idnits 2.17.1 draft-ietf-nfsv4-multi-domain-fs-reqs-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 21, 2015) is 3164 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'CIFS' == Outdated reference: A later version (-17) exists of draft-ietf-nfsv4-rpcsec-gssv3-12 -- Unexpected draft version: The latest known version of draft-ietf-krb-wg-general-pac is -01, but you're referring to -02. -- Possible downref: Non-RFC (?) normative reference: ref. 'PAC' ** Downref: Normative reference to an Experimental RFC: RFC 2307 ** Obsolete normative reference: RFC 5661 (Obsoleted by RFC 8881) ** Downref: Normative reference to an Informational RFC: RFC 5716 Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NFSv4 Working Group W. Adamson 3 Internet-Draft NetApp 4 Intended status: Standards Track N. Williams 5 Expires: February 22, 2016 Cryptonector 6 August 21, 2015 8 Multiple NFSv4 Domain Namespace Deployment Guidelines 9 draft-ietf-nfsv4-multi-domain-fs-reqs-05 11 Abstract 13 This document discusses issues relevant to the deployment of the 14 NFSv4 protocols in situations allowing for the construction of an 15 NFSv4 file namespace supporting the use of multiple NFSv4 domains and 16 utilizing multi-domain capable file systems. Also described are 17 constraints on name resolution and security services appropriate to 18 the administration of such a system. Such a namespace is a suitable 19 way to enable a Federated File System supporting the use of multiple 20 NFSv4 domains. 22 Requirements Language 24 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 25 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 26 document are to be interpreted as described in [RFC2119]. 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at http://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on February 22, 2016. 45 Copyright Notice 47 Copyright (c) 2015 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 63 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 64 3. Identity Mapping . . . . . . . . . . . . . . . . . . . . . . 5 65 3.1. NFSv4 Server Identity Mapping . . . . . . . . . . . . . . . 5 66 3.2. NFSv4 Client Identity Mapping . . . . . . . . . . . . . . . 6 67 4. Stand-alone NFSv4 Domain Deployment Examples . . . . . . . . 6 68 4.1. AUTH_SYS with Stringified UID/GID . . . . . . . . . . . . . 7 69 4.2. AUTH_SYS with name@domain . . . . . . . . . . . . . . . . . 7 70 4.3. RPCSEC_GSS with name@domain . . . . . . . . . . . . . . . . 7 71 5. Multi-domain Constraints to the NFSv4 Protocol . . . . . . . 8 72 5.1. Name@domain Constraints . . . . . . . . . . . . . . . . . . 8 73 5.1.1. NFSv4 Domain and DNS Services . . . . . . . . . . . . . . 9 74 5.1.2. NFSv4 Domain and Name Services . . . . . . . . . . . . . 9 75 5.2. RPC Security Constraints . . . . . . . . . . . . . . . . . 9 76 5.2.1. NFSv4 Domain and Security Services . . . . . . . . . . . 10 77 6. Resolving Multi-domain Authorization Information . . . . . . 10 78 7. Stand-alone Examples and Multiple NFSv4 Domain Namespaces . . 12 79 8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 80 9. Normative References . . . . . . . . . . . . . . . . . . . . 13 81 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 14 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 84 1. Introduction 86 An NFSv4 domain is defined as a set of users and groups named by a 87 particular domain using the NFSv4 name@domain syntax. This includes 88 NFSv4.0 [RFC7530], NFSv4.1 [RFC5661], and minor versions yet to be 89 published. Often, a computer which acts as an NFSv4 client and 90 always acts on behalf of users belonging to a particular NFSv4 domain 91 is thought of a part of that NFSv4 domain. Similarly, a computer 92 acting as an NFSv4 server that is only aware of users within a 93 particular NFSv4 domain may be thought of as part of that NFSv4 94 domain. 96 In this document, the term "multi-domain" always refers to multiple 97 NFSv4 domains. 99 The Federated File System (FedFS) [RFC5716] describes the 100 requirements and administrative tools to construct a uniform NFSv4 101 file server based namespace that is capable of spanning a whole 102 enterprise and that is easy to manage. 104 The FedFS is the standardized method of constructing and 105 administrating an enterprise-wide NFSv4 filesystem, and so is 106 referenced in this document. The issues with multi-domain 107 deployments described in this document apply to all multi-domain 108 deployments, whether they are run as a FedFS or not. 110 Stand-alone NFSv4 domain deployments can be run in many ways. While 111 a FedFS can be run within all stand-alone NFSv4 domain configurations 112 some of these configurations (Section 4) are not compatible with 113 joining a multi-domain FedFS namespace. 115 Multi-domain deployments require support for global identities in 116 name services and security services, and file systems capable of the 117 on-disk representation of identities belonging to multiple NFSv4 118 domains. Typically, stand-alone NFSv4 domain deployments only 119 provide support for identities belonging to a single NFSv4 domain. 121 This document describes administration-related constraints applying 122 to the deployment of the NFSv4 protocols in environments supporting 123 the construction of an NFSv4 file system namespace supporting the use 124 of multiple NFSv4 domains and utilizing multi-domain capable file 125 systems. Also described are constraints regarding the name 126 resolution and security services appropriate to such a deployment. 127 Such a namespace is a suitable way to enable a Federated File System 128 supporting the use of multiple NFSv4 domains. 130 2. Terminology 132 Name Service: Facilities that provides the mapping between {NFSv4 133 domain, group or user name} and the appropriate local 134 representation of identity. Also includes facilities providing 135 mapping between a security principal and local representation of 136 identity. Can be applied to global identities or principals from 137 within local and remote domains. Often provided by a Directory 138 Service such as LDAP. 140 Name Service Switch (nsswitch): a facility in provides a variety 141 of sources for common configuration databases and name resolution 142 mechanisms. 144 Domain: This term is used in multiple contexts where it has 145 different meanings. Definitions of "nfsv4 domain" and "multi- 146 domain" have already appeared above in Section 1. Below we 147 provide other specific definitions used this document. 149 DNS domain: a set of computers, services, or any internet 150 resource identified by an DNS domain name [RFC1034]. 152 Security realm or domain: a set of configured security 153 providers, users, groups, security roles, and security policies 154 running a single security protocol and administered by a single 155 entity, for example a Kerberos realm. 157 FedFS domain: A file namespace that can cross multiple shares 158 on multiple file servers using file-access protocols such as 159 NFSv4. A FedFS domain is typically a single administrative 160 entity, and has a name that is similar to a DNS domain name. 161 Also known as a Federation. 163 Administrative domain: a set of users, groups, computers, and 164 services administered by a single entity. Can include multiple 165 DNS domains, NFSv4 domains, security domains, and FedFS 166 domains. 168 Local representation of identity: A representation of a user or a 169 group of users capable of being stored persistently within a file 170 system. Typically such representations are identical to the form 171 in which users and groups are represented within internal server 172 API's. Examples are numeric id's such as a uidNumber (UID), 173 gidNumber (GID) [RFC2307], or a Windows Security Identifier (SID) 174 [CIFS]. In some case the identifier space for user and groups 175 overlap, requiring anyone using such an id to know a priori 176 whether the identifier is for a user or a group. 178 Global identity: An on-the-wire globally unique form of identity 179 that can be mapped to a local representation. For example, the 180 NFSv4 name@domain or the Kerberos principal@REALM. 182 Multi-domain capable filesystem: A local filesystem that uses a 183 local ID form that can represent NFSv4 identities from multiple 184 domains. 186 Principal: an RPCSEC_GSS [RFC2203] authentication identity. 187 Usually, but not always, a user; rarely, if ever, a group; 188 sometimes a host or server. 190 Authorization Context: A collection of information about a 191 principal such as username, userID, group membership, etcetera 192 used in authorization decisions. 194 Stringified UID or GID: NFSv4 owner and group strings that consist 195 of decimal numeric values with no leading zeros, and which do not 196 contain an '@' sign. See Section 5.9 "Interpreting owner and 197 owner_group" [RFC5661]. 199 3. Identity Mapping 201 3.1. NFSv4 Server Identity Mapping 203 NFSv4 servers deal with two kinds of identities: authentication 204 identities (referred to here as "principals") and authorization 205 identities ("users" and "groups" of users). NFSv4 supports multiple 206 authentication methods, each authenticating an "initiator principal" 207 (typically representing a user) to an "acceptor principal" (always 208 corresponding to the NFSv4 server). NFSv4 does not prescribe how to 209 represent authorization identities on file systems. All file access 210 decisions constitute "authorization" and are made by NFSv4 servers 211 using authorization context information and file metadata related to 212 authorization, such as a file's access control list (ACL). 214 NFSv4 servers therefore must perform two kinds of mappings: 216 1. Auth-to-authz: A mapping between the authentication identity and 217 the authorization context information. 219 2. Wire-to-disk: A mapping between the on-the-wire authorization 220 identity representation and the on-disk authorization identity 221 representation. 223 A Name Service such as LDAP often provides these mappings. 225 Many aspects of these mappings are entirely implementation specific, 226 but some require multi-domain capable name resolution and security 227 services in order to interoperate in a multi-domain environment. 229 NFSv4 servers use these mappings for: 231 1. File access: Both the auth-to-authz and the wire-to-disk mappings 232 may be required for file access decisions. 234 2. Meta-data setting and listing: The auth-to-authz mapping is 235 usually required to service file metadata setting or listing 236 requests such as ACL or unix permission setting or listing. This 237 mapping is needed because NFSv4 messages use identity 238 representations of the form name@domain which normally differs 239 from the server's local representation of identity. 241 3.2. NFSv4 Client Identity Mapping 243 A client setting the owner or group attribute will often need access 244 to identity mapping services. This is because API's within the 245 client will specify the identity in a local form (e.g UNIX using a 246 uid/gid) so that when stringified id's cannot be used, the id must be 247 converted to a global form. 249 A client obtaining values for the owner or group attributes will 250 similarly need access to identity mapping services. This is because 251 the client API will need these attributes in a local form, as above. 252 As a result name services need to be available to convert the global 253 identity to a local form. 255 Note that each of these situations arises because client-side API's 256 require a particular local identity representation. The need for 257 mapping services would not arise if the clients could use the global 258 representation of identity directly. 260 4. Stand-alone NFSv4 Domain Deployment Examples 262 In order to service as many environments as possible, the NFSv4 263 protocol is designed to allow administrators freedom to configure 264 their NFSv4 domains as they please. 266 Stand-alone NFSv4 domains can be run in many ways. Here we list some 267 stand-alone NFSv4 domain deployment examples focusing on the NFSv4 268 server's use of name service mappings (Section 3.1) and security 269 services deployment to demonstrate the need for some multiple NFSv4 270 domain constraints to the NFSv4 protocol, name service configuration, 271 and security service choices. 273 Because all on-disk identities participating in a stand-alone NFSv4 274 domain belong to the same NFSv4 domain, stand-alone NFSv4 domain 275 deployments have no requirement for exporting multi-domain capable 276 file systems. 278 These examples are for a NFSv4 server exporting a POSIX UID/GID based 279 file system, a typical deployment. These examples are listed in the 280 order of increasing NFSv4 administrative complexity. 282 4.1. AUTH_SYS with Stringified UID/GID 284 This example is the closest NFSv4 gets to being run as NFSv3. 286 File access: The AUTH_SYS RPC credential provides a UID as the 287 authentication identity, and a list of GIDs as authorization context 288 information. File access decisions require no name service 289 interaction as the on-the-wire and on-disk representation are the 290 same and the auth-to-authz UID and GID authorization context 291 information is provided in the RPC credential. 293 Meta-data setting and listing: When the NFSv4 clients and servers 294 implement a stringified UID/GID scheme, where a stringified UID or 295 GID is used for the NFSv4 name@domain on-the-wire identity, then a 296 name service is not required for file metadata listing as the UID or 297 GID can be constructed from the stringified form on the fly by the 298 server. 300 4.2. AUTH_SYS with name@domain 302 Another possibility is to express identity using the form 303 'name@domain', rather than using a stringified UID/GID scheme for 304 file metadata setting and listing. 306 File access: This is the same as in Section 4.1. 308 Meta-data setting and listing: The NFSv4 server will need to use a 309 name service for the wire-to-disk mappings to map between the on-the- 310 wire name@domain syntax and the on-disk UID/GID representation. 311 Often, the NFSv4 server will use the nsswitch interface for these 312 mappings. A typical use of the nsswitch name service interface uses 313 no domain component, just the uid attribute [RFC2307] (or login name) 314 as the name component. This is no issue in a stand-alone NFSv4 315 domain deployment as the NFSv4 domain is known to the NFSv4 server 316 and can combined with the login name to form the name@domain syntax 317 after the return of the name service call. 319 4.3. RPCSEC_GSS with name@domain 321 RPCSEC_GSS uses GSS-API [RFC2743] security mechanisms to securely 322 authenticate users to servers. The most common mechanism is Kerberos 323 [RFC4121]. 325 This final example adds the use of RPCSEC_GSS with the Kerberos 5 GSS 326 security mechanism. 328 File Access: The forms of GSS principal names are mechanism-specific. 329 For Kerberos these are of the form principal@REALM. Sometimes 330 authorization context information is delivered with authentication, 331 but this cannot be counted on. Authorization context information not 332 delivered with authentication has timely update considerations (i.e., 333 generally it's not possible to get a timely update). File access 334 decisions therefore require a wire-to-disk mapping of the GSS 335 principal to a UID, and an auth-to-authz mapping to obtain the list 336 of GIDs as the authorization context. 338 Implementations must never blindly drop a Kerberos REALM name from a 339 Kerberos principal name to obtain a POSIX username, but they may be 340 configured to do so for specific REALMs. 342 Meta-data setting and listing: This is the same as in Section 4.2. 344 5. Multi-domain Constraints to the NFSv4 Protocol 346 Joining NFSv4 domains under a single file namespace imposes slightly 347 on the NFSv4 administration freedom. Here we describe the required 348 constraints. 350 5.1. Name@domain Constraints 352 NFSv4 uses a syntax of the form "name@domain" as the on-the-wire 353 representation of the "who" field of an NFSv4 access control entry 354 (ACE) for users and groups. This design provides a level of 355 indirection that allows NFSv4 clients and servers with different 356 internal representations of authorization identity to interoperate 357 even when referring to authorization identities from different NFSv4 358 domains. 360 Multi-domain capable sites need to meet the following requirements in 361 order to ensure that NFSv4 clients and servers can map between 362 name@domain and internal representations reliably. While some of 363 these constraints are basic assumptions in NFSv4.0 [RFC7530] and 364 NFSv4.1 [RFC5661], they need to be clearly stated for the multi- 365 domain case. 367 o The NFSv4 domain portion of name@domain MUST be unique within the 368 multi-domain namespace. See [RFC5661] section 5.9 "Interpreting 369 owner and owner_group" for a discussion on NFSv4 domain 370 configuration. 372 o The name portion of name@domain MUST be unique within the 373 specified NFSv4 domain. 375 Due to UID and GID collisions, stringified UID/GIDs MUST NOT be used 376 in a multi-domain deployment. This means that multi-domain-capable 377 servers MUST reject requests that use stringified UID/GIDs. 379 5.1.1. NFSv4 Domain and DNS Services 381 Here we address the relationship between NFSv4 domain name and DNS 382 domain name in a multi-domain deployment. 384 The definition of an NFSv4 domain name needs clarification to work in 385 a multi-domain file system namespace. Section 5.9 [RFC5661] loosely 386 defines the NFSv4 domain name as a DNS domain name. This loose 387 definition for the NFSv4 domain is a good one, as DNS domain names 388 are globally unique. As noted above in Section 5.1, any choice of 389 NFSv4 domain name can work within a stand-alone NFSv4 domain 390 deployment whereas the NFSv4 domain is required to be unique in a 391 multi-domain deployment. 393 A typical configuration is that there is a single NFSv4 domain that 394 is served by a single DNS domain. In this case the NFSv4 domain name 395 can be the same as the DNS domain name. 397 An NFSv4 domain can span multiple DNS domains. In this case, one of 398 the DNS domain names can be chosen as the NFSv4 domain name. 400 Multiple NFSv4 domains can also share a DNS domain. In this case, 401 only one of the NFSv4 domains can use the DNS domain name, the other 402 NFSv4 domains must choose another unique NFSv4 domain name. 404 5.1.2. NFSv4 Domain and Name Services 406 As noted above in Section 5.1, each name@domain is unique across the 407 multi-domain namespace and maps, on each NFSv4 server, to the local 408 representation of identity used by that server. Typically, this 409 representation consists of an indication of the particular domain 410 combined with the uid/gid corresponding to the name component. To 411 support such an arrangement, each NFSv4 domain needs to have a single 412 name resolution service capable of converting the names defined 413 within the domain to the corresponding local representation. 415 5.2. RPC Security Constraints 417 As described in [RFC5661] section 2.2.1.1 "RPC Security Flavors": 419 NFSv4.1 clients and servers MUST implement RPCSEC_GSS. 420 (This requirement to implement is not a requirement 421 to use.) Other flavors, such as AUTH_NONE, and AUTH_SYS, 422 MAY be implemented as well. 424 The underlying RPCSEC_GSS security mechanism used in a multi-domain 425 namespace is REQUIRED to employ a method of cross NFSv4 domain trust 426 so that a principal from a security service in one NFSv4 domain can 427 be authenticated in another NFSv4 domain that uses a security service 428 with the same security mechanism. Kerberos, and PKU2U 429 [I-D.zhu-pku2u] are examples of such security services. 431 The AUTH_NONE security flavor can be useful in a multi-domain 432 deployment to grant universal access to public data without any 433 credentials. 435 The AUTH_SYS security flavor uses a host-based authentication model 436 where the weakly authenticated host (the NFSv4 client) asserts the 437 user's authorization identities using small integers, uidNumber, and 438 gidNumber [RFC2307], as user and group identity representations. 439 Because this authorization ID representation has no domain component, 440 AUTH_SYS can only be used in a namespace where all NFSv4 clients and 441 servers share an [RFC2307] name service. A shared name service is 442 required because uidNumbers and gidNumbers are passed in the RPC 443 credential; there is no negotiation of namespace in AUTH_SYS. 444 Collisions can occur if multiple name services are used, so AUTH_SYS 445 MUST NOT be used in a multi-domain file system deployment. 447 While the AUTH_SYS security mechanism can not be used (indeed, 448 AUTH_SYS is obsolete and of limited use for all of NFS), RPCSEC_GSSv3 449 [I-D.rpcsec-gssv3] can completely replace all uses of AUTH_SYS in a 450 multi-domain file system. Like AUTH_SYS, and unlike RPCSEC_GSSv1/2, 451 RPCSEC_GSSv3 allows the client to assert and contribute knowledge of 452 the user process' authorization context. 454 5.2.1. NFSv4 Domain and Security Services 456 As noted above in Section 5.2, caveat AUTH_NULL, multiple NFSv4 457 domain security services are RPCSEC_GSS based with the Kerberos 5 458 security mechanism being the most commonly (and as of this writing, 459 the only) deployed service. 461 A single Kerberos 5 security service per NFSv4 domain with the upper 462 case NFSv4 domain name as the Kerberos 5 REALM name is a common 463 deployment. 465 Multiple security services per NFSv4 domain is allowed, and brings 466 the issue of mapping multiple Kerberos 5 principal@REALMs to the same 467 local ID. Methods of achieving this are beyond the scope of this 468 document. 470 6. Resolving Multi-domain Authorization Information 472 When an RPCSEC_GSS principal is seeking access to files on an NFSv4 473 server, after authenticating the principal, the server must obtain in 474 a secure manner the principal's authorization context information 475 from an authoritative source such as the name service in the 476 principal's NFSv4 domain. 478 In the stand-alone NFSv4 domain case where the principal is seeking 479 access to files on an NFSv4 server in the principal's home NFSv4 480 domain, the server administrator has knowledge of the local policies 481 and methods for obtaining the principal's authorization information 482 and the mappings to local representation of identity from an 483 authoritative source. E.g., the administrator can configure secure 484 access to the local NFSv4 domain name service. 486 In the multi-domain case where a principal is seeking access to files 487 on an NFSv4 server not in the principal's home NFSv4 domain, the 488 NFSv4 server may be required to contact the remote name service in 489 the principals NFSv4 domain. In this case there is no assumption of: 491 o Remote name service configuration knowledge. 493 o The syntax of the remote authorization context information 494 presented to the NFSv4 server by the remote name service for 495 mapping to a local representation. 497 There are several methods the NFSv4 server can use to obtain the 498 NFSv4 domain authoritative authorization information for a remote 499 principal from an authoritative source. While any detail is beyond 500 the scope of this document, some general methods are listed here. 502 1. A mechanism specific GSS-API authorization payload containing 503 credential authorization data such as a "privilege attribute 504 certificate" (PAC) [PAC] or a "general PAD" (PAD) 505 [I-D.sorce-krbwg-general-pac]. This is the preferred method as 506 the payload is delivered as part of GSS-API authentication, 507 avoids requiring any knowledge of the remote authoritative 508 service configuration, and its syntax is well known. 510 2. When there is a security agreement between the local and remote 511 NFSv4 domain name services plus regular update data feeds, the 512 NFSv4 server local NFSv4 domain name service can be authoritative 513 for principal's in the remote NFSv4 domain. In this case, the 514 NFSv4 server makes a query to it's local NFSv4 domain name 515 service just as it does when servicing a local domain principal. 516 While this requires detailed knowledge of the remote NFSv4 517 domains name service for the update data feeds, the authorization 518 context information presented to the NFSv4 server is in the same 519 form as a query for a local principal. 521 3. An authenticated direct query from the NFSv4 server to the 522 principal's NFSv4 domain authoritative name service. This 523 requires the NFSv4 server to have detailed knowledge of the 524 remote NFSv4 domain's authoritative name service and detailed 525 knowledge of the syntax of the resultant authorization context 526 information. 528 7. Stand-alone Examples and Multiple NFSv4 Domain Namespaces 530 Revisiting the stand-alone (Section 4) NFSv4 domain deployment 531 examples, we note that due to the use of AUTH_SYS, neither 532 Section 4.1 nor Section 4.2 configurations are suitable for multi- 533 domain deployments. 535 The Section 4.3 configuration example can participate in a multi- 536 domain namespace deployment if: 538 o The NFSv4 domain name is unique across the namespace. 540 o All exported file systems are multi-domain capable. 542 o A secure method is used to resolve remote NFSv4 domain principals 543 authorization information from an authoritative source. 545 8. Security Considerations 547 This RFC discusses security throughout. All the security 548 considerations of the relevant protocols, such as NFSv4.0 [RFC7530], 549 NFSv4.1 [RFC5661], RPCSEC_GSS [RFC2203], GSS-API [RFC4121], LDAP 550 [RFC4511], and others, apply. 552 Authentication and authorization across administrative domains 553 presents security considerations, most of which are treated 554 elsewhere, but we repeat some of them here: 556 o latency in propagation of revocation of authentication credentials 558 o latency in propagation of revocation of authorizations 560 o latency in propagation of granting of authorizations 562 o complications in establishing a foreign domain's users' complete 563 authorization context: only parts may be available to servers 565 o privacy considerations in a federated environment 567 Most of these are security considerations of the mechanisms used to 568 authenticate users to servers and servers to users, and of the 569 mechanisms used to evaluate a user's authorization context. We don't 570 treat them fully here, but implementors should study the protocols in 571 question to get a more complete set of security considerations. 573 Note that clients/users may also need to evaluate a server's 574 authorization context when using labeled security [I-D.NFSv4.2] 575 (e.g., is the server authorized to handle content at a given security 576 level, for the given compartments). Even when not using labeled 577 security, since there could be many realms (credential issuer) for a 578 given server, it's important to verify that the server a client is 579 talking to has a credential for the name the client has for the 580 server, and that that credential's issuer (i.e., its realm) is 581 allowed to issue it. Usually the service principle realm 582 authorization function is implemented by the security mechanism, but 583 the implementor should check this. 585 Implementors may be tempted to assume that realm (or "issuer") and 586 NFSv4 domain are roughly the same thing, but they are not. 587 Configuration and/or lookup protocols (such as LDAP) and associated 588 schemas are generally required in order to evaluate a user 589 principal's authorization context. In the simplest scheme a server 590 has access to a database mapping all known principal names to 591 usernames whose authorization context can be evaluated using 592 operating system interfaces that deal in usernames rather than 593 principal names. 595 9. Normative References 597 [CIFS] Microsoft Corporation, "[MS-CIFS] -- v20130118 Common 598 Internet File System (CIFS) Protocol", January 2013. 600 [I-D.NFSv4.2] 601 Haynes, T., "NFS Version 4 Minor Version 2", draft-ietf- 602 nfsv4-minorversion2-36 (Work In Progress), April 2015. 604 [I-D.rpcsec-gssv3] 605 Adamson, W. and N. Williams, "Remote Procedure Call (RPC) 606 Security Version 3", draft-ietf-nfsv4-rpcsec-gssv3-12 607 (Work In Progress), July 2015. 609 [I-D.sorce-krbwg-general-pac] 610 Sorce, S., Yu, T., and T. Hardjono, "A Generalized PAC for 611 Kerberos V5", draft-ietf-krb-wg-general-pac-02 (Work In 612 Progress awaiting merge with other document ), June 2011. 614 [I-D.zhu-pku2u] 615 Zhu, L., Altman, J., and N. Williams, "Public Key 616 Cryptography Based User-to-User Authentication - (PKU2U)", 617 draft-zhu-pku2u-09 (Work In Progress), November 2008. 619 [PAC] Brezak, J., "Utilizing the Windows 2000 Authorization Data 620 in Kerberos Tickets for Access Control to Resources", 621 October 2002. 623 [RFC1034] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", 624 RFC 1034, November 1987. 626 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 627 Requirement Levels", RFC 2119, March 1997. 629 [RFC2203] Eisler, M. and J. Linn, "RPCSEC_GSS Protocol 630 Specification", RFC 2203, September 1997. 632 [RFC2307] Howard, L., "An Approach for Using LDAP as a Network 633 Information Service", RFC 2307, March 1998. 635 [RFC2743] Linn, J., "Generic Security Service Application Program 636 Interface Version 2, Update 1", RFC 2743, January 2000. 638 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 639 Version 5 Generic Security Service Application Program 640 Interface (GSS-API) Mechanism: Version 2", RFC 4121, July 641 2005. 643 [RFC4511] Sermersheim, Ed., J., "Lightweight Directory Access 644 Protocol (LDAP): The Protocol", RFC 4511, June 2006. 646 [RFC5661] Shepler, S., Eisler, M., and D. Noveck, "Network File 647 System (NFS) Version 4 Minor Version 1 Protocol", RFC 648 5661, January 2010. 650 [RFC5716] Lentini, J., Everhart, C., Ellard, D., Tewari, R., and M. 651 Naik, "Requirements for Federated File Systems", RFC 5716, 652 January 2010. 654 [RFC7530] Haynes, T. and D. Noveck, "Network File System (NFS) 655 version 4 Protocol", RFC 7530, March 2015. 657 Appendix A. Acknowledgments 659 Andy Adamson would like to thank NetApp, Inc. for its funding of his 660 time on this project. 662 We thank Chuck Lever, Tom Haynes, Brian Reitz, Bruce Fields, and 663 David Noveck for their review. 665 Authors' Addresses 667 William A. (Andy) Adamson 668 NetApp 670 Email: andros@netapp.com 672 Nicolas Williams 673 Cryptonector 675 Email: nico@cryptonector.com