idnits 2.17.1 draft-ietf-nfsv4-multi-domain-fs-reqs-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 1, 2015) is 3129 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-17) exists of draft-ietf-nfsv4-rpcsec-gssv3-12 ** Obsolete normative reference: RFC 5661 (Obsoleted by RFC 8881) Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NFSv4 Working Group W. Adamson 3 Internet-Draft NetApp 4 Intended status: Standards Track N. Williams 5 Expires: April 3, 2016 Cryptonector 6 October 1, 2015 8 Multiple NFSv4 Domain Namespace Deployment Guidelines 9 draft-ietf-nfsv4-multi-domain-fs-reqs-06 11 Abstract 13 This document discusses issues relevant to the deployment of the 14 NFSv4 protocols in situations allowing for the construction of an 15 NFSv4 file namespace supporting the use of multiple NFSv4 domains and 16 utilizing multi-domain capable file systems. Also described are 17 constraints on name resolution and security services appropriate to 18 the administration of such a system. Such a namespace is a suitable 19 way to enable a Federated File System supporting the use of multiple 20 NFSv4 domains. 22 Requirements Language 24 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 25 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 26 document are to be interpreted as described in [RFC2119]. 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at http://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on April 3, 2016. 45 Copyright Notice 47 Copyright (c) 2015 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 63 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 64 3. Identity Mapping . . . . . . . . . . . . . . . . . . . . . . 5 65 3.1. NFSv4 Server Identity Mapping . . . . . . . . . . . . . . . 5 66 3.2. NFSv4 Client Identity Mapping . . . . . . . . . . . . . . . 6 67 4. Stand-alone NFSv4 Domain Deployment Examples . . . . . . . . 6 68 4.1. AUTH_SYS with Stringified UID/GID . . . . . . . . . . . . . 7 69 4.2. AUTH_SYS with name@domain . . . . . . . . . . . . . . . . . 7 70 4.3. RPCSEC_GSS with name@domain . . . . . . . . . . . . . . . . 7 71 5. Multi-domain Constraints to the NFSv4 Protocol . . . . . . . 8 72 5.1. Name@domain Constraints . . . . . . . . . . . . . . . . . . 8 73 5.1.1. NFSv4 Domain and DNS Services . . . . . . . . . . . . . . 9 74 5.1.2. NFSv4 Domain and Name Services . . . . . . . . . . . . . 9 75 5.2. RPC Security Constraints . . . . . . . . . . . . . . . . . 9 76 5.2.1. NFSv4 Domain and Security Services . . . . . . . . . . . 10 77 6. Resolving Multi-domain Authorization Information . . . . . . 10 78 7. Stand-alone Examples and Multiple NFSv4 Domain Namespaces . . 12 79 8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 80 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 81 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 82 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 83 10.2. Informative References . . . . . . . . . . . . . . . . . . 14 84 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 14 85 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 87 1. Introduction 89 An NFSv4 domain is defined as a set of users and groups named by a 90 particular domain using the NFSv4 name@domain syntax. This includes 91 NFSv4.0 [RFC7530], NFSv4.1 [RFC5661], and minor versions yet to be 92 published. Often, a computer which acts as an NFSv4 client and 93 always acts on behalf of users belonging to a particular NFSv4 domain 94 is thought of a part of that NFSv4 domain. Similarly, a computer 95 acting as an NFSv4 server that is only aware of users within a 96 particular NFSv4 domain may be thought of as part of that NFSv4 97 domain. 99 In this document, the term "multi-domain" always refers to multiple 100 NFSv4 domains. 102 The Federated File System (FedFS) [RFC5716] describes the 103 requirements and administrative tools to construct a uniform NFSv4 104 file server based namespace that is capable of spanning a whole 105 enterprise and that is easy to manage. 107 The FedFS is the standardized method of constructing and 108 administrating an enterprise-wide NFSv4 filesystem, and so is 109 referenced in this document. The issues with multi-domain 110 deployments described in this document apply to all multi-domain 111 deployments, whether they are run as a FedFS or not. 113 Stand-alone NFSv4 domain deployments can be run in many ways. While 114 a FedFS can be run within all stand-alone NFSv4 domain configurations 115 some of these configurations (Section 4) are not compatible with 116 joining a multi-domain FedFS namespace. 118 Multi-domain deployments require support for global identities in 119 name services and security services, and file systems capable of the 120 on-disk representation of identities belonging to multiple NFSv4 121 domains. Typically, stand-alone NFSv4 domain deployments only 122 provide support for identities belonging to a single NFSv4 domain. 124 This document describes administration-related constraints applying 125 to the deployment of the NFSv4 protocols in environments supporting 126 the construction of an NFSv4 file system namespace supporting the use 127 of multiple NFSv4 domains and utilizing multi-domain capable file 128 systems. Also described are constraints regarding the name 129 resolution and security services appropriate to such a deployment. 130 Such a namespace is a suitable way to enable a Federated File System 131 supporting the use of multiple NFSv4 domains. 133 2. Terminology 135 Name Service: Facilities that provides the mapping between {NFSv4 136 domain, group or user name} and the appropriate local 137 representation of identity. Also includes facilities providing 138 mapping between a security principal and local representation of 139 identity. Can be applied to global identities or principals from 140 within local and remote domains. Often provided by a Directory 141 Service such as LDAP. 143 Name Service Switch (nsswitch): a facility in provides a variety 144 of sources for common configuration databases and name resolution 145 mechanisms. 147 Domain: This term is used in multiple contexts where it has 148 different meanings. Definitions of "nfsv4 domain" and "multi- 149 domain" have already appeared above in Section 1. Below we 150 provide other specific definitions used this document. 152 DNS domain: a set of computers, services, or any internet 153 resource identified by an DNS domain name [RFC1034]. 155 Security realm or domain: a set of configured security 156 providers, users, groups, security roles, and security policies 157 running a single security protocol and administered by a single 158 entity, for example a Kerberos realm. 160 FedFS domain: A file namespace that can cross multiple shares 161 on multiple file servers using file-access protocols such as 162 NFSv4. A FedFS domain is typically a single administrative 163 entity, and has a name that is similar to a DNS domain name. 164 Also known as a Federation. 166 Administrative domain: a set of users, groups, computers, and 167 services administered by a single entity. Can include multiple 168 DNS domains, NFSv4 domains, security domains, and FedFS 169 domains. 171 Local representation of identity: A representation of a user or a 172 group of users capable of being stored persistently within a file 173 system. Typically such representations are identical to the form 174 in which users and groups are represented within internal server 175 API's. Examples are numeric id's such as a uidNumber (UID), 176 gidNumber (GID) [RFC2307], or a Windows Security Identifier (SID) 177 [CIFS]. In some case the identifier space for user and groups 178 overlap, requiring anyone using such an id to know a priori 179 whether the identifier is for a user or a group. 181 Global identity: An on-the-wire globally unique form of identity 182 that can be mapped to a local representation. For example, the 183 NFSv4 name@domain or the Kerberos principal@REALM. 185 Multi-domain capable filesystem: A local filesystem that uses a 186 local ID form that can represent NFSv4 identities from multiple 187 domains. 189 Principal: an RPCSEC_GSS [RFC2203] authentication identity. 190 Usually, but not always, a user; rarely, if ever, a group; 191 sometimes a host or server. 193 Authorization Context: A collection of information about a 194 principal such as username, userID, group membership, etcetera 195 used in authorization decisions. 197 Stringified UID or GID: NFSv4 owner and group strings that consist 198 of decimal numeric values with no leading zeros, and which do not 199 contain an '@' sign. See Section 5.9 "Interpreting owner and 200 owner_group" [RFC5661]. 202 3. Identity Mapping 204 3.1. NFSv4 Server Identity Mapping 206 NFSv4 servers deal with two kinds of identities: authentication 207 identities (referred to here as "principals") and authorization 208 identities ("users" and "groups" of users). NFSv4 supports multiple 209 authentication methods, each authenticating an "initiator principal" 210 (typically representing a user) to an "acceptor principal" (always 211 corresponding to the NFSv4 server). NFSv4 does not prescribe how to 212 represent authorization identities on file systems. All file access 213 decisions constitute "authorization" and are made by NFSv4 servers 214 using authorization context information and file metadata related to 215 authorization, such as a file's access control list (ACL). 217 NFSv4 servers therefore must perform two kinds of mappings: 219 1. Auth-to-authz: A mapping between the authentication identity and 220 the authorization context information. 222 2. Wire-to-disk: A mapping between the on-the-wire authorization 223 identity representation and the on-disk authorization identity 224 representation. 226 A Name Service such as LDAP often provides these mappings. 228 Many aspects of these mappings are entirely implementation specific, 229 but some require multi-domain capable name resolution and security 230 services in order to interoperate in a multi-domain environment. 232 NFSv4 servers use these mappings for: 234 1. File access: Both the auth-to-authz and the wire-to-disk mappings 235 may be required for file access decisions. 237 2. Meta-data setting and listing: The auth-to-authz mapping is 238 usually required to service file metadata setting or listing 239 requests such as ACL or unix permission setting or listing. This 240 mapping is needed because NFSv4 messages use identity 241 representations of the form name@domain which normally differs 242 from the server's local representation of identity. 244 3.2. NFSv4 Client Identity Mapping 246 A client setting the owner or group attribute will often need access 247 to identity mapping services. This is because API's within the 248 client will specify the identity in a local form (e.g UNIX using a 249 uid/gid) so that when stringified id's cannot be used, the id must be 250 converted to a global form. 252 A client obtaining values for the owner or group attributes will 253 similarly need access to identity mapping services. This is because 254 the client API will need these attributes in a local form, as above. 255 As a result name services need to be available to convert the global 256 identity to a local form. 258 Note that each of these situations arises because client-side API's 259 require a particular local identity representation. The need for 260 mapping services would not arise if the clients could use the global 261 representation of identity directly. 263 4. Stand-alone NFSv4 Domain Deployment Examples 265 In order to service as many environments as possible, the NFSv4 266 protocol is designed to allow administrators freedom to configure 267 their NFSv4 domains as they please. 269 Stand-alone NFSv4 domains can be run in many ways. Here we list some 270 stand-alone NFSv4 domain deployment examples focusing on the NFSv4 271 server's use of name service mappings (Section 3.1) and security 272 services deployment to demonstrate the need for some multiple NFSv4 273 domain constraints to the NFSv4 protocol, name service configuration, 274 and security service choices. 276 Because all on-disk identities participating in a stand-alone NFSv4 277 domain belong to the same NFSv4 domain, stand-alone NFSv4 domain 278 deployments have no requirement for exporting multi-domain capable 279 file systems. 281 These examples are for a NFSv4 server exporting a POSIX UID/GID based 282 file system, a typical deployment. These examples are listed in the 283 order of increasing NFSv4 administrative complexity. 285 4.1. AUTH_SYS with Stringified UID/GID 287 This example is the closest NFSv4 gets to being run as NFSv3. 289 File access: The AUTH_SYS RPC credential provides a UID as the 290 authentication identity, and a list of GIDs as authorization context 291 information. File access decisions require no name service 292 interaction as the on-the-wire and on-disk representation are the 293 same and the auth-to-authz UID and GID authorization context 294 information is provided in the RPC credential. 296 Meta-data setting and listing: When the NFSv4 clients and servers 297 implement a stringified UID/GID scheme, where a stringified UID or 298 GID is used for the NFSv4 name@domain on-the-wire identity, then a 299 name service is not required for file metadata listing as the UID or 300 GID can be constructed from the stringified form on the fly by the 301 server. 303 4.2. AUTH_SYS with name@domain 305 Another possibility is to express identity using the form 306 'name@domain', rather than using a stringified UID/GID scheme for 307 file metadata setting and listing. 309 File access: This is the same as in Section 4.1. 311 Meta-data setting and listing: The NFSv4 server will need to use a 312 name service for the wire-to-disk mappings to map between the on-the- 313 wire name@domain syntax and the on-disk UID/GID representation. 314 Often, the NFSv4 server will use the nsswitch interface for these 315 mappings. A typical use of the nsswitch name service interface uses 316 no domain component, just the uid attribute [RFC2307] (or login name) 317 as the name component. This is no issue in a stand-alone NFSv4 318 domain deployment as the NFSv4 domain is known to the NFSv4 server 319 and can combined with the login name to form the name@domain syntax 320 after the return of the name service call. 322 4.3. RPCSEC_GSS with name@domain 324 RPCSEC_GSS uses GSS-API [RFC2743] security mechanisms to securely 325 authenticate users to servers. The most common mechanism is Kerberos 326 [RFC4121]. 328 This final example adds the use of RPCSEC_GSS with the Kerberos 5 GSS 329 security mechanism. 331 File Access: The forms of GSS principal names are mechanism-specific. 332 For Kerberos these are of the form principal@REALM. Sometimes 333 authorization context information is delivered with authentication, 334 but this cannot be counted on. Authorization context information not 335 delivered with authentication has timely update considerations (i.e., 336 generally it's not possible to get a timely update). File access 337 decisions therefore require a wire-to-disk mapping of the GSS 338 principal to a UID, and an auth-to-authz mapping to obtain the list 339 of GIDs as the authorization context. 341 Implementations must never blindly drop a Kerberos REALM name from a 342 Kerberos principal name to obtain a POSIX username, but they may be 343 configured to do so for specific REALMs. 345 Meta-data setting and listing: This is the same as in Section 4.2. 347 5. Multi-domain Constraints to the NFSv4 Protocol 349 Joining NFSv4 domains under a single file namespace imposes slightly 350 on the NFSv4 administration freedom. Here we describe the required 351 constraints. 353 5.1. Name@domain Constraints 355 NFSv4 uses a syntax of the form "name@domain" as the on-the-wire 356 representation of the "who" field of an NFSv4 access control entry 357 (ACE) for users and groups. This design provides a level of 358 indirection that allows NFSv4 clients and servers with different 359 internal representations of authorization identity to interoperate 360 even when referring to authorization identities from different NFSv4 361 domains. 363 Multi-domain capable sites need to meet the following requirements in 364 order to ensure that NFSv4 clients and servers can map between 365 name@domain and internal representations reliably. While some of 366 these constraints are basic assumptions in NFSv4.0 [RFC7530] and 367 NFSv4.1 [RFC5661], they need to be clearly stated for the multi- 368 domain case. 370 o The NFSv4 domain portion of name@domain MUST be unique within the 371 multi-domain namespace. See [RFC5661] section 5.9 "Interpreting 372 owner and owner_group" for a discussion on NFSv4 domain 373 configuration. 375 o The name portion of name@domain MUST be unique within the 376 specified NFSv4 domain. 378 Due to UID and GID collisions, stringified UID/GIDs MUST NOT be used 379 in a multi-domain deployment. This means that multi-domain-capable 380 servers MUST reject requests that use stringified UID/GIDs. 382 5.1.1. NFSv4 Domain and DNS Services 384 Here we address the relationship between NFSv4 domain name and DNS 385 domain name in a multi-domain deployment. 387 The definition of an NFSv4 domain name needs clarification to work in 388 a multi-domain file system namespace. Section 5.9 [RFC5661] loosely 389 defines the NFSv4 domain name as a DNS domain name. This loose 390 definition for the NFSv4 domain is a good one, as DNS domain names 391 are globally unique. As noted above in Section 5.1, any choice of 392 NFSv4 domain name can work within a stand-alone NFSv4 domain 393 deployment whereas the NFSv4 domain is required to be unique in a 394 multi-domain deployment. 396 A typical configuration is that there is a single NFSv4 domain that 397 is served by a single DNS domain. In this case the NFSv4 domain name 398 can be the same as the DNS domain name. 400 An NFSv4 domain can span multiple DNS domains. In this case, one of 401 the DNS domain names can be chosen as the NFSv4 domain name. 403 Multiple NFSv4 domains can also share a DNS domain. In this case, 404 only one of the NFSv4 domains can use the DNS domain name, the other 405 NFSv4 domains must choose another unique NFSv4 domain name. 407 5.1.2. NFSv4 Domain and Name Services 409 As noted above in Section 5.1, each name@domain is unique across the 410 multi-domain namespace and maps, on each NFSv4 server, to the local 411 representation of identity used by that server. Typically, this 412 representation consists of an indication of the particular domain 413 combined with the uid/gid corresponding to the name component. To 414 support such an arrangement, each NFSv4 domain needs to have a single 415 name resolution service capable of converting the names defined 416 within the domain to the corresponding local representation. 418 5.2. RPC Security Constraints 420 As described in [RFC5661] section 2.2.1.1 "RPC Security Flavors": 422 NFSv4.1 clients and servers MUST implement RPCSEC_GSS. 423 (This requirement to implement is not a requirement 424 to use.) Other flavors, such as AUTH_NONE, and AUTH_SYS, 425 MAY be implemented as well. 427 The underlying RPCSEC_GSS security mechanism used in a multi-domain 428 namespace is REQUIRED to employ a method of cross NFSv4 domain trust 429 so that a principal from a security service in one NFSv4 domain can 430 be authenticated in another NFSv4 domain that uses a security service 431 with the same security mechanism. Kerberos is an example of such a 432 security services. 434 The AUTH_NONE security flavor can be useful in a multi-domain 435 deployment to grant universal access to public data without any 436 credentials. 438 The AUTH_SYS security flavor uses a host-based authentication model 439 where the weakly authenticated host (the NFSv4 client) asserts the 440 user's authorization identities using small integers, uidNumber, and 441 gidNumber [RFC2307], as user and group identity representations. 442 Because this authorization ID representation has no domain component, 443 AUTH_SYS can only be used in a namespace where all NFSv4 clients and 444 servers share an [RFC2307] name service. A shared name service is 445 required because uidNumbers and gidNumbers are passed in the RPC 446 credential; there is no negotiation of namespace in AUTH_SYS. 447 Collisions can occur if multiple name services are used, so AUTH_SYS 448 MUST NOT be used in a multi-domain file system deployment. 450 While the AUTH_SYS security mechanism can not be used (indeed, 451 AUTH_SYS is obsolete and of limited use for all of NFS), RPCSEC_GSSv3 452 [I-D.rpcsec-gssv3] can completely replace all uses of AUTH_SYS in a 453 multi-domain file system. Like AUTH_SYS, and unlike RPCSEC_GSSv1/2, 454 RPCSEC_GSSv3 allows the client to assert and contribute knowledge of 455 the user process' authorization context. 457 5.2.1. NFSv4 Domain and Security Services 459 As noted above in Section 5.2, caveat AUTH_NULL, multiple NFSv4 460 domain security services are RPCSEC_GSS based with the Kerberos 5 461 security mechanism being the most commonly (and as of this writing, 462 the only) deployed service. 464 A single Kerberos 5 security service per NFSv4 domain with the upper 465 case NFSv4 domain name as the Kerberos 5 REALM name is a common 466 deployment. 468 Multiple security services per NFSv4 domain is allowed, and brings 469 the issue of mapping multiple Kerberos 5 principal@REALMs to the same 470 local ID. Methods of achieving this are beyond the scope of this 471 document. 473 6. Resolving Multi-domain Authorization Information 475 When an RPCSEC_GSS principal is seeking access to files on an NFSv4 476 server, after authenticating the principal, the server must obtain in 477 a secure manner the principal's authorization context information 478 from an authoritative source such as the name service in the 479 principal's NFSv4 domain. 481 In the stand-alone NFSv4 domain case where the principal is seeking 482 access to files on an NFSv4 server in the principal's home NFSv4 483 domain, the server administrator has knowledge of the local policies 484 and methods for obtaining the principal's authorization information 485 and the mappings to local representation of identity from an 486 authoritative source. E.g., the administrator can configure secure 487 access to the local NFSv4 domain name service. 489 In the multi-domain case where a principal is seeking access to files 490 on an NFSv4 server not in the principal's home NFSv4 domain, the 491 NFSv4 server may be required to contact the remote name service in 492 the principals NFSv4 domain. In this case there is no assumption of: 494 o Remote name service configuration knowledge. 496 o The syntax of the remote authorization context information 497 presented to the NFSv4 server by the remote name service for 498 mapping to a local representation. 500 There are several methods the NFSv4 server can use to obtain the 501 NFSv4 domain authoritative authorization information for a remote 502 principal from an authoritative source. While any detail is beyond 503 the scope of this document, some general methods are listed here. 505 1. A mechanism specific GSS-API authorization payload containing 506 credential authorization data such as a "privilege attribute 507 certificate" (PAC) [PAC] or a "general PAD" (PAD) 508 [I-D.sorce-krbwg-general-pac]. This is the preferred method as 509 the payload is delivered as part of GSS-API authentication, 510 avoids requiring any knowledge of the remote authoritative 511 service configuration, and its syntax is well known. 513 2. When there is a security agreement between the local and remote 514 NFSv4 domain name services plus regular update data feeds, the 515 NFSv4 server local NFSv4 domain name service can be authoritative 516 for principal's in the remote NFSv4 domain. In this case, the 517 NFSv4 server makes a query to it's local NFSv4 domain name 518 service just as it does when servicing a local domain principal. 519 While this requires detailed knowledge of the remote NFSv4 520 domains name service for the update data feeds, the authorization 521 context information presented to the NFSv4 server is in the same 522 form as a query for a local principal. 524 3. An authenticated direct query from the NFSv4 server to the 525 principal's NFSv4 domain authoritative name service. This 526 requires the NFSv4 server to have detailed knowledge of the 527 remote NFSv4 domain's authoritative name service and detailed 528 knowledge of the syntax of the resultant authorization context 529 information. 531 7. Stand-alone Examples and Multiple NFSv4 Domain Namespaces 533 Revisiting the stand-alone (Section 4) NFSv4 domain deployment 534 examples, we note that due to the use of AUTH_SYS, neither 535 Section 4.1 nor Section 4.2 configurations are suitable for multi- 536 domain deployments. 538 The Section 4.3 configuration example can participate in a multi- 539 domain namespace deployment if: 541 o The NFSv4 domain name is unique across the namespace. 543 o All exported file systems are multi-domain capable. 545 o A secure method is used to resolve remote NFSv4 domain principals 546 authorization information from an authoritative source. 548 8. Security Considerations 550 This RFC discusses security throughout. All the security 551 considerations of the relevant protocols, such as NFSv4.0 [RFC7530], 552 NFSv4.1 [RFC5661], RPCSEC_GSS [RFC2203], GSS-API [RFC4121], LDAP 553 [RFC4511], and others, apply. 555 Authentication and authorization across administrative domains 556 presents security considerations, most of which are treated 557 elsewhere, but we repeat some of them here: 559 o latency in propagation of revocation of authentication credentials 561 o latency in propagation of revocation of authorizations 563 o latency in propagation of granting of authorizations 565 o complications in establishing a foreign domain's users' complete 566 authorization context: only parts may be available to servers 568 o privacy considerations in a federated environment 570 Most of these are security considerations of the mechanisms used to 571 authenticate users to servers and servers to users, and of the 572 mechanisms used to evaluate a user's authorization context. We don't 573 treat them fully here, but implementors should study the protocols in 574 question to get a more complete set of security considerations. 576 Note that clients/users may also need to evaluate a server's 577 authorization context when using labeled security [I-D.NFSv4.2] 578 (e.g., is the server authorized to handle content at a given security 579 level, for the given compartments). Even when not using labeled 580 security, since there could be many realms (credential issuer) for a 581 given server, it's important to verify that the server a client is 582 talking to has a credential for the name the client has for the 583 server, and that that credential's issuer (i.e., its realm) is 584 allowed to issue it. Usually the service principle realm 585 authorization function is implemented by the security mechanism, but 586 the implementor should check this. 588 Implementors may be tempted to assume that realm (or "issuer") and 589 NFSv4 domain are roughly the same thing, but they are not. 590 Configuration and/or lookup protocols (such as LDAP) and associated 591 schemas are generally required in order to evaluate a user 592 principal's authorization context. In the simplest scheme a server 593 has access to a database mapping all known principal names to 594 usernames whose authorization context can be evaluated using 595 operating system interfaces that deal in usernames rather than 596 principal names. 598 9. IANA Considerations 600 There are no IANA considerations in this document. 602 10. References 604 10.1. Normative References 606 [I-D.NFSv4.2] 607 Haynes, T., "NFS Version 4 Minor Version 2", draft-ietf- 608 nfsv4-minorversion2-36 (Work In Progress), April 2015. 610 [I-D.rpcsec-gssv3] 611 Adamson, W. and N. Williams, "Remote Procedure Call (RPC) 612 Security Version 3", draft-ietf-nfsv4-rpcsec-gssv3-12 613 (Work In Progress), July 2015. 615 [RFC1034] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", 616 RFC 1034, November 1987. 618 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 619 Requirement Levels", RFC 2119, March 1997. 621 [RFC2203] Eisler, M. and J. Linn, "RPCSEC_GSS Protocol 622 Specification", RFC 2203, September 1997. 624 [RFC2743] Linn, J., "Generic Security Service Application Program 625 Interface Version 2, Update 1", RFC 2743, January 2000. 627 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 628 Version 5 Generic Security Service Application Program 629 Interface (GSS-API) Mechanism: Version 2", RFC 4121, July 630 2005. 632 [RFC4511] Sermersheim, Ed., J., "Lightweight Directory Access 633 Protocol (LDAP): The Protocol", RFC 4511, June 2006. 635 [RFC5661] Shepler, S., Eisler, M., and D. Noveck, "Network File 636 System (NFS) Version 4 Minor Version 1 Protocol", RFC 637 5661, January 2010. 639 [RFC7530] Haynes, T. and D. Noveck, "Network File System (NFS) 640 version 4 Protocol", RFC 7530, March 2015. 642 10.2. Informative References 644 [CIFS] Microsoft Corporation, "[MS-CIFS] -- v20130118 Common 645 Internet File System (CIFS) Protocol", January 2013. 647 [I-D.sorce-krbwg-general-pac] 648 Sorce, S., Yu, T., and T. Hardjono, "A Generalized PAC for 649 Kerberos V5", draft-ietf-krb-wg-general-pac-01 (Work In 650 Progress awaiting merge with other document ), June 2011. 652 [PAC] Brezak, J., "Utilizing the Windows 2000 Authorization Data 653 in Kerberos Tickets for Access Control to Resources", 654 October 2002. 656 [RFC2307] Howard, L., "An Approach for Using LDAP as a Network 657 Information Service", RFC 2307, March 1998. 659 [RFC5716] Lentini, J., Everhart, C., Ellard, D., Tewari, R., and M. 660 Naik, "Requirements for Federated File Systems", RFC 5716, 661 January 2010. 663 Appendix A. Acknowledgments 665 Andy Adamson would like to thank NetApp, Inc. for its funding of his 666 time on this project. 668 We thank Chuck Lever, Tom Haynes, Brian Reitz, Bruce Fields, and 669 David Noveck for their review. 671 Authors' Addresses 673 William A. (Andy) Adamson 674 NetApp 676 Email: andros@netapp.com 678 Nicolas Williams 679 Cryptonector 681 Email: nico@cryptonector.com