draft-ietf-nfsv4-integrity-measurement-06.txt   draft-ietf-nfsv4-integrity-measurement-07.txt 
Network File System Version 4 C. Lever Network File System Version 4 C. Lever
Internet-Draft Oracle Internet-Draft Oracle
Intended status: Standards Track September 21, 2019 Intended status: Standards Track September 30, 2019
Expires: March 24, 2020 Expires: April 2, 2020
Integrity Measurement for Network File System version 4 Integrity Measurement for Network File System version 4
draft-ietf-nfsv4-integrity-measurement-06 draft-ietf-nfsv4-integrity-measurement-07
Abstract Abstract
This document specifies an OPTIONAL extension to NFS version 4 minor This document specifies an OPTIONAL extension to NFS version 4 minor
version 2 that enables Linux Integrity Measurement Architecture version 2 that enables Linux Integrity Measurement Architecture
metadata (IMA) to be conveyed between NFS version 4.2 servers and metadata (IMA) to be conveyed between NFS version 4.2 servers and
clients. Integrity measurement authenticates the creator of a file's clients. Integrity measurement authenticates the creator of a file's
content and helps guarantee the content's integrity end-to-end from content and helps guarantee the content's integrity end-to-end from
creation to use. creation to use.
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 24, 2020. This Internet-Draft will expire on April 2, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 28
3.1. XDR Extraction . . . . . . . . . . . . . . . . . . . . . 7 3.1. XDR Extraction . . . . . . . . . . . . . . . . . . . . . 7
4. Managing IMA Metadata on NFS Files . . . . . . . . . . . . . 7 4. Managing IMA Metadata on NFS Files . . . . . . . . . . . . . 7
4.1. XDR Definition . . . . . . . . . . . . . . . . . . . . . 7 4.1. XDR Definition . . . . . . . . . . . . . . . . . . . . . 7
4.1.1. NFS4ERR_INTEGRITY (Error Code YYYYY) . . . . . . . . 8 4.1.1. NFS4ERR_INTEGRITY (Error Code YYYYY) . . . . . . . . 8
4.2. Detecting support for IMA Metadata . . . . . . . . . . . 8 4.2. Detecting support for IMA Metadata . . . . . . . . . . . 8
4.2.1. Reporting Server-Side IMA Appraisal Failures . . . . 9 4.2.1. Reporting Server-Side IMA Appraisal Failures . . . . 9
4.3. Storing IMA Metadata . . . . . . . . . . . . . . . . . . 9 4.3. Storing IMA Metadata . . . . . . . . . . . . . . . . . . 9
4.3.1. Sending IMA Metadata When Creating a New Object . . . 10 4.3.1. Sending IMA Metadata When Creating a New Object . . . 10
4.3.2. Authorizing Updates to IMA Metadata . . . . . . . . . 10 4.3.2. Authorizing Updates to IMA Metadata . . . . . . . . . 10
4.4. Retrieving IMA Metadata . . . . . . . . . . . . . . . . . 11 4.4. Retrieving IMA Metadata . . . . . . . . . . . . . . . . . 11
4.5. Using NFS Attribute Fencing (VERIFY/NVERIFY) . . . . . . 12 4.5. Using NFS Attribute Fencing (VERIFY/NVERIFY) . . . . . . 11
5. Deployment Examples . . . . . . . . . . . . . . . . . . . . . 12 5. Deployment Examples . . . . . . . . . . . . . . . . . . . . . 12
5.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 12 5.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 12
5.2. Instantiating IMA Metadata . . . . . . . . . . . . . . . 13 5.2. Instantiating IMA Metadata . . . . . . . . . . . . . . . 13
5.3. Interaction With Legacy Implementations . . . . . . . . . 14 5.3. Interaction With Legacy Implementations . . . . . . . . . 14
6. Implementation Status . . . . . . . . . . . . . . . . . . . . 15 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 14
6.1. Linux NFS server and client . . . . . . . . . . . . . . . 15 6.1. Linux NFS server and client . . . . . . . . . . . . . . . 15
7. Security Considerations . . . . . . . . . . . . . . . . . . . 15 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
9.1. Normative References . . . . . . . . . . . . . . . . . . 16 9.1. Normative References . . . . . . . . . . . . . . . . . . 16
9.2. Informative References . . . . . . . . . . . . . . . . . 17 9.2. Informative References . . . . . . . . . . . . . . . . . 17
9.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 17 9.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18
skipping to change at page 10, line 36 skipping to change at page 10, line 36
4.3.1. Sending IMA Metadata When Creating a New Object 4.3.1. Sending IMA Metadata When Creating a New Object
An alternate way to set an attribute is to provide the attribute An alternate way to set an attribute is to provide the attribute
during an NFS OPEN(CREATE) operation. Upon creation, an object has during an NFS OPEN(CREATE) operation. Upon creation, an object has
no content to protect. If a client presents an FATTR4_IMA attribute no content to protect. If a client presents an FATTR4_IMA attribute
to an NFS version 4.2 server during NFS OPEN(CREATE), the server MUST to an NFS version 4.2 server during NFS OPEN(CREATE), the server MUST
respond with NFS4ERR_INVAL. respond with NFS4ERR_INVAL.
4.3.2. Authorizing Updates to IMA Metadata 4.3.2. Authorizing Updates to IMA Metadata
An NFS version 4.2 server needs to ensure that modifications to IMA An NFS server permits a user to replace a file's IMA metadata
metadata are done only by appropriately authorized agents. Although whenever that user is permitted to modify that file's byte content.
access to file content is typically controlled by ACLs and permission This is consistent with similar mechanisms already used throughout
bits, these mechanisms do not apply to IMA metadata. the NFS version 4 protocol; for instance, setting an ACL. If an NFS
server determines that a user requesting a SETATTR with the
The question of "who is authorized to modify IMA metadata" is often FATTR4_IMA attribute is not authorized to update the IMA metadata,
left to the server's local IMA security policy. In addition, the the SETATTR operation MUST return NFS4ERR_ACCESS.
issue of whether to allow a particular IMA metadata update has no
bearing on protocol interoperability, as long as the server sticks to
returning NFS4ERR_ACCESS or NFS4ERR_INTEGRITY, as appropriate. Thus,
to enable server implementation flexibility, the current document
treats the following recommendations as implementation guidance
rather than as normative protocol requirements.
Possible NFS server implementations include limiting IMA metadata
update authority in the following ways:
Particular users
A server might allow IMA metadata updates only by UID 0 or by a
client's machine principal.
Particular clients
A server might allow IMA metadata updates only from specific
client IP addresses.
File owners
A server might allow IMA metadata updates only by the file's owner
or group owner.
No remote updates If an NFS server implementation does not support modification of IMA
A server might always return NFS4ERR_ACCESS when an NFS client metadata via NFS, the server MUST return NFS4ERR_INVAL to a SETATTR
sends a SETATTR request that updates IMA metadata. request with the FATTR4_IMA attribute, as required by Section 5.5 of
[RFC5661].
4.4. Retrieving IMA Metadata 4.4. Retrieving IMA Metadata
An NFS version 4.2 client retrieves IMA metadata by retrieving the An NFS version 4.2 client retrieves IMA metadata by retrieving the
FATTR4_IMA attribute via an NFS GETATTR operation, specifying the FATTR4_IMA attribute via an NFS GETATTR operation, specifying the
file handle of the object associated with the metadata to be file handle of the object associated with the metadata to be
retrieved. retrieved.
The IMA subsystem typically manages its own cache of this metadata to The IMA subsystem typically manages its own cache of this metadata to
maintain reasonable performance. The NFS client implementation MUST maintain reasonable performance. The NFS client implementation MUST
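Review bot: the rewritten Section 4.3.2 (right column, "An NFS server permits a user to replace a file's IMA metadata ...") drops NFS4ERR_INTEGRITY from the set of responses a SETATTR with FATTR4_IMA may return, while the -06 text explicitly allowed "NFS4ERR_ACCESS or NFS4ERR_INTEGRITY, as appropriate" and the table of contents still carries 4.1.1 (NFS4ERR_INTEGRITY) and 4.2.1 (Reporting Server-Side IMA Appraisal Failures). Please state whether a server that appraises the supplied metadata may still answer NFS4ERR_INTEGRITY for an update that fails appraisal, or whether NFS4ERR_ACCESS and NFS4ERR_INVAL are now the only permitted failures; as written, an implementer cannot tell which. Also note that the closing paragraph changes the behaviour of a server that does not support remote modification from the previous "No remote updates" option (NFS4ERR_ACCESS) to NFS4ERR_INVAL, the same code 4.3.1 mandates for FATTR4_IMA presented at OPEN(CREATE); a client receiving NFS4ERR_INVAL therefore cannot distinguish "server treats FATTR4_IMA as get-only" from a rejected attribute value, so a cross-reference to Section 4.2 (Detecting support for IMA Metadata) explaining how the client discovers this ahead of time would help.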
 End of changes. 7 change blocks. 
37 lines changed or deleted 17 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/