Remote Procedure Call Version 2 Encryption By Default
draft-cel-nfsv4-rpc-tls-00

The information below is for an old version of the document
Document Type Active Internet-Draft (individual)
Authors Trond Myklebust  , Chuck Lever 
Last updated 2018-11-12
Replaced by draft-ietf-nfsv4-rpc-tls
IESG state I-D Exists
Network File System Version 4                               T. Myklebust
Internet-Draft                                               Hammerspace
Updates: 5531 (if approved)                                C. Lever, Ed.
Intended status: Standards Track                                  Oracle
Expires: May 16, 2019                                  November 12, 2018

         Remote Procedure Call Version 2 Encryption By Default
                       draft-cel-nfsv4-rpc-tls-00

Abstract

   This document proposes a mechanism that makes it possible to enable
   in-transit encryption of Remote Procedure Call traffic with little
   administrative overhead and full compatibility with implementations
   that do not support it.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 16, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Myklebust & Lever         Expires May 16, 2019                  [Page 1]
Internet-Draft                RPC With TLS                 November 2018

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  RPC on TLS in Operation . . . . . . . . . . . . . . . . . . .   4
     3.1.  Discovering Server-side TLS Support . . . . . . . . . . .   4
     3.2.  Streams and Datagrams . . . . . . . . . . . . . . . . . .   5
     3.3.  Authentication  . . . . . . . . . . . . . . . . . . . . .   5
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   In 2014, the IETF published [RFC7258], which recognized that
   unauthorized observation of network traffic had become widespread
   and was a subversive threat to all who make use of the Internet at
   large.  It strongly recommended that newly defined Internet protocols
   make a real effort to mitigate monitoring attacks.  Typically this
   mitigation is done by encrypting data in transit.

   The Remote Procedure Call version 2 protocol has been around for more
   than a decade [RFC5531].  Support for in-transit encryption of RPC
   was introduced with RPCSEC GSS [RFC7861].  However, experience has
   shown that RPCSEC GSS is challenging to deploy, especially in
   environments where:

   o  Per-host administrative or deployment costs must be kept to a
      minimum,

   o  Parts of the RPC header that remain in clear-text are a security
      exposure,

   o  Host CPU resources are at a premium, or

   o  Host identity management is carried out in a security domain that
      is distinct from user identity management.

   However strong a privacy service is, it is not effective if it cannot
   be deployed in typical environments.
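   The second bullet above is easy to underestimate, so here is an added
   example (written for this page, not code from the draft or from any
   RPC implementation) that makes the exposure concrete.  It encodes an
   ONC RPC v2 CALL message carrying an RPCSEC GSS credential that
   requests the privacy service, following the XDR layouts of RFC 5531
   (call header, opaque_auth, TCP record marking) and RFC 7861
   (rpc_gss_cred_t), and then decodes it the way a passive on-path
   observer would, with no keys.  The program/version/procedure numbers
   are those of an NFSv4 COMPOUND call; the context handle, sequence
   number, MIC bytes and wrapped-argument bytes are constructed
   placeholders, since a real GSS wrap token needs a live security
   context.

```python
"""Show which fields of an RPCSEC_GSS privacy-protected RPC call stay
in clear text on the wire.  Constructed example; see the lead-in."""
import struct

MSG_CALL = 0
RPC_VERSION = 2
RPCSEC_GSS = 6              # opaque_auth flavor number (RFC 7861)
RPCSEC_GSS_VERS_1 = 1
RPCSEC_GSS_DATA = 0         # gss_proc value for an ordinary data request
RPC_GSS_SVC_PRIVACY = 3     # rpc_gss_service_t: integrity + confidentiality

NFS_PROGRAM = 100003        # ONC RPC program number of NFS
NFSV4_COMPOUND = 1          # procedure number of NFSv4 COMPOUND


def xdr_uint(n):
    return struct.pack(">I", n)


def xdr_opaque(b):
    """Variable-length opaque: 4-byte length, bytes, zero padding to 4."""
    return xdr_uint(len(b)) + b + b"\x00" * ((-len(b)) % 4)


def encode_gss_cred(handle, seq_num, service=RPC_GSS_SVC_PRIVACY):
    """rpc_gss_cred_vers_1_t, carried as the body of the cred opaque_auth."""
    return (xdr_uint(RPCSEC_GSS_VERS_1) + xdr_uint(RPCSEC_GSS_DATA)
            + xdr_uint(seq_num) + xdr_uint(service) + xdr_opaque(handle))


def encode_call(xid, prog, vers, proc, handle, seq_num, mic, wrapped_args):
    """RPC v2 CALL with RPCSEC_GSS cred and verf; args are rpc_gss_priv_data."""
    header = (xdr_uint(xid) + xdr_uint(MSG_CALL) + xdr_uint(RPC_VERSION)
              + xdr_uint(prog) + xdr_uint(vers) + xdr_uint(proc)
              + xdr_uint(RPCSEC_GSS) + xdr_opaque(encode_gss_cred(handle, seq_num))
              + xdr_uint(RPCSEC_GSS) + xdr_opaque(mic))
    return header + xdr_opaque(wrapped_args)      # opaque databody_priv<>


def record_mark(msg):
    """TCP record marking (RFC 5531 section 11): last-fragment bit | length."""
    return xdr_uint(0x80000000 | len(msg)) + msg


class Reader:
    """Minimal XDR reader over one record."""
    def __init__(self, data):
        self.data, self.off = data, 0

    def uint(self):
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def opaque(self):
        n = self.uint()
        b = self.data[self.off:self.off + n]
        self.off += n + (-n) % 4
        return b


def observer_view(wire):
    """Everything a passive observer recovers from one record without keys."""
    r = Reader(wire)
    mark = r.uint()
    view = {"last_fragment": bool(mark & 0x80000000), "length": mark & 0x7FFFFFFF}
    view["xid"] = r.uint()
    if r.uint() != MSG_CALL or r.uint() != RPC_VERSION:
        raise ValueError("not an RPC v2 CALL")
    view["prog"], view["vers"], view["proc"] = r.uint(), r.uint(), r.uint()
    view["cred_flavor"] = r.uint()
    cred = Reader(r.opaque())
    if view["cred_flavor"] == RPCSEC_GSS:
        if cred.uint() != RPCSEC_GSS_VERS_1:
            raise ValueError("unknown RPCSEC_GSS version")
        view["gss_proc"], view["seq_num"], view["service"] = cred.uint(), cred.uint(), cred.uint()
        view["handle"] = cred.opaque()          # context handle, in the clear
    view["verf_flavor"] = r.uint()
    view["verf_len"] = len(r.opaque())          # MIC over the header, in the clear
    view["opaque_args_len"] = len(r.opaque())   # only this part is encrypted
    return view


def build_sample():
    """Constructed NFSv4 COMPOUND call under rpc_gss_svc_privacy (placeholder bytes)."""
    return record_mark(encode_call(
        xid=0x1A2B3C4D, prog=NFS_PROGRAM, vers=4, proc=NFSV4_COMPOUND,
        handle=b"ctx-0001",                 # constructed context handle
        seq_num=42,                         # constructed sequence number
        mic=bytes(range(16)),               # constructed stand-in for a MIC
        wrapped_args=b"\xde\xad\xbe\xef" * 10))  # constructed stand-in for a wrap token


if __name__ == "__main__":
    for k, v in observer_view(build_sample()).items():
        print(f"{k:16} {v!r}")
```

   Run stand-alone, the decoder prints the xid, the program, version
   and procedure numbers, the RPCSEC GSS control procedure, sequence
   number, requested service and context handle, and the sizes of the
   MIC and of the wrapped arguments; only the argument bytes themselves
   are unreadable.  Wrapping the same stream in TLS puts the record
   marking and the whole header inside the encrypted record, which is
   the property the draft is after.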

   An alternative approach is to employ a transport layer security
   mechanism that can protect the privacy of each RPC connection
   transparently to RPC and Upper Layer protocols.  The Transport Layer
   Security protocol [RFC8446] (TLS) is a well-established Internet
   building block that protects many common Internet protocols such as
   https [RFC2818].

   Encrypting at the RPC transport layer enables several significant