Last Call Review of draft-ietf-nfsv4-rpcsec-gssv3-13

Request Review of draft-ietf-nfsv4-rpcsec-gssv3
Requested rev. no specific revision (document currently at 17)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2016-01-05
Requested 2015-11-29
Authors Andy Adamson, Nicolás Williams
Draft last updated 2016-01-11
Completed reviews Genart Last Call review of -13 by Elwyn Davies (diff)
Genart Telechat review of -15 by Elwyn Davies (diff)
Secdir Telechat review of -14 by Radia Perlman (diff)
Opsdir Last Call review of -13 by Victor Kuarsingh (diff)
Assignment Reviewer Victor Kuarsingh 
State Completed
Review review-ietf-nfsv4-rpcsec-gssv3-13-opsdir-lc-kuarsingh-2016-01-11
Reviewed rev. 13 (document currently at 17)
Review result Has Issues
Review completed: 2016-01-11


Dear Authors,

I have reviewed this document as part of the Operational directorate's 

ongoing effort to review all IETF documents being processed by the 

IESG.  These comments were written with the intent of improving the 

operational aspects of the IETF drafts. Comments that are not addressed 

in last call may be included in AD reviews during the IESG review.  

Document editors and WG chairs should treat these comments just like any 

other last call comments.

Document Reviewed - Remote Procedure Call (RPC) Security Version 3

Link to Document -


This document specifies version 3 of the RPC Security protocol 

(RPCSEC_GSS).  The updated specification provides support for new 

functionality beyond RPCSEC_GSS Version 2 and 1.  This specification is 

a superset of the previous specifications.

Key additions which are included in RPCSEC_GSSv3 include: 

multi-principal authentication (client host to user principals on 

server), security label assertions for multi-level enforcement, 

structure privilege assertions and updated channel binding function.

General Comments and Feedback:

The document is well matured within the WG and had gone through a number 

of revisions.  Document progress over the last year has been minimal 

(minor changes based on review of previous versions and WG list 

discussion) and appears to be mature.

In reviewing operational considerations, there was a small Operational 

Recommendations for Deployment section, but much of the discussion 

around operational components to the updated spec is captured within the 

text (e.g. interactions with previous versions of RPCSEC_GSS) and covers 

aspects of how this updated specification would operate/inter-operate 

within existing implementations.

There are currently only minor feedback points (covered below in Textual 

Review) with a couple of comments and a question to the authors.  There 

are not apparent issues from this review which would prevent it from 

review by the IESG.  The updates appear clear, well documented and the 

update is inline with how previous updates (RPCSEC_GSSv2) were documented.

Textual Review, questions and feedback:

Section 1: Introduction and Motivation

No Updates / Items of Note

Section 1.1: Added Functionality

<< Minor NIT >>.  NO changed is absolutely needed here, it’s just being 

noted for document consistency.  The list order for how the target 

responds to unsupported items (e.g. multi-principal, auth, channel 

bindings, label assertions and structure privileges) is in a different 

order then the list higher up when highlighting the added functionality.

For consistently, perhaps the second list can be re-ordered to match the 

order of the first list (which was listed as - Security Labels, 

Structured Privileges, Multi-Principal Authentication and Channel Binding.

Section 1.2: XDR Code Extraction

No Updates / Items of Note

Section 2: The PRCSEC_GSSv3 Protocol

** Should authors noted that an implementer needs to read/understand 

RPCSEC_GSSv2 in addition to RPCSEC_GSSv3 - this is implied by text in 

this section, but perhaps it can be specifically noted ***

Section 2.1: Compatibility with RPCSEC_GSSv2

No Updates / Items of Note

Section 2.2: Version Negotiation

No Updates / Items of Note

Section 2.3: Net REPLAY Verifier

No Updates / Items of Note.  Appears previous WG feedback taken care of 

with pre-version 10 of draft.

Section 2.4: XDR Code Preliminaries

No Updates / Quick review of code fragment appears consistent / good

Section 2.5: RPCSEC_GSS_BIND_CHANNEL Operation

No Updates / Items of Note.

Section 2.6: New auth_stat Values

No Updates / Items of Note.

Section 2.7: New Control Procedures

<< Small Text Error>>

<old text> “As in RPCSEC_GSS version 1 and version 2, the RPCSEC_GSSv 

version 3”

<Suggestion> remove extra “v” after GSS

Section 2.7.1: New Control Procedure - RPCSEC_GSS_CREATE

<<Second Paragraph>>

<old text> “… and are REQUIRED be enumerated in the same order as they 

appeared in the ..”

<new text> “.. and are REQUIRED to be enumerated in the same order as 

they appeared in the .. “

Section Multi-principal Authentication

No Updates / Items of Note.

Section Channel Binding

No Updates / Items of Note.

Section Label Assertions

<< Update reference >> for NFSv4.2 to Draft version 39 (sept/15) vs. 29 


Section Structured Privilege Assertions

<<Text nit>> Paragraph 3.

<old text> “If a server receives a structured privilege assertion that 

it does not recognize the assertion is..”

<new text>” If a server receives a structured privilege assertion that 

it does not recognize, the assertion is…” (add comma)

Section 2.7.2: New Control Procedure - PRCSEC_GSS_LIST

No Updates / Items of Note.

Section 2.8: Extensibility

No Updates / Items of Note.

Section 3: Operational Recommendations for Deployment

<< Question >>

- the paragraph states that RPCSEC_GSSv3 can be used “where RPCSEC_GSSv1 

or RPCSEC_GSSv2 is used”.  Would a more accurate statement not be that 

GSSv3 can be used in which GSSv2 is used, or where GSSv1 is used and 

channel bindings functionality is not needed/required?

Section 4: Security Considerations

Well written and informative.  No additional comments.