, a record of the secret value assigned to each authenticated client. When an authenticated client connected with a different value it would indicate that a root process on the client-host was attempting to impersonate the NFSv4 client.
  3. The power granted to the authenticated client-host, to make a request on behalf of user or group has troubling consequences. Although most implementations have the ability to exclude requests from the root user, that may not, as has been noted previously, be sufficient to satisfactorily deal with the problem, since many deployments contain security-critical files that can be accessed and modified but users other than root.

    It would be desirable to exclude a wider range of users such as all users within a given group (or alternatively include only users within a given group). However, neither of these is viable since servers receiving AUTH_SYS requests typically have no knowledge of what users belong to what groups, relying on the AUTH_SYS client to provide this information within the request.

    Given this lack of knowledge on the part of the servers, any restrictions on the ability of AUTH_SYS requests to access or modify files designate a set of protected files in some way. Since designating a list of files is complicated and hard to maintain, it might be possible to describe the files whose access and/or modification by means of an ACL. When a request is made to access a file, that request is suppressed (i.e. treated as a request by "nobody") iff it would be allowed to access by the designated ACL and similarly in the case of modifying requests.

How to address the question of the potential use of AUTH_SYS with client-host authentication would depend on the working group's judgement about how likely such an arrangement would be likely to be in providing security when AUTH_SYS is used. This in turn would depend on the working group's judgment as to whether solutions for #2 and #3 could be defined and effectively deployed, as well as the results of the threat analysis

I am assuming that AUTH_SYS with client-host authentication needs to be considered inferior to RPCSEC_GSS but sufficiently superior to AUTH_SYS without client authentication, to make it desirable to encourage its use, given that it is impossible to eliminate use of AUTH_SYS, even with a "MUST NOT". A number of potential introductions to the topic, of varying tone are explored below:

The following paragraph might be added if item #2 is not successfully addressed:

The following paragraph might be added if item #2 is successfully addressed:

The following paragraph might be added if item #3 is not successfully addressed:

The following paragraph might be added if item #3 is successfully addressed:

The following closing paragraphs are proposed for an eventual introduction to AUTH_SYS, as revised. In these paragraphs, material to be added only if a particular item above is addressed or not addressed will appear in brackets with the prefix "if-#x:" or "if-not-#x:".

8.5. Handling of State Protection

8.5.1. Background

The inclusion of state management within NFSv4 created new security issues in which the objects requiring protection were not files associated with particular users but locks, opens, and delegations, associated with particular clients.

In NFSv4.0, some protection could be provided when RPCSEC_GSS was used by limiting modification of state objects to users having access to the associated file. Nevertheless, the fundamental issue remained unresolved.

When sessions were introduced into NFSv4 (in NFSv4.1) there were additional vulnerabilities that needed to be protected against. There needed to be protection to prevent a session established by one client being bound to a connection established by another client, leading to the following possibilities:

Facilities were defined in [RFC5661] to allow such client-based protection to be implemented: SP4_MACHCRED and SP4_SSV but implementation has been quite limited. Client-host authentication makes it possible to apply such protection more generally, as described below.

8.5.2. Issues to be Addressed

While transport-level encryption would make it harder for attackers to mount attacks based on these vulnerabilities, the authentication material provided when a TLS connection is established could enable the vulnerabilities discussed above to be eliminated without the work of implementing SP4_MACHCRED or SP4_SSV, and irrespective of whether the client is using AUTH_SYS or RPCSEC_GSS.

If one has a TLS connection including suitable authentication material, then the server is in a position to reject attempts to bind to sessions established under this connection by other connections that are not TLS connections or are not established by the same client, unless SP4_MACHCRED or SP4_SSV is in effect. This would make state protection available to those using SP4_NONE, i.e. the vast majority, whether they used RPCSEC_GSS or AUTH_SYS with client-host authentication.

The fact that this is an NFSv4.1-only security feature make it difficult to fully it address solely in the NFSv4-wide security document which we writing. The following plan is intended to allow the security document to be published before proceeding to publish the anticipated rfc5661bis:

It should be noted that this use of client-host authentication provides applicable protection even when AUTH_SYS is used. This is so however the issues discussed in Section 8.4.6 are addressed, and independent of the decision made regarding the choice discussed in Section 8.4.3 unless it is decided that AUTH_SYS MUST NOT be used. Issues regarding the impersonation of a large set of users are not relevant because user ids are not referenced. Furthermore, the possibility of a privileged user-level client implementing a denial-of-service attach (if issue #2 in Section 8.4.6 is not addressed), is not of concern since such a privileged process would find it far easier to deny service directly on the client host.

9. Steps Going Forward

This document is expected to facilitate concrete discussion of how to address security in NFSv4. It is expected to be modified to reflect working group comments. If the working group is amenable to this approach, at some point a request will be made to adopt it as a working group item.

A large part of the discussion is expected to concern how AUTH_SYS will be dealt with. However, it is not expected that the working group needs to reach consensus on this issue immediately. This document could be adopted as a working group item if it is an appropriate vehicle to organize the discussion of related issues, such as formulating a consensus regarding the treatment of AUTH_SYS.

It is anticipated that, once the document is adopted as a working group item, this document will be used to discuss the writing of multiple standards-track documents, which may need co-ordination since they address a set of related issues:

This document is being written to guide the working group in preparing future standards-track documents. There are no plans to publish it as an RFC. If a milestone is to be associated with it, the appropriate goal would be completion of WGLC.

10. IANA Considerations

The current document does not require any actions by IANA.

11. Security Considerations

The convention of requiring a Security Considerations Section within an I-D encounters difficulties when applied to a document dealing solely with security, making it most unclear what such a section might contain for such documents.

In addition, the nature of this particular document poses further issues regarding the possible content of a Security Consideration Section:

In light of the above, this section will summarize the security-related message of earlier sections and will, in subsections, discuss the appropriate contents of Security Considerations Sections for a eventual standards-track documents to be written

The message of this document with regard to security issues can be summarized as follows

11.1. Security Considerations Section for Eventual NFSv4-wide Standards-track Security Document

Although it is clear that such a document would need to include a threat analysis, as provided for by RFC3552/BCP72 [RFC3552]. However, the length of such an analysis might well be so large that it cannot be reasonably contained within a Security Considerations Section. In that case, the Security Considerations Section will summarize the results of the threat analysis, referring to those parts that appear in other sections of the document.

11.2. Security Considerations Section for Revised RPC Specification Document

The general form of this section in [RFC5531] in which references are made to documents for each security flavor, seem appropriate. However, the following changes are likely to be required:

11.3. Security Considerations Section for Standard-track Document dealing with AUTH_SYS

As mentioned above, a prime goal of the threat analysis for AUTH_SYS would be to clarify the degree to which the security weaknesses of AUTH_SYS can be successfully addressed using transport-level security facilities. Those pieces of the threat analysis might well appear outside the Security Consideration section proper.

The Security Considerations needs to summarize these and provide a basis for ULPs that allow AUTH_SYS to specify the appropriate conditions for use and the consequences of not enforcing these.

12. References

12.1. Normative References

[I-D.ietf-nfsv4-rpc-tls] Myklebust, T. and C. Lever, "Towards Remote Procedure Call Encryption By Default", Internet-Draft draft-ietf-nfsv4-rpc-tls-07, April 2020.
[I-D.ietf-nfsv4-rpcrdma-version-two] Lever, C. and D. Noveck, "RPC-over-RDMA Version 2 Protocol", Internet-Draft draft-ietf-nfsv4-rpcrdma-version-two-01, January 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003.
[RFC5531] Thurlow, R., "RPC: Remote Procedure Call Protocol Specification Version 2", RFC 5531, DOI 10.17487/RFC5531, May 2009.
[RFC5661] Shepler, S., Eisler, M. and D. Noveck, "Network File System (NFS) Version 4 Minor Version 1 Protocol", RFC 5661, DOI 10.17487/RFC5661, January 2010.
[RFC7530] Haynes, T. and D. Noveck, "Network File System (NFS) Version 4 Protocol", RFC 7530, DOI 10.17487/RFC7530, March 2015.
[RFC7862] Haynes, T., "Network File System (NFS) Version 4 Minor Version 2 Protocol", RFC 7862, DOI 10.17487/RFC7862, November 2016.
[RFC8166] Lever, C., Simpson, W. and T. Talpey, "Remote Direct Memory Access Transport for Remote Procedure Call Version 1", RFC 8166, DOI 10.17487/RFC8166, June 2017.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

12.2. Informative References

[RFC1094] Nowicki, B., "NFS: Network File System Protocol specification", RFC 1094, DOI 10.17487/RFC1094, March 1989.
[RFC1813] Callaghan, B., Pawlowski, B. and P. Staubach, "NFS Version 3 Protocol Specification", RFC 1813, DOI 10.17487/RFC1813, June 1995.
[RFC3530] Shepler, S., Callaghan, B., Robinson, D., Thurlow, R., Beame, C., Eisler, M. and D. Noveck, "Network File System (NFS) version 4 Protocol", RFC 3530, DOI 10.17487/RFC3530, April 2003.
[RFC8178] Noveck, D., "Rules for NFSv4 Extensions and Minor Versions", RFC 8178, DOI 10.17487/RFC8178, July 2017.

Appendix A. Acknowledgements

The author would like to thank Chuck Lever (of Oracle) and Trond Myklebust (of Hammerspace) for their important work providing security at the RPC layer, enabling us to break the NFSv4 security logjam.

The author would like to thank Tom Haynes (of Hammerspace) for introducing the idea of dealing with security for all minor versions in a single document.

Author's Address

David Noveck NetApp 1601 Trapelo Road Waltham, MA 02451 United States of America Phone: +1 781 572 8038 EMail: davenoveck@gmail.com