Telechat Review of draft-ietf-nfsv4-rfc3530bis-26
review-ietf-nfsv4-rfc3530bis-26-genart-telechat-davies-2013-05-09-00

Request Review of draft-ietf-nfsv4-rfc3530bis
Requested rev. no specific revision (document currently at 35)
Type Telechat Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2013-05-28
Requested 2013-03-28
Draft last updated 2013-05-09
Completed reviews Genart Last Call review of -25 by Martin Thomson (diff)
Genart Telechat review of -26 by Elwyn Davies (diff)
Genart Telechat review of -26 by Elwyn Davies (diff)
Genart Telechat review of -33 by Elwyn Davies (diff)
Genart Last Call review of -34 by Elwyn Davies (diff)
Secdir Last Call review of -25 by Yoav Nir (diff)
Assignment Reviewer Elwyn Davies
State Completed
Review review-ietf-nfsv4-rfc3530bis-26-genart-telechat-davies-2013-05-09
Reviewed rev. 26 (document currently at 35)
Review result Ready
Review completed: 2013-05-09

Review
review-ietf-nfsv4-rfc3530bis-26-genart-telechat-davies-2013-05-09

Title: 

Gen-art additional review of draft-ietf-nfsv4-rfc3530bis-25








    I am another Gen-ART reviewer for this draft. For background on 


    Gen-ART, please see the FAQ at 







<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>

.
    





    Please resolve these comments along with any other Last Call
    comments 


    you may receive. 





    Document: draft-ietf-nfsv4-rfc3530bis-25


    Reviewer: Elwyn Davies


    Review Date: 8 May 2013


    IETF LC End Date: -


    IESG Telechat date: 30 May 2013 





    Summary: 


    This is a mammoth document.  The comments run to 650 lines.  Clearly
    there ae issues in modifying a -bis document given that it has to be
    pretty much compatible with its progenitor  - but that is now going
    on 14 years old. I believe that there are a significant number of
    minor issues to address and parts of the document (despite the
    overall size) need to provide a bit more explanation of what is
    going on.  In particular I think that a little bit more rationale
    over the way in which an NFS server attempts to provide something
    like a common interface to the two big player filesystem types (*ix
    and Windows) [Aside: I am disappointed that it doesn't try to handle
    versioning file systems like the venerable VAX filing system! ;-) ] 
    There are some areas where the addition of named attributes hasn't
    really been properly dealt with AFAICS. One major area that I felt
    ought to have been better addressed in the -bis was
    internationalisation.  As mentioned below, I don't understand why
    additional atrributes couldn't be added to help clients understand
    what the server is doing with internationalisation - the client has
    to do some complex acrobatics which seem close to guesswork to work
    out what is going on in the server.   As ever, I am not an expert in
    NFSv4 (although I used v2 extensively almost 30 years ago...
    arrrgghhh!) so there may well be comments where I don't understand
    the problem.


          


    Major issues:





    Overall section comments:


    s6: AccessControl Attributes


    Combining two different access control paradigms (UNIX-clone mode
    control bitmasks and access control lists) is an uphill struggle and
    provides a deal of complexity in situations where both, either one
    or neither may be specified.  The detailed text deals reasonably
    with the various cases.  There are, in my view, a couple of
    significant problems:


    - The first is essentially editorial:  I would say that rather more
    than basic understanding of UNIX-like file systems is needed.  An
    explanation or at least a suitable reference to explain the use of
    the mode bits in s6.2.2, especially the first three (SUID, SGID,
    SVTX) would help, and a clearer linkage to the explanations of
    owner, group and other sets of users that are distributed in parts
    of the text.


    - The second is more fundamental:  The intended functionality of
    inheritance is not explicitly documented.  To come to any sort of
    understanding of how inheritance is supposed to work you have to
    read through to the next to the last section (s6.4.3).  I have now
    read through the section two or three times and I have a model in my
    mind, but there is no text that would allow me to verify my
    understanding.  I *think* i have understood that (1) inheritance
    only applies when you initially create an object rather than being
    fed through to all 'inferior' objects in the tree if a superior
    object has a heritable ACE added; (2) inheritance only applies if
    you don't explicitly give any ACEs when the object is created, and
    (3) if you give a mode but no ACL then some complex combination of
    inherited ACL and mode is applied.  An upfront explanation of what
    is trying to be achieved would have helped a lot.  However, none of
    this explains what happens with either hard or symbolic links.  It
    is unclear to me whether inheritance of ACLs is applied when
    creating a hard or symbolic link to an existing object.





    s7, Multi-Server Namespace:


    This section is very verbose and contains a number of areas that
    bring in topics that  are actually forward references without
    indicating where the information can be found, particularly in
    relation to various 'change classes'.  Some reordering might help. 
    The whole concept of change classes seems a little odd, because when
    they are finally defined (s7.9.1), it appears that servers are
    rarely in the same class during any of the interesting transitions
    (s7.9.1 says that in most cases they have to be taken as in
    different classes).  Overall, this section contains an awful lot of
    discursive specification relating to servers that may not have any
    coordination which makes it very difficult both from the
    specification and the implementation angles to check that everything
    is working.





    s8, NFS Server namespace:  This is a important section for overall
    understanding and I think it would help to have it much earlier,
    certainly before s7.





    s9, File Locking and Share Reservations:


    Generally very well written, but the treatment of share reservations
    is very skimpy,


    It would also be good to be more 'honest' about the interaction with
    the semantics of the underlying file system as regards locks as
    described in s15.12.





    s10, Clientside Caching:


    Clearly very complex to implement but seems to be well-described.  A
    bit of earlier explanation of the use of CLAIM_PREVIOUS vs
    CLAIM_DELEGATION_PREV in client/server reboots would help.





    s11, Minor Versions:


    No particular issues.





    s12, Internationalisation:


    A minefield.  There seems to be an awful lot of guess work for
    clients trying to decide how the sever behaves.  On reflection, I am
    surprised that several of the things that clients are supposed to
    deduce (e.g., what normalisation the server does) were not supplied
    as attributes of the server.  Is there some good reason for this?  I
    was also surprised that there didn't seem to be a requirement that
    servers working on a particular filesystem all did the same
    internationalisation things.  It appears to me that if a filesystem
    gets migrated the client doesn't have any sort of guarantee that the
    internationalisation behaviour won't change under its feet - and it
    has no easy way to check if this is or is not the case because of
    the lack of attributes.  I have no idea to what extent the
    internationalisation is implemented in current servers.





    s13, Error Codes:


    Generally OK but with a few code value inconsistencies.  I haven't
    checked the cross-consistency of Table 9 and Table 11 or whether the
    sets of error codes per operation are really right - they are just
    too voluminous.





    s14, NFSv4 Requests:


    No problems.





    s15/16, Operations:


    Generally in good shape apart from some issues with the meaning of
    'regular files'.





    s17: Security:


    I have some doubts about the Kerberos algorithms suggested.  Maybe
    should be moving on to better algorithms even if this is a bis.








    =============


    Minor issues: 


    S1.1, bullet 7: Are there issues with backwards compatibility after
    removal of LIPKEY and SPKM-3 completely?





    s1.5.1: Should NFSv4 be using RPCSEC_GSS v2 (RFC 5403) rather than
    v1 (RFC 2203)?





    s.1.5.3.2, para 4, and s5.3: It would be useful to say upfront in
    s1.5.3.2 whether the attribute names are fully internationalized or
    whether this is still an ASCII name.





    s2.1:  This section contains a number of symbolic constants (chiefly
    for opaque element sizes) which have not been defined as yet.  It
    would be highly desirable if these were also defined before this
    section.





    s2.1, utf8val_RECOMMENDED4:  







 String SHOULD be sent UTF-8 





    What else could it be sent as in this type?





    s2.2/s6.2.1:  The type nfsace4 is used in the protocol: Accordingly
    it ought to be defined in s2.2 rather than s6.2.1.





    s2.2.3/s5.8.2.34/s5.8.2.40: It would probably be nicer if the union
    case SET_TO_SERVER_TIME4 were put into the union explicitly.  A note
    about being able to set the access and modify times to either client
    or server time would be appropriate in the two items in s5.8.2.  Are
    there any constraints on the values that can be given when setting
    from the client.. like not moving the time backwards (or is this
    explained later?).





    s3.1, para 1:







 Using the registered port for NFS services
   means the NFS client will not need to use the RPC binding protocols
   as described in [

RFC1833

]; this will allow NFS to transit firewalls.





    I think some explanation of why this will definitively allow NFS to
    transit firewalls is needed. 





    s3.1.1: Presumably the requirement to eschew silent dropping of
    'requests' does not apply if security is being negotiated.  I take
    it 'requests' should be interpreted as  'NFSv4 requests' and
    procedures as defined in s14/15 and this requirement should apply
    only once the secure connection is established.  The word
    'established' might help.





    s3.2: (reprise) Should we be using RPCSEC_GSSv2 (RFC 5203) rather
    than v1?


     


    s3.2.1.1: The Kerberos specifications appear to use rather ancient
    algorithms.  In particular DES, MD5.. should there not be more 
    modern algorithms?  DES and MD5 get a pretty bad press these days. 
    RFC 2623 is also a bit of an antique so I can't say its a modern
    assessment.





    s3.3.1,security poiicy boundaries etc:







 In general, the client will not have to use the SECINFO
   operation except during initial communication with the server or when


   the client crosses policy boundaries at the server.  It is possible
   that the server's policies change during the client's interaction
   therefore forcing the client to negotiate a new security triple.





     The  concept of 'security policy boundary' has not been previously
    discussed in the doc.  How would the client know it had crossed a
    security boundary or that the server had changed the policy under
    its feet? I suppose maybe the next section tells me... but... How
    does this interact with the no silent drop, mostly no retries
    requirement in s3.1.1? or have i to read s15.33.    





    I suspect that some discussion of the interaction of mount points
    and security policy boundaries may be needed at an earlier stage.  I
    suspect that mount points might well be security policy boundaries
    and crossing mount points might interact.  There is nothing in the
    description of mounted_on_fileid (s5.8.2.19).





    s5.6, item lease_time:  I can't find a definition of nfs_lease4 type
    used for this.





    s5.6, item rdattr_error: Just giving 'enum' as the type isn't too
    specific!





    s5.8.2.25:







It is understood that this space may be
   consumed by allocations to other files or directories though there is
   a rule as to which other files or directories.





    Where do I find the rule?





    s5.10, para 1:  







although there are variations that occur additional characters with a
   name including "SMALL" or "CAPITAL" are added in a subsequent version
   of Unicode.





    so... should the client be able to find out which version of Unicode
    the server is working to?





    s6.3.1.2: Is there any interaction between delegation and client
    considerations for ACLs? Do clients holding delegations have to do
    any access checks in the client that would normally be done in the
    server if there was no delegation?  I'm not sure.





    s7.5:







   If a single location entry designates multiple server IP addresses,
   the client cannot assume that these addresses are multiple paths to
   the same server.  In most cases, they will be, but the client MUST
   verify that before acting on that assumption. 





    How is the verification achieved?  I don't see any attributes within
    NFSv4 that would help.





    s7.7.6.1, para 3: 







   If state has not been transferred transparently because the client ID
   is rejected when presented to the new server, the client should fetch
   the value of lease_time on the new (i.e., destination) server, and
   use it for subsequent locking requests.  However, the server must
   respect a grace period of at least as long as the lease_time on the
   source server, in order to ensure that clients have ample time to
   reclaim their lock before potentially conflicting non-reclaimed locks
   are granted.





    How does the destination server know what the lease_time/grace
    period on the source server was? It doesn't know what server the
    client was previously connected to in many cases and so can't ask. 
    Doesn't this amount to saying all servers for a given file system
    should (MUST) be configured with the same lease time in the
    non-transparent transparent case?





    s9.9: This section is a little skimpy.  There are several points
    that probably ought to be clarified:


    - The section explicitly refers to files:  Does it actually apply to
    all filesystem objects?


    - An explicit statement that the 'file_state' is maintained for each
    file(system object)


    - The pseudo-code applies to the OPEN case; different pseudo-code
    (presumably) applies to OPEN_DOWNGRADE.  I *think* I could guess it
    but it would be good to be explicit.


    - Is there any interaction between byte range locks and share
    reservations?  e.g., does a client holding (say) a byte range write
    lock but with no DENY state prevent another client taking out a
    DENY_WRITE  share reservation on the same file?


    - Does the discussion of placing lock state into stable storage
    across server reboot also apply to the share reservation file_state?





    s9.14:  The text in this section addresses topics also covered in
    s7.  This does  not seem desirable as there may be discrepancies
    (see next comment).  It would seem better to merge the text into s7
    and possibly provide a reference back to s7 from s9.  





    s9.14.1:  This section envisages migration of state from one server
    to another where the client already has state on the other server
    using the same client ID.  Merging of the states is suggested. 
    AFAICS this situation is not discussed in s7 which seems a little
    odd.





    s12:  It seems the client has to play '20 questions' with the server
    to find out how it treats internationalized component names.  Some
    of it seems little better than guesswork.  I was wondering why some
    of the server choices are not described using attributes so that the
    client doesn't have to thrash around in the dark.  Also there
    doesn't seem to be any requirement for a filesystem to be treated
    identically after migration. As far as I can see the client can't
    really rely on the internationalisation treatment not changing after
    migration.





    s18.1:  The NFSv4 Named Attribute Definitions registry has already
    been created in exactly the form specified here by RFC 5661
    (NFSv4.1).  This section should be removed and words noting that the
    existing registry is common to all minor versions of NFSv4  should
    be substituted.





    ==================


    Nits/editorial comments:


    General: Review the remaining instances of 'file' and 'files' to
    determine if they should really be 'filesystem objects'.





    General: Consistency between 'file system' and 'filesystem'. 
    'filesystem' is used first in abstract and s1.3 but only File System
    is defined.  I cannot see whether there is any real distinction
    between the usages... but  am open to argument! OTOH there is
    definitely inconsistency: Consider 'fsid' and 'fsid4' - the type
    definition says fsid4 is for a filesystem (s2.2.5) but s5.8.1.9 says
    this is about a 'file system'





    General: The terms 'regular file' and 'named attribute' are not used
    uniformly.  s5.8.1.2 typifies the confusion.  In the first set of
    bullets, NF4REG is defined as 'a regular file' and NF4NAMEDATTR is
    defined as a Named Attribute.  In the last bullet, "is an[sic]
    regular file" is defined as implying either type NF4REG or
    NF4NAMEDATTR.  


    Thus we have the same term used for a set and a superset of the same
    set (maybe when qualified with 'is a').  Consequently, for example
    in s15.25.4,  we have "the READ operation reads data from the
    regular file...".  Presumably this is supposed to cover both NF4REG
    and NF4NAMEDATTR types but one can't be absolutely sure (to be
    pedantic it doesn't explicitly say 'is a regular file' so perhaps it
    should be read as NF4REG only).  OTOH the OPEN operation (s15.18.5)
    has two separate paragraphs for regular files and named attributes. 
    This needs some tidying up.  One could try using 'data object' as an
    unambiguous term for the union of the actual file (NF4REG) class and
    the named attribute class.





    Abstract: s/owes heritage to/builds on the heritage of/  





    s1.1: Expand IDNA acronym.





    s1.2, bullet 5:s/mounted_on_filed/mounted_on_fileid/





    s1.3: Expand acronyms ONCRPC and RPCSEC_GSS (and/or ref to RFC 2203
    or 5403).





    s1.5: s/the reader that is new/the reader who is new/





    s1.5.1, para 2: s/provides the client a method/provides the client
    with a method/





    s1.5.3:  A couple of sentences outlining the presentational scheme
    for filesystem object names (i.e., /a/b/c etc) would be worthwhile
    even if 'we all know what this means'!  This could include defining
    'component name' used later with no introduction.





    s1.5.3.1, et seq: Would it be useful to identify 'persistent' and
    'volatile' as key words: e.g., 'Persistent' and 'Volatile'. 





    s1.5.3.2, para 3: For consistency the 'acl' example should have a
    ref (s6.2.1) earlier in the para.  So s/((Section 6)/(Section
    6.2.1)/ and move one sentence earlier.





    s1.5.5: There should be a discussion of share reservations in this
    section.





    s1.6, definition of Lease: There should be a definition of 'grace
    period' (as per s9.6.2) as there are lots of references to it
    earlier than s9.6.2.





    s1.6, definition of Lock:  There should be a definition of share
    reservation.





    s2.1 et seq:  Whilst the terms 'hard link' and 'symbolic link' are
    pretty commonly known,  they are so fundamental that I think putting
    them in the definitions would be highly desirable.


     


    s2.1, attrlist4:  In line with comment about opaque max sizes,
    should this have a max size? (Might also apply to bitmap4)





    s2.2: It would be useful to have section references to the places
    where the types are used where these are explicitly mentioned.





    s2.2.8 (and s2.1):  I guess that the bit ordering in bitmap4 is
    implicitly derived from the XDR representation, but it would be
    useful  to remind people of what this bit ordering actually is. 





    s2.2.9, atomic element:  With a name like that are there any special
    handling requirements for this element/structure?





    s2.2.10: Note  to self: verify external refs in this section.


     


    s2.2.11, cb_program: It should be explained that the cb_program is
    an RPC program number (had to ferret in s15.35.4 to understand
    this).  BTW this would entail an earlier expansion of RPC acronym.





    s2.2.12:  It would be good to have a definition of NFS4_OPAQUE_LIMIT
    before this section (see earlier comment about s2.1) so that all the
    magic number constants are concentrated in one place.





    s2.2.13:  Arrgh! Now we have two definitions of NFS_OPAQUE_LIMIT
    (fortunately they are the same until they aren't).





    s2.2.14: ARRRGGGHHH! THREE defs.





    s2.2.16, 'other':  And this definition contains the magic number 12
    not as a symbolic constant and with no explanation of why 12 is a
    good value! 





    s3.1, para 2:  







   Where an NFSv4 implementation supports operation over the IP network
   protocol, the supported transports between NFS and IP MUST be among
   the IETF-approved congestion control transport protocols, which
   include TCP and SCTP. 





    I know what is meant, but technically, I don't believe the IETF
    actually has a list marked 'congestion control transport
    protocols'.  A better way of phrasing this might be:


       Where an NFSv4 implementation supports operation over the IP
    network


       protocol, the supported transport layer between NFS and IP MUST
    be an IETF


       standardised transport protocol that is specified to avoid
    network 


       congestion; such  transports include TCP and SCTP.





    [Check whether SCTP is on the IANA well-known acronym list]. 





    Also:


    OLD:


    to use a different IETF-approved congestion control transport
    protocol.


    NEW:


    to use a different IETF standardised transport protocol with
    appropriate congestion control.





    s3.1, para 3: Expand WAN acronym. (I think)





    s3.1, para 4:  Where would I find a justification that DCCP or NORM
    are inadequate?





    s3.1, para 5: s/regardless whether/regardless of whether/





    s3.1, para 6: A rather throwaway comment about avoiding timer sync. 
    Not sure yet how many timers, but it would be good to know which
    ones were critical.  After reding the document I am still not sure. 
    It might almost be worth adding a section that summarizes the set of
    timers used.





    s3.2.1/s3.2.1.1: Check section title capitalization.  (Mostly OK -
    spotted also s6.4.1/s6.4.1.x - possibly)





    s4.2.1: Earlier parts of s4 have been generalised to talk about
    'filesystem objects'.  This section still has filehandles referring
    to 'files'.





    s4.2.3, para at top of p33; s4.3, para 4: Ditto talking about
    'files'.





    s4.3, para 1:  







   If possible, the client SHOULD recover from the receipt of an
   NFS4ERR_FHEXPIRED error. 





    I think this is a 'should' rather than a 'SHOULD'. Its not something
    that the protocol designer has any control over.





    s5 title:  Attributes apply to more than just files. 





    s5, para 4: s/new  OPENATTR operation/OPENATTR operation introduced
    in NFSv4/





    s5.1, last sentence: I think the 'must' is a 'MUST' - the server is
    constrained to send the values if asked (but the client has a choice
    to ask or not).





    s5.2: 







A client MAY ask for the
   set of attributes the server supports and SHOULD NOT request
   attributes the server does not support.





    This should probably be 


       An operation allows the client to determine the set of attributes
    


       that the server supports; a client should not request attributes
    the 


       server does not support.


    Its not something the protocol can do anything about.





    s5.8.1.4:s/may/MAY/





    s5.8.2.10, para 2: Not sure what root path has to do with locations.





    s5.9, para 4:







 Servers that do not provide support for all possible values of the
   owner and owner_group attributes SHOULD return an error
   (NFS4ERR_BADOWNER) when a string is presented that has no
   translation, as the value to be set for a SETATTR of the owner,
   owner_group, or acl attributes.





    What might the server do if it doesn't return NFS4ERR_BADOWNER? I
    would have thought this ought to be  MUST.





    s5.9, para 5:







   The "dns_domain" portion of the owner string is meant to be a DNS
   domain name.  For example, 

user at example.org

.  Servers should accept
   as valid a set of users for at least one domain.  A server may treat
   other domains as having no valid translations.  A more general
   service is provided when a server is capable of accepting users for
   multiple domains, or for all domains, subject to security
   constraints.






    I suspect that the 'should' and 'may' ought to be 'SHOULD' and
    'MAY'.  Arguably the 'should' ought to be a 'MUST' if the server
    recognises owner and owner_group as attributes. i.e., a mandatory to
    implement.





    s5.9, para 6:







In the absence of such a
   configuration, or as a default, the current DNS domain name should be
   the value used for the "dns_domain".





    The term 'current DNS domain' is not very specific. Do you mean the
    DNS domain in which the host resides?  





    s5.9, 1st bullet point on page 50: A reference to (probably) RFC
    5890 is needed to explain U-labels and other IDN stuff is needed
    (probably best in s1.6).





    s5.10: Expand UCS acronym (and add ref to ISO.10646-1.1993).





    s6.1, bullet 3:  An explanation of what is meant by (acl)
    inheritance is needed.





    s6.1, bullet 4, sub-bullet 1:







      *  Setting only the mode attribute should effectively control the
         traditional UNIX-like permissions of read, write, and execute
         on owner, owner_group, and other.






    Does this extend to the interpretation of the x bit as searchability
    on directory objects as per UNIX?  





    s6.1, bullet 5:  Does mode setting affect the inherited ACL
    attributes as well as the those of the object for which the mode is
    set?





    s6.2.1, next to last para: Expand SMB (and/or give reference).





    s6.2.1.1, sentence above table:







   All four but types are permitted in the acl attribute.






    'but' is clearly not the right word but I am not quite sure what
    this trying to say.





    s6.2.1.3.1, ACE4_ADD_SUBDIRECTORY:


    Why is the RENAME operation affected if the object being renamed is
    a file rather than a directory?





    s6.2.1.3.1, ACE4_EXECUTE:  


    Given that directory operation aliases for ACE4_READ_DATA and
    ACE4_WRITE_DATA have been defined, it would seem sensible to define
    an alias for the directory/traverse use case of ACE4_EXECUTE.





    s6.2.1.3.1, ACE4_DELETE_CHILD and ACE4_DELETE:


    s/for information on/for information on how/ 





    s6.2.1.3.1, ACE4_WRITE_ATTRIBUTES - file times modification:


    Can the client find out if the server uses client or server times? I
    didn't see an attribute that tells me which is allowed on the server
    - cansettime only allows the client to find out if it can modify the
    times.  What happens (which error code comes back) if the SETATTR
    has the wrong sort of time spec (e.g., client time when the server
    only supports server times)? As previously mentioned, is the server
    expected to do any sanity checks on supplied client times (maybe not
    allowing - at least - ordinary users to set times backwards from
    previous values.)





    s6.2.1.4: A few words on the effect of inheritance would help and
    and clarify the next two comments.  Points that arise from the
    discussions in s6.2.1.4.1:


    - Is there a time factor in ACEs?  The phrase 'newly created' seems
    to imply that there is.  The document doesn't really explain how it
    is expected that inheritance will be implemented: It could be seen
    as copying the current set of ACEs from the parents up the tree at
    the time an object is created or tracking the ACEs up the tree when
    a access request has to be verified. 


    - Is the inheritance fully recursive down a directory tree?  I guess
    that it is unless the NO_PROPAGATE flag is set.. but what about
    symbolic links?


    - Does the inheritance propagate across mount points?





    Additionally, how does ACE inheritance interact with hard and
    symbolic links?  Does the inheritance attach to the underlying
    object or only to the name path?





    s6.2.1.4.1, ACE4_FILE_INHERIT_ACE:


    Three issues:


    - presumably this implies the ACE is (primarily) inherited by files
    in the directory to which it applies


    - does 'any sub-directory' imply that the inheritance applies
    recursively down the tree?


    - does 'any non-directory file' include symbolic links?





    s6.2.1.4.1, ACE4_DIRECTORY_INHERIT_ACE:


    Three issues:


    - Does 'should be added to each *new* directory created' imply that
    the ACE does not get inherited by sub-directories are already in
    existence when the ACE is applied? Either way it would be good to be
    explicit about the effect.


    - Does this apply recursively down the tree?


    - Would the inheritance apply to symbolic links to directories?





    s6.2.2:


    It would be worth pointing out that the execute permission bits
    imply searchability for directory objects.  This isn't mentioned in
    READDIR... is this something missing?





    s6.2.2:


    Are there restrictions on the mode bits that can be set on named
    attributes and their directories?  Wouldn't make a lot of sense to
    set the x bits on named attributes  (probably), nor the suid and
    svtx bits.





    s6.3.1.2, para 1: s/interpretation the ACL/interpretation of the
    ACL/








    s6.1, last para: Expand DCE/DFS acronyms.





    s6.2: Expand TLS and SPKM acronyms. (IPsec is 'well-known')





    s7.1:







These attributes specify such file system
   instances by specifying a server address target (either as a DNS name
   representing one or more IP addresses or as a literal IP address)
   together with the path of that file system within the associated
   single-server namespace.





    I don't understand 'associated single-server namespace'.  Does this
    mean the aggregated logical file system or something else?  Having
    read further I suspect that this at least needs a forward reference
    to Section 8.





    s7.2 and s7.3:  These sections are very repetitive.  They
    essentially convey the fact that if a file system is absent only
    GETATTR on the absent system and READDIR on a  referring system will
    produce useful answers and only a couple of attributes are valid.





    s7.6:







   A potential problem exists if a client were to allow an open owner to
   have state on multiple filesystems on server, in that it is unclear
   how the sequence numbers associated with open owners are to be dealt
   with, in the event of transparent state migration.  A client can
   avoid such a situation, if it ensures that any use of an open owner
   is confined to a single filesystem.






    This paragraph is not very helpful because the concepts of 'open
    owner', associated state and sequence numbers have not been
    introduced up to this point apart from as cryptic references in type
    definitions.  At worst a forward reference is needed.  It might be
    better to have a brief introduction to the state mechanism under the
    NFSv4 basic concepts section (maybe around s1.5.4).





    Without this introduction I have no idea under what circumstances
    the 'open owner' might have state on multiple file systems - and
    hence what I would have to do to avoid going down this rat hole.





    s7.7, last para:  Would be worthwhile to either substitute 'network
    order' for 'big endian' or add it as an alternative. (It turns out
    that s9.14 uses network order for just this requirement -
    consistency would be good!)





    s7.7.1:







   When a single file system may be accessed at multiple locations,
   either because of an indication of file system identity as reported
   by the fs_locations attribute, the client will, depending on specific
   circumstances as discussed below, either:






    The first 'either' has no corresponding 'or'.


    The second 'either' needs an 'or' at the end of the first bullet.





    s7.7.1, 2nd bullet: s/Accesses/Access/





    s7.7.2, para 3 (and  para 2):







   When there is co-operation in filehandle assignment, the two file
   systems are reported as being in the same handle classes.





    It appears that the term 'handle class' is not defined until s7.9.1
    (like fileid class in the s7.7.3 and various other attribute
    classes).  A forward reference to this section is essential  (or
    maybe better a reordering of the sections).  It would be worth a
    note somewhere in this area that a client needs to ensure that it
    knows the fh_expire_type for any filesystem instance it is
    accessing  in case it get forcibly transitioned, since it can't find
    out post-facto from an absent filesystem.





    s7.7.2, paras 2 and 3:







   When there is no such cooperation in filehandle assignment, the two
   file systems are reported as being in different handle classes.  In
   this case, all filehandles are assumed to expire as part of the file
   system transition.  Note that this behavior does not depend on
   fh_expire_type attribute and depends on the specification of the
   FH4_VOL_MIGRATION bit.

   When there is co-operation in filehandle assignment, the two file
   systems are reported as being in the same handle classes.  In this
   case, persistent filehandles remain valid after the file system
   transition, while volatile filehandles (excluding those that are only
   volatile due to the FH4_VOL_MIGRATION bit) are subject to expiration
   on the target server.






    I do not understand the final parts of these paras where
    FH4_VOL_MIGRATION is mentioned:


    - In para 2, FH4_VOL_MIGRATION is a bit in fh_expire_type, so I fail
    to understand how the behavior can both be independent of
    fh_expire_type and dependent on a bit within it at the same time.


    - In para 3, the wording appears to imply that filehandles with
    FH4_VOL_MIGRATION set will not expire. My  understanding of the
    definition of this bit was that such filehandles would explicitly
    expire on migration.  Accordingly I would have expected that such
    filehandles would have been guaranteed to expire on transition  -
    but maybe this is some difficulty with the meanings of transition
    and migration?





    s7.7.3, last para:







   Note that when consistent fileids do not exist across a transition
   (either because there is no continuity of fileids or because fileid
   is not a supported attribute on one of instances involved), and there
   are no reliable filehandles across a transition event (either because
   there is no filehandle continuity or because the filehandles are
   volatile),





    I don't understand how there can be no filehandle continuity other
    than because the filehandle is volatile.  If a filehandle is not
    volatile, then it is persistent and s4.2.2 appears to indicate that
    any persistent filehandle would be valid across a transition.





    s7.7.5 and s7.7.6, last paras:  s7.9.1 states that distinct server
    instances are always in different change classes. Since there
    doesn't seem to be anyway to check that two instances of a server
    are actually the same when accessed over different connections, the
    consistent change class mentioned in the last para of s7.7.5 and the
    continuity mentioned in the last para of s7.7.6 can never occur in
    practice and would probably be better omitted.





    s7.7.6, para 7: A reference to s9.6.3.4 where the edge conditions
    are described would be desirable.





    s7,7,8:  s7.9.1 says all server instances have different readdir
    classes, so once again the instances will never be deemed
    consistent.





    s7.9:  Copying the fs_location(s)4 structure definitions here
    creates a double maintenance problem.  Better just to reference
    ss2.2.6/2.2.7 where they are defined.





    s8:  Placing this section much earlier in the document would help
    understanding, especially of Section 7.





    s9:  There is a comment in s15.12.5 (para 2) that exactly how locks
    behave depends on the underlying semantics of the exported  file
    system.  It would be worth reproducing that statement here to ensure
    that this section is interpreted in that context. 





    s9, last para:







To support Win32 share reservations it is necessary to atomically
   OPEN or CREATE files.





    Add 'and apply the appropriate locks in the same operation' to the
    end of this sentence.





    s9.1: I think that for the sake of clarity, it would be worth
    explicitly stating that the client has to hold an open before
    applying locks to the same file.





    s9.1:  What happens if you try to acquire a byte range lock on a
    non-file filesystem object?





    s9.1.1, para after struct nfs_client_id4 definition: s/which the
    server has previously recorded the client/which the server has
    previously recorded for the client/.  Also copying the structure
    definition creates a double maintenance problem.  A ref to s2.2.12
    would be better.





    s9.1.3, first sentence:  Question: Should the 'including' list also
    have share reservations or are these included in byte-range locks or
    opens?





    s9.1.3.5: Expand acronym I/O - this isn't on the RFC Editors 'well
    known' list - maybe strangely. 





    s9.1.3.2: NFS4_UINT32_MAX should be in the proposed constants
    section.





    s9.1.3.2, para 2 and s9.1.6, para 1: The two paragraphs have
    conflicting statements about the initial value of seqid for locks
    (s9.1.3.2 => 1, s9.1.6 => server choice) - not that it really
    matters much unless clients check that they always get 1!  Note that
    s9.1.6 does say anything about missing out 0 when wrapping round.





    s9.1.5, para 9 (bottom of page 116): s/ (e.g., another open specify
    denial of READs)/(e.g., another open specifying denial of READs)/





    s9.4:  Changing:


    OLD:


       The server is not


       required to maintain a list of pending blocked locks as it is
    used to


       increase fairness and not correct operation.


    NEW:


       The server is not


       required to maintain a list of pending blocked locks as it is not
    used to


       provide correct operation but only to increase fairness.


    scans more easily.





    s9.6: If I understand correctly, share reservations with a DENY
    reservation are essentially locks that cover the whole file and
    adjust dynamically to cover the entire byte range of the file if it
    changes. Presumably. therefore, the whole discussion of lock
    recovery applies both to byte range locks and share reservation
    implicit locks.  I think it would be worth pointing out that this is
    the case at the beginning of s9.6 (assuming this is indeed the case
    - or alternatively explaining how things differ with share
    reservations).





    s9.8, para 4: In the last sentence s/may not/MUST NOT/. 





    s9.8, para 5: 







The client may accomplish this task by
   issuing an I/O request, either a pending I/O or a zero-length read,
   specifying the stateid associated with the lock in question.





    I am not sure how you 'issue a pending I/O'.  Does this mean
    checking whether there is already a pending I/O request associated
    with this stateid? 





    s10.2, para 6: s/server times its wait/server times out its wait/





    s10.2, para 7: I think the lat two sentences are requiremenst:


    next to last sentence: s/may/MAY/


    last sentence: s/should not/SHOULD NOT/





    s10.2.1, para 9 (last para on p146):  I think that this para is
    referring to the server not the client: s/client/server/





    s10.2.1, para 12 (2nd bullet): Good to have a ref to the Courtesy
    Locks section (s9.6.3.1)





    s10.2.1, para 17:  "s special semantic adjustments" => either
    "special semantic adjustments" or "a special semantic adjustment"





    s10.2.1, para 19:  It might be better to explain about the
    distinction between the CLAIM_xxx attribute to be used after server
    and client restarts that doesn't come till para 24 currently - the
    changeover to CLAIM_PREVIOUS in this para isn't obvious without this
    discussion. 





    s10.2.1, last para, sentence 1: s/Is/is/





    s10.3, 1st bullet: s/and not change/and not the change attribute/
    ... there are a couple of other instances where this might also be
    helpful.





    s10.3, 2nd bullet: s/client OPENS as file/the client OPENS a file/





    s10.3.3:  I need to think a bit more about what mandatory locking
    implies.





    s10.4, para after 2nd set of bullets: should the 'standard stateid'
    be associated with the open-owner rather than the lock-owner as
    currently stated.





    s10.4.3: Should there be some discussion of wrap round in the
    'change' attribute?





    s10.5.1, para 2: s/a complete cached copy  of file/a complete cached
    copy  of the file/,


    s/In other case/In other cases/





    s10.7, para 2:


    OLD:




(regardless whether the file is local file or is being access remotely)


    NEW:




(regardless of whether the file is local file or is being accessed remotely)


    s11, item 8, first sentence: s/implement/inplemented/





    s11, items 9 and 10: Its probably not that important, but would
    OPTIONAL <=> REQURED be allowed - i.e., two 'levels' of change
    rather then the explicit one currently documented.





    s12.1.1, bullet 2: s/in many case/in many cases/





    s12.1.2, para 1: s/important to understand/important to
    understanding/





    s12.1.2: The quoted sections should be attributed to where they come
    from (including section numbers).





    s12.1.2: There seems to be a spurious ACCENT in this para: 







         LATIN SMALL LETTER E, COMBINING MACRON, ACCENT, COMBINING ACUTE
         ACCENT (U+0xxx, U+0304, U+0301)






    s12.1.2 (Maybe expand IDNA again - its 180 pages since it was last
    expanded).





    s12.2.3, para just after Table 5: s/or it in may/or it may/





    s12.3: (maybe expand UCS again since it is 130 pages since previous
    occurrence).





    s12.7, 2nd bullet: s/lintext4/linktext4/;  also the term 'link text'
    hasn't been properly defined.





    s12.7.1.5.1: Need to expand NFC and NFD and provide a reference.





    s12.7.1.5.2, para 8, last sentence: s/it should generally mapped/it
    should generally be mapped/





    s12.7.3, bullet 4: Should 'converting a user to group to an internal
    id' be 'converting a user or group to an internal id'?





    s13.1.1.7: s/fit/fitted/





    s13.1.2.1 s/file handle/filehandle/





    s13.1.2.7: should refer to filesystem object rather than file.





    s13.1.4.2: Value of NFS4ERR_DQUOT is 19 here but 69 in table 8





    s13.1.4.3/4/5/7: should refer to filesystem object rather than file.





    s13.1.4.8: Does this apply to any filesystem object rather than just
    file or directory?





    s13,1.4.11: Value of NFS4ERR_NXIO is 5 here but 6 in table 8 (and
    value 5 is already used for NFS4ERR_IO).





    s13.1.5.2: Value of NFS4ERR_BAD_STATEID is 10026 here but 10025 in
    table 8 (and value 10026 is already used for NFS4ERR_BAD_SEQID).





    s13.1.5.2, bullet 1: should refer to filesystem object rather than
    file.





    s13.1.7: s/When the strings are not are of length zero./When the
    strings are not of length zero./





    s13.2-13.4: I didn't check these tables.  Table 11 can be checked
    automatically if it is thought worthwhile by inverting tables 9 and
    10.





    s14.2: Might be worth stating that COMPOUND doesn't represent a
    'transaction', as is expressed in para 3.





    s14.2, para 4:  The operation descriptions explicitly mention what
    happens to the current filehandle after operations.  Nothing is said
    about the stability of the saved filehandle.  Can this be assumed to
    be preserved in all cases whether the operation succeeds or fails? 
    I guess it would also be useful to explicitly state that there are
    no guarantees about the contents of the current filehandle after an
    operation unless explicitly stated (i.e., after most errors you
    ought to reload the current filehandle).





    s14.3, para 1: s/UNSTABLE/UNSTABLE4/





    s15.2.5, para 2: I am not sure how you *could* mix operations - I
    was under the impression that the COMPOUND is submitted in the
    context of a particular client ID and the current/saved filehandles
    are tied to the client ID/connection. The client ID can't be changed
    in a single compound statement so this seems a spurious statement. 
    Presumably if stateid's etc are used on the wrong client ID the
    server will object. See also s15.18.6.





    s15.3.4: Presumably the access permissions generally apply to named
    attributes.  Currently it only talks about files and directories.





    s15.3.5, para 2, sentence 3: s/which will result/which might
    result/?





    s15.3.5, para 4: I found the following confusing:







   The client should use the effective credentials of the user to build
   the authentication information in the ACCESS request used to
   determine access rights.





    I am not sure where there is any authentication info (explicitly)
    "in the ACCESS request" - the parameter is just the requested access
    mask.  Where is the auth info?





    s15.9.4:


    OLD:







The server returns an attribute bitmap that
   indicates the attribute values for which it was able to return,








    NEW:







The server returns an attribute bitmap that
   indicates the attributes for which it was able to return values,








    s15.9.5, last sentence: s/returned if while a delegation/returned if
    [or while] a delegation/





    s15.11.4:  This section refers explicitly to files.  Is it ever
    possible to make hard links to:


    - directories?


    - named attributes?


    - device and other special types of 'file'?


    It would be good to be explicit.





    s15.12.4, para 2:







 To lock the file from a specific offset
   through the end-of-file (no matter how long the file actually is) use
   a length field with all bits set to 1 (one).





    Is the end offset fixed at the value given by the length of the file
    at the time of applying the lock, or does this byte range vary as
    the length of the file changes?


    What happens if the length of the file gets to be less than the
    start offset, or indeed is currently less than the length of the
    file?


    Actually that is a more general question: Is any special treatment
    needed for locks that are outside the current length of the file? 
    Does the server make any checks on whether a lock is within the
    current length of the file when applied - or automatically delete
    locks off the end of a file.. probably not but would be good to be
    explicit. 





    s15.14.5, para 1:










In all of
   these cases, allowed by POSIX locking [

fcntl

] semantics, a client
   receiving this error, should if it desires support for such
   operations, simulate the operation using LOCKU on ranges
   corresponding to locks it actually holds, possibly followed by LOCK
   requests for the sub-ranges not being unlocked.








    Shouldn't the client apply the sub-range locks before unlocking? 
    Otherwise there is a potential race condition and some other client
    could get in a lock between the unlock and the relock. [After a bit
    of background reading I understand that this rather silly
    arrangement is 'the way it is done'





    s15.16.4/5:  What happens when you apply LOOKUPP to the 'hidden'
    named attributes directory?  Do you get NFS4ERR_NOENT or the
    filehandle of the object that owns the named attributes (inverting
    OPENATTR)?  s15.16.4 only talks about the root of the server's file
    tree. 





    s15.18.6: Do SHARES work on named attributes?  Just checking...





    s15.20.5, para3, sentence 1:  "Servers must not require..." I think
    this is a 'MUST NOT'.





    s15.23.5: Acronm SNEGO needs an expansion and a reference (RFC
    2478?)





    s15.25.4, para 4: If the OPEN didn't use locks or share reservations
    and there is no delegation, is the stateid in the READ request the
    'basic' OPEN stateid returned with all OPENs? It doesn't explicitly
    say this.  (also relevant to WRITE operation - s15.38.4, para 3).





    s15.25.5, para 1:


    OLD:







 It
   is possible that the server reduce the transfer size and so return a
   short read result.  Server resource exhaustion may also occur in a
   short read.





    NEW:







 It
   is possible that the server reduces the transfer size and so returns a
   short read result.  Server resource exhaustion may also result in a
   short read.








    s15.28.4: The specification says nothing about the semantics of
    sub-directory removal.  NFSv3 says that 'some servers won't allow
    removal of non-empty directories'.  What is the story for NFSv4?  Is
    there any standardised strategy for dealing with 'orphaned'
    resources in sub-directories if the server does allow a non-empty
    sub-directory to be deleted?





    s15.29.4, para 5:  It would be clearer to say that the operation
    will fail if the saved and current file handles refer to named
    attribute directories attached to different filesystem objects.





    s15.30.5, para 1 , last sentence: s/such that is could/such that it
    could/





    s15.33.5, para 2:







The filehandle is either provided by the client (PUTFH,
   PUTPUBFH, PUTROOTFH) or generated as a result of a name to filehandle
   translation (LOOKUP and OPEN).





    Aren't the PUTxxx filehandles supplied by the server?





    s15.38.4:  Does all the discussion of writing to stable storage
    apply when writing to a named attribute?





    s15.38.5, para next to next to last:







   Some implementations may return NFS4ERR_NOSPC instead of
   NFS4ERR_DQUOT when a user's quota is exceeded.  In the case that the
   current filehandle is a directory, the server will return
   NFS4ERR_ISDIR.  If the current filehandle is not a regular file or a
   directory, the server will return NFS4ERR_INVAL.






     I am not sure what circumstances the last sentence is referring
    to.  One interpretation would be that WRITE is not allowed at all
    for special files.  I guess this is not what is intended - please
    clarify.