idnits 2.17.1 

draft-ietf-nfsv4-designconsider-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document doesn't use any RFC 2119 keywords, yet seems to have RFC
     2119 boilerplate text.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 1999) is 9174 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'RFC2054' on line 820 looks like a reference

  -- Missing reference section? 'RFC2055' on line 826 looks like a reference

  -- Missing reference section? 'RFC1831' on line 796 looks like a reference

  -- Missing reference section? 'XDSM' on line 933 looks like a reference

  -- Missing reference section? 'HPFS' on line 879 looks like a reference

  -- Missing reference section? 'Nagar' on line 898 looks like a reference

  -- Missing reference section? 'DCEACL' on line 874 looks like a reference

  -- Missing reference section? 'RFC2203' on line 844 looks like a reference

  -- Missing reference section? 'RFC2246' on line 862 looks like a reference

  -- Missing reference section? 'RFC2025' on line 814 looks like a reference

  -- Missing reference section? 'RFC1510' on line 784 looks like a reference

  -- Missing reference section? 'RFC2401' on line 868 looks like a reference

  -- Missing reference section? 'RFC1832' on line 802 looks like a reference

  -- Missing reference section? 'Unicode1' on line 920 looks like a reference

  -- Missing reference section? 'RFC1094' on line 778 looks like a reference

  -- Missing reference section? 'RFC1813' on line 790 looks like a reference

  -- Missing reference section? 'RFC1833' on line 808 looks like a reference

  -- Missing reference section? 'RFC2078' on line 832 looks like a reference

  -- Missing reference section? 'RFC2152' on line 838 looks like a reference

  -- Missing reference section? 'RFC2222' on line 850 looks like a reference

  -- Missing reference section? 'RFC2279' on line 856 looks like a reference

  -- Missing reference section? 'Hutson' on line 883 looks like a reference

  -- Missing reference section? 'Kistler' on line 888 looks like a reference

  -- Missing reference section? 'Mummert' on line 893 looks like a reference

  -- Missing reference section? 'Sandberg' on line 902 looks like a reference

  -- Missing reference section? 'Satyanarayanan1' on line 910 looks like a
     reference

  -- Missing reference section? 'Satyanarayanan2' on line 914 looks like a
     reference

  -- Missing reference section? 'Unicode2' on line 927 looks like a reference

  -- Missing reference section? 'XNFS' on line 938 looks like a reference


     Summary: 5 errors (**), 0 flaws (~~), 3 warnings (==), 31 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                    Spencer Shepler
3	Internet Draft                                                March 1999
4	Document: draft-ietf-nfsv4-designconsider-00.txt

6	                  NFS Version 4 Design Considerations

8	Status of this Memo

10	   This document is an Internet-Draft and is in full conformance with
11	   all provisions of Section 10 of RFC2026.

13	   Internet-Drafts are working documents of the Internet Engineering
14	   Task Force (IETF), its areas, and its working groups.  Note that
15	   other groups may also distribute working documents as Internet-
16	   Drafts.

18	   Internet-Drafts are draft documents valid for a maximum of six months
19	   and may be updated, replaced, or obsoleted by other documents at any
20	   time.  It is inappropriate to use Internet- Drafts as reference
21	   material or to cite them other than as "work in progress."

23	   The list of current Internet-Drafts can be accessed at
24	   http://www.ietf.org/ietf/1id-abstracts.txt

26	   The list of Internet-Draft Shadow Directories can be accessed at
27	   http://www.ietf.org/shadow.html.

29	Abstract

31	   The main task of the NFS version 4 working group is to create a
32	   protocol definition for a distributed file system that focuses on the
33	   following items: improved access and good performance on the
34	   Internet, strong security with negotiation built into the protocol,
35	   better cross-platform interoperability, and designed for protocol
36	   extensions.  NFS version 4 will owe its general design to the
37	   previous versions of NFS.  It is expected, however, that many
38	   features will be quite different in NFS version 4 than previous
39	   versions to facilitate the goals of the working group and to address
40	   areas that NFS version 2 and 3 have not.

42	   This design considerations document is meant to present more detail
43	   than the working group charter.  Specifically, it presents the areas
44	   that the working group will investigate and consider while developing
45	   a protocol specification for NFS version 4.  Based on this
46	   investigation the working group will decide the features of the new
47	   protocol based on the cost and benefits within the specific feature
48	   areas.

50	Copyright

52	   Copyright (C) The Internet Society (1999).  All Rights Reserved.

54	Key Words

56	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
57	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
58	   document are to be interpreted as described in RFC 2119.

60	Table of Contents

62	   1.  NFS Version 4 Design Considerations . . . . . . . . . . . . . 4
63	   2.  Ease of Implementation or Complexity of Protocol  . . . . . . 4
64	   2.1.  Extensibility / layering  . . . . . . . . . . . . . . . . . 4
65	   2.2.  Managed Extensions or Minor Versioning  . . . . . . . . . . 4
66	   3.  Reliable and Available  . . . . . . . . . . . . . . . . . . . 6
67	   4.  Scalable Performance  . . . . . . . . . . . . . . . . . . . . 6
68	   4.1.  Throughput and Latency via the Network  . . . . . . . . . . 7
69	   4.2.  Client Caching  . . . . . . . . . . . . . . . . . . . . . . 7
70	   4.3.  Disconnected Client Operation . . . . . . . . . . . . . . . 8
71	   5.  Interoperability  . . . . . . . . . . . . . . . . . . . . . . 8
72	   5.1.  Platform Specific Behavior  . . . . . . . . . . . . . . . . 9
73	   5.2.  Additional or Extended Attributes . . . . . . . . . . . . . 9
74	   5.3.  Access Control Lists  . . . . . . . . . . . . . . . . . .  10
75	   6.  RPC Mechanism and Security  . . . . . . . . . . . . . . . .  11
76	   6.1.  User identification . . . . . . . . . . . . . . . . . . .  11
77	   6.2.  Security  . . . . . . . . . . . . . . . . . . . . . . . .  12
78	   6.2.1.  Transport Independence  . . . . . . . . . . . . . . . .  12
79	   6.2.2.  Authentication  . . . . . . . . . . . . . . . . . . . .  12
80	   6.2.3.  Data Integrity  . . . . . . . . . . . . . . . . . . . .  12
81	   6.2.4.  Data Privacy  . . . . . . . . . . . . . . . . . . . . .  13
82	   6.2.5.  Security Negotiation  . . . . . . . . . . . . . . . . .  13
83	   6.3.  Summary . . . . . . . . . . . . . . . . . . . . . . . . .  14
84	   7.  Internet Accessibility  . . . . . . . . . . . . . . . . . .  14
85	   7.1.  Congestion Control and Transport Selection  . . . . . . .  14
86	   7.2.  Firewalls and Proxy Servers . . . . . . . . . . . . . . .  15
87	   7.3.  Multiple RPCs and Latency . . . . . . . . . . . . . . . .  15
88	   8.  File locking / recovery . . . . . . . . . . . . . . . . . .  16
89	   9.  Internationalization  . . . . . . . . . . . . . . . . . . .  17
90	   10.  Security Considerations  . . . . . . . . . . . . . . . . .  18
91	   10.1.  Denial of Service  . . . . . . . . . . . . . . . . . . .  19
92	   11.  Bibliography . . . . . . . . . . . . . . . . . . . . . . .  20
93	   12.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . .  25
94	   13.  Author's Address . . . . . . . . . . . . . . . . . . . . .  25
95	   14.  Full Copyright Statement . . . . . . . . . . . . . . . . .  26

97	1.  NFS Version 4 Design Considerations

99	   As stated in the charter, the first deliverable for the NFS version 4
100	   working group is this design considerations document.  This document
101	   is to cover the "limitations and deficiencies of NFS version 3".
102	   This document will also be used as a mechanism to focus discussion
103	   and avenues of investigation as the definition of NFS version 4
104	   progresses.  Therefore, the contents of this document cover the
105	   general functional/feature areas that are anticipated for NFS version
106	   4.  Where appropriate, discussion of current NFS version 2 and 3
107	   practice will be presented along with other appropriate references to
108	   current distributed file system practice.

110	2.  Ease of Implementation or Complexity of Protocol

112	   One of the strengths of NFS has been the ability to implement a
113	   client or server with relative ease.  The eventual size of a basic
114	   implementation is relatively small.  The main reason for keeping NFS
115	   as simple as possible is that a simple protocol design can be
116	   described in a simple specification that promotes straightforward,
117	   interoperable implementations.  All protocols can run into problems
118	   when deployed on real networks, but simple protocols yield problems
119	   that are easier to diagnose and correct.

121	2.1.  Extensibility / layering

123	   With NFS' relative simplicity, the addition or layering of
124	   functionality has been easy to accomplish.  The addition of features
125	   like the client automount or autofs, client side disk caching and
126	   high availability servers are examples.  This type of extensibility
127	   is desirable in an environment where problem solutions do not require
128	   protocol revision.  This extensibility can also be helpful in the
129	   future where unforeseen problems or opportunities can be solved by
130	   layering functionality on an existing set of tools or protocol.

132	2.2.  Managed Extensions or Minor Versioning

134	   For those cases where the NFS protocol is deficient or where a minor
135	   modification is the best solution for a problem, a minor version or a
136	   managed extension could be helpful.  There have been instances with
137	   NFS version 2 and 3 where small straightforward functional additions
138	   would have increased the overall value of the protocol immensely.
139	   For instance, the PATHCONF procedure that was added to version 2 of
140	   the MOUNT protocol would have been more appropriate for the NFS
141	   protocol. WebNFS [RFC2054][RFC2055] overloading of the LOOKUP
142	   procedure for NFS versions 2 and 3 would have been more cleanly
143	   implemented in a new LOOKUP procedure.

145	   However, the perceived size and burden of using a change of RPC
146	   version number for the introduction of new functionality led to no or
147	   slow change.  It is possible that a new NFS protocol could allow for
148	   the rare instance where protocol extension within the RPC version
149	   number is the most prudent course and an RPC revision would be
150	   unnecessary or impractical.

152	   The areas of an NFS protocol which are most obviously volatile are
153	   new orthogonal procedures, new well-defined file or directory
154	   attributes and potentially new file types.  As an example, potential
155	   file types of the future could be a type such as "attribute" that
156	   represents a named file stream or a "dynamic" file type that
157	   generates dynamic data in response to a "query" procedure from the
158	   client.

160	   It is possible and highly desirable that these types of additions be
161	   done without changing the overall design model of NFS without
162	   significant effort or delay.

164	   A strong consideration should be given to a NFS protocol mechanism
165	   for the introduction of this type of new functionality.  This is
166	   obviously in contrast to using the standard RPC version mechanism to
167	   provide minor changes.  The process of using RPC version numbers to
168	   introduce new functionality brings with it a lot of history which may
169	   not technically prevent its use.  However, the historical issues
170	   involved will need to be addressed as part of the NFS version 4
171	   protocol work; this should increase the ability for current and
172	   future success of the protocol.

174	   As background, the RPC protocol described in [RFC1831] uses a version
175	   number to describe the set of procedure calls, replies, and their
176	   semantics.  Any change in this set must be reflected in a new version
177	   number for the program.  An example of this was the
178	   MOUNTPROC_PATHCONF procedure added in version 2 of the MOUNT
179	   protocol.  Except for the addition of this new procedure, the
180	   protocol was unchanged.  Many thought this protocol revision was
181	   unnecessary, since the RPC protocol already allows certain procedures
182	   not be implemented and defines a PROC_UNAVAIL error.

184	   Another historical data-point from NFS version 2 and 3 is the support
185	   (or lack) of symbolic links.  Servers that cannot support this
186	   feature will simply reject calls to the SYMLINK and READLINK
187	   procedures.  Additionally, NFS version 4 may describe many file
188	   attributes which cannot be supported by the server or file systems on
189	   the server.  Therefore, the protocol must support a discovery
190	   mechanism that allows clients to determine which features of the
191	   protocol are supported by a server.

193	3.  Reliable and Available

195	   Current NFS protocol design, while placing an emphasis on simple
196	   server design, has led to timely recovery from server and client
197	   failure.  This and other aspects to the design have provided a basis
198	   for layered technologies like high availability and clustered
199	   servers.  Providing a protocol design approach that lends itself to
200	   these types of reliability and availability features is very
201	   desirable.

203	   For the next version of NFS, consideration should be given to client
204	   side availability schemes such as client switching between or fail-
205	   over to available server replicas.  NFS currently requires that file
206	   handles be immutable; this requirement adds unnecessarily to the
207	   complexity of building fail-over configurations.  If possible, the
208	   protocol should allow for or ease the building of such layered
209	   solutions.

211	   For the next version of NFS, consideration should be given to schemes
212	   that support client switching between server replicas or highly
213	   available NFS servers that provide paths to data through multiple
214	   servers. For example: NFS currently requires that filehandles be
215	   unchanging for any instance of a file or directory. This requirement
216	   makes it more difficult for a client to switch from one server to
217	   another, since each server may construct filehandles differently.
218	   Protocol support could allow the client to handle a filehandle
219	   change.

221	4.  Scalable Performance

223	   In designing and developing an NFS protocol from a performance
224	   viewpoint there are several different points to consider.  Each can
225	   play a significant role in perceived and real performance from the
226	   user's perspective.  The three main areas of interest are: throughput
227	   and latency via the network, server work load or scalability and
228	   client side caching.

230	4.1.  Throughput and Latency via the Network

232	   NFS currently has characteristics that provide good throughput for
233	   reading and writing file data. This is commonly achieved by the
234	   client's use of pipelining or windowing multiple RPC READ/WRITE
235	   requests to the server. The flexibility of the NFS and ONCRPC
236	   protocols allow for implementations to use this type of adaptation to
237	   provide efficient use of the network connection.

239	   However, the number of RPCs required to accomplish some tasks
240	   combined with high latency network environments may lead to sluggish
241	   single user or single client response.  The protocol should continue
242	   to provide good raw read and write throughput while addressing the
243	   issue of network latency.  This issue is discussed further in the
244	   section on Internet Accessibility.

246	4.2.  Client Caching

248	   In an attempt to speed response time and to reduce network and server
249	   load, NFS clients have always cached directory and file data.
250	   However, this has usually been done as memory cache and in relatively
251	   recent history, local disk caching has been added.

253	   It is very desirable to have the NFS client cache directory and file
254	   data.  Other distributed file systems have shown that aggressive
255	   client side caching can be very visible to the end user in the form
256	   of decreasing overall response time.  For AFS and DCE/DFS, caching is
257	   accomplished by the utilization of server call backs to notify the
258	   client of potential cache invalidation.  CIFS and its opportunistic
259	   locks provide a similar call back mechanism.  Clients in both of
260	   these environments are able to cache data while avoiding interaction
261	   with the network and server.

263	   With these protocols it is also possible to cache or delay certain
264	   protocol requests at the client which further reduces the protocol
265	   traffic flowing between client and server.  In the case of CIFS, it
266	   is possible for a client to obtain an opportunistic lock for a file
267	   and subsequently process file lock requests completely at the client.
268	   If there are no conflicts with other clients for file data access,
269	   the server is never contacted for the file locking traffic generated
270	   by the user application. This behavior is not a protocol requirement
271	   but is allowed by the protocol as an implementation option to improve
272	   performance.

274	   NFS versions 2 and 3 make no caching requirements.  Implementations
275	   typically implement close-to-open cache consistency which requires
276	   clients flush all changes to the server on each file close, and check
277	   for file changes on the server on each file open.  The consistency
278	   check required on each file open can generate a large amount of
279	   GETATTR traffic.  With this approach, there are windows when the
280	   client can still be acting with stale data between the open and close
281	   of a file.

283	   Client caching is increasingly important for Internet environments
284	   where throughput can be limited and response time can grow
285	   significantly. Therefore the NFS version 4 caching design will need
286	   to take into account the full spectrum of caching designs as
287	   exemplified by the current technologies of NFS, AFS, DCE/DFS, CIFS,
288	   etc. in determining an appropriate design.  This will need to be done
289	   while weighing the complexity of each possible approach with the need
290	   of the eventual users and operating environments into which NFS
291	   version 4 may be deployed.  Some of these considerations are:
292	   Internet accessibility, firewall traversal (call back availability),
293	   proxy caching, low-overhead or simple clients.

295	4.3.  Disconnected Client Operation

297	   An extension of client caching is the provision for disconnected
298	   operation at the client.  With the ability to cache directory and
299	   file data aggressively, a client could then provide service to the
300	   end user while disconnected from the server or network.

302	   While very desirable, disconnected operation has the potential to
303	   inflict itself upon the NFS protocol in an undesirable way as
304	   compared to traditional client caching.  Given the complexities of
305	   disconnected client operation and subsequent resolution of client
306	   data modification through various playback or data selection
307	   mechanisms, disconnected operation should not be a requirement for
308	   the NFS effort.  Even so, the NFS protocol should consider the
309	   potential layering of disconnected operation solutions on top of the
310	   NFS protocol (as with other server and client solutions).  The
311	   experiences with Coda, disconnected AFS and others should be helpful
312	   in this area. (see references)

314	5.  Interoperability

316	   The NFS protocols are available for many different operating
317	   environments.  Even though this shows the protocol's ability to
318	   provide distributed file system service for more than a single
319	   operating system, the design of NFS is certainly Unix-centric.  The
320	   next NFS protocol needs to be more inclusive of platform or file
321	   system features beyond those of traditional Unix.

323	5.1.  Platform Specific Behavior

325	   Because of Unix-centric origins, NFS version 2 and 3 protocol
326	   requirements have been difficult to implement in some environments.
327	   For example, persistent file handles (unique identifiers of file
328	   system objects), Unix uid/gid mappings, directory modification time,
329	   accurate file sizes, file/directory locking semantics (SHAREs, PC-
330	   style locking). In the design of NFS version 4, these areas and
331	   others not mentioned will need to be considered and, if possible,
332	   cross-platform solutions developed.

334	5.2.  Additional or Extended Attributes

336	   NFS versions 2 and 3 do not provide for file or directory attributes
337	   beyond those that are found in the traditional Unix environment. For
338	   example the user identifier/owner of the file, a permission or access
339	   bitmap, time stamps for modification of the file or directory and
340	   file size to name a few.  While the current set of attributes has
341	   usually been sufficient, the file system's ability to manage
342	   additional information associated with a file or directory can be
343	   useful.

345	   There are many possibilities for additional attributes in the next
346	   version of NFS.  Some of these include: object creation timestamp,
347	   user identifier of file's creator, timestamp of last backup or
348	   archival bit, version number, file content type (MIME type),
349	   existence of data management involvement (i.e. DMAPI [XDSM]).

351	   This list is representative of the possibilities and is meant to show
352	   the need for an additional attribute set.  Enumerating the 'correct'
353	   set of attributes, however, is difficult.  This is one of the reasons
354	   for looking towards a minor versioning mechanism as a way to provide
355	   needed extensibility.  Another way to provide some extensibility is
356	   to support a generalized named attribute mechanism.  This mechanism
357	   would allow a client to name, store and retrieve arbitrary data and
358	   have it associated as an attribute of a file or directory.

360	   One difficulty in providing named attributes is determining if the
361	   protocol should specify the names for the attributes, their type or
362	   structure.  How will the protocol determine or allow for attributes
363	   that can be read but not written is another issue.  Yet another could
364	   be the side effects that these attributes have on the core set of
365	   file properties such as setting a size attribute to 0 and having
366	   associated file data deleted.

368	   As these brief examples show, this type of extended attribute
369	   mechanism brings with it a large set of issues that will need to be
370	   addressed in the protocol specification while keeping the overall
371	   goal of simplicity in mind.

373	   There are operating environments that provide named or extended
374	   attribute mechanisms.  Digital Unix provides for the storage of
375	   extended attributes with some generalized format.  HPFS[HPFS] and
376	   NTFS [Nagar] also provide for named data associated with traditional
377	   files.  SGI's local file system, XFS, also provides for this type of
378	   name/value extended attributes. However, there does not seem to be a
379	   clear direction that can be taken from these or other environments.

381	5.3.  Access Control Lists

383	   Access Control Lists (ACL) can be viewed as one specific type of
384	   extended attribute.  This attribute is a designation of user access
385	   to a file or directory.  Many vendors have created ancillary
386	   protocols to NFS to extend the server's ACL mechanism across the
387	   network.  Generally this has been done for homogeneous operating
388	   environments. Even though the server still interprets the ACL and has
389	   final control over access to a file system object, the client is able
390	   to manipulate the ACL via these additional protocols.  Other
391	   distributed file systems have also provided ACL support (DFS, AFS and
392	   CIFS).

394	   The basic factor driving the requirement for ACL support in all of
395	   these file systems has been the user's desire to grant and restrict
396	   access to file system data on a per user basis.  Based on the desire
397	   of the user and current distributed file system support, it seems to
398	   be a requirement that NFS provide this capability as well.

400	   Because many local and distributed file system ACL implementations
401	   have been done without a common architecture, the major issue is one
402	   of compatibility.  Although the POSIX draft, DCE/DFS [DCEACL] and
403	   Windows NT ACLs have a similar structure in an array of Access
404	   Control Entries consisting of a type field, identity, and permission
405	   bits, the similarity ends there.  Each model defines its own variants
406	   of entry types, identifies users and groups differently, provides
407	   different kinds of permission bits, and describes different
408	   procedures for ACL creation, defaults, and evaluation.

410	   In the least it will be problematic to create a workable ACL
411	   mechanism that will encompass a reasonable set of functionality for
412	   all operating environments.  Even with the complicated nature of ACL
413	   support it is still worthwhile to work towards a solution that can at
414	   least provide basic functionality for the user.

416	6.  RPC Mechanism and Security

418	   NFS relies on the security mechanisms provided by the ONCRPC
419	   [RFC1831] protocol.  Until the introduction of the ONCRPC RPCSEC_GSS
420	   security flavor [RFC2203], NFS security was generally limited to none
421	   (AUTH_SYS) or DES (AUTH_DH).  The AUTH_DH security flavor was not
422	   successful in providing readily available security for NFS because of
423	   a lack of widespread implementation which precluded widespread
424	   deployment.  Also the Diffie-Hellman 192 bit public key modulus used
425	   for the AUTH_DH security flavor quickly became too small for
426	   reasonable security.

428	6.1.  User identification

430	   NFS has been limited to the use of the Unix-centric user
431	   identification mechanism of numeric user id based on the available
432	   file system attributes and the use of the ONCRPC.  However, for NFS
433	   to move beyond the limits of large work groups, user identification
434	   should be string based and the definition of the user identifier
435	   should allow for integration into an external naming service or
436	   services.

438	   Internet scaling should also be considered for this as well.  The
439	   identification mechanism should take into account multiple naming
440	   domains and multiple naming mechanisms.  Flexibility is the key to a
441	   solution that can grow with the needs of the user and administrator.

443	   If NFS is to move among various naming and security services, it may
444	   be necessary to stay with a string based identification.  This would
445	   allow for servers and clients to translate between the external
446	   string representation to a local or internal numeric (or other
447	   identifier) which matches internal implementation needs.

449	   As an example, DFS uses a string based naming scheme but translates
450	   the name to a UUID (16 byte identifier) that is used for internal
451	   protocol representations. The DCE/DFS string name is a combination of
452	   cell (administrative domain) and user name.  As mentioned, NFS
453	   clients and servers map a Unix user name to a 32 bit user identifier
454	   that is then used for ONCRPC and NFS protocol fields requiring the
455	   user identifier.

457	6.2.  Security

459	   Because of the aforementioned problems, user authentication has been
460	   a major issue for ONCRPC and hence NFS.  To satisfy requirements of
461	   the IETF and to address concerns and requirements from users, NFS
462	   version 4 must provide for the use of acceptable security mechanisms.
463	   The various mechanisms currently available should be explored for
464	   their appropriate use with NFS version 4 and ONCRPC.  Some of these
465	   mechanisms are: TLS [RFC2246], SPKM [RFC2025], KerberbosV5 [RFC1510],
466	   IPSEC [RFC2401].  Since ONCRPC is the basis for NFS client and server
467	   interaction, the RPCSEC_GSS [RFC2203] framework should be strongly
468	   considered since it provides a method to employ mechanisms like SPKM
469	   and KerberosV5.  Before a security mechanism can be evaluated, the
470	   NFS environment and requirements must be discussed.

472	6.2.1.  Transport Independence

474	   As mentioned later in this document in the section "Internet
475	   Accessibility", transport independence is an asset for NFS and ONCRPC
476	   and is a general requirement.  This allows for transport choice based
477	   on the target environment and specific application of NFS.  The most
478	   common transports in use with NFS are UDP and TCP.  This ability to
479	   choose transport should be maintained in combination with the user's
480	   choice of a security mechanism.  This implies that "mandatory to
481	   implement" security mechanisms for NFS should allow for both
482	   connection-less and connection-oriented transports.

484	6.2.2.  Authentication

486	   As should be expected, strong authentication is a requirement for NFS
487	   version 4.  Each operation generated via ONCRPC contains user
488	   identification and authentication information.  It is common in NFS
489	   version 2 and 3 implementations to multiplex various users' requests
490	   over a single or few connections to the NFS server.  This allows for
491	   scalability in the number of clients systems.  Security mechanisms or
492	   frameworks should allow for this multiplexing of requests to sustain
493	   the implementation model that is available today.

495	6.2.3.  Data Integrity

497	   Until the introduction of RPCSEC_GSS, the ability to provide data
498	   integrity over ONCRPC and to NFS was not available.  Since file and
499	   directory data is the essence of a distributed file service, the NFS
500	   protocol should provide to the users of the file service a reasonable
501	   level of data integrity.  The security mechanisms chosen must provide
502	   for NFS data protection with a cryptographically strong checksum.  As
503	   with other aspects within NFS version 4, the user or administrator
504	   should be able to choose whether data integrity is employed.  This
505	   will provide needed flexibility for a variety of NFS version 4
506	   solutions.

508	6.2.4.  Data Privacy

510	   Data privacy, while desirable, is not as important in all
511	   environments as authentication and integrity.  For example, in a LAN
512	   environment the performance overhead of data privacy may not be
513	   required to meet an organization's data protection policies.  It may
514	   also be the case that the performance of the distributed file system
515	   solution is more important than the data privacy of that solution.
516	   Even with these considerations, the user or administrator must have
517	   the choice of data privacy and therefore it must be included in NFS
518	   version 4.

520	6.2.5.  Security Negotiation

522	   With the ability to provide security mechanism choices to the user or
523	   administrator, NFS version 4 should offer reasonable flexibility for
524	   application of local security policies.  However, this presents the
525	   problem of negotiating the appropriate security mechanism between
526	   client and server.  It is unreasonable to require the client know the
527	   server's chosen mechanism before initial contact.  The issue is
528	   further complicated by an administrator who may choose more than one
529	   security mechanism for the various file system resources being shared
530	   by an NFS server.  These types of choices and policies require that
531	   NFS version 4 deal with negotiating the appropriate security
532	   mechanism based on mechanism availability and policy deployment at
533	   client and server.  This negotiation will need to take into account
534	   the possibility of a change in policy as an NFS client crosses
535	   certain file system boundaries at the server.  The security
536	   mechanisms required may change at these boundaries and therefore the
537	   negotiation must be included within the NFS protocol itself to be
538	   done properly (i.e. securely).

540	6.3.  Summary

542	   Other distributed file system solutions such as AFS and DFS provide
543	   strong authentication mechanisms.  CIFS does provide authentication
544	   at initial server contact and a message signing option for subsequent
545	   interaction.  Recent NFS version 2 and 3 implementations, with the
546	   use of RPCSEC_GSS, provide strong authentication, integrity, and
547	   privacy.

549	   NFS version 4 must provide for strong authentication, integrity, and
550	   privacy.  This must be part of the protocol so that users have the
551	   choice to use strong security if their environment or policies
552	   warrant such use.

554	   Based on the requirements presented, the ONCRPC RPCSEC_GSS security
555	   flavor seems to provide an appropriate framework for satisfying these
556	   requirements.  RPCSEC_GSS provides for authentication, integrity, and
557	   privacy.  The RPCSEC_GSS is also extensible in that it provides for
558	   both public and private key security mechanisms along with the
559	   ability to plug in various mechanisms in such a way that it does not
560	   significantly disrupt ONCRPC or NFS implementations.

562	   With RPCSEC_GSS' ability to support both public and private key
563	   mechanisms, NFS version 4 should consider "mandatory to implement"
564	   choices from both.  The intent is to provide a security solution that
565	   will flexibly scale to match the needs of end users.  Providing this
566	   range of solutions will allow for appropriate usage based on policy
567	   and available resources for deployment.  Note that, in the end, the
568	   user must have a choice and that choice may be to use all of the
569	   available mechanisms in NFS version 4 or none of them.

571	7.  Internet Accessibility

573	   Being a product of an IETF working group, the NFS protocol should not
574	   only be built upon IETF technologies where possible but should also
575	   work well within the broader Internet environment.

577	7.1.  Congestion Control and Transport Selection

579	   As with any network protocol, congestion control is a major issue and
580	   the transport mechanisms that are chosen for NFS should take this
581	   into account.  Traditionally, implementations of NFS have been
582	   deployed using both UDP and TCP.  With the use of UDP, most
583	   implementations provide a rudimentary attempt control congestion with
584	   simple back-off algorithms and round trip timers.  While this may be
585	   sufficient in today's NFS deployments, as an Internet protocol NFS
586	   will need to ensure sufficient congestion control or management.

588	   With congestion control in mind, NFS must use TCP as a transport (via
589	   ONCRPC).  The UDP transport provides its own advantages in certain
590	   circumstances.  In today's NFS implementations, UDP has been shown to
591	   produce greater throughput as compared to similarly configured
592	   systems that use TCP.  This issue will need to be investigated such
593	   that a determination can be made as to whether the differences are
594	   within implementation details.  If UDP is supplied as an NFS
595	   transport mechanism, then the congestion controls issues will need
596	   resolution to make its use suitable.

598	7.2.  Firewalls and Proxy Servers

600	   NFS's protocol design should allow its use via Internet firewalls.
601	   The protocol should also allow for the use of file system proxy/cache
602	   servers.  Proxy servers can be very useful for scalability and other
603	   reasons.  The NFS protocol needs to address the need of proxy servers
604	   in a way that will deal with the issues of security, access control,
605	   and content control.  It is possible that these issues can be
606	   addressed by documenting the related issues of proxy server usage.
607	   However, it is likely that the NFS protocol will need to support
608	   proxy servers directly through the NFS protocol.

610	   The protocol could allow a request to be sent to a proxy that
611	   contains the name of the target NFS server to which the request might
612	   be forwarded, or from which a response might be cached.  In any case,
613	   the NFS proxy server should be considered during protocol
614	   development.

616	   The problems encountered in making the NFS protocol work through
617	   firewalls are described in detail in [RFC2054] and [RFC2055].

619	7.3.  Multiple RPCs and Latency

621	   As an application at the NFS client performs simple file system
622	   operations, multiple NFS operations or RPCs may be executed to
623	   accomplish the work for the application.  While the NFS version 3
624	   protocol addressed some of this by returning file and directory
625	   attributes for most procedures, hence reducing follow up GETATTR
626	   requests, there is still room for improvement.  Reducing the number
627	   of RPCs will lead to a reduction of processing overhead on the server
628	   (transport and security processing) along with reducing the time
629	   spent at the client waiting for the server's individual responses.
630	   This issue is more prominent in environments with larger degrees of
631	   latency.

633	   The CIFS file access protocol supports 'batched requests' that allow
634	   multiple requests to be batched, therefore reducing the number of
635	   round trip messages between client and server.

637	   This same approach can be used by NFS to allow the grouping of
638	   multiple procedure calls together in a traditional RPC request.  Not
639	   only would this reduce protocol imposed latency but it would reduce
640	   transport and security processing overhead and could allow a client
641	   to complete more complex tasks by combining procedures.

643	8.  File locking / recovery

645	   NFS provided Unix file locking and DOS SHARE capability with the use
646	   of an ancillary protocol (Network Lock Manager / NLM).  The DOS SHARE
647	   mechanism is the DOS equivalent of file locking in that it provides
648	   the basis for sharing or exclusive access to file and directory data
649	   without risk of data corruption. The NLM protocol provides file
650	   locking and recovery of those locks in the event of client or server
651	   failure.  The NLM protocol requires that the server make call backs
652	   to the client for certain scenarios and therefore is not necessarily
653	   well suited for Internet firewall traversal.

655	   Available and correct file locking support for NFS version 2 and 3
656	   clients and servers has historically been problematic.  The
657	   availability of NLM support has traditionally been a problem and
658	   seems to be most related to the fact that NFS and NLM are two
659	   separate protocols.  It is easy to deliver an NFS client and server
660	   implementation and then add NLM support later.  This led to a general
661	   lack of NLM support early on in NFS' lifetime.  One of the reasons
662	   that NLM was delivered separately has been its relative complexity
663	   which has in turn led to poor implementations and testing
664	   difficulties.  Even in later implementations where reliability and
665	   performance had been increased to acceptable levels for NLM, users
666	   still chose to avoid the use of the protocol and its support.  The
667	   last issue with NLM is the presence of minor protocol design flaws
668	   that relate to high network load and recovery.

670	   Based on the experiences with NLM, locking support for NFS version 4
671	   should strive to meet or at least consider the following (in order of
672	   importance):

674	   o    Integration with the NFS protocol and ease of implementation.

676	   o    Interoperability between operating environments. The protocol
677	        should make a reasonable effort to support the locking semantics
678	        of both PC and Unix clients and servers. This will allow for
679	        greater integration of all environments.

681	   o    Scalable solutions - thousands of clients.  The server should
682	        not be required to maintain significant client file locking
683	        state between server instantiations.

685	   o    Internet capable (firewall traversal, latency sensitive).  The
686	        server should not be required to initiate TCP connections to
687	        clients.

689	   o    Timely recovery in the event of client/server or network
690	        failure.  Server recovery should be rapid. The protocol should
691	        allow clients to detect the loss of a lock.

693	9.  Internationalization

695	   NFS version 2 and 3 are currently limited in the character encoding
696	   of strings. In the NFS protocols, strings are used for file and
697	   directory names, and symbolic link contents. Although the XDR
698	   definition [RFC1832] limits strings in the NFS protocol to 7-bit US-
699	   ASCII, common usage is to encode filenames in 8-bit ISO-Latin-1.
700	   However, there is no mechanism available to tag XDR character strings
701	   to indicate the character encoding used by the client or server.
702	   Obviously this limits NFS' usefulness in an environment with clients
703	   that may operate with various character sets.

705	   One approach to address this deficiency is to use the Unicode
706	   Standard [Unicode1] as the means to exchange character strings for
707	   the NFS version 4 protocol. The Unicode Standard is a 16 bit encoding
708	   that supports full multilingual text. The Unicode Standard is code-
709	   for-code identical with International Standard ISO/IEC 10646-1:1993.
710	   "Information Technology -- Universal Multiple-Octet Coded Character
711	   Set (UCS)-Part 1: Architecture and Basic Multilingual Plane." Because
712	   Unicode is a 16 bit encoding, it may be more efficient for the NFS
713	   version 4 protocol to use an encoding for wire transfer that will be
714	   useful for a majority of usage.  One possible encoding is the UCS
715	   transformation format (UTF).  UTF-8 is an encoding method for UCS-4
716	   characters which allows for the direct encoding of US-ASCII
717	   characters but expands for the correct encoding of the full UCS-4 31
718	   bit definitions.  Currently, the UCS-4 and Unicode standards do not
719	   diverge.

721	   This Unicode/UTF-8 encoding can be used for places in the protocol
722	   that a traditional string representation is needed.  This includes
723	   file and directory names along with symlink contents.  This should
724	   also include other file and directory attributes that are eventually
725	   defined as strings.

727	   The Unicode standard is applicable to the well defined strings within
728	   the protocol. Dealing with file content is much more difficult. NFS
729	   has traditionally dealt with file data as an opaque byte stream. No
730	   other structure or content specification has been levied upon the
731	   file content. The main advantage to this approach is its flexibility.
732	   This byte stream can contain any data content and may be accessed in
733	   any sequential or random fashion. Unfortunately, it is left to the
734	   application or user to make the determination of file content and
735	   format. It is possible to construct a mechanism in the protocol that
736	   specifies file data type while maintaining the byte stream model for
737	   data access.  However, this approach may be limiting in ways unclear
738	   to the designers of the NFS version 4 protocol. An expandable and
739	   adaptable approach is to use the previously discussed extended
740	   attributes as the mechanism to specify file content and format. The
741	   use of extended attributes allows for future definition and growth as
742	   various data types are created and allows for maintaining a simple
743	   file data model for the NFS protocol.

745	   It should be noted that as the Unicode standards are currently
746	   defined there is the possibility for minor inconsistencies when
747	   converting from local character representations to Unicode and then
748	   back again.  This should not be a problem with single client and
749	   server interaction but may become apparent with the interaction of
750	   two or more clients with separate conversion implementations.
751	   Therefore, as NFS version 4 progresses in its development, these
752	   types of Unicode issues need to be tracked and understood for their
753	   potential impact on client/server interaction. In any case, Unicode
754	   seems to be the best selection for NFS version 4 based on its
755	   standards background and apparent future direction.

757	10.  Security Considerations

759	   Two previous sections within this document deal with security issues.
760	   The section covering 'Access Control Lists' covers the mechanisms
761	   that need to be investigated for file system level control. The
762	   section that covers RPC security deals with individual user
763	   authentication along with data integrity and privacy issues. This
764	   section also covers negotiation of security mechanisms.  These
765	   sections should be consulted for additional discussion and detail.

767	10.1.  Denial of Service

769	   As with all services, the denial of service by either incorrect
770	   implementations or malicious agents is always a concern.  With the
771	   target of providing NFS version 4 for Internet use, it is all the
772	   more important that all aspects of the NFS version 4 protocol be
773	   reviewed for potential denial of service scenarios.  When found these
774	   potential problems should be mitigated as much as possible.

776	11.  Bibliography

778	   [RFC1094]
779	   Sun Microsystems, Inc., "NFS: Network File System Protocol
780	   Specification", RFC1094, March 1989.

782	   http://www.ietf.org/rfc/rfc1094.txt

784	   [RFC1510]
785	   Kohl, J., Neuman, C., "The Kerberos Network Authentication Service
786	   (V5)", RFC1510, Digital Equipment Corporation, ISI, September 1993.

788	   http://www.ietf.org/rfc/rfc1510.txt

790	   [RFC1813]
791	   Callaghan, B., Pawlowski, B., Staubach, P., "NFS Version 3 Protocol
792	   Specification", RFC1813, Sun Microsystems, Inc., June 1995.

794	   http://www.ietf.org/rfc/rfc1813.txt

796	   [RFC1831]
797	   Srinivasan, R., "RPC: Remote Procedure Call Protocol Specification
798	   Version 2", RFC1831, Sun Microsystems, Inc., August 1995.

800	   http://www.ietf.org/rfc/rfc1831.txt

802	   [RFC1832]
803	   Srinivasan, R., "XDR: External Data Representation Standard",
804	   RFC1832, Sun Microsystems, Inc., August 1995.

806	   http://www.ietf.org/rfc/rfc1832.txt

808	   [RFC1833]
809	   Srinivasan, R., "Binding Protocols for ONC RPC Version 2", RFC1833,
810	   Sun Microsystems, Inc., August 1995.

812	   http://www.ietf.org/rfc/rfc1833.txt

814	   [RFC2025]
815	   Adams, C., "The Simple Public-Key GSS-API Mechanism (SPKM)", RFC2025,
816	   Bell-Northern Research, October 1996.

818	   http://www.ietf.org/rfc/rfc2025.txt

820	   [RFC2054]
821	   Callaghan, B., "WebNFS Client Specification", RFC2054, Sun
822	   Microsystems, Inc., October 1996

824	   http://www.ietf.org/rfc/rfc2054.txt

826	   [RFC2055]
827	   Callaghan, B., "WebNFS Server Specification", RFC2054, Sun
828	   Microsystems, Inc., October 1996

830	   http://www.ietf.org/rfc/rfc2055.txt

832	   [RFC2078]
833	   Linn, J., "Generic Security Service Application Program Interface,
834	   Version 2", RFC2078, OpenVision Technologies, January 1997.

836	   http://www.ietf.org/rfc/rfc2078.txt

838	   [RFC2152]
839	   Goldsmith, D., "UTF-7 A Mail-Safe Transformation Format of Unicode",
840	   RFC2152, Apple Computer, Inc., May 1997

842	   http://www.ietf.org/rfc/rfc2152.txt

844	   [RFC2203]
845	   Eisler, M., Chiu, A., Ling, L., "RPCSEC_GSS Protocol Specification",
846	   RFC2203, Sun Microsystems, Inc., August 1995.

848	   http://www.ietf.org/rfc/rfc2203.txt

850	   [RFC2222]
851	   Myers, J., "Simple Authentication and Security Layer (SASL)",
852	   RFC2222, Netscape Communications, October 1997.

854	   http://www.ietf.org/rfc/rfc2222.txt

856	   [RFC2279]
857	   Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC2279,
858	   Alis Technologies, January 1998.

860	   http://www.ietf.org/rfc/rfc2279.txt

862	   [RFC2246]
863	   Dierks, T., Allen, C. "The TLS Protocols Version 1.0", RFC 2246,
864	   Certicom, January 1999.

866	   http://www.ietf.org/rfc/rfc2246.txt

868	   [RFC2401]
869	   Kent, S., Atkinson, R., "Security Architecture for the Internet
870	   Protocol", RFC2401, BBN Corp., @Home Network, November 1998.

872	   http://www.ietf.org/rfc/rfc2401.txt

874	   [DCEACL]
875	   The Open Group, Open Group Technical Standard, "DCE 1.1:
876	   Authentication and Security Services," Document Number C311, August
877	   1997. Provides a discussion of DEC ACL structure and semantics.

879	   [HPFS]
880	   Les Bell and Associates Pty Ltd, "The HPFS FAQ,"
881	   http://www.lesbell.com.au/hpfsfaq.html

883	   [Hutson]
884	   Huston, L.B., Honeyman, P., "Disconnected Operation for AFS," June
885	   1993. Proc. USENIX Symp. on Mobile and Location-Independent
886	   Computing, Cambridge, August 1993.

888	   [Kistler]
889	   Kistler, James J., Satyanarayanan, M., "Disconnected Operations in
890	   the Coda File System," ACM Trans. on Computer Systems, vol. 10, no.
891	   1, pp. 3-25, Feb. 1992.

893	   [Mummert]
894	   Mummert, L. B., Ebling,  M. R., Satyanarayanan,  M., "Exploiting Weak
895	   Connectivity for Mobile File Access," Proc. of the 15th ACM Symp. on
896	   Operating Systems Principles Dec. 1995.

898	   [Nagar]
899	   Nagar, R., "Windows NT File System Internals," ISBN 1565922492,
900	   O`Reilly & Associates, Inc.

902	   [Sandberg]
903	   Sandberg, R., D. Goldberg, S. Kleiman, D. Walsh, B.  Lyon, "Design
904	   and Implementation of the Sun Network Filesystem," USENIX Conference
905	   Proceedings, USENIX Association, Berkeley, CA, Summer 1985.  The
906	   basic paper describing the SunOS implementation of the NFS version 2
907	   protocol, and discusses the goals, protocol specification and trade-
908	   offs.

910	   [Satyanarayanan1]
911	   Satyanarayanan, M., "Fundamental Challenges in Mobile Computing,"
912	   Proc. of the ACM Principles of Distributed Computing, 1995.

914	   [Satyanarayanan2]
915	   Satyanarayanan, M., Kistler, J. J., Mummert L. B., Ebling M. R.,
916	   Kumar, P. , Lu,  Q., "Experience with disconnected operation in
917	   mobile computing environment," Proc. of the USENIX Symp. on Mobile
918	   and Location-Independent Computing, Jun. 1993.

920	   [Unicode1]
921	   "Unicode Technical Report #8 - The Unicode Standard, Version 2.1",
922	   Unicode, Inc., The Unicode Consortium, P.O. Box 700519, San Jose, CA
923	   95710-0519 USA, September 1998

925	   http://www.unicode.org/unicode/reports/tr8.html

927	   [Unicode2]
928	   "Unsupported Scripts" Unicode, Inc., The Unicode Consortium, P.O. Box
929	   700519, San Jose, CA 95710-0519 USA, October 1998

931	   http://www.unicode.org/unicode/standard/unsupported.html

933	   [XDSM]
934	   The Open Group, Open Group Technical Standard, "Systems Management:
935	   Data Storage Management (XDSM) API," ISBN 1-85912-190-X, January
936	   1997.

938	   [XNFS]
939	   The Open Group, Protocols for Interworking: XNFS, Version 3W, The
940	   Open Group, 1010 El Camino Real Suite 380, Menlo Park, CA 94025, ISBN
941	   1-85912-184-5, February 1998.

943	   HTML version available: http://www.opengroup.org

945	12.  Acknowledgments

947	   o    Brent Callaghan for content contributions.

949	13.  Author's Address

951	   Address comments related to this memorandum to:

953	        spencer.shepler@eng.sun.com -or- nfsv4-wg@sunroof.eng.sun.com

955	   Spencer Shepler
956	   Sun Microsystems, Inc.
957	   7808 Moonflower Drive
958	   Austin, Texas 78750

960	   Phone: (512) 349-9376
961	   E-mail: spencer.shepler@eng.sun.com

963	14.  Full Copyright Statement

965	   "Copyright (C) The Internet Society (1999).  All Rights Reserved.

967	   This document and translations of it may be copied and furnished to
968	   others, and derivative works that comment on or otherwise explain it
969	   or assist in its implmentation may be prepared, copied, published and
970	   distributed, in whole or in part, without restriction of any kind,
971	   provided that the above copyright notice and this paragraph are
972	   included on all such copies and derivative works.  However, this
973	   document itself may not be modified in any way, such as by removing
974	   the copyright notice or references to the Internet Society or other
975	   Internet organizations, except as needed for the purpose of
976	   developing Internet standards in which case the procedures for
977	   copyrights defined in the Internet Standards process must be
978	   followed, or as required to translate it into languages other than
979	   English.

981	   The limited permissions granted above are perpetual and will not be
982	   revoked by the Internet Society or its successors or assigns.

984	   This document and the information contained herein is provided on an
985	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
986	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
987	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
988	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
989	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."