[Search] [txt|html|xml|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00                                                            
NFSv4                                                     D. Noveck, Ed.
Internet-Draft                                                    NetApp
Updates: 8881, 7530 (if approved)                           11 July 2021
Intended status: Standards Track
Expires: 12 January 2022


                    Security for the NFSv4 Protocols
                    draft-dnoveck-nfsv4-security-00

Abstract

   This document describes the core security features of the NFSv4
   family of protocols, applying to all minor versions.  The discussion
   includes the use of security features provided at the RPC transport
   level.

   This prelimimary version of the document, is intended, in large part,
   to result in working group discussion regarding NFSv4 security issues
   and ientify issues on which the working group needs to work on
   achieving consensus.

   When published as an RFC, it will supersede the description of
   security appearing in existing minor version specification documents
   such as RFC 7530 and RFC 8881.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 12 January 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.




Noveck                   Expires 12 January 2022                [Page 1]


Internet-Draft               Nfsv4 Security                    July 2021


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   5
     2.1.  Keyword Definitions . . . . . . . . . . . . . . . . . . .   5
     2.2.  Special Considerations  . . . . . . . . . . . . . . . . .   5
   3.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   6
     3.1.  Handling of Multiple Minor Versions . . . . . . . . . . .   6
     3.2.  Handling of Minor-version-specific features . . . . . . .   7
     3.3.  Transport-based Security Features . . . . . . . . . . . .   9
   4.  Authorization in General  . . . . . . . . . . . . . . . . . .  10
   5.  User-based File Access Authorization  . . . . . . . . . . . .  11
     5.1.  Handling of Multiple Parallel File Access Authorization
           Models  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     5.2.  Attributes for User-based File Access Authorization . . .  13
     5.3.  Posix Authorization Model . . . . . . . . . . . . . . . .  14
       5.3.1.  Attribute 33: mode  . . . . . . . . . . . . . . . . .  14
       5.3.2.  V4.1 Attribute 74: mode_set_masked  . . . . . . . . .  15
     5.4.  ACL-based Authorization Model . . . . . . . . . . . . . .  15
       5.4.1.  Access control Entries  . . . . . . . . . . . . . . .  15
       5.4.2.  ACE Type  . . . . . . . . . . . . . . . . . . . . . .  17
       5.4.3.  ACE Access Mask . . . . . . . . . . . . . . . . . . .  19
       5.4.4.  Details Regarding Mask Bits . . . . . . . . . . . . .  20
       5.4.5.  ACE4_DELETE vs. ACE4_DELETE_CHILD . . . . . . . . . .  27
       5.4.6.  ACE flag  . . . . . . . . . . . . . . . . . . . . . .  27
       5.4.7.  Details Regardign ACE Flag Bits . . . . . . . . . . .  28
       5.4.8.  ACE Who . . . . . . . . . . . . . . . . . . . . . . .  29



Noveck                   Expires 12 January 2022                [Page 2]


Internet-Draft               Nfsv4 Security                    July 2021


       5.4.9.  Automatic Inheritance Features  . . . . . . . . . . .  31
     5.5.  Attribute 12: acl . . . . . . . . . . . . . . . . . . . .  33
     5.6.  Attribute 13: aclsupport  . . . . . . . . . . . . . . . .  34
     5.7.  V4.1 Attribute 58: dacl . . . . . . . . . . . . . . . . .  34
     5.8.  V4.1 Attribute 59: sacl . . . . . . . . . . . . . . . . .  35
   6.  Common Considerations for Both File access Models . . . . . .  35
     6.1.  Server Considerations . . . . . . . . . . . . . . . . . .  35
     6.2.  Client Considerations . . . . . . . . . . . . . . . . . .  36
   7.  Combining Authorization Models  . . . . . . . . . . . . . . .  37
     7.1.  Combined Authorization Models for V4.0  . . . . . . . . .  37
     7.2.  Combined Authorization Model for V4.1 and Beyond  . . . .  37
       7.2.1.  Computing a Mode Attribute from an ACL  . . . . . . .  38
       7.2.2.  Alternatives in Computing Mode Bits . . . . . . . . .  39
       7.2.3.  Setting Multiple ACL Attributes . . . . . . . . . . .  39
       7.2.4.  Setting Mode and not ACL  . . . . . . . . . . . . . .  40
       7.2.5.  Setting ACL and Not Mode  . . . . . . . . . . . . . .  41
       7.2.6.  Setting Both ACL and Mode . . . . . . . . . . . . . .  41
       7.2.7.  Retrieving the Mode and/or ACL Attributes . . . . . .  41
       7.2.8.  Creating New Objects  . . . . . . . . . . . . . . . .  41
       7.2.9.  Use of Inherited ACL When Creating Objects  . . . . .  43
     7.3.  Combined Authorization Models for V4.2  . . . . . . . . .  43
   8.  Labelled NFS Authorization Model  . . . . . . . . . . . . . .  43
   9.  State Modification Authorization  . . . . . . . . . . . . . .  44
   10. Identification and Authentication . . . . . . . . . . . . . .  45
     10.1.  Identification vs. Authentication  . . . . . . . . . . .  45
     10.2.  Items to be Identified . . . . . . . . . . . . . . . . .  45
     10.3.  Authentication Provided by specfic RPC Flavors . . . . .  47
     10.4.  Authentication Provided by the RPC Transport . . . . . .  47
   11. Security of Data in Flight  . . . . . . . . . . . . . . . . .  47
     11.1.  Data Security Provided by the Flavor-associated
            Services . . . . . . . . . . . . . . . . . . . . . . . .  47
     11.2.  Data Security Provided by the RPC Transport  . . . . . .  48
   12. Security Negotiation  . . . . . . . . . . . . . . . . . . . .  48
     12.1.  Flavors and Pseudo-flavors . . . . . . . . . . . . . . .  48
     12.2.  Negotiation of Security Flavors and Mechanisms . . . . .  50
     12.3.  Negotiation of RPC Transports and Characteristics  . . .  50
     12.4.  Overall Interpretation of SECINFO Response Arrays  . . .  51
     12.5.  SECINFO  . . . . . . . . . . . . . . . . . . . . . . . .  52
       12.5.4.  SECINFO IMPLEMENTATION (general) . . . . . . . . . .  54
         12.5.4.1.  SECINFO IMPLEMENTATION (for v4.0)  . . . . . . .  55
         12.5.4.2.  SECINFO IMPLEMENTATION (for v4.1 and v4.2) . . .  55
     12.6.  Future Security Needs  . . . . . . . . . . . . . . . . .  56
   13. Security Considerations . . . . . . . . . . . . . . . . . . .  57
     13.1.  Changes in Security Considerations . . . . . . . . . . .  57
       13.1.1.  Wider View of Threats  . . . . . . . . . . . . . . .  57
       13.1.2.  Transport-layer Security Facilities  . . . . . . . .  58
       13.1.3.  Compatibility and Maturity Issues  . . . . . . . . .  58
       13.1.4.  Discussion of AUTHSYS  . . . . . . . . . . . . . . .  59



Noveck                   Expires 12 January 2022                [Page 3]


Internet-Draft               Nfsv4 Security                    July 2021


     13.2.  Security Considerations Scope  . . . . . . . . . . . . .  60
       13.2.1.  Discussion of Potental Classification of
               Environmets . . . . . . . . . . . . . . . . . . . . .  60
       13.2.2.  Discussion of Environments . . . . . . . . . . . . .  60
     13.3.  Major New Recommendations  . . . . . . . . . . . . . . .  61
       13.3.1.  Recommendations Regarding Security of Data in
               Flight  . . . . . . . . . . . . . . . . . . . . . . .  61
       13.3.2.  Recommendations Regarding Client Peer
               Authentication  . . . . . . . . . . . . . . . . . . .  61
       13.3.3.  Issues Regarding Valid Reasons to Bypass
               Recommendations . . . . . . . . . . . . . . . . . . .  62
     13.4.  Data Security Threats  . . . . . . . . . . . . . . . . .  62
     13.5.  Authentication-based threats . . . . . . . . . . . . . .  62
       13.5.1.  Attacks based on the use of AUTH_SYS . . . . . . . .  62
       13.5.2.  Attacks on Name/Userid Mapping Facilities  . . . . .  62
     13.6.  Disruption and Denial-of-Service Attacks . . . . . . . .  63
       13.6.1.  Attacks Based on the Disruption of Client-Server
               Shared State  . . . . . . . . . . . . . . . . . . . .  63
       13.6.2.  Attacks Based on Forcing the Misuse of Server
               Resources . . . . . . . . . . . . . . . . . . . . . .  63
   14. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  63
     14.1.  New Authstat Values  . . . . . . . . . . . . . . . . . .  63
     14.2.  New Authentication Pseudo-Flavors  . . . . . . . . . . .  63
   15. References  . . . . . . . . . . . . . . . . . . . . . . . . .  63
     15.1.  Normative References . . . . . . . . . . . . . . . . . .  64
     15.2.  Informative References . . . . . . . . . . . . . . . . .  65
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . .  65
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  65

1.  Overview

   This document presents a new approach to security for the NFSv4
   protocols, which, although building on previous treatments of these
   issues, diverges substantially from them in a number of respects.

   A new treatment is necessary because:

   *  Previous treatments paid insufficient attention to security issues
      regarding data in flight.

   *  The presentation of AUTH_SYS as an "'OPTIONAL' means of
      authentication" obscured the severe security problems that come
      with its use.

   *  The security considerations sections of existing minor version
      specifications contain no threat analyses and focus on particular
      security issues in a way that obscures, rather than clarifying,
      the security issues that need to be addressed.



Noveck                   Expires 12 January 2022                [Page 4]


Internet-Draft               Nfsv4 Security                    July 2021


   *  The availabilty of RPC-with-TLS (described in [12]) provides
      facilities that NFSv4 clients and servers will need to use to
      provide security for data in flight and mitigate the lack of
      authentication when AUTH_SYS is used.

   This preliminary document contains many notes with headers in
   brackets, requesting comments regarding confusing or otherwise
   dubious passages in existing documents and other choices that need to
   made.  Comments and working group discussion of those notes will be
   important in arriving at an adequate RFC cadidate.

2.  Requirements Language

2.1.  Keyword Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as specified in BCP 14 [1] [5] when,
   and only when, they appear in all capitals, as shown here.

2.2.  Special Considerations

   Because this document needs to revise previous treatments of its
   subject, it will need to cite previous treatments of issues that now
   need to be dealt with in a different way.  This will take the form of
   quotations from documents whose treatment of the subject is being
   obsoleted, most often direct but sometimes indirect as well.

   Such treatments in quotations will involve use of these BCP14-defined
   terms in two noteworthy ways:

   *  The term may have been used inappropriately (i.e not in accord
      with [1]), as has been the case for the "RECOMMENDED" attributes,
      which are in fact OPTIONAL.

      In such cases, the surrounding text will make clear that the
      quoted text has no normative effect.

      Some specific issues relating to this case are described below
      Section 5.2.

   *  The term may been used in accord with [1], although the resulting
      normative statement is now felt to be inappropriate.

      In such cases, the surrounding text will need to make clear that
      the text quoted is no longer to be considered normative, often by
      providing new text that conficts with the quoted, previously
      nomative, text.



Noveck                   Expires 12 January 2022                [Page 5]


Internet-Draft               Nfsv4 Security                    July 2021


      An important instance of this situation is the description of
      AUTH_SYS as an "OPTIONAL" means of authentication.  For detailed
      discussion of this case, see Sections 10 and 13.1.4

3.  Introduction

   Because the basic approach to security issues is so similar for all
   minor versions, this document applies to all NFSv4 minor versions.
   The details of this transition are discused in Sections 3.1 and 3.2

   This document is able to take a new approach to security issues
   because of the work that has been done to provide security features
   at the transort level, rather than providing security features only
   by making choices with regard to the authentication flavor and
   associated mechanisms and services.  The effect of this shift is
   summarized in Section 3.3.

3.1.  Handling of Multiple Minor Versions

   In some cases, there are differences between minor versions in that
   there are security-related features, not present in all minor
   versions.

   To deal with this issue, this document will focus on a few major
   areas listed below which are common to all minor versions.

   *  File access authorization (discussed in Section 5) is the same in
      all minor versions togther with the identification/ authentication
      infrastructure supporting it (discussed in Section 10) provided by
      RPC and applying to all of NFS.

      An exception is made regarding labelled NFS, an optional feature
      within NFSv4.2, described in [10].  This is discussed as a
      version-specific feature in this document in Section 8

   *  Features to secure data in-flight, all provided by RPC, together
      with the negotation infrastructure to support them are common to
      all NFSv4 minor versions, are discussed in Section 12

      However, the use of SECINFO_NONAME, together with changes needed
      for transport level encryption, paralleling those proposed here
      for SECINFO, is treated as a version-specfic feature and, while
      mentioned here, will be fully documented in new v4.1 specification
      documents.







Noveck                   Expires 12 January 2022                [Page 6]


Internet-Draft               Nfsv4 Security                    July 2021


   *  The Protection of state data from unauthorized modification is
      discussed in Section 9) is the same in all minor versions togther
      with the identification/ authentication infrastructure supporting
      it (discussed in Section 10) provided by secure transports such as
      RPC-over-TLS.

      It should be noted that state protection based on RPCSEC_GSS is
      treated as a version-specific feature and will continue to be
      described by [8] or its successors.  Also, it needs to be noted
      that the use of state protection is not discussed in [6].

3.2.  Handling of Minor-version-specific features

   There are a number of areas in which security features differ among
   minor versions, as discussed below.  In some cases, a new feature
   requires specific security support while in others one version will
   have a new feature related to enhancing the security infrastructure.

   How such features are dealt with in this document depends on the
   specific feature.

   [Working group discussion advisable]: There's a lot of opportnities
   to make mistakes.  I'd prefer to find out sooner rather than later.

   *  In addition to SECINFO, whose enhanced description appears in this
      document, NFSv4.1 added a new SECINFO_NONAME operation, useful for
      pNFS file as well as having some non-pNFS uses.

      While the enhanced description of SECINFO mentions SECINFO_NONAME,
      this is handled as one of a number of cases in which the
      description has to indicate that different actions need to be
      taken for different minor versions.

      The definitive description of SECINFO_NONAME, now appearing in
      RFC8881 needs to be modified to match the description of SECINFO
      appearing in this document.  It is expected that this will be done
      as part of the rfc5661bis process.

      The security implications of the security negotiation facilities
      as a whole will be addressed in the security considerations
      section of this document.

   *  The pNFS optional feature added in NFSv4.1 has its own security
      needs which parallel closely those of non-pNFS access.  As a
      result, these needs and the means to satisfy them are not
      discussed in this document.





Noveck                   Expires 12 January 2022                [Page 7]


Internet-Draft               Nfsv4 Security                    July 2021


      The definitive description of pNFS security will remain in RFC8881
      and its successors (i.e. the rfc5661bis document suite).  However,
      because pNFS sucurity relies heavily on the infrastructure
      discussed here, it is anticipated that the new treatment of pNFS
      security will deal with many matters by referencing the overall
      NFS security document.

      The security considerations section of rfc5661bis will deal with
      pNFS security issues.

   *  In addition to the state protection facilities described in this
      document, NFS has another set of such facilities that are not
      usable in NFSv4.0.

      While this document will discuss the security implications of
      protection against state modification, it will not discuss the
      details of the v4.1-specfic features to accomplicsh it.

   *  The additional v4.1 acl attributes, sacl and dacl, are mentioned
      in this document, but do not affect the treatment of security,
      since the acl entries, whether in the acl attribute or separated
      into sacl and dacl attributes continue to have the same effect.

   *  Nfsv4.1 introduced detailed description of methods of co-
      ordinating the values of the authorization-related attributes mode
      and acl.  this is in contrast to Nfsv4.0, which while expecting
      such co-ordination to be provide somehow, did not provide any
      detils, allowing a number of different approaches to meat the goal
      of providing appopriate co-ordination.

      This document will provide separate sections describing each of
      the approaches, together with a common section describing the
      goals of providing co-ordination when both are supported.

      As a result, this document will override the treatment within
      RFC8881 and this material will be removed in the rfc5661bis
      document suite and replaced by a reference to the treatment in the
      NFSv4 security RFC.

      Simiarly, this doument will supersede the corresponding treatment
      in RFC7530 as well.  As a result, v4.0 server implementers reading
      any successor document will be aware of the possibility of the
      v4.1 approach even though it is clear that this only one of the
      possible approaches to this issue.  V4.1 client implementers will
      be made aware of the goals and that there is little that can be
      relied upon with regard to v4.0 servers' attempts to address those
      goals.




Noveck                   Expires 12 January 2022                [Page 8]


Internet-Draft               Nfsv4 Security                    July 2021


   *  The protocol extension defined in [13], now part of NFSv4.2, is
      also related to the issue of co-ordination of acl and mode
      attributes and will be discussed in that context.

      Nevertheless, the description in [13] will remain definitive.

   *  The the v4.1 attribute set-mode-masked attribute is mentioned
      together with the other attributes implementing the POSIX
      authorization model.

      Because this attribute. while related to security, does not
      substantively modify the security properties of the protocol, the
      full description of this attribute, will continue to be the
      province of the v4.1 specification proper.

   *  There is a brief description of the v4.2 Labelled NFS feature in
      Section 8.  Part of that description discusses the limitations in
      the desciption of that feature within [10].

      Because of some limitations in the desription, it is not possible
      to provide an appropriate security considerations section for that
      feature in this document.

      As a result, the responsibility to provide an apprpriate Security
      Considerations section remains, unrealized for now, with the
      NFSv4.2 specification document.

3.3.  Transport-based Security Features

   There are a number of security-related facilities that can be
   provided at the transport layer eliminating the need for or or
   proving support to processing done as part of RPC proper.

   These will initially be provided by RPC-over-TLS but similar
   facilties might be provided on new versions of existing transports or
   new RPC transports.

   *  The transport might provide encryption of requests and replies,
      eliminating the need for privacy and integrity services to be
      negotiated later and applied on a per-request basis.

      While clients might chooose to establish connections with such
      encryption, servers can establish policies allowing access to
      certain pieces of the namespace using such transports, or limiting
      access to those providing privacy, allowing the use of either
      transport-based encryption or privacy servicies provided by
      RPCSEC_GSS.




Noveck                   Expires 12 January 2022                [Page 9]


Internet-Draft               Nfsv4 Security                    July 2021


   *  The transport might provide mutual authentication of the client
      and server peers as part of the establishment of the connection
      This authentication is distinct from the the mutual authentication
      of the client user and server peer, implemented within the
      GSSSEC_RPC framework.

      This form of authentication is of particular importance when the
      when the server allows the use of the flavors AUTH_SYS and
      AUTH_NONE, which have no provision for the authentication of the
      user requesting the operation.

      While clients might chooose to establish connections with such
      peer authentication, servers can establish policies a limiting
      access to certain pieces of the namespace without such peer
      authentication or only allowing it using RPCSEC_GSS.

   To enable server policies to be effectively communicated to clients,
   the seurity negotiation framework now allows connection chacteristics
   to be specified using pseudo-flavors.  See Section 12 for details.

4.  Authorization in General

   There are three distinct methods of checking whether NFSv4 requests
   are authorized:

   *  The most important method of authorization is used to effect user-
      based file access control, as described in Section 5.

      This requires the identification of the user making the request.
      Because of the central role of such access control in providing
      NFSv4 security, server implementations SHOULD NOT use such
      identifications when they are not authenticated.  In this context,
      valid reasons to do otherwise are limited to the compatibility and
      maturity issues discussed in Section 13.1.3

   *  NFSv4.2, via the labelled NFS feature, provides an additional
      potential requirement for request authorization.

      For reasons made clear in Section 8, there is no realistic
      possibility of the server using the data defined by existing
      specifications of this feature to effect request authorization.
      While it is possible for clients to provide this authorization,
      the lack of detailed specfication makes it impossible to determine
      the nature of the identification used and whether it can be
      described as "authentication".






Noveck                   Expires 12 January 2022               [Page 10]


Internet-Draft               Nfsv4 Security                    July 2021


   *  Since undesired changes to server-mintained locking state (and,
      for NFSv4.1, session state) can result in denial of service
      attacks (see Section 13.6), server implementations SHOULD take
      steps to prevent unauthorized state changes.  This can be done by
      implementing the state authorization restrictions discussed in
      Section 9

5.  User-based File Access Authorization

5.1.  Handling of Multiple Parallel File Access Authorization Models

   ACLs and modes represent two well-established models for specifying
   user-based file access permissions.  NFSv4 provides support for
   either or both depending on the attributes supported by the server:

   *  When the attributes mode, owner, owner group are all supported,
      the posix-based authorization model, described in Section 5.3 can
      be used.

   *  When the acl (or dacl) attribute is supported, the acl based
      authorization model, described in Section 5.4 can be used.

      [Working group discussion needed]: Existing specifications neither
      require that owner and owner group be supported nor provide useful
      guidance about how clients might deal with servers that support
      the acl attribute but do not support owner or owner_group (e.g how
      such a server might deal with acl containing "OWNER@" or
      "GROUP@").  In addition, the use of acl's to generate a
      corresponding mode seems poinless in the absence of the owner and
      owner-group attributes.

      [Working group decision needed]: It apppears that, despite what
      RFC7530 and RFC8881 say, owner and owner_group are essentially
      REQUIRED attributes, but while our successor RFC will update both
      RFC7530 and RFC8881, that document may not be the place to rectify
      that mistake.  I'm thinking of something like the following:

         While formally Recommended (essentialy OPTIONAL) attributes, it
         appears that the owner and owner_group attributes need to be
         available to support any file access authorization model.  As a
         result, this document will not discuss th possibility of
         attributes that do not support either of these attributes.









Noveck                   Expires 12 January 2022               [Page 11]


Internet-Draft               Nfsv4 Security                    July 2021


   *  When both authorization models can be used, there are difficulties
      that can arise because the ACL-base model provides finer-grained
      access control than the POSIX model.  Some goals for dealing with
      these difficulties appear later in this section while more detail
      on the appropriate handlin of this situation, which may depend on
      the minor version used, appears in Section 7.

   The following lists the goals of NFSv4 in supporting multiple
   authorization models for file access.

   *  If a server supports the mode attribute, it should provide the
      appropriate POSIX semantics to clients that only set and retrieve
      the mode attribute.

      [WG Discussion might be needed]: The above substitutes for the
      requirement that the server provide "reasonable semantics".  Are
      there suggestions for other approaches to this passage?

   *  If a server supports ACL attributes, it should provide reasonable
      semantics to clients that only set and retrieve those attributes.

      [WG Discussion might be needed]: Similarly we need a replacement
      for "reasonable semantics".  I'm supposing "the semantics
      described in this document" is a reasonable replacement.

   *  On servers that support the mode attribute, if ACL attributes have
      never been set on an object, via inheritance or explicitly, the
      behavior should be the behavior mandated by POSIX.

   *  On servers that support the mode attribute, if the ACL attributes
      have been previously set on an object, either explicitly or via
      inheritance:

      -  Setting only the mode attribute should effectively control the
         traditional UNIX-like permissions of read, write, and execute
         on owner, owner_group, and other.

         [Working group discussion needed]: It isn't really clear what
         the above paragraph means, especially as it governs the
         handling of aces designating specific users and groups which
         are not the owner and have no overlap with the owning

         While it would be possible to substitute a three-ace acl with
         one ace for each of owner, group and others, I'm not sure that
         is what is intened.  In particular, I'm unsure why would need a
         second bullet item if we had a clear statement to that effect.





Noveck                   Expires 12 January 2022               [Page 12]


Internet-Draft               Nfsv4 Security                    July 2021


         It is particularly important to resolve this now, since this is
         part of the goals that apply to all minor versions.

      -  Setting only the mode attribute should provide reasonable
         security.  For example, setting a mode of 000 should be enough
         to ensure that future OPEN operations for
         OPEN4_SHARE_ACCESS_READ or OPEN4_SHARE_ACCESS_WRITE by any
         principal fail, regardless of a previously existing or
         inherited ACL.

         [Working group discussion needed]: We need some replacement for
         the subjective first sentence.  While the specfic example give
         is unexceptionable, it raises question about other case in
         which what constitutes "reasonable semantics" might subect to
         dispute.

   *  NFSv4.1 describes specfic semantic requirements relating to the
      interaction of mode and ACL attributes, which do contract the
      goals listed above.  As a result, the handling provided by servers
      of different minor version might well be different, as discussed
      below.

   In regard to the interaction of the mode and ACL attributes:

   *  As discussed in Section 7.1, the specfic semanric requirements
      specified for v4.1 could be adopted by v4.0, although some
      modification might be necessary to deal with the absence of the
      mode_set_masked attribute.

      V4.0 clients would have to be able to interact with servers that
      different approaches to these goals.

   *  V4.1 servers have specfic rules for handling these issues as
      discussed in Section 7.2.  However, despite this, the rules are,
      in many places, fairly loosely drawn and allow a range of server
      behaviors.

   *  To deal with issues related to the perceived overuse of modes
      derived from the umask in vitiating needed acl inheritance, a V4.2
      extension was provided, allowing the separation of the
      application-specfed mode from the umask.  This is discussed in
      Section 7.3

5.2.  Attributes for User-based File Access Authorization

   NFSv4.1 provides for multiple authentication models, controlled by
   the support for particular Recommended attributes implemented by the
   server, as discussed below:



Noveck                   Expires 12 January 2022               [Page 13]


Internet-Draft               Nfsv4 Security                    July 2021


   *  The attributes owner, owning_group, and mode enable use of a
      POSIX-based authorization model, as described in Section 5.3.
      When all of these attributes are supported, this authorization
      model can be implemented.  When none of these attributes or only a
      proper subset of them are supported, this attribute model is
      unavailable.

   *  The acl attribute (or the attributes sacl and dacl in v4.1)
      provide an ACL-based authorization model as described in
      Section 5.4.

5.3.  Posix Authorization Model

5.3.1.  Attribute 33: mode

   The NFSv4.1 mode attribute is based on the UNIX mode bits.  The
   following bits are defined:

   const MODE4_SUID = 0x800;  /* set user id on execution */
   const MODE4_SGID = 0x400;  /* set group id on execution */
   const MODE4_SVTX = 0x200;  /* save text even after use */
   const MODE4_RUSR = 0x100;  /* read permission: owner */
   const MODE4_WUSR = 0x080;  /* write permission: owner */
   const MODE4_XUSR = 0x040;  /* execute permission: owner */
   const MODE4_RGRP = 0x020;  /* read permission: group */
   const MODE4_WGRP = 0x010;  /* write permission: group */
   const MODE4_XGRP = 0x008;  /* execute permission: group */
   const MODE4_ROTH = 0x004;  /* read permission: other */
   const MODE4_WOTH = 0x002;  /* write permission: other */
   const MODE4_XOTH = 0x001;  /* execute permission: other */

   Bits MODE4_RUSR, MODE4_WUSR, and MODE4_XUSR apply to the principal
   identified in the owner attribute.  Bits MODE4_RGRP, MODE4_WGRP, and
   MODE4_XGRP apply to principals identified in the owner_group
   attribute but who are not identified in the owner attribute.  Bits
   MODE4_ROTH, MODE4_WOTH, and MODE4_XOTH apply to any principal that
   does not match that in the owner attribute and does not have a group
   matching that of the owner_group attribute.

   Bits within a mode other than those specified above are not defined
   by this protocol.  A server MUST NOT return bits other than those
   defined above in a GETATTR or READDIR operation, and it MUST return
   NFS4ERR_INVAL if bits other than those defined above are set in a
   SETATTR, CREATE, OPEN, VERIFY, or NVERIFY operation.







Noveck                   Expires 12 January 2022               [Page 14]


Internet-Draft               Nfsv4 Security                    July 2021


   [Working group input needed]: It is my impression that the three
   high-order bits do not affect server behavior.  Is this so?  If it
   is, should that be stated explicitly?  I there a need to more clearly
   define what the client does with these or is this somehow out of
   scope.

5.3.2.  V4.1 Attribute 74: mode_set_masked

   The mode_set_masked attribute is a write-only attribute that allows
   individual bits in the mode attribute to be set or reset, without
   changing others.  It allows, for example, the bits MODE4_SUID,
   MODE4_SGID, and MODE4_SVTX to be modified while leaving unmodified
   any of the nine low-order mode bits devoted to permissions.

   In instances such that none of the nine low-order bits are subject to
   modification, then neither the acl nor the dacl attribute should be
   automatically modified as discussed in Sections 7.2.4 and 7.2.6.

   The mode_set_masked attribute consists of two words, each in the form
   of a mode4.  The first consists of the value to be applied to the
   current mode value and the second is a mask.  Only bits set to one in
   the mask word are changed (set or reset) in the file's mode.  All
   other bits in the mode remain unchanged.  Bits in the first word that
   correspond to bits that are zero in the mask are ignored, except that
   undefined bits are checked for validity and can result in
   NFS4ERR_INVAL as described below.

   The mode_set_masked attribute is only valid in a SETATTR operation.
   If it is used in a CREATE or OPEN operation, the server MUST return
   NFS4ERR_INVAL.

   Bits not defined as valid in the mode attribute are not valid in
   either word of the mode_set_masked attribute.  The server MUST return
   NFS4ERR_INVAL if any such bits are set to one in a SETATTR.  If the
   mode and mode_set_masked attributes are both specified in the same
   SETATTR, the server MUST also return NFS4ERR_INVAL.

5.4.  ACL-based Authorization Model

5.4.1.  Access control Entries

   The attributes acl, sacl (v4.1 only) and dacl (v4.1 only) each
   contain an array of Access Control Entries (ACEs) that are associated
   with the file system object.  The client can set and get these
   attributes attribute, the server is responsible for using the ACL-
   related attributes to perform access control.  The client can use the
   OPEN or ACCESS operations to check access without modifying or
   expliitly reading data or metadata.



Noveck                   Expires 12 January 2022               [Page 15]


Internet-Draft               Nfsv4 Security                    July 2021


   The NFS ACE structure is defined as follows:

   typedef uint32_t        acetype4;

   typedef uint32_t aceflag4;

   typedef uint32_t        acemask4;

   struct nfsace4 {
           acetype4        type;
           aceflag4        flag;
           acemask4        access_mask;
           utf8str_mixed   who;
   };

   To determine if a request succeeds, the server processes each nfsace4
   entry in turnn as ordered in the array.  Only ACEs that have a "who"
   that matches the requester are considered.  An ACE is consider to
   match a given requester if at least one of the following is true:

   *  The "who' designates a specific user which is the specfic user
      making the request.

   *  The "who" specfies "OWNER@" and the user making the request is the
      owner of the file.

   *  The "who" designates a specific group and which is the specfic
      user making the request is a member of that group.

   *  The "who" specfies "GROUP@" and the user making the request is a
      member of the group owning the file.

   *  The "who" specfies "EVRYONE@".

   *  The "who" specfies "INTERACTIVE@", "NETWORK@", "DIALUP@",
      "BATCH@", or "SERVICE@" and the requester, in the judgement of the
      server, feels that designation appropriately describes the
      requester.

   *  The "who" specifies "ANONYMOUS@" or "AUTHENTICATED@" and the
      requestores authenication status matches the who, using the
      definitions in Section 5.4.8

   Each ACE is processed until all of the bits of the requester's access
   have been ALLOWED.  Once a bit (see below) has been ALLOWED by an
   ACCESS_ALLOWED_ACE, it is no longer considered in the processing of
   later ACEs.  If an ACCESS_DENIED_ACE is encountered where the
   requester's access still has unALLOWED bits in common with the



Noveck                   Expires 12 January 2022               [Page 16]


Internet-Draft               Nfsv4 Security                    July 2021


   "access_mask" of the ACE, the request is denied.  When the ACL is
   fully processed, if there are bits in the requester's mask that have
   not been ALLOWED or DENIED, access is denied.

   Unlike the ALLOW and DENY ACE types, the ALARM and AUDIT ACE types do
   not affect a requester's access, and instead are for triggering
   events as a result of a requester's access attempt.  Therefore, AUDIT
   and ALARM ACEs are processed only after processing ALLOW and DENY
   ACEs.

   The NFSv4.1 ACL model is quite rich.  Some server platforms may
   provide access-control functionality that goes beyond the UNIX-style
   mode attribute, but that is not as rich as the NFS ACL model.  So
   that users can take advantage of this more limited functionality, the
   server may support the acl attributes by mapping between its ACL
   model and the NFSv4.1 ACL model.  Servers must ensure that the ACL
   they actually store or enforce is at least as strict as the NFSv4 ACL
   that was set.  It is tempting to accomplish this by rejecting any ACL
   that falls outside the small set that can be represented accurately.
   However, such an approach can render ACLs unusable without special
   client-side knowledge of the server's mapping, which defeats the
   purpose of having a common NFSv4 ACL protocol.  Therefore, servers
   should accept every ACL that they can without compromising security.
   To help accomplish this, servers may make a special exception, in the
   case of unsupported permission bits, to the rule that bits not
   ALLOWED or DENIED by an ACL must be denied.  For example, a UNIX-
   style server might choose to silently allow read attribute
   permissions even though an ACL does not explicitly allow those
   permissions.  (An ACL that explicitly denies permission to read
   attributes should still be rejected.)

   The situation is complicated by the fact that a server may have
   multiple modules that enforce ACLs.  For example, the enforcement for
   NFSv4.1 access may be different from, but not weaker than, the
   enforcement for local access, and both may be different from the
   enforcement for access through other protocols such as SMB (Server
   Message Block).  So it may be useful for a server to accept an ACL
   even if not all of its modules are able to support it.

   The guiding principle with regard to NFSv4 access is that the server
   must not accept ACLs that appear to make access to the file more
   restrictive than it really is.

5.4.2.  ACE Type

   The constants used for the type field (acetype4) are as follows:





Noveck                   Expires 12 January 2022               [Page 17]


Internet-Draft               Nfsv4 Security                    July 2021


   const ACE4_ACCESS_ALLOWED_ACE_TYPE      = 0x00000000;
   const ACE4_ACCESS_DENIED_ACE_TYPE       = 0x00000001;
   const ACE4_SYSTEM_AUDIT_ACE_TYPE        = 0x00000002;
   const ACE4_SYSTEM_ALARM_ACE_TYPE        = 0x00000003;

   Only the ALLOWED and DENIED bits may be used in the dacl attribute,
   and only the AUDIT and ALARM bits may be used in the sacl attribute.
   All four are permitted in the acl attribute.











































Noveck                   Expires 12 January 2022               [Page 18]


Internet-Draft               Nfsv4 Security                    July 2021


   +==============================+==============+=====================+
   | Value                        | Abbreviation | Description         |
   +==============================+==============+=====================+
   | ACE4_ACCESS_ALLOWED_ACE_TYPE | ALLOW        | Explicitly grants   |
   |                              |              | the access          |
   |                              |              | defined in          |
   |                              |              | acemask4 to the     |
   |                              |              | file or             |
   |                              |              | directory.          |
   +------------------------------+--------------+---------------------+
   | ACE4_ACCESS_DENIED_ACE_TYPE  | DENY         | Explicitly denies   |
   |                              |              | the access          |
   |                              |              | defined in          |
   |                              |              | acemask4 to the     |
   |                              |              | file or             |
   |                              |              | directory.          |
   +------------------------------+--------------+---------------------+
   | ACE4_SYSTEM_AUDIT_ACE_TYPE   | AUDIT        | Log (in a system-   |
   |                              |              | dependent way)      |
   |                              |              | any access          |
   |                              |              | attempt to a file   |
   |                              |              | or directory that   |
   |                              |              | uses any of the     |
   |                              |              | access methods      |
   |                              |              | specified in        |
   |                              |              | acemask4.           |
   +------------------------------+--------------+---------------------+
   | ACE4_SYSTEM_ALARM_ACE_TYPE   | ALARM        | Generate an alarm   |
   |                              |              | (in a system-       |
   |                              |              | dependent way)      |
   |                              |              | when any access     |
   |                              |              | attempt is made     |
   |                              |              | to a file or        |
   |                              |              | directory for the   |
   |                              |              | access methods      |
   |                              |              | specified in        |
   |                              |              | acemask4.           |
   +------------------------------+--------------+---------------------+

                                  Table 1

   The "Abbreviation" column denotes how the types will be referred to
   throughout the rest of this section.

5.4.3.  ACE Access Mask

   The bitmask constants used for the access mask field are as follows:




Noveck                   Expires 12 January 2022               [Page 19]


Internet-Draft               Nfsv4 Security                    July 2021


   const ACE4_READ_DATA            = 0x00000001;
   const ACE4_LIST_DIRECTORY       = 0x00000001;
   const ACE4_WRITE_DATA           = 0x00000002;
   const ACE4_ADD_FILE             = 0x00000002;
   const ACE4_APPEND_DATA          = 0x00000004;
   const ACE4_ADD_SUBDIRECTORY     = 0x00000004;
   const ACE4_READ_NAMED_ATTRS     = 0x00000008;
   const ACE4_WRITE_NAMED_ATTRS    = 0x00000010;
   const ACE4_EXECUTE              = 0x00000020;
   const ACE4_DELETE_CHILD         = 0x00000040;
   const ACE4_READ_ATTRIBUTES      = 0x00000080;
   const ACE4_WRITE_ATTRIBUTES     = 0x00000100;
   const ACE4_WRITE_RETENTION      = 0x00000200;
   const ACE4_WRITE_RETENTION_HOLD = 0x00000400;

   const ACE4_DELETE               = 0x00010000;
   const ACE4_READ_ACL             = 0x00020000;
   const ACE4_WRITE_ACL            = 0x00040000;
   const ACE4_WRITE_OWNER          = 0x00080000;
   const ACE4_SYNCHRONIZE          = 0x00100000;

   Note that some masks have coincident values, for example,
   ACE4_READ_DATA and ACE4_LIST_DIRECTORY.  The mask entries
   ACE4_LIST_DIRECTORY, ACE4_ADD_FILE, and ACE4_ADD_SUBDIRECTORY are
   intended to be used with directory objects, while ACE4_READ_DATA,
   ACE4_WRITE_DATA, and ACE4_APPEND_DATA are intended to be used with
   non-directory objects.

5.4.4.  Details Regarding Mask Bits

   ACE4_READ_DATA

      Operation(s) affected:
         READ

         OPEN

      Discussion:
         Permission to read the data of the file.

         Servers SHOULD allow a user the ability to read the data of the
         file when only the ACE4_EXECUTE access mask bit is allowed.

   ACE4_LIST_DIRECTORY

      Operation(s) affected:
         READDIR




Noveck                   Expires 12 January 2022               [Page 20]


Internet-Draft               Nfsv4 Security                    July 2021


      Discussion:
         Permission to list the contents of a directory.

   ACE4_WRITE_DATA

      Operation(s) affected:
         WRITE

         OPEN

         SETATTR of size

      Discussion:
         Permission to modify a file's data.

   ACE4_ADD_FILE

      Operation(s) affected:
         CREATE

         LINK

         OPEN

         RENAME

      Discussion:
         Permission to add a new file in a directory.  The CREATE
         operation is affected when nfs_ftype4 is NF4LNK, NF4BLK,
         NF4CHR, NF4SOCK, or NF4FIFO.  (NF4DIR is not listed because it
         is covered by ACE4_ADD_SUBDIRECTORY.)  OPEN is affected when
         used to create a regular file.  LINK and RENAME are always
         affected.

   ACE4_APPEND_DATA

      Operation(s) affected:
         WRITE

         OPEN

         SETATTR of size









Noveck                   Expires 12 January 2022               [Page 21]


Internet-Draft               Nfsv4 Security                    July 2021


      Discussion:
         The ability to modify a file's data, but only starting at EOF.
         This allows for the specfication of append-only files, by
         allowing ACE4_APPEND_DATA and denying ACE4_WRITE_DATA to the
         same user or group.  If a file has an ACL such as the one
         described above and a WRITE request is made for somewhere other
         than EOF, the server SHOULD return NFS4ERR_ACCESS.

   ACE4_ADD_SUBDIRECTORY

      Operation(s) affected:
         CREATE

         RENAME

      Discussion:
         Permission to create a subdirectory in a directory.  The CREATE
         operation is affected when nfs_ftype4 is NF4DIR.  The RENAME
         operation is always affected.

   ACE4_READ_NAMED_ATTRS

      Operation(s) affected:
         OPENATTR

      Discussion:
         Permission to read the named attributes of a file or to look up
         the named attribute directory.  OPENATTR is affected when it is
         not used to create a named attribute directory.  This is when
         1) createdir is TRUE, but a named attribute directory already
         exists, or 2) createdir is FALSE.

   ACE4_WRITE_NAMED_ATTRS

      Operation(s) affected:
         OPENATTR

      Discussion:
         Permission to write the named attributes of a file or to create
         a named attribute directory.  OPENATTR is affected when it is
         used to create a named attribute directory.  This is when
         createdir is TRUE and no named attribute directory exists.  The
         ability to check whether or not a named attribute directory
         exists depends on the ability to look it up; therefore, users
         also need the ACE4_READ_NAMED_ATTRS permission in order to
         create a named attribute directory.

   ACE4_EXECUTE



Noveck                   Expires 12 January 2022               [Page 22]


Internet-Draft               Nfsv4 Security                    July 2021


      Operation(s) affected:
         READ

         OPEN

         REMOVE

         RENAME

         LINK

         CREATE

      Discussion:
         Permission to execute a file.

         Servers SHOULD allow a user the ability to read the data of the
         file when only the ACE4_EXECUTE access mask bit is allowed.
         This is because there is no way to execute a file without
         reading the contents.  Though a server may treat ACE4_EXECUTE
         and ACE4_READ_DATA bits identically when deciding to permit a
         READ operation, it SHOULD still allow the two bits to be set
         independently in ACLs, and MUST distinguish between them when
         replying to ACCESS operations.  In particular, servers SHOULD
         NOT silently turn on one of the two bits when the other is set,
         as that would make it impossible for the client to correctly
         enforce the distinction between read and execute permissions.

         As an example, following a SETATTR of the following ACL:

            nfsuser:ACE4_EXECUTE:ALLOW

         A subsequent GETATTR of ACL for that file SHOULD return:

            nfsuser:ACE4_EXECUTE:ALLOW

         Rather than:

            nfsuser:ACE4_EXECUTE/ACE4_READ_DATA:ALLOW

   ACE4_EXECUTE

      Operation(s) affected:
         LOOKUP

      Discussion:
         Permission to traverse/search a directory.




Noveck                   Expires 12 January 2022               [Page 23]


Internet-Draft               Nfsv4 Security                    July 2021


   ACE4_DELETE_CHILD

      Operation(s) affected:
         REMOVE

         RENAME

      Discussion:
         Permission to delete a file or directory within a directory.
         See Section 5.4.5 for information on ACE4_DELETE and
         ACE4_DELETE_CHILD interact.

   ACE4_READ_ATTRIBUTES

      Operation(s) affected:
         GETATTR of file system object attributes

         VERIFY

         NVERIFY

         READDIR

      Discussion:
         The ability to read basic attributes (non-ACLs) of a file.  On
         a UNIX system, basic attributes can be thought of as the stat-
         level attributes.  Allowing this access mask bit would mean
         that the entity can execute "ls -l" and stat.  If a READDIR
         operation requests attributes, this mask must be allowed for
         the READDIR to succeed.

   ACE4_WRITE_ATTRIBUTES

      Operation(s) affected:
         SETATTR of time_access_set, time_backup,

         time_create, time_modify_set, mimetype, hidden, system

      Discussion:
         Permission to change the times associated with a file or
         directory to an arbitrary value.  Also permission to change the
         mimetype, hidden, and system attributes.  A user having
         ACE4_WRITE_DATA or ACE4_WRITE_ATTRIBUTES will be allowed to set
         the times associated with a file to the current server time.

   ACE4_WRITE_RETENTION





Noveck                   Expires 12 January 2022               [Page 24]


Internet-Draft               Nfsv4 Security                    July 2021


      Operation(s) affected:
         SETATTR of retention_set, retentevt_set.

      Discussion:
         Permission to modify the durations of event and non-event-based
         retention.  Also permission to enable event and non-event-based
         retention.  A server MAY behave such that setting
         ACE4_WRITE_ATTRIBUTES allows ACE4_WRITE_RETENTION.

   ACE4_WRITE_RETENTION_HOLD

      Operation(s) affected:
         SETATTR of retention_hold.

      Discussion:
         Permission to modify the administration retention holds.  A
         server MAY map ACE4_WRITE_ATTRIBUTES to
         ACE_WRITE_RETENTION_HOLD.

   ACE4_DELETE

      Operation(s) affected:
         REMOVE

      Discussion:
         Permission to delete the filexs or directory.  See
         Section 5.4.5 for information on ACE4_DELETE and
         ACE4_DELETE_CHILD interact.

   ACE4_READ_ACL

      Operation(s) affected:
         GETATTR of acl, dacl, or sacl

         NVERIFY

         VERIFY

      Discussion:
         Permission to read the ACL.

   ACE4_WRITE_ACL

      Operation(s) affected:
         SETATTR of acl and mode

      Discussion:
         Permission to write the acl and mode attributes.



Noveck                   Expires 12 January 2022               [Page 25]


Internet-Draft               Nfsv4 Security                    July 2021


   ACE4_WRITE_OWNER

      Operation(s) affected:
         SETATTR of owner and owner_group

      Discussion:
         Permission to write the owner and owner_group attributes.  On
         UNIX systems, this is the ability to execute chown() and
         chgrp().

   ACE4_SYNCHRONIZE

      Operation(s) affected:
         NONE

      Discussion:
         Permission to use the file object as a synchronization
         primitive for interprocess communication.  This permission is
         not enforced or interpreted by the NFSv4.1 server on behalf of
         the client.

         Typically, the ACE4_SYNCHRONIZE permission is only meaningful
         on local file systems, i.e., file systems not accessed via
         NFSv4.1.  The reason that the permission bit exists is that
         some operating environments, such as Windows, use
         ACE4_SYNCHRONIZE.

         For example, if a client copies a file that has
         ACE4_SYNCHRONIZE set from a local file system to an NFSv4.1
         server, and then later copies the file from the NFSv4.1 server
         to a local file system, it is likely that if ACE4_SYNCHRONIZE
         was set in the original file, the client will want it set in
         the second copy.  The first copy will not have the permission
         set unless the NFSv4.1 server has the means to set the
         ACE4_SYNCHRONIZE bit.  The second copy will not have the
         permission set unless the NFSv4.1 server has the means to
         retrieve the ACE4_SYNCHRONIZE bit.

   Server implementations need not provide the granularity of control
   that is implied by this list of masks.  For example, POSIX-based
   systems might not distinguish ACE4_APPEND_DATA (the ability to append
   to a file) from ACE4_WRITE_DATA (the ability to modify existing
   contents); both masks would be tied to a single "write" permission
   bit.  When such a server returns attributes to the client that
   contain such masks, it would show ACE4_APPEND_DATA and
   ACE4_WRITE_DATA if and only if the the write permission bit is
   enabled.




Noveck                   Expires 12 January 2022               [Page 26]


Internet-Draft               Nfsv4 Security                    July 2021


   If a server receives a SETATTR request that it cannot accurately
   implement, it should err in the direction of more restricted access,
   except in the previously discussed cases of execute and read.  For
   example, suppose a server cannot distinguish overwriting data from
   appending new data, as described in the previous paragraph.  If a
   client submits an ALLOW ACE where ACE4_APPEND_DATA is set but
   ACE4_WRITE_DATA is not (or vice versa), the server should either turn
   off ACE4_APPEND_DATA or reject the request with NFS4ERR_ATTRNOTSUPP.

5.4.5.  ACE4_DELETE vs. ACE4_DELETE_CHILD

   Two access mask bits govern the ability to delete a directory entry:
   ACE4_DELETE on the object itself (the "target") and ACE4_DELETE_CHILD
   on the containing directory (the "parent").

   Many systems also take the "sticky bit" (MODE4_SVTX) on a directory
   to allow unlink only to a user that owns either the target or the
   parent; on some such systems the decision also depends on whether the
   target is writable.

   Servers SHOULD allow unlink if either ACE4_DELETE is permitted on the
   target, or ACE4_DELETE_CHILD is permitted on the parent.  (Note that
   this is true even if the parent or target explicitly denies one of
   these permissions.)

   If the ACLs in question neither explicitly ALLOW nor DENY either of
   the above, and if MODE4_SVTX is not set on the parent, then the
   server SHOULD allow the removal if and only if ACE4_ADD_FILE is
   permitted.  In the case where MODE4_SVTX is set, the server may also
   require the remover to own either the parent or the target, or may
   require the target to be writable.

   This allows servers to support something close to traditional UNIX-
   like semantics, with ACE4_ADD_FILE taking the place of the write bit.

5.4.6.  ACE flag

   The bitmask constants used for the flag field are as follows:

   const ACE4_FILE_INHERIT_ACE             = 0x00000001;
   const ACE4_DIRECTORY_INHERIT_ACE        = 0x00000002;
   const ACE4_NO_PROPAGATE_INHERIT_ACE     = 0x00000004;
   const ACE4_INHERIT_ONLY_ACE             = 0x00000008;
   const ACE4_SUCCESSFUL_ACCESS_ACE_FLAG   = 0x00000010;
   const ACE4_FAILED_ACCESS_ACE_FLAG       = 0x00000020;
   const ACE4_IDENTIFIER_GROUP             = 0x00000040;
   const ACE4_INHERITED_ACE                = 0x00000080;




Noveck                   Expires 12 January 2022               [Page 27]


Internet-Draft               Nfsv4 Security                    July 2021


   A server need not support any of these flags.  If the server supports
   flags that are similar to, but not exactly the same as, these flags,
   the implementation may define a mapping between the protocol-defined
   flags and the implementation-defined flags.

   For example, suppose a client tries to set an ACE with
   ACE4_FILE_INHERIT_ACE set but not ACE4_DIRECTORY_INHERIT_ACE.  If the
   server does not support any form of ACL inheritance, the server
   should reject the request with NFS4ERR_ATTRNOTSUPP.  If the server
   supports a single "inherit ACE" flag that applies to both files and
   directories, the server may reject the request (i.e., requiring the
   client to set both the file and directory inheritance flags).  The
   server may also accept the request and silently turn on the
   ACE4_DIRECTORY_INHERIT_ACE flag.

5.4.7.  Details Regardign ACE Flag Bits

   ACE4_FILE_INHERIT_ACE
      Any non-directory file in any sub-directory will get this ACE
      inherited.

   ACE4_DIRECTORY_INHERIT_ACE
      Can be placed on a directory and indicates that this ACE should be
      added to each new directory created.

      If this flag is set in an ACE in an ACL attribute to be set on a
      non-directory file system object, the operation attempting to set
      the ACL SHOULD fail with NFS4ERR_ATTRNOTSUPP.

   ACE4_NO_PROPAGATE_INHERIT_ACE
      Can be placed on a directory.  This flag tells the server that
      inheritance of this ACE should stop at newly created child
      directories.

   ACE4_INHERIT_ONLY_ACE
      Can be placed on a directory but does not apply to the directory;
      ALLOW and DENY ACEs with this bit set do not affect access to the
      directory, and AUDIT and ALARM ACEs with this bit set do not
      trigger log or alarm events.  Such ACEs only take effect once they
      are applied (with this bit cleared) to newly created files and
      directories as specified by the ACE4_FILE_INHERIT_ACE and
      ACE4_DIRECTORY_INHERIT_ACE flags.

      If this flag is present on an ACE, but neither
      ACE4_DIRECTORY_INHERIT_ACE nor ACE4_FILE_INHERIT_ACE is present,
      then an operation attempting to set such an attribute SHOULD fail
      with NFS4ERR_ATTRNOTSUPP.




Noveck                   Expires 12 January 2022               [Page 28]


Internet-Draft               Nfsv4 Security                    July 2021


   ACE4_SUCCESSFUL_ACCESS_ACE_FLAG and ACE4_FAILED_ACCESS_ACE_FLAG
      The ACE4_SUCCESSFUL_ACCESS_ACE_FLAG (SUCCESS) and
      ACE4_FAILED_ACCESS_ACE_FLAG (FAILED) flag bits may be set only on
      ACE4_SYSTEM_AUDIT_ACE_TYPE (AUDIT) and ACE4_SYSTEM_ALARM_ACE_TYPE
      (ALARM) ACE types.  If during the processing of the file's ACL,
      the server encounters an AUDIT or ALARM ACE that matches the
      principal attempting the OPEN, the server notes that fact, and the
      presence, if any, of the SUCCESS and FAILED flags encountered in
      the AUDIT or ALARM ACE.  Once the server completes the ACL
      processing, it then notes if the operation succeeded or failed.
      If the operation succeeded, and if the SUCCESS flag was set for a
      matching AUDIT or ALARM ACE, then the appropriate AUDIT or ALARM
      event occurs.  If the operation failed, and if the FAILED flag was
      set for the matching AUDIT or ALARM ACE, then the appropriate
      AUDIT or ALARM event occurs.  Either or both of the SUCCESS or
      FAILED can be set, but if neither is set, the AUDIT or ALARM ACE
      is not useful.

      The previously described processing applies to ACCESS operations
      even when they return NFS4_OK.  For the purposes of AUDIT and
      ALARM, we consider an ACCESS operation to be a "failure" if it
      fails to return a bit that was requested and supported.

   ACE4_IDENTIFIER_GROUP
      Indicates that the "who" refers to a GROUP as defined under UNIX
      or a GROUP ACCOUNT as defined under Windows.  Clients and servers
      MUST ignore the ACE4_IDENTIFIER_GROUP flag on ACEs with a who
      value equal to one of the special identifiers outlined in
      Section 5.4.8.

   ACE4_INHERITED_ACE
      Indicates that this ACE is inherited from a parent directory.  A
      server that supports automatic inheritance will place this flag on
      any ACEs inherited from the parent directory when creating a new
      object.  Client applications will use this to perform automatic
      inheritance.  Clients and servers MUST clear this bit in the acl
      attribute; it may only be used in the dacl and sacl attributes.

5.4.8.  ACE Who

   The "who" field of an ACE is an identifier that specifies the
   principal or principals to whom the ACE applies.  It may refer to a
   user or a group, with the flag bit ACE4_IDENTIFIER_GROUP specifying
   which.

   There are several special identifiers that need to be understood
   universally, rather than in the context of a particular DNS domain.
   Some of these identifiers cannot be understood when an NFS client



Noveck                   Expires 12 January 2022               [Page 29]


Internet-Draft               Nfsv4 Security                    July 2021


   accesses the server, but have meaning when a local process accesses
   the file.  The ability to display and modify these permissions is
   permitted over NFS, even if none of the access methods on the server
   understands the identifiers.

   +===============+==================================================+
   | Who           | Description                                      |
   +===============+==================================================+
   | OWNER         | The owner of the file.                           |
   +---------------+--------------------------------------------------+
   | GROUP         | The group associated with the file.              |
   +---------------+--------------------------------------------------+
   | EVERYONE      | The world, including the owner and owning group. |
   +---------------+--------------------------------------------------+
   | INTERACTIVE   | Accessed from an interactive terminal.           |
   +---------------+--------------------------------------------------+
   | NETWORK       | Accessed via the network.                        |
   +---------------+--------------------------------------------------+
   | DIALUP        | Accessed as a dialup user to the server.         |
   +---------------+--------------------------------------------------+
   | BATCH         | Accessed from a batch job.                       |
   +---------------+--------------------------------------------------+
   | ANONYMOUS     | Accessed without any authentication.             |
   +---------------+--------------------------------------------------+
   | AUTHENTICATED | Any authenticated user (opposite of ANONYMOUS).  |
   +---------------+--------------------------------------------------+
   | SERVICE       | Access from a system service.                    |
   +---------------+--------------------------------------------------+

                                 Table 2

   To avoid conflict, these special identifiers are distinguished by an
   appended "@" and should appear in the form "xxxx@" (with no domain
   name after the "@"), for example, ANONYMOUS@.

   The ACE4_IDENTIFIER_GROUP flag MUST be ignored on entries with these
   special identifiers.  When encoding entries with these special
   identifiers, the ACE4_IDENTIFIER_GROUP flag SHOULD be set to zero.

   [working group input needed]: I don't understand what might be valid
   reasons to ignore this.  Would "MUST" be appropriate here?

   It is important to note that "EVERYONE@" is not equivalent to the
   UNIX "other" entity.  This is because, by definition, UNIX "other"
   does not include the owner or owning group of a file.  "EVERYONE@"
   means literally everyone, including the owner or owning group.





Noveck                   Expires 12 January 2022               [Page 30]


Internet-Draft               Nfsv4 Security                    July 2021


   [working group input needed]: Some of these require that changes be
   made as discussed below:

   *  For "INTERACTIVE", "NETWORK", "DIALUP", "BATCH", and "SERVICE" it
      needs to be specified that server's ability to make these
      distinctions is limited, making teir use where secrity is an issue
      quite problemtic.

   *  For "ANONYMOUS", clearly requests using AUTH_NONE fit but what
      else?

      Request by nobody and by users root-squashed to nobody are
      probably OK, although you could argue about the case of a user
      "nobody" authenticated by ROCSEC_GSS>

      ON a more contentious note, I would argue that users
      "authenticated" using AUTH_SYS, in the clear, without client-peer
      authentication fit here, but we need to get to consensus on this
      point.

   *  Issues regarding "AUTHENTICATED" will be the mirror image of those
      for "ANONYMOUS".

5.4.9.  Automatic Inheritance Features

   The acl attribute consists only of an array of ACEs, but the sacl
   (Section 5.8) and dacl (Section 5.7) attributes also include an
   additional flag field.

   struct nfsacl41 {
           aclflag4        na41_flag;
           nfsace4         na41_aces<>;
   };

   The flag field applies to the entire sacl or dacl; three flag values
   are defined:

   const ACL4_AUTO_INHERIT         = 0x00000001;
   const ACL4_PROTECTED            = 0x00000002;
   const ACL4_DEFAULTED            = 0x00000004;

   and all other bits must be cleared.  The ACE4_INHERITED_ACE flag may
   be set in the ACEs of the sacl or dacl (whereas it must always be
   cleared in the acl).

   Together these features allow a server to support automatic
   inheritance, which we now explain in more detail.




Noveck                   Expires 12 January 2022               [Page 31]


Internet-Draft               Nfsv4 Security                    July 2021


   Inheritable ACEs are normally inherited by child objects only at the
   time that the child objects are created; later modifications to
   inheritable ACEs do not result in modifications to inherited ACEs on
   descendants.

   However, the dacl and sacl provide an OPTIONAL mechanism that allows
   a client application to propagate changes to inheritable ACEs to an
   entire directory hierarchy.

   A server that supports this feature performs inheritance at object
   creation time in the normal way, and SHOULD set the
   ACE4_INHERITED_ACE flag on any inherited ACEs as they are added to
   the new object.

   A client application such as an ACL editor may then propagate changes
   to inheritable ACEs on a directory by recursively traversing that
   directory's descendants and modifying each ACL encountered to remove
   any ACEs with the ACE4_INHERITED_ACE flag and to replace them by the
   new inheritable ACEs (also with the ACE4_INHERITED_ACE flag set).  It
   uses the existing ACE inheritance flags in the obvious way to decide
   which ACEs to propagate.  (Note that it may encounter further
   inheritable ACEs when descending the directory hierarchy and that
   those will also need to be taken into account when propagating
   inheritable ACEs to further descendants.)

   The reach of this propagation may be limited in two ways: first,
   automatic inheritance is not performed from any directory ACL that
   has the ACL4_AUTO_INHERIT flag cleared; and second, automatic
   inheritance stops wherever an ACL with the ACL4_PROTECTED flag is
   set, preventing modification of that ACL and also (if the ACL is set
   on a directory) of the ACL on any of the object's descendants.

   This propagation is performed independently for the sacl and the dacl
   attributes; thus, the ACL4_AUTO_INHERIT and ACL4_PROTECTED flags may
   be independently set for the sacl and the dacl, and propagation of
   one type of acl may continue down a hierarchy even where propagation
   of the other acl has stopped.

   New objects should be created with a dacl and a sacl that both have
   the ACL4_PROTECTED flag cleared and the ACL4_AUTO_INHERIT flag set to
   the same value as that on, respectively, the sacl or dacl of the
   parent object.

   Both the dacl and sacl attributes are Recommended, and a server may
   support one without supporting the other.






Noveck                   Expires 12 January 2022               [Page 32]


Internet-Draft               Nfsv4 Security                    July 2021


   A server that supports both the old acl attribute and one or both of
   the new dacl or sacl attributes must do so in such a way as to keep
   all three attributes consistent with each other.  Thus, the ACEs
   reported in the acl attribute should be the union of the ACEs
   reported in the dacl and sacl attributes, except that the
   ACE4_INHERITED_ACE flag must be cleared from the ACEs in the acl.
   And of course a client that queries only the acl will be unable to
   determine the values of the sacl or dacl flag fields.

   When a client performs a SETATTR for the acl attribute, the server
   SHOULD set the ACL4_PROTECTED flag to true on both the sacl and the
   dacl.  By using the acl attribute, as opposed to the dacl or sacl
   attributes, the client signals that it may not understand automatic
   inheritance, and thus cannot be trusted to set an ACL for which
   automatic inheritance would make sense.

   When a client application queries an ACL, modifies it, and sets it
   again, it should leave any ACEs marked with ACE4_INHERITED_ACE
   unchanged, in their original order, at the end of the ACL.  If the
   application is unable to do this, it should set the ACL4_PROTECTED
   flag.  This behavior is not enforced by servers, but violations of
   this rule may lead to unexpected results when applications perform
   automatic inheritance.

   If a server also supports the mode attribute, it SHOULD set the mode
   in such a way that leaves inherited ACEs unchanged, in their original
   order, at the end of the ACL.  If it is unable to do so, it SHOULD
   set the ACL4_PROTECTED flag on the file's dacl.

   Finally, in the case where the request that creates a new file or
   directory does not also set permissions for that file or directory,
   and there are also no ACEs to inherit from the parent's directory,
   then the server's choice of ACL for the new object is implementation-
   dependent.  In this case, the server SHOULD set the ACL4_DEFAULTED
   flag on the ACL it chooses for the new object.  An application
   performing automatic inheritance takes the ACL4_DEFAULTED flag as a
   sign that the ACL should be completely replaced by one generated
   using the automatic inheritance rules.

5.5.  Attribute 12: acl

   The acl attribute, as opposed to the sacl and dacl attributes,
   consists only of an ACE array and does not support automatic
   inheritance.







Noveck                   Expires 12 January 2022               [Page 33]


Internet-Draft               Nfsv4 Security                    July 2021


   The acl attribute is recommende and there is no requirement that a
   server support.  However, when the dacl attribute is supported, it is
   a good idea to provide support for the acl attributes as well, in
   order to accommodate clients that have not been upgraded to use the
   dacl attribute.

5.6.  Attribute 13: aclsupport

   A server need not support all of the above ACE types.  This attribute
   indicates which ACE types are supported for the current file system.
   The bitmask constants used to represent the above definitions within
   the aclsupport attribute are as follows:

   const ACL4_SUPPORT_ALLOW_ACL    = 0x00000001;
   const ACL4_SUPPORT_DENY_ACL     = 0x00000002;
   const ACL4_SUPPORT_AUDIT_ACL    = 0x00000004;
   const ACL4_SUPPORT_ALARM_ACL    = 0x00000008;

   Servers that support either the ALLOW or DENY ACE type SHOULD support
   both ALLOW and DENY ACE types.

   [Working group input needed]: What are the valid reasons not do this?

   Clients should not attempt to set an ACE unless the server claims
   support for that ACE type.  If the server receives a request to set
   an ACE that it cannot store, it MUST reject the request with
   NFS4ERR_ATTRNOTSUPP.  If the server receives a request to set an ACE
   that it can store but cannot enforce, the server SHOULD reject the
   request with NFS4ERR_ATTRNOTSUPP.

   [Working group input needed]: I might be mistaken but this might
   contradict material in Section 5.4.1

   Support for any of the ACL attributes is OPTIONAL, although
   Recommended.  However, a server that supports either of the new ACL
   attributes (dacl or sacl) MUST allow use of the new ACL attributes to
   access all of the ACE types that it supports.  In other words, if
   such a server supports ALLOW or DENY ACEs, then it MUST support the
   dacl attribute, and if it supports AUDIT or ALARM ACEs, then it MUST
   support the sacl attribute.

5.7.  V4.1 Attribute 58: dacl

   The dacl attribute is like the acl attribute, but dacl allows only
   ALLOW and DENY ACEs.  The dacl attribute supports automatic
   inheritance (see Section 5.4.9).





Noveck                   Expires 12 January 2022               [Page 34]


Internet-Draft               Nfsv4 Security                    July 2021


5.8.  V4.1 Attribute 59: sacl

   The sacl attribute is like the acl attribute, but sacl allows only
   AUDIT and ALARM ACEs.  The sacl attribute supports automatic
   inheritance (see Section 5.4.9).

6.  Common Considerations for Both File access Models

   [Important structural change to be noted]: This section is derived
   from Section 6.3 of 8881, entitled "Common Methods.  However, its
   content is different because it has been rewritten to deal with
   issues common to both file access models, which now appears to have
   not been the original intention.  Nevertheless, the following changes
   have been made:

   *  The section "Server Considerations" has been revised to deal with
      both the mode and acl attributes, since the points being made
      apply, in almost all cases, to both attributes.

   *  The section "Client Considerations" has been heavily revised,
      since what had been there did not make any sense to me.

   *  The section "Computing a Mode Attribute from an ACL" has been
      moved to Section 7.2.1 since it deals with the co-ordination of
      the posix and acl authorization models.

6.1.  Server Considerations

   The server uses the mode attribute or the acl attibute applying the
   algorithm described in Section 5.4.1 to determine whether an ACL
   allows access to an object.

   However, these attributes might not be the sole determiner of access.
   For example:

   *  In the case of a file system exported as read-only, the server
      will deny write access even though an object's file access
      attributes would grant it.

   *  Server implementations MAY grant ACE4_WRITE_ACL and ACE4_READ_ACL
      permissions to prevent a situation from arising in which there is
      no valid way to ever modify the ACL.

   *  All servers will allow a user the ability to read the data of the
      file when only the execute permission is granted (e.g., if the ACL
      denies the user the ACE4_READ_DATA access and allows the user
      ACE4_EXECUTE, the server will allow the user to read the data of
      the file).



Noveck                   Expires 12 January 2022               [Page 35]


Internet-Draft               Nfsv4 Security                    July 2021


   *  Many servers implement owner-override semantics in which the owner
      of the object is allowed to override accesses that are denied by
      the ACL.  This may be helpful, for example, to allow users
      continued access to open files on which the permissions have
      changed.

   *  Many servers provide for the existence of a "superuser" that has
      privileges beyond an ordinary user.  The superuser may be able to
      read or write data or metadata in ways that would not be permitted
      by the ACL or mode attributes.

   *  A retention attribute might also block access otherwise allowed by
      ACLs (see Section 5.13 of [8]).

6.2.  Client Considerations

   Clients SHOULD NOT do their own access checks based on their
   interpretation of the ACL, but rather use the OPEN and ACCESS
   operations to do access checks.  This allows the client to act on the
   results of having the server determine whether or not access should
   be granted based on its interpretation of the ACL.

   [Working group discussion needed]: With regard to the use of "SHOULD
   NOT" in the paragraph above, it is not clear what might be valid
   reasons to bypass this recommendation.  Perhaps "MUST NOT" or "should
   not" would be more appropriate.

   Clients must be aware of situations in which an object's ACL will
   define a certain access even though the server will not enforce it.
   In general, but especially in these situations, the client needs to
   do its part in the enforcement of access as defined by the ACL.

   [Working group input needed]: Despite what is said later, the only
   such case I know of is the use of READ and EXECUTE where the client,
   but not the server, has any means of distinguishing these.  don't
   know of any others.  If there were, houw could ACESS or OPEN be used
   to verify access?

   To do this, the client MAY send the appropriate ACCESS operation
   prior to servicing the request of the user or application in order to
   determine whether the user or application should be granted the
   access requested.

   For examples in which the ACL may define accesses that the server
   doesn't enforce, see Section 6.1.






Noveck                   Expires 12 January 2022               [Page 36]


Internet-Draft               Nfsv4 Security                    July 2021


   [Working group discussion needed]: The sentence above is clearly
   wrong since that section is about enforcement the server does do.
   Sigh!

7.  Combining Authorization Models

   [To be checked]: The section on computing mode from ACL in RFC3530 is
   quite similar to that in RFC8881.  If they are essentially identical,
   Section 7.2.1 could be moved out of Section 7.2 and apply to all
   minor versions :-).  In addition, there may be additional material
   that could be generalized in this way.

7.1.  Combined Authorization Models for V4.0

   V4.0 servers that support both the mode and acl attributes, like
   servers for other minor versions, have to appropriately co-ordinate
   the values.  Because much of the material in Section 7.2 does not
   apply to v4.0, the server is relatively free about how it does this.
   Nevertheless, that materal is one useful approach and v4.0
   implementers may want to consult it, even though the requirements in
   it do not apply and threcommendations have no normative force.

   One likely source of a need for different treatment is the absence of
   a set_mode_masked attribute in v4.0.

   Clients need to be aware that the v4.1 handling may nor may not be
   adopted by the server and that the client needs to adapt accordingly.

7.2.  Combined Authorization Model for V4.1 and Beyond

   *  On servers that support both the mode and the acl or dacl
      attributes, the server must keep the two consistent with each
      other.  The value of the mode attribute (with the exception of the
      three high-order bits described in Section 5.3.1) must be
      determined entirely by the value of the ACL, so that use of the
      mode is never required for anything other than setting the three
      high-order bits.  See Sections 7.2.4 through 7.2.6 for detailed
      requirements.

   *  When a mode attribute is set on an object, the ACL attributes may
      need to be modified in order to not conflict with the new mode.
      In such cases, it is desirable that the ACL keep as much
      information as possible.  This includes information about
      inheritance, AUDIT and ALARM ACEs, and permissions granted and
      denied that do not conflict with the new mode.






Noveck                   Expires 12 January 2022               [Page 37]


Internet-Draft               Nfsv4 Security                    July 2021


   The server that supports both mode and ACL must take care to
   synchronize the MODE4_*USR, MODE4_*GRP, and MODE4_*OTH bits with the
   ACEs that have respective who fields of "OWNER@", "GROUP@", and
   "EVERYONE@".  This way, the client can see if semantically equivalent
   access permissions exist whether the client asks for the owner,
   owner_group, and mode attributes or for just the ACL.

   In this section, much depends on the method in specified
   Section 7.2.1.  Many requirements refer to this section.  It should
   be noted that the methods have behaviors specified with "SHOULD" and
   that alternate approaches are discussed in Section 7.2.2.  This is
   intentional, to avoid invalidating existing implementations that
   compute the mode according to the withdrawn POSIX ACL draft (1003.1e
   draft 17), rather than by actual permissions on owner, group, and
   other.

   [Working group discussion needed]: Given the mixture of RFC2219
   terms, I think all of them in Section 7 need review.  Further, given
   the effort that has gone into Section 7, to accommodate these
   implementations of a draft that was withdrawn decades ago.  The idea
   of trying to make mode and acl match is undercut when there are
   different valid ways of computing the mode.  There shouldn't be.  To
   specify one way to do this is necessary to accomplish the goal here
   and to do so would not "invalidate" anything.  Rather, it would
   establish, correctly, that such implementations are not
   implementations of the NFSv4 ACL model, but of the withdrawn POSIX
   ACL draft.

7.2.1.  Computing a Mode Attribute from an ACL

   The following method can be used to calculate the MODE4_R*, MODE4_W*,
   and MODE4_X* bits of a mode attribute, based upon an ACL.

   [Working group discussion needed]: "can be used" says essentially "do
   whatever you choose" and would make Section 7 essentially pointless.
   Would prefer "is to be used", "MUST", or "SHOULD" if valid reasons to
   do otherwise can be found.

   First, for each of the special identifiers OWNER@, GROUP@, and
   EVERYONE@, evaluate the ACL in order, considering only ALLOW and DENY
   ACEs for the identifier EVERYONE@ and for the identifier under
   consideration.  The result of the evaluation will be an NFSv4 ACL
   mask showing exactly which bits are permitted to that identifier.

   Then translate the calculated mask for OWNER@, GROUP@, and EVERYONE@
   into mode bits for, respectively, the user, group, and other, as
   follows:




Noveck                   Expires 12 January 2022               [Page 38]


Internet-Draft               Nfsv4 Security                    July 2021


   1.  Set the read bit (MODE4_RUSR, MODE4_RGRP, or MODE4_ROTH) if and
       only if ACE4_READ_DATA is set in the corresponding mask.

   2.  Set the write bit (MODE4_WUSR, MODE4_WGRP, or MODE4_WOTH) if and
       only if ACE4_WRITE_DATA and ACE4_APPEND_DATA are both set in the
       corresponding mask.

   3.  Set the execute bit (MODE4_XUSR, MODE4_XGRP, or MODE4_XOTH), if
       and only if ACE4_EXECUTE is set in the corresponding mask.

7.2.2.  Alternatives in Computing Mode Bits

   Some server implementations also add bits permitted to named users
   and groups to the group bits (MODE4_RGRP, MODE4_WGRP, and
   MODE4_XGRP).

   Implementations are discouraged from doing this, because it has been
   found to cause confusion for users who see members of a file's group
   denied access that the mode bits appear to allow.  (The presence of
   DENY ACEs may also lead to such behavior, but DENY ACEs are expected
   to be more rarely used.)

   [Working group decision needed]; the text does not seem to really
   discourage this practice and makes no reference to the need to
   standardize behavior or any impediement to doing so.  "SHOULD NOT"
   needs to be considered if valid reasons to do otherwise can be found.

   The same user confusion seen when fetching the mode also results if
   setting the mode does not effectively control permissions for the
   owner, group, and other users; this motivates some of the
   requirements that follow.

7.2.3.  Setting Multiple ACL Attributes

   In the case where a server supports the sacl or dacl attribute, in
   addition to the acl attribute, the server MUST fail a request to set
   the acl attribute simultaneously with a dacl or sacl attribute.  The
   error to be given is NFS4ERR_ATTRNOTSUPP.













Noveck                   Expires 12 January 2022               [Page 39]


Internet-Draft               Nfsv4 Security                    July 2021


7.2.4.  Setting Mode and not ACL

   When any of the nine low-order mode bits are subject to change,
   either because the mode attribute was set or because the
   mode_set_masked attribute was set and the mask included one or more
   bits from the nine low-order mode bits, and no ACL attribute is
   explicitly set, the acl and dacl attributes must be modified in
   accordance with the updated value of those bits.  This must happen
   even if the value of the low-order bits is the same after the mode is
   set as before.

   Note that any AUDIT or ALARM ACEs (hence any ACEs in the sacl
   attribute) are unaffected by changes to the mode.

   In cases in which the permissions bits are subject to change, the acl
   and dacl attributes MUST be modified such that the mode computed via
   the method in Section 7.2.1 yields the low-order nine bits (MODE4_R*,
   MODE4_W*, MODE4_X*) of the mode attribute as modified by the
   attribute change.  The ACL attributes SHOULD also be modified such
   that:

   1.  If MODE4_RGRP is not set, entities explicitly listed in the ACL
       other than OWNER@ and EVERYONE@ SHOULD NOT be granted
       ACE4_READ_DATA.

   2.  If MODE4_WGRP is not set, entities explicitly listed in the ACL
       other than OWNER@ and EVERYONE@ SHOULD NOT be granted
       ACE4_WRITE_DATA or ACE4_APPEND_DATA.

   3.  If MODE4_XGRP is not set, entities explicitly listed in the ACL
       other than OWNER@ and EVERYONE@ SHOULD NOT be granted
       ACE4_EXECUTE.

   Access mask bits other than those listed above, appearing in ALLOW
   ACEs, MAY also be disabled.

   Note that ACEs with the flag ACE4_INHERIT_ONLY_ACE set do not affect
   the permissions of the ACL itself, nor do ACEs of the type AUDIT and
   ALARM.  As such, it is desirable to leave these ACEs unmodified when
   modifying the ACL attributes.

   Also note that the requirement may be met by discarding the acl and
   dacl, in favor of an ACL that represents the mode and only the mode.
   This is permitted, but it is preferable for a server to preserve as
   much of the ACL as possible without violating the above requirements.
   Discarding the ACL makes it effectively impossible for a file created
   with a mode attribute to inherit an ACL (see Section 7.2.8).




Noveck                   Expires 12 January 2022               [Page 40]


Internet-Draft               Nfsv4 Security                    July 2021


7.2.5.  Setting ACL and Not Mode

   When setting the acl or dacl and not setting the mode or
   mode_set_masked attributes, the permission bits of the mode need to
   be derived from the ACL.  In this case, the ACL attribute SHOULD be
   set as given.  The nine low-order bits of the mode attribute
   (MODE4_R*, MODE4_W*, MODE4_X*) MUST be modified to match the result
   of the method in Section 7.2.1.  The three high-order bits of the
   mode (MODE4_SUID, MODE4_SGID, MODE4_SVTX) SHOULD remain unchanged.

7.2.6.  Setting Both ACL and Mode

   When setting both the mode (includes use of either the mode attribute
   or the mode_set_masked attribute) and the acl or dacl attributes in
   the same operation, the attributes MUST be applied in this order:
   mode (or mode_set_masked), then ACL.  The mode-related attribute is
   set as given, then the ACL attribute is set as given, possibly
   changing the final mode, as described above in Section 7.2.5.

7.2.7.  Retrieving the Mode and/or ACL Attributes

   Some server implementations may provide for the existence of "objects
   without ACLs", meaning that all permissions are granted and denied
   according to the mode attribute and that no ACL attribute is stored
   for that object.  If an ACL attribute is requested of such a server,
   the server SHOULD return an ACL that does not conflict with the mode;
   that is to say, the ACL returned SHOULD represent the nine low-order
   bits of the mode attribute (MODE4_R*, MODE4_W*, MODE4_X*) as
   described in Section 7.2.1.

   For other server implementations, the ACL attribute is always present
   for every object.  Such servers SHOULD store at least the three high-
   order bits of the mode attribute (MODE4_SUID, MODE4_SGID,
   MODE4_SVTX).  The server SHOULD return a mode attribute if one is
   requested, and the low-order nine bits of the mode (MODE4_R*,
   MODE4_W*, MODE4_X*) MUST match the result of applying the method in
   Section 7.2.1 to the ACL attribute.

7.2.8.  Creating New Objects

   If a server supports any ACL attributes, it may use the ACL
   attributes on the parent directory to compute an initial ACL
   attribute for a newly created object.  This will be referred to as
   the inherited ACL within this section.  The act of adding one or more
   ACEs to the inherited ACL that are based upon ACEs in the parent
   directory's ACL will be referred to as inheriting an ACE within this
   section.




Noveck                   Expires 12 January 2022               [Page 41]


Internet-Draft               Nfsv4 Security                    July 2021


   Implementors should standardize the behavior of CREATE and OPEN
   depending on the presence or absence of the mode and ACL attributes
   by following the directions below:

   1.  If just the mode is given in the call:

       In this case, inheritance SHOULD take place, but the mode MUST be
       applied to the inherited ACL as described in Section 7.2.4,
       thereby modifying the ACL.

   2.  If just the ACL is given in the call:

       In this case, inheritance SHOULD NOT take place, and the ACL as
       defined in the CREATE or OPEN will be set without modification,
       and the mode modified as in Section 7.2.5.

   3.  If both mode and ACL are given in the call:

       In this case, inheritance SHOULD NOT take place, and both
       attributes will be set as described in Section 7.2.6.

   4.  If neither mode nor ACL is given in the call:

       In the case where an object is being created without any initial
       attributes at all, e.g., an OPEN operation with an opentype4 of
       OPEN4_CREATE and a createmode4 of EXCLUSIVE4, inheritance SHOULD
       NOT take place (note that EXCLUSIVE4_1 is a better choice of
       createmode4, since it does permit initial attributes).  Instead,
       the server SHOULD set permissions to deny all access to the newly
       created object.  It is expected that the appropriate client will
       set the desired attributes in a subsequent SETATTR operation, and
       the server SHOULD allow that operation to succeed, regardless of
       what permissions the object is created with.  For example, an
       empty ACL denies all permissions, but the server should allow the
       owner's SETATTR to succeed even though WRITE_ACL is implicitly
       denied.

       In other cases, inheritance SHOULD take place, and no
       modifications to the ACL will happen.  The mode attribute, if
       supported, MUST be as computed in Section 7.2.1, with the
       MODE4_SUID, MODE4_SGID, and MODE4_SVTX bits clear.  If no
       inheritable ACEs exist on the parent directory, the rules for
       creating acl, dacl, or sacl attributes are implementation
       defined.  If either the dacl or sacl attribute is supported, then
       the ACL4_DEFAULTED flag SHOULD be set on the newly created
       attributes.





Noveck                   Expires 12 January 2022               [Page 42]


Internet-Draft               Nfsv4 Security                    July 2021


7.2.9.  Use of Inherited ACL When Creating Objects

   If the object being created is not a directory, the inherited ACL
   SHOULD NOT inherit ACEs from the parent directory ACL unless the
   ACE4_FILE_INHERIT_ACE flag is set.

   If the object being created is a directory, the inherited ACL should
   inherit all inheritable ACEs from the parent directory, that is,
   those that have the ACE4_FILE_INHERIT_ACE or
   ACE4_DIRECTORY_INHERIT_ACE flag set.  If the inheritable ACE has
   ACE4_FILE_INHERIT_ACE set but ACE4_DIRECTORY_INHERIT_ACE is clear,
   the inherited ACE on the newly created directory MUST have the
   ACE4_INHERIT_ONLY_ACE flag set to prevent the directory from being
   affected by ACEs meant for non-directories.

   When a new directory is created, the server MAY split any inherited
   ACE that is both inheritable and effective (in other words, that has
   neither ACE4_INHERIT_ONLY_ACE nor ACE4_NO_PROPAGATE_INHERIT_ACE set),
   into two ACEs, one with no inheritance flags and one with
   ACE4_INHERIT_ONLY_ACE set.  (In the case of a dacl or sacl attribute,
   both of those ACEs SHOULD also have the ACE4_INHERITED_ACE flag set.)
   This makes it simpler to modify the effective permissions on the
   directory without modifying the ACE that is to be inherited to the
   new directory's children.

7.3.  Combined Authorization Models for V4.2

   The v4.1 server implementation requirements described in Section 7.2
   apply to v4.2 as well and v4.2 clients can assume that the server
   follows them.

   V4.2 contains an OPTIONAL extension, defined in [13], which is
   intended to reduce the interference of modes, restricted by the umask
   mechanism, with the acl inheritance mechanism.  The extension allows
   the client to specify the umask separately from the mask attribute.

8.  Labelled NFS Authorization Model

   The labelled NFS feature of NFSv4.2 is designed to support Mandatory
   Access control.

   The attribute sec_label enables an authorization model focused on
   Mandatory Access Control and is described in Section 8.








Noveck                   Expires 12 January 2022               [Page 43]


Internet-Draft               Nfsv4 Security                    July 2021


   Not much can be said about this feature because the specification, in
   the intrest of fexibility has left important features undefined in
   order to alllow future.  As a result, we have something that is a
   framework to allow Mandatory Acces Control rather than one to provide
   it.  In particular,

   *  The sec_label attribute, which provides the objects label has no
      existing specfication.

   *  There is no specfication of the of the format of the subject label
      or way to authenticate them.

   *  As a result, all authorization takes place on the client, and the
      server simply accepts the client's determination.

   This arrangements shares important similarities with AUTH_SYS.  As
   such it makes sense:

   *  To require/recommend that an encrypted connection be used.

   *  To require/recommend that client and server peers mutually
      authenticate as part of connection establishment.

   *  That work be devoted to providing a replacement without the above
      issues.

9.  State Modification Authorization

   Modification of locking and session state data should not be done by
   a client other than the one that created the lock.  For this form of
   authorization, the server needs to identify and authenticate client
   peers rather than client users.

   Such authentication is not directly provided by any RPC
   authentication flavor.  However, RPC-based transport, when sitable
   configured. can provide this authenication.

   NFSv4.1 defines a number of ways to provide appropriate authorization
   facilities.  These will not be discussed in detail her but the
   follwing points should be noted:

   *  NFSv4.1 defines the MACHCRED mechanism which uses the RPCSEC_GSS
      indrastrucure to provide authentication of the clients peer.
      However, this is of no value when AUTH_SYS is being used.

   *  NFSv4.1 also defines the SSV mechanism which uses the RPCSEC_GSS
      infrastructure to enable it to be reliably determined whether two
      different client connections are connected to the same client.  It



Noveck                   Expires 12 January 2022               [Page 44]


Internet-Draft               Nfsv4 Security                    July 2021


      is unclear whether the word "authentication" is appropriate in
      this case.  As with MACHCRED, this is of no value when AUTH_SYS is
      being used.

   *  Because of the lack of support for AUTH_SYS and for NFSv4.0, it is
      quite desirable for clients to use and for servers to require the
      use of client-peer authentication as part of connection
      establishment.

   When unauthenticated clients are allowed, their state is expsed to
   unwanted modification as part of disruptuion or denial-of-service
   attcks.  as a resul the potential burdens of such attacks are felt
   principally by client not to provide such authentication.

10.  Identification and Authentication

   Various objects and subjects need to be identified for a protocol to
   function.  For it to be secure, many of these need to be
   authenticated so that incorrect idenifification is not the basis for
   attacks.

10.1.  Identification vs. Authentication

   It is necessary to be clear about this distinction which has been
   obscured in the past, by the use of the term "RPC Authentification
   Flavor" in connection with situation in which identification without
   authentication occrred or in which there was neither identification
   nor authentication involved.  As a result, we will use the term "RPC
   Flavors" instead

10.2.  Items to be Identified

   Some identifier are not security-relevant and can used be used
   without authentication, given that, in the authorization decision,
   the object acted upon needs only to be properly identified

   *  File names are of this type.

      Unlike the case for some other protocols, confusion of names that
      result frominternationalization issue, while an annoyance are not
      relevant to security.  If the confusion between LATIN CAPITAL
      LETTER O and CYRILLIC CAPITAL LETTER O, results in the wrong file
      being accessed, the mechanisms dscribed in Section 5 prevent in
      appropriate access being granted.







Noveck                   Expires 12 January 2022               [Page 45]


Internet-Draft               Nfsv4 Security                    July 2021


      Despite the above, it is desirable if file names togeter with
      similar are not transferred in the clear as the information
      exposed may give atackers useful information helpful in planning
      and executing atacks.

   *  The case of file handles is similar.

   Identifier that refer to state shared between client and server can
   be the basis of disruption attacks since clients and server
   necessaily assume that neither side will change the state corpus
   without appropriate notice.

   While these identifiers do not need to be authenticated, they are
   associated with higher-level entities for which change of the state
   represented by those entities is subject to peer authentication.

   *  Unexpected closure of stateids or changes in state sequence values
      can disrupt client access as no clients have provision to deal
      with this source of interference.

      While encryption may make it more difficult to execute such
      attacks attackers can often guess stateid's since server generally
      not randomize them.

   *  Similarly, modification to v4.1 session state information can
      result in confusion if an attacker changes the slot sequence by
      assuing spurious requests.  Even if the request is rejected, the
      slot sequence is changed and clients may a difficult time getting
      back in sync with the server.

      While encryption may make it more difficult to execute such
      attacks attackers can often guess slot id's and obtain sessinid's
      since server generally do not randomize them.


   it is necessary that modification of the higher-levell entities be
   restricted to the client that created them.

   *  For v4.0, the relevant entity is the clientid.

   *  for v4.1, the releant entity is the sessionid.

   Identifiers describing the issuer of the request, whether in numeric
   or string form always require authentication.







Noveck                   Expires 12 January 2022               [Page 46]


Internet-Draft               Nfsv4 Security                    July 2021


10.3.  Authentication Provided by specfic RPC Flavors

   Different flavors differ quite consderably, as discussed below;

   *  When AUTH_NONE is used, the user making the request is neither
      authenticated nor identified to the server.

      Also, the server is not authenticated to the client and has no way
      to determine whether the server it is communicating with is an
      imposter.

   *  When AUTH_SYS is used, the user making is the request identified
      but there no authentication of that identification.

      As in the previous case, the server is not authenticated to the
      client and has no way to determine whether the server it is
      communicating with is an imposter.

   *  When RPCSEC_GSS is used, the user making the request is
      authenticated as is the server peer responding.

10.4.  Authentication Provided by the RPC Transport

   Different transports differ quite consderably, as discussed below.
   In contrast to the case of RPC flavors, any authentication happens
   once, at connection establishment, rather than on each RPC request.
   As a result, it is the client and server peers, rather than
   individual users that is authenticated.

   *  For most transports, such as TCP and RPC-over-RDMA version 1,
      there is no provision for peer authentication.

      As a result use of AUTH_SYS together with such transports is
      inherently problematic.

   *  Some transports provide for the possibility of mutual peer
      authentication.

11.  Security of Data in Flight

11.1.  Data Security Provided by the Flavor-associated Services

   The only flavor providing these facilities is RPCSEC_GSS.  When this
   flavor is used, data security can be negotiated between client and
   server as described in Section 12.2.  However, when data security is
   provided at the transport level, as described in Section 11.2, the
   negotiation of privacy and integrity support is unnecessary,




Noveck                   Expires 12 January 2022               [Page 47]


Internet-Draft               Nfsv4 Security                    July 2021


   Other flavors, such as AUTH_SYS and AUTH_NONE have no such data
   security facilities.  When these flavor are used, the only data
   security is provided by the transport.

11.2.  Data Security Provided by the RPC Transport

   Some transports provide data security for all transactions performed
   on them, eliminating the need for that security to be provided or
   negotiated by the selection of particular flavors, mechanism, or
   services.

12.  Security Negotiation

   As previously in NFSv4, we use the term "negotiation" to characterize
   the process of the server providing a set of options and the client
   selecting one.

   The use of SECINFO, possibly with SECINFO_NONAME, remains the primary
   means by which the security parameters are determined.  The addition
   of transports to flavors in providing security has resulted in the
   following changes:

   *  Transport-related security choices are typically decided at
      connection-establishment so there needs to be provision for
      negotiation at this point.

   *  Despite the above, because the choices of flavor and transport
      affect one another, SECINFO has been extended by the addition of
      pseudo-flavors, while retaining the existing XDR, to allow
      negotiation of transport choices and accompanying connection
      establishment options, in addition to selection of flavors and
      accompanying services.  This allows server policies for such
      matters to be different for different portions of the namespace.

12.1.  Flavors and Pseudo-flavors

   The flavor field of the secinfo4 items returned by SECINFO and
   SECINO_NONAME have always allowed pseudo flavors to be included.
   However, previous treatments of these operations have not provided
   information about how responses containing such pseudo-flavors are to
   be interpreted.

   Those pseudo-flavors now provide a means of extending the negotiation
   process so it is capable of providing for the negotiation of the use
   particular RPC transports and security-related options for the
   connections established using those transports.





Noveck                   Expires 12 January 2022               [Page 48]


Internet-Draft               Nfsv4 Security                    July 2021


   The flavors AUTH_NONE, AUTH_SYS and RPCSEC_GSS continue to indicate
   the acceptability of the corresponding method of user authentication,
   user identification, or user non-identification, when used with a
   particular RPC transport.

   The flavor AUTH_TLS, which is not used as part of issuing requests is
   not included in this list and is treated as a connetion-type--
   specifying pseudo-flavor.

   secinfo4s for the flavor RPCSEC_GSS contains additional information
   describing the specific secrity lgorithm to be used and the ancillary
   services to be provided (e.g. integrity, privacy) when these services
   are not provided by the trnsport.

   Such flavors are referred to as "flavor-specifying flavors"

   The classification below organizes the flavors and pseudo-flavors
   used in security negotiation while Section 12.4 describes how the set
   of secinfos in a response can be used by the client to select
   acceptble combinations of security flavor, security mechanism,
   security services, security-related transports, and security-related
   connection chractertics.

   *  The pseudo-flavors designating a security-relevant transport type,
      together with AUTH-TLS, nominally a flavor but used as a pseudo-
      flavor in connection with SECINFO.

      Such pseudo-flavors are referred to as "transport- specifying
      flavors".

   *  The pseudo-flavors designating restrictions on acceptble
      connnection characteristics include XPCH_ENCRYPT, XPCH_PEERAUTH,
      and XPCH_SECURE.

      Such pseudo-flavors are referred to as "transport-restriction
      flavors".

   *  The pseudo-flavors combining a flavor designation together with a
      restriction conerninng the connections it is relevant to include
      AUTHXP_CLIENTPEER, AUTHXP_ENCRYPT, AUTHXP_SECURE.

      Such pseudo-flavors are referred as tranport-hybridized flavors.

   *  The special pseudo-flavors, XPBREAK and XPCURRENT

      Such pseudo-flavors are referred to connection-organizing flavors.





Noveck                   Expires 12 January 2022               [Page 49]


Internet-Draft               Nfsv4 Security                    July 2021


12.2.  Negotiation of Security Flavors and Mechanisms

   For the current connection, this proceeds as it has previously, when
   security-relevant transports were not available.  Flavor entties,
   including those including mechanism information are listed in order
   of server preference and apply, by default, to the current
   connection, which normally is favored by the server.

   When other transport-identifying pseudo-flavors appear before the
   flavor entries, then the server is indicating that these transport
   types, with the server preference following the ordering of the
   entries.  In this case, any flavor entries that follow a transport
   entry specify that flavor is usable with the transport types denoted
   by that transport entry.


12.3.  Negotiation of RPC Transports and Characteristics

   First we define some necessary terminology.

   *  A transport type specifies one of a small set of RPC transport
      types such as TCP or RDMA.  Each such transport type has an
      associated pseudoflavor.  There are also pseudo-flavors that
      specify a set of transport types such as XPT_ALL.

   *  Connection characteristics are designations of security-relevant
      characteristics or sets of characteristics that connections might
      have.

      There are pseudo-flavors associated with connection
      characteristics such as CONCH_CPAUTH, denoting client-peer
      authentication and CONCH_ENCRYPT, denoting the presence of an
      encrypted channel.  The pseudo-flavor CONCH_SECURE denotes the
      presence of peer mutual authentication together with the use of an
      encrypted channel.

   *  The combination of a transport type with a set of connection
      chracteristics is considered a connection type..while many
      connection types are designated by a combination of a flavor
      designating a transport with on designating a set of connection
      chacteristics, ther are pseudo flavor that designate a connection
      type directly.

      For example, the flavor AUTH_TLS is equivalent to XP_TCP combined
      with CONCH_ENCRYPT, while the pseudo-flavor XP_TCP_SECURE
      equivalent to XP_TCP comnined with CONCH_SECURE.





Noveck                   Expires 12 January 2022               [Page 50]


Internet-Draft               Nfsv4 Security                    July 2021


   *  A flavor specification designates a specific flavor, or, in the
      case of RPCSEC_GSS, a flavor combined with additional mechanism
      and service information.

   *  A flavor assigment denote the assiciation of a specfic flavor
      specification with a connection type.

   A secinfo response will designate a set of valid flavor assigments
   with an implied server ordering derived from the order that the
   entries appear in.

   In interpreting the response array the client is to maintain sets of
   designated transport typtes, connection characteristics and
   connection types specfied indidually (i.e. without separately
   specifying transport types and connection characteristics).  When a
   flavor soecfication is encuntered, that flavor is considered valid
   when used with all curently active connection types, defined by the
   unionof the individually specified connection types and the cartesian
   product of the current transport types and current connection types.

   The presumed ordering of these assigments is as follows:

   *  When one of the connection types was specified directly by a
      connection type, the positionof that specification is compared to
      that of either the other individually-specified connection type or
      the earlier of the transport-type specfication and the connection
      characteristics specification.

   *  in other cases, the position of the transport type specifications
      are considered first withe the position of the connection
      characteristics considered if necessary.

   *  If neithe of the above resolve issue, the positionof the flavor
      specification is considered.

   *  The type of the current connection is considered to be specified
      first, implicitly.

   *  There are provisions, described in Section 12.4 to modify this
      ordering, as may be necessary, for example, when the current
      connection, while acceptsble is of lower server preference.

12.4.  Overall Interpretation of SECINFO Response Arrays

   [TBD in -01]






Noveck                   Expires 12 January 2022               [Page 51]


Internet-Draft               Nfsv4 Security                    July 2021


12.5.  SECINFO

   The description in the sub-sections below, while it adheres to the
   XDR appearing [6], [7], [8], [9] and [11].  will supersede the
   descriptions in [7] and [8].

   This is necessary to adapt the security negotiation process to the
   presence of transport-level security services such as encryption and
   peer authentication.

   Sumilar changes are necessary in the parallel SECINFO_NONAME
   operation introduced in NFSv4.1.  These are expected to be done as
   part of the rfc5661bis effort.

12.5.1.  SECINFO ARGUMENTS

   struct SECINFO4args {
           /* CURRENT_FH: directory */
           component4      name;
   };


                                  Figure 1

12.5.2.  SECINFO RESULTS


























Noveck                   Expires 12 January 2022               [Page 52]


Internet-Draft               Nfsv4 Security                    July 2021


   /*
    * From RFC 2203
    */
   enum rpc_gss_svc_t {
           RPC_GSS_SVC_NONE        = 1,
           RPC_GSS_SVC_INTEGRITY   = 2,
           RPC_GSS_SVC_PRIVACY     = 3
   };

   struct rpcsec_gss_info {
           sec_oid4        oid;
           qop4            qop;
           rpc_gss_svc_t   service;
   };

   /* RPCSEC_GSS has a value of '6' - See RFC 2203 */
   union secinfo4 switch (uint32_t flavor) {
    case RPCSEC_GSS:
            rpcsec_gss_info        flavor_info;
    default:
            void;
   };

   typedef secinfo4 SECINFO4resok<>;

   union SECINFO4res switch (nfsstat4 status) {
    case NFS4_OK:
           /* CURRENTFH: consumed */
            SECINFO4resok resok4;
    default:
            void;
   };


                                  Figure 2

12.5.3.  SECINFO DESCRIPTION

   The SECINFO operation is used by the client determine the appropriate
   RPC authentication flavors, security mechanisms and encrypting
   transports to access a specific directory filehandle, file name pair.
   SECINFO should apply the same access approach used for LOOKUP when
   evaluating the name.  In consequence, if the requester does not have
   the appropriate access to LOOKUP the name, then SECINFO will behave
   the same way and return NFS4ERR_ACCESS.






Noveck                   Expires 12 January 2022               [Page 53]


Internet-Draft               Nfsv4 Security                    July 2021


   The result will contain an array that represents the security flavor,
   security mechanisms and transports available, with an order
   corresponding to the server's preferences, the most preferred being
   first in the array.  The client is free to pick whatever security
   flavors, mechanisms and transports it both desires and supports, or
   to pick in the server's preference order the first one it supports.
   The array entries are represented by the secinfo4 structure.  The
   field 'flavor' will contain one of the following sorts of values:

   *  a value of AUTH_NONE, AUTH_SYS (as defined in RFC 5531 [4]).

   *  AUTH_TLS as described in ...

   *  A pseudo-flavor defined in Section 14.2

   *  RPCSEC_GSS (as defined in RFC 2203 [2]).

   *  Any other security flavor or pseudo-flavor registered with IANA.

   For the flavors other than RPCSEC_GSS, no additional security
   information is returned.  For a return value of RPCSEC_GSS, a
   security triple is returned that contains the mechanism object
   identifier (OID, as defined in RFC 2743 [3]), the quality of
   protection (as defined in RFC 2743 [3]), and the service type (as
   defined in RFC 2203 [2]).  It is possible for SECINFO to return
   multiple entries with flavor equal to RPCSEC_GSS with different
   security triple values.

   On success, the current filehandle is consumed, so that, if the
   operation following SECINFO tries to use the current filehandle, that
   operation will fail with the status NFS4ERR_NOFILEHANDLE.

   If the name has a length of zero, or if the name does not obey the
   UTF-8 definition in cirsumstanes in which UTF-8 names are required,
   the error NFS4ERR_INVAL will be returned.

   See Sections 12.2 through 12.4 for additional information on the use
   of SECINFO.

12.5.4.  SECINFO IMPLEMENTATION (general)

   The SECINFO operation is expected to be used by the NFS client when
   the error value of NFS4ERR_WRONGSEC is returned from another NFS
   operation.  This signifies to the client that the server's security
   policy is different from what the client is currently using.  At this
   point, the client is expected to obtain a list of possible security
   flavors and choose what best suits its policies.




Noveck                   Expires 12 January 2022               [Page 54]


Internet-Draft               Nfsv4 Security                    July 2021


12.5.4.1.  SECINFO IMPLEMENTATION (for v4.0)

   [TBD in -01]

12.5.4.2.  SECINFO IMPLEMENTATION (for v4.1 and v4.2)

   As mentioned, the server's security policies will determine when a
   client request receives NFS4ERR_WRONGSEC.

   See Table 14 of [8] for a list of operations that can return
   NFS4ERR_WRONGSEC. in the case of v4.2, there might be extensions
   alloed to return NFS4ERR_WRONGSEC.  In addition, when READDIR returns
   attributes, the rdattr_error (Section 5.8.1.12 of [8]) can contain
   NFS4ERR_WRONGSEC.

   Note that CREATE and REMOVE MUST NOT return NFS4ERR_WRONGSEC.  The
   rationale for CREATE is that unless the target name exists, it cannot
   have a separate security policy from the parent directory, and the
   security policy of the parent was checked when its filehandle was
   injected into the COMPOUND request's operations stream (for similar
   reasons, an OPEN operation that creates the target MUST NOT return
   NFS4ERR_WRONGSEC).  If the target name exists, while it might have a
   separate security policy, that is irrelevant because CREATE MUST
   return NFS4ERR_EXIST.  The rationale for REMOVE is that while that
   target might have a separate security policy, the target is going to
   be removed, and so the security policy of the parent trumps that of
   the object being removed.  RENAME and LINK MAY return
   NFS4ERR_WRONGSEC, but the NFS4ERR_WRONGSEC error applies only to the
   saved filehandle (see Section 2.6.3.1.2 of [8]).  Any
   NFS4ERR_WRONGSEC error on the current filehandle used by LINK and
   RENAME MUST be returned by the PUTFH, PUTPUBFH, PUTROOTFH, or
   RESTOREFH operation that injected the current filehandle.

   With the exception of LINK and RENAME, the set of operations that can
   return NFS4ERR_WRONGSEC represents the point at which the client can
   inject a filehandle into the "current filehandle" at the server.  The
   filehandle is either provided by the client (PUTFH, PUTPUBFH,
   PUTROOTFH), generated as a result of a name-to-filehandle translation
   (LOOKUP and OPEN), or generated from the saved filehandle via
   RESTOREFH.  As oSection 2.6.3.1.1.1 of [8] states, a put filehandle
   operation followed by SAVEFH MUST NOT return NFS4ERR_WRONGSEC.  Thus,
   the RESTOREFH operation, under certain conditions (see
   Section 2.6.3.1.1 of [8]), is permitted to return NFS4ERR_WRONGSEC so
   that security policies can be honored.

   The READDIR operation will not directly return the NFS4ERR_WRONGSEC
   error.  However, if the READDIR request included a request for
   attributes, it is possible that the READDIR request's security triple



Noveck                   Expires 12 January 2022               [Page 55]


Internet-Draft               Nfsv4 Security                    July 2021


   did not match that of a directory entry.  If this is the case and the
   client has requested the rdattr_error attribute, the server will
   return the NFS4ERR_WRONGSEC error in rdattr_error for the entry.

   To resolve an error return of NFS4ERR_WRONGSEC, the client does the
   following:

   *  For LOOKUP and OPEN, the client will use SECINFO with the same
      current filehandle and name as provided in the original LOOKUP or
      OPEN to enumerate the available security triples.

   *  For the rdattr_error, the client will use SECINFO with the same
      current filehandle as provided in the original READDIR.  The name
      passed to SECINFO will be that of the directory entry (as returned
      from READDIR) that had the NFS4ERR_WRONGSEC error in the
      rdattr_error attribute.

   *  For PUTFH, PUTROOTFH, PUTPUBFH, RESTOREFH, LINK, and RENAME, the
      client will use SECINFO_NO_NAME { style =
      SECINFO_STYLE4_CURRENT_FH }. The client will prefix the
      SECINFO_NO_NAME operation with the appropriate PUTFH, PUTPUBFH, or
      PUTROOTFH operation that provides the filehandle originally
      provided by the PUTFH, PUTPUBFH, PUTROOTFH, or RESTOREFH
      operation.

      NOTE: In NFSv4.0, the client was required to use SECINFO, and had
      to reconstruct the parent of the original filehandle and the
      component name of the original filehandle.  The introduction in
      NFSv4.1 of SECINFO_NO_NAME obviates the need for reconstruction.

   *  For LOOKUPP, the client will use SECINFO_NO_NAME { style =
      SECINFO_STYLE4_PARENT } and provide the filehandle that equals the
      filehandle originally provided to LOOKUPP.

12.6.  Future Security Needs

   [To be fleashed out in -01]: This section is basically an outline for
   now, to be filled out laater based on Working Group input,
   particularly from Chuck lever who suggested this section and has
   ideas about many of the items in it.

   *  Security for data-at-rest, most probably based on facilities
      defined within SAN.

   *  Support for content signing.

   *  Revision/extension of labelled NFS to provide true
      interoperability and server-based authorization.



Noveck                   Expires 12 January 2022               [Page 56]


Internet-Draft               Nfsv4 Security                    July 2021


   *  Work to provide more security for RDMA-based transports.  This
      would include the peer authentication infrastructure now being
      developed as part of RPC-over-RDMA version 2.  In addition, there
      is a need for an RPC-based transport that provides for encyption,
      which might be provided in number of ways.

13.  Security Considerations

13.1.  Changes in Security Considerations

   Beyond the needed inclusion of a threat analysis and the fact that
   all minor versions are dealt with together, there are a number of
   substantive changes in the approach to NFSv4 security presented in
   RFCs 7530 and 8881 and that appearing in this document.

   This document will not seek to speculate how the previous treatment,
   now viewed as incorrect, came to be written, approved, and published.
   However, it will, for the benefit of those familiar with the previous
   treatment of these matters, draw attention to the important changes
   listed here.

   *  There is a vastly expanded range of threats being considered as
      described in Section 13.1.1

   *  New facilities available at the RPC transport level can be used to
      deal with security issues, as described in Section 13.1.2

13.1.1.  Wider View of Threats

   Although the absence of a threat analysis in previous treatments
   makes comparison most difficult, the security-related features
   described in previous specifications and the associated discussion in
   their security considerations sections makes it clear that earlier
   specifications took a quite narrow view of threats to be protected
   against.

   One aspect of that narrow view that merits special attention is the
   handling of AUTH_SYS, at that time in the clear, with no client peer
   authentication.

   With regard to specific threats, there is no mention in existing
   security consideration sections of:

   *  Denial-of-service attacks.

   *  Client-impersonation attacks.

   *  Server-impersonation attacks.



Noveck                   Expires 12 January 2022               [Page 57]


Internet-Draft               Nfsv4 Security                    July 2021


   The handling of data security in-flight is even more troubling.

   *  Although there was considerable work in the protocol to allow use
      of encryption to be negotiated when using RPCSEC_GSS.  The
      existing security considerations do not mention the potential need
      for encryption at all.

      It is not clear why this was omitted but it is a pattern that
      cannnot repeated in this document.

   *  The case of negotiation of integrity services is similar and uses
      the same negotiation infrastructure.

      In this case, use of integrity is recommended but not to prevent
      the corruption of user data being read or written.

      The use of integrity services is recommended in connetion with
      issuing SECINFO (and for NFSv4.1, SECINFO_NONAME).  The presence
      of this recommendation in the associated security considerations
      sections has the unfortunate effect of suggesting that the
      protection of user data is of relatively low impotance.

13.1.2.  Transport-layer Security Facilities

   Such transport-level RPC facilitites as RPC-over-TLS provide
   important ways of proving better security for all the NFSv4 minor
   versions.

   In particular:

   *  The presence of encryption by default will deal with security
      issue regarding data-in-flight, for both RPCSEC_GSS and AUTH_SYS.

   *  Peer authentication provided by the server eliminates the
      possibility of a server-impersonation attack, even when using
      AUTH_SYS.

   *  When mutual authentication is part of connection establishment,
      there is a possibility, where an appropriate trust relationship
      exisrts of treating the userid's presented in AUTH_SYS, as
      effectively authenticated, based on the authetication of the
      client peer.

13.1.3.  Compatibility and Maturity Issues

   Given the need to drastically change the NFSv4 security approach from
   that specified previously, it is necessary for us to be mindful of:




Noveck                   Expires 12 January 2022               [Page 58]


Internet-Draft               Nfsv4 Security                    July 2021


   *  The difficulty that might be faced in adapting to the newer
      guidance because the delays involved in designing, developing, and
      testing new transport- level security facilities such as RPC-over-
      TLS.

   *  The difficulty in discarding or substantially modifying previous
      existing deployments and practices, developed on the basis of
      previous normative guidance.

   For these reasons, we will not use the term "MUST NOT" in some
   situations in which the use of that term might have been justified
   earlier.  In such cases, previous guidance together with the passsage
   of time may have created a situation in which the considerations
   mentioned above in this section may be valid reasons to defer, for a
   limited time, correction of the current sitution making the term
   "SHOULD NOT" appropriate, since the difficulties cited would
   constitute a valid reason to not allow what hsd been recommended
   against.

13.1.4.  Discussion of AUTHSYS

   An important change concerns the treatment of AUTH_SYS which is now
   divided into two subcases given the possible availabillity of support
   from the transport layer.

   When such support is not available, AUTH_SYS SHOULD NOT be used,
   since it makes the following attacks quite easy to execute:

   *  The absence of authentication of the server to the client allow
      server impersonation in which an imposter server can obtain data
      to be written by the user and supply corrupted data to read
      requests.

   *  The absence of authentication of the client user to the server
      allow server impersonation in which an imposter client can issue
      requests and have them executed as a user designated by imposter
      client, vitiating the server's authorization policy.

      With no authentication of the client peer, common approaches, such
      as using the source IP address can be easily defeated, allowing
      unauthenticated execution of requests made by the pseudo clients

   *  The absence of any support to protect data-in-flight when AUTH_SYS
      is used result in further serious security weaknesses.







Noveck                   Expires 12 January 2022               [Page 59]


Internet-Draft               Nfsv4 Security                    July 2021


   In connection with the use of the term "SHOULD NOT" above, it is
   understood that the "valid reasons" to use this form of access
   reflect the Compatibility and Maturity Issue discussed above in
   Section 13.1.3 and that it is expected that, over time, these will
   become less applicable.

13.2.  Security Considerations Scope

13.2.1.  Discussion of Potental Classification of Environmets

   [Working group discussion needed]: For now, we will not consider
   different security policies for different sorts of environments.
   This is because of:

   *  Doing so would add considrable complexity to this document.

   *  The additional complexity would undecut our main goal here, which
      is to discuss secure us on the internet, which remain an important
      NFSv4 goal.

   *  The ubiquity of internet acess makes it hard to treat corporate
      network separately from the internet per se.

   *  While small networks might be sufficiently isolated to make it
      reasonable use NFSv4 without serious attention to security issues,
      the complexity of characterizing the necessary isolation makes it
      impractical to deal with such cases in this document.

13.2.2.  Discussion of Environments

   Although the security goal for Nfsv4 has been and remains "secure use
   on the internet", much use of NFSv4 occurs on more restricted IP
   networks with NFS access from outside the owning organization
   prevented by firewalls.

   This security considerations section will not deal separately with
   such environments since the threats that need to be discussed are
   essentially the same, despite the assumption by many that the
   restricted network access would eliminate the possibility of attacks
   originating inside the network by attackers who have some legitimate
   Nfsv4 access within it.

   In organizations of significant size, this sort of assumption of
   trusted access is usually not valid and this document will not deal
   with them explicitly.  In any case, there is little point in doing
   so, since, if everyone can be trusted, there can be no attackers,
   rendering threat analysis superfluous.




Noveck                   Expires 12 January 2022               [Page 60]


Internet-Draft               Nfsv4 Security                    July 2021


   This does not mean that NFSv4 use cannot, as a practical matter, be
   made secure through means outside the scope of this document
   including strict administrative controls on all software running
   within it, frequent polygraph tests, and threats of prosecution.
   However, this document is not prepared to discuss the details of such
   policies, their implementation, or legal issues associated with them
   and treats such matters as out-of-scope.

   Nfsv4 can be used in very restrictive IP network environments where
   outside access is quite restricted and there is sufficient trust to
   allow, for example, every node to have the same root password.  The
   case of a simple network only accessible by a single user is similar.
   In such networks, many thing thats this document says "SHOULD NOT" be
   done are unexceptionable but the responsibility for making that
   determination is one for those creating such networks to take on.
   This document will not deal further with NFSv4 use on such networks.

13.3.  Major New Recommendations

13.3.1.  Recommendations Regarding Security of Data in Flight

   We RECOMMEND that requesters always issue requests with data security
   (i.e. with protection from disclosure or modification in flight)
   whether provided at the RPC request level or by the RPC transport,
   irrespective of the responder's requirements.

   We RECOMMEND that implementers provide servers the ability to
   configure policies in which requests without data security will be
   rejected as having insufficient security.

   We RECOMMEND that servers use such policies over either their entire
   local namespace or for all file systems except those clearly designed
   for the general dissemination of non-sensitive data.

13.3.2.  Recommendations Regarding Client Peer Authentication

   We RECOMMEND that clients provide authentication material whenever a
   connection is established with a server capable of using it to
   provide client peer authentication.

   We RECOMMEND that implementers provide servers the ability to
   configure policies in which attempts to establish connections without
   client peer authentication will be rejected.

   We RECOMMEND that servers adopt such policies whenever requests not
   using RPCSEC_GSS are allowed to be executed.





Noveck                   Expires 12 January 2022               [Page 61]


Internet-Draft               Nfsv4 Security                    July 2021


13.3.3.  Issues Regarding Valid Reasons to Bypass Recommendations

   Clearly, the maturity and compatibility issues mentioned in
   Section 13.1.3 are valid reasons to nypass the above recommenations,
   as loong as thse issues continue to exist.

   [Working group discussion needed}: The question the working group
   needs to address is whether other valid reasons exist.

   [Working group discussion needed}: In particular, some members of the
   group might feel that the performance cost of encrypted transports
   constitutes, in itself, a valid reason to ignore the above
   recommendations.

   [Working group discussion needed}: I cannot agree and feel that
   accepting that as a valid reason would undercut Nfsv4 security
   improvement, and probably would not be acceptable to the security
   directorate.  However, I do want to work out an a generally
   acceptable compromise.  I propose something along the following
   lines:

      The transport-based encryption facilities are designed to be
      compatible with facilities to offload the work of encryption and
      decryption.  When such facilities are not available, at a
      reasonable cost, to NFSv4 servers and clients anticipating heavy
      use of NFSv4, then the lack of such facilities can be considered a
      valid reason to bypass the above recommendations, as long as that
      situation continues.

13.4.  Data Security Threats

   [TBD in -01]

13.5.  Authentication-based threats

13.5.1.  Attacks based on the use of AUTH_SYS

   [TBD in -01]

13.5.2.  Attacks on Name/Userid Mapping Facilities

   [TBD in -01]









Noveck                   Expires 12 January 2022               [Page 62]


Internet-Draft               Nfsv4 Security                    July 2021


13.6.  Disruption and Denial-of-Service Attacks

13.6.1.  Attacks Based on the Disruption of Client-Server Shared State

   [TBD in -01]

13.6.2.  Attacks Based on Forcing the Misuse of Server Resources

   [TBD in -01]

14.  IANA Considerations

   Because of the shift from implementing security-related services only
   in connection with RPCSEC_GSS to one in which transport-level
   security has a prominent role, a number if new values need to be
   assigned.

   These include new authstat values to guide selection of a Transports
   aceptable to both client and server, presented in Section 14.1 and
   new pseudo-flavors to be used in the process of security negotion,
   presented in Section 14.2.

14.1.  New Authstat Values

   The following new authstat values are necessary to enable a server to
   indicte that the server's policy does not allows requests to be made
   on the current connection because of security issues associated with
   the rpc transport.  In the event they are received, the client need
   to establish a new connection.

   *  The value XP_CRYPT indicates that the server will not support
      access using unencrypted connections while the current connection
      is not encrypted.

   *  The value XP_CPAUTH indicates that the server will not support
      access using connections for which the client peer has not
      authenticad itelf as part of connection while the current
      connection has not been set up in that way.

14.2.  New Authentication Pseudo-Flavors

   The following new pseudo-flavors are made available to allow their
   return as part of the response to SECINFO operation described in
   Section 12.5 and for similar operations.

   [TBD in -01]

15.  References



Noveck                   Expires 12 January 2022               [Page 63]


Internet-Draft               Nfsv4 Security                    July 2021


15.1.  Normative References

   [1]        Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [2]        Eisler, M., Chiu, A., and L. Ling, "RPCSEC_GSS Protocol
              Specification", RFC 2203, DOI 10.17487/RFC2203, September
              1997, <https://www.rfc-editor.org/info/rfc2203>.

   [3]        Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743,
              DOI 10.17487/RFC2743, January 2000,
              <https://www.rfc-editor.org/info/rfc2743>.

   [4]        Thurlow, R., "RPC: Remote Procedure Call Protocol
              Specification Version 2", RFC 5531, DOI 10.17487/RFC5531,
              May 2009, <https://www.rfc-editor.org/info/rfc5531>.

   [5]        Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [6]        Haynes, T., Ed. and D. Noveck, Ed., "Network File System
              (NFS) Version 4 Protocol", RFC 7530, DOI 10.17487/RFC7530,
              March 2015, <https://www.rfc-editor.org/info/rfc7530>.

   [7]        Haynes, T., Ed. and D. Noveck, Ed., "Network File System
              (NFS) Version 4 External Data Representation Standard
              (XDR) Description", RFC 7531, DOI 10.17487/RFC7531, March
              2015, <https://www.rfc-editor.org/info/rfc7531>.

   [8]        Noveck, D., Ed. and C. Lever, "Network File System (NFS)
              Version 4 Minor Version 1 Protocol", RFC 8881,
              DOI 10.17487/RFC8881, August 2020,
              <https://www.rfc-editor.org/info/rfc8881>.

   [9]        Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed.,
              "Network File System (NFS) Version 4 Minor Version 1
              External Data Representation Standard (XDR) Description",
              RFC 5662, DOI 10.17487/RFC5662, January 2010,
              <https://www.rfc-editor.org/info/rfc5662>.

   [10]       Haynes, T., "Network File System (NFS) Version 4 Minor
              Version 2 Protocol", RFC 7862, DOI 10.17487/RFC7862,
              November 2016, <https://www.rfc-editor.org/info/rfc7862>.




Noveck                   Expires 12 January 2022               [Page 64]


Internet-Draft               Nfsv4 Security                    July 2021


   [11]       Haynes, T., "Network File System (NFS) Version 4 Minor
              Version 2 External Data Representation Standard (XDR)
              Description", RFC 7863, DOI 10.17487/RFC7863, November
              2016, <https://www.rfc-editor.org/info/rfc7863>.

   [12]       Myklebust, T. and C. Lever, "Towards Remote Procedure Call
              Encryption By Default", Work in Progress, Internet-Draft,
              draft-ietf-nfsv4-rpc-tls-11, 23 November 2020,
              <https://datatracker.ietf.org/doc/html/draft-ietf-nfsv4-
              rpc-tls-11>.

15.2.  Informative References

   [13]       Bensley, S., Thaler, D., Balasubramanian, P., Eggert, L.,
              and G. Judd, "Data Center TCP (DCTCP): TCP Congestion
              Control for Data Centers", RFC 8257, DOI 10.17487/RFC8257,
              October 2017, <https://www.rfc-editor.org/info/rfc8257>.

Appendix A.  Acknowledgments

   The author wishes to thanl tom haynes for his helpful suggestion to
   deal with security for all NFSv4 minor versions in the same document.

   The author wishes to draw people's attention to Nico Williams' remark
   that NFSv4 security was not so bad, except that there was no
   provision for authentication of the client peer.  This perceptive
   remark, which now seems like common sense, did not seem so when made,
   but it has served as a beacon for those putting NFSv4 security on a
   firmer footing.  Our gratitude is appropriate.

   The author wishes to acknowledge the important role of the authors of
   RPC-with-TLS, Chuck Lever and Trond Myklebust, in moving the NFS
   security agenda forward and thank them for all their efforts to
   improve NFS security.

   The author wishes to thank Chuck Lever for his many helpful comments
   about nfsv4 security issues, his explanation of many unclear points,
   and and much important guidance he provided that is reflected in this
   document.

   The author wishes to thank Rick Macklem for his role in clarifying
   possible server policies regarding RPC-over-TLS and bringing possible
   approaches to the attention of the working group.

Author's Address






Noveck                   Expires 12 January 2022               [Page 65]


Internet-Draft               Nfsv4 Security                    July 2021


   David Noveck (editor)
   NetApp
   1601 Trapelo Road, Suite 16
   Waltham, MA 02451
   United States of America

   Phone: +1-781-572-8038
   Email: davenoveck@gmail.com











































Noveck                   Expires 12 January 2022               [Page 66]