Last Call Review of draft-ietf-nfsv4-multi-domain-fs-reqs-08
review-ietf-nfsv4-multi-domain-fs-reqs-08-secdir-lc-housley-2016-06-30-00

Request Review of draft-ietf-nfsv4-multi-domain-fs-reqs
Requested rev. no specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-07-06
Requested 2016-06-23
Draft last updated 2016-06-30
Completed reviews Genart Last Call review of -08 by Brian Carpenter (diff)
Genart Telechat review of -09 by Brian Carpenter (diff)
Secdir Last Call review of -08 by Russ Housley (diff)
Secdir Telechat review of -09 by Russ Housley (diff)
Assignment Reviewer Russ Housley
State Completed
Review review-ietf-nfsv4-multi-domain-fs-reqs-08-secdir-lc-housley-2016-06-30
Reviewed rev. 08 (document currently at 11)
Review result Not Ready
Review completed: 2016-06-30

Review
review-ietf-nfsv4-multi-domain-fs-reqs-08-secdir-lc-housley-2016-06-30

I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Version reviewed: draft-ietf-nfsv4-multi-domain-fs-reqs-08


Summary: Not Ready


Major Concerns:

The whole document needs an editing pass.  In many places it talks about
issues.  To be consistent with the title of the document, it should be
talking about guidance or deployment alternatives.

The Abstract does not reflect the content of the document.  Please
rewrite the Abstract.  Some things that I believe belong in the Abstract
include:

 - This document provide guidance on the deployment of the NFSv4
   protocols in environments with multiple NFSv4 domains.
 - The server must offer a multi-domain-capable file system and support
   RPCSEC_GSS for user authentication.
 - The server must also support identity mapping.


I did not find the Introduction helpful.  I really needed to read the
whole document to get a feeling to the guidance that it contains.  The
reader needs some background that is not directly explained in the 
Introduction.  I suggest some topics that should be covered in the
Introduction:

 - Point to NFSv4 specifications
 - Users and Groups are named with the name@domain syntax
 - Explain the difference between an NFS domain and NFSv4 domain
 - This document provides guidance on deploying servers that support
   multiple NFSv4 domains
 - Features that the NFSv4 server must implementation to work in this
   environment


I think it might also be useful to explain some other concepts toward
the front of the document, but I am not sure if they belong in the
Introduction or the Terminology section:

 - Stand-alone NFSv4 domain
 - Federated File System (FedFS)


In Section 1, it says:

   Multi-domain deployments require support for global identities in
   name services and security services, and file systems capable of the
   on-disk representation of identities belonging to multiple NFSv4
   domains.

I do not think that "global" is the right term here.  The identities
clearly need to be unique across all of the NFSv4 domains involved, but
this may not mean global uniqueness.


In Section 4, please provide a pointers for AUTH_NONE, AUTH_SYS,
and RPCSEC_GSS.


In section 5.2, it says:

   The AUTH_NONE security flavor can be useful in a multi-domain
   deployment to grant universal access to public data without any
   credentials.

I assume this is read-only access.  If my assumption is correct,
please expand this paragraph to cover this point.


In Section 8, it says:

   ...  We don't
   treat them fully here, but implementors should study the protocols in
   question to get a more complete set of security considerations.

Does the first paragraph os Section 8 include all of the references
that are relevant.  If so, then I do not understand the point of this
sentence.  If not, then please expand the first paragraph of Section 8
to cover all of the places that an implementer needs to look.


Minor Concerns:

The first sentence of the introduction says:

   An NFSv4 domain is defined as a set of users and groups named by a
   particular domain using the NFSv4 name@domain syntax.

Please define "domain" without using that word in the definition.


In Section 8, it says:

   ... Even when not using labeled
   security, since there could be many realms (credential issuer) for a
   given server, it's important to verify that the server a client is
   talking to has a credential for the name the client has for the
   server, and that that credential's issuer (i.e., its realm) is
   allowed to issue it.  

I cannot figure this out.  First, it has nothing to do with security
labels, so it might deserve a paragraph of its own.  Second, maybe the
point can be made more directly, perhaps something that begins: "When
the server accepts user credential from more than one realm, then the
server must verify that ... and ...".  Third, the points in the last
paragraph of Section 8 should be made before this one.


Nits:

Please pick one spelling and use it throughout the document:
   - unix or UNIX
   - uid or UID
   - gid or GID
   - AUTH_NONE or AUTH_NULL


In Section 2, it says:

      Stringified UID or GID: NFSv4 owner and group strings that consist
      of decimal numeric values with no leading zeros, and which do not
      contain an '@' sign.  See Section 5.9 "Interpreting owner and
      owner_group" [RFC5661].

Please reword the last sentence so that it is clear that this is a
pointer to Section 5.9 of RFC 5661.