Telechat Review of draft-ietf-nfsv4-rpcsec-gssv3-15
review-ietf-nfsv4-rpcsec-gssv3-15-genart-telechat-davies-2016-01-22-00
| Request | Review of | draft-ietf-nfsv4-rpcsec-gssv3 |
|---|---|---|
| Requested revision | No specific revision (document currently at 17) | |
| Type | Telechat Review | |
| Team | General Area Review Team (Gen-ART) (genart) | |
| Deadline | 2016-01-19 | |
| Requested | 2016-01-07 | |
| Authors | Andy Adamson , Nicolás Williams | |
| I-D last updated | 2016-01-22 | |
| Completed reviews |
Genart Last Call review of -13
by Elwyn B. Davies
(diff)
Genart Telechat review of -15 by Elwyn B. Davies (diff) Secdir Telechat review of -14 by Radia Perlman (diff) Opsdir Last Call review of -13 by Victor Kuarsingh (diff) |
|
| Assignment | Reviewer | Elwyn B. Davies |
| State | Completed | |
| Request | Telechat review on draft-ietf-nfsv4-rpcsec-gssv3 by General Area Review Team (Gen-ART) Assigned | |
| Reviewed revision | 15 (document currently at 17) | |
| Result | Ready | |
| Completed | 2016-01-22 |
review-ietf-nfsv4-rpcsec-gssv3-15-genart-telechat-davies-2016-01-22-00
I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please wait for direction from your document shepherd or AD before posting a new version of the draft. For more information, please see the FAQ at < http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. Document: draft-ietf-nfsv4-rpcsec-gssv3-15.txt Reviewer: Elwyn Davies Review Date: 2016/01/16 IETF LC End Date: 2015/12/09 IESG Telechat date: 2016/01/21 Summary: Almost ready. Thank you for addressing my comments from the last call review. For the record there are a couple of other points that have been raised elsewhere that need to be addressed. Major issues: s2.7.1/s4: There is a security issue with RPCSEC_GSS_CREATE when multi-principal authentication is required. See mail [1] below. This may have a (minor) knock-on effect of the NFSv4.2 specification where this is used; as currently specified (draft-ietf-nfsv4-minorversion2-40) use of privacy is already mandated for at least some of the relevant uses of RPCSEC_GSS_CREATE in NFSv4.2 which will mitigate the problem. I have raised this issue in the Telechat review of the NFSv4.2 draft to ensure that privacy is mandated in *all* relevant cases - and to ensure changes are coordinated. Minor issues: s2.7.1.4: Some refinement of the constraints on the rp_name string marked as 'human readable' would be desirable. Nits/editorial comments: None ======================================== [1] > From: Nico Williams <nico at cryptonector.com> > Subject: Re: rpcsec-gssv3 > Date: January 11, 2016 at 8:01:52 PM EST > To: Benjamin Kaduk <kaduk at mit.edu> > Cc: Stephen Farrell <stephen.farrell at cs.tcd.ie>, "sec-ads at ietf.org" <sec-ads at ietf.org>, Spencer Dawkins <spencerdawkins.ietf at gmail.com>, Martin Stiemerling <mls.ietf at gmail.com>, "Adamson, Andy" <William.Adamson at netapp.com> > > On Thu, Jan 07, 2016 at 02:14:01PM -0600, Nico Williams wrote: >> Ok, thanks. I'll post a write up this Saturday. > > Or on Monday. > > OK, so, a while back Ben Kaduk noticed that there is a security problem > with the RPCSEC_GSS_CREATE procedure with multi-principal > authentication. > > The attack varies from easy to difficult to mount depending on whether > the server implements a global or per-connection GSS context handle > namespace, and whether it assigns them in a way that the attacker can > get a specific context handle number assigned to it. > > There are two fixes, the simplest of which is to require that the > RPCSEC_GSS_CREATE procedure be called with privacy protection when using > the multi-principal authentication feature. > > To recap how the RPCSEC_GSS_CREATE procedure with multi-principal > authentication feature works, the client first makes a MIC token with a > GSS context that authenticates the user to the server, then it it uses > that MIC in the payload of the RPCSEC_GSS_CREATE procedure. The > RPCSEC_GSS_CREATE procedure is itself protected with a GSS context that > authenticates the client. > > The problem is that the data that the user GSS context MICs is > insufficiently strong a statement of intent because it only identifies > the client host GSS context by its RPCSEC_GSS context handle ID and > nothing more. An attacker that can intercept an RPCSEC_GSS_CREATE > procedure and cause the RPCSEC_GSS context handle to get re-assigned > will be able to steal the victim's identity. > > There are a number of solid fixes that fall into two classes: > > 1) Add to the data that the user context MICs in order to improve the > quality of the statement of intent. > > E.g., add the client host principal's name. Or add a MIC made with > the client host's GSS context. > > 2) Make it so the attacker cannot steal the MIC made with the user GSS > context. > > E.g., use privacy protection for the RPCSEC_GSS_CREATE procedure, > thus the MIC made with the user GSS context cannot be obtained by the > attacker without having the client host's or server's credentials. > Stephen proposed this. > > (The OpenAFS rxgk protocol uses GSS_Pseudo_random() [RFC4401] to > similar effect.) > > At this stage the simplest thing to do is to require that clients always > use privacy protection for the RPCSEC_GSS_CREATE procedure. Note > that there is nothing that the server can do to prevent this attack if > clients don't use privacy protection for this, but the server should > still reject RPCSEC_GSS_CREATE procedure calls without privacy > protection. (All of this is only for the multi-principal authentication > case.) > > Nico > --