Re: [nfsv4] [FedFS] meeting agenda (10/1)
On Wed, 30 Sep 2009, Nicolas Williams wrote:
> On Wed, Sep 30, 2009 at 06:19:41PM -0400, James Lentini wrote:
> > + Discuss Open Issues
> >
> > - Configurable NSDB port?
> >
> > - fedfsNfsPathname format
> >
> > - FSN format: <NSDB location, LDAP base DN, UUID>
> >
> > - NSDB location format: hostname or SRV RR?
>
> Conveniently enough, the FSN format had better include the NSDB port #
The Admin protocol allows an optional port number to be included in
the NSDB address.
> if SRV RRs are not in use, unless you wish to have a single alternative
> port number used throughout. Yet another way in which SRV RRs help
> here.
We had a brief discussion about the use of non-standard LDAP ports two
weeks ago. There was a question about how firewalls would interact
with a non-standard port, but we didn't have time to fully discuss the
issue then. I don't remember if anyone advocated requiring NSDBs to
run on the standard LDAP port though.
> As a compromise, you could try SRV RR queries, then fallback on A
> RRsets, but I don't think that simplifies anything (it's not RRset
> administration that's the problem -- it's the code to do SRV RR queries
> that is). We all already have SRV RR query code for other purposes, so
> I say just use SRV RRs.
>
> Also, see my secdir evaluation of the requirements document: you may
> want to include optional authentication information in the FSN format:
Authentication information in the FSN format would not eliminate the
PKI benefits that you described in the requirements document
evaluation. In the event that the NSDB's or certification authority's
keys are compromised, the certificate information must be invalidated.
With or without an authentication token in the FSN, a fileserver
concerned about this issue should validate the NSDB's certificate.
We will include a full discussion of this subject in the Security
Considerations section of the NSDB specification.
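An added example, not code from this thread or the FedFS project, showing the NSDB-location handling the exchange above debates: an explicit port in the location wins, otherwise SRV RRs are tried first and the A RRset on the standard LDAP port is the fallback. The DNS lookups are injected callables over constructed records so it runs offline; the `_ldap._tcp` SRV name, the `host[:port]` syntax and the deterministic priority/weight choice are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

LDAP_DEFAULT_PORT = 389  # standard LDAP port; the thread debates non-standard ones


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_nsdb_location(location: str) -> Tuple[str, Optional[int]]:
    """'host' or 'host:port' -> (host, port or None). Hostnames only (assumed syntax)."""
    host, sep, port = location.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return location, None


def resolve_nsdb(location: str,
                 srv_lookup: Callable[[str], List[SrvRecord]],
                 a_lookup: Callable[[str], List[str]]) -> List[Tuple[str, int]]:
    """Return (address, port) pairs for an NSDB location from an FSN."""
    host, port = parse_nsdb_location(location)
    if port is None:
        # No explicit port: SRV RRs carry both target and port, so try them first.
        srv = srv_lookup(f"_ldap._tcp.{host}")  # assumed SRV service name
        if srv:
            # Simplified selection: lowest priority, then highest weight (real
            # clients pick randomly among equal priorities by weight).
            best = sorted(srv, key=lambda r: (r.priority, -r.weight))[0]
            return [(addr, best.port) for addr in a_lookup(best.target)]
        port = LDAP_DEFAULT_PORT
    # Explicit port, or no SRV RR published: fall back to the A RRset.
    return [(addr, port) for addr in a_lookup(host)]


# Constructed sample zone data standing in for real DNS answers.
SAMPLE_SRV = {"_ldap._tcp.nsdb.example.test": [SrvRecord(20, 50, 389, "ldap2.example.test"),
                                               SrvRecord(10, 5, 1389, "ldap1.example.test")]}
SAMPLE_A = {"ldap1.example.test": ["192.0.2.10"], "ldap2.example.test": ["192.0.2.20"],
            "nsdb.example.test": ["192.0.2.1"], "nosrv.example.test": ["192.0.2.30"]}


def sample_srv_lookup(name: str) -> List[SrvRecord]:
    return SAMPLE_SRV.get(name, [])


def sample_a_lookup(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])
```

Whichever path produced the endpoint, the fileserver should still validate the NSDB's certificate before trusting what it returns, as the message above notes.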