Last Call Review of draft-ietf-nfsv4-scsi-layout-nvme-05
review-ietf-nfsv4-scsi-layout-nvme-05-secdir-lc-cooley-2023-11-02-00

Request
Review of: draft-ietf-nfsv4-scsi-layout-nvme
Requested revision: No specific revision (document currently at 07)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2023-11-01
Requested: 2023-10-18
Authors: Christoph Hellwig, Chuck Lever, Sorin Faibish, David L. Black
I-D last updated: 2023-11-02
Completed reviews:
  Secdir Last Call review of -05 by Deb Cooley
  Artart Last Call review of -05 by James Gruessing
  Genart Last Call review of -05 by Roni Even

Assignment
Reviewer: Deb Cooley
State: Completed
Request: Last Call review on draft-ietf-nfsv4-scsi-layout-nvme by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/bTU_zHVHXgu0m6qIyE9m08Gw648
Reviewed revision: 05 (document currently at 07)
Result: Ready
Completed: 2023-11-02

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Document: draft-ietf-nfsv4-scsi-layout-nvme-05
Reviewer: Deb Cooley
Review Date: 2023-11-02

Please note that I know very little about NFS or SCSI, but I did spend some
time trying to understand some of the nuance of these technologies.

The summary of the review is 'Ready'.

Comment:  I think the draft is well written, concise, and clear to understand.

This is mostly to attempt to address the comments made in the GENART review:

It appears to me that this protocol can be run over a wide variety of
transports*.  Some can be protected by physical mechanisms, some cannot.  Even
some use of TCP might be protected by isolation mechanisms (small, disconnected
LANs, for example) where the attack surface is minimal.  I agree that TLS
should be a very strong SHOULD in the case where TCP is used for transport, but
I can see situations where it might not be completely necessary.  The normative
reference (NVME-TCP) lays out some pretty reasonable TLS requirements (TLS 1.2
or 1.3, decent ciphers, etc.).

*I'm happy to be corrected if I've interpreted this incorrectly.