[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [nfsv4] [FedFS] meeting agenda (10/1)

To: James Lentini <jlentini at netapp.com>
Subject: Re: [nfsv4] [FedFS] meeting agenda (10/1)
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Thu, 1 Oct 2009 11:05:59 -0500
Cc: nfsv4 at ietf.org
Delivered-to: nfsv4 at core3.amsl.com
In-reply-to: <alpine.LFD.2.00.0910010930340.3163 at jlentini-linux.nane.netapp.com>
List-archive: <http://www.ietf.org/mail-archive/web/nfsv4>
List-help: <mailto:nfsv4-request@ietf.org?subject=help>
List-id: NFSv4 Working Group <nfsv4.ietf.org>
List-post: <mailto:nfsv4@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
References: <alpine.LFD.2.00.0909301818020.3163 at jlentini-linux.nane.netapp.com> <20090930225424.GQ887 at Sun.COM> <alpine.LFD.2.00.0910010930340.3163 at jlentini-linux.nane.netapp.com>
User-agent: Mutt/1.5.7i

On Thu, Oct 01, 2009 at 09:55:42AM -0400, James Lentini wrote:
> On Wed, 30 Sep 2009, Nicolas Williams wrote:
> > if SRV RRs are not in use, unless you wish to have a single alternative
> > port number used throughout.  Yet another way in which SRV RRs help
> > here.
> 
> We had a brief discussion about the use of non-standard LDAP ports two 
> weeks ago. There was a question about how firewalls would interact 
> with a non-standard port, but we didn't have time to fully discuss the 
> issue then. I don't remember if anyone advocated requiring NSDBs to 
> run on the standard LDAP port though.

Firewalls are a relatively minor issue.  If you get a new port assigned
then it will be up to each NSDB operator to ensure that their firewalls
open that port.  Same thing if you allow configurable ports.  If
firewalls that limit the ports open for outbound connections are a
concern, then having a standard port would help.

> > As a compromise, you could try SRV RR queries, then fallback on A
> > RRsets, but I don't think that simplifies anything (it's not RRset
> > administration that's the problem -- it's the code to do SRV RR queries
> > that is).  We all already have SRV RR query code for other purposes, so
> > I say just use SRV RRs.
> > 
> > Also, see my secdir evaluation of the requirements document: you may
> > want to include optional authentication information in the FSN format:
> 
> Authentication information in the FSN format would not eliminate the 
> PKI benefits that you described in the requirements document 
> evaluation. In the event that the NSDB's or certification authority's 

Did you mean "would eliminate"?  But note that I intended for
authentication information in the NSDB name to be OPTIONAL.  It'd only
be used when an NSDB has a self-signed cert.

> keys are compromised, the certificate information must be invalidated. 
> With or without an authentication token in the FSN, a fileserver 
> concerned about this issue should validate the NSDB's certificate. 

Of course.

> We will include a full discussion of this subject in the Security 
> Considerations section of the NSDB specification.

OK.

Follow-Ups:
- Re: [nfsv4] [FedFS] meeting agenda (10/1)
  - From: James Lentini

References:
- [nfsv4] [FedFS] meeting agenda (10/1)
  - From: James Lentini
- Re: [nfsv4] [FedFS] meeting agenda (10/1)
  - From: Nicolas Williams
- Re: [nfsv4] [FedFS] meeting agenda (10/1)
  - From: James Lentini

Prev by Date: Re: [nfsv4] New Version Notification - draft-ietf-nfsv4-federated-fs-reqts-04.txt
Next by Date: Re: [nfsv4] sparse files support for NFS
Previous by thread: Re: [nfsv4] [FedFS] meeting agenda (10/1)
Next by thread: Re: [nfsv4] [FedFS] meeting agenda (10/1)
Index(es):
- Date
- Thread