summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7861.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7861.txt')
-rw-r--r--doc/rfc/rfc7861.txt1459
1 files changed, 1459 insertions, 0 deletions
diff --git a/doc/rfc/rfc7861.txt b/doc/rfc/rfc7861.txt
new file mode 100644
index 0000000..e728c1e
--- /dev/null
+++ b/doc/rfc/rfc7861.txt
@@ -0,0 +1,1459 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) W. Adamson
+Request for Comments: 7861 NetApp
+Updates: 5403 N. Williams
+Category: Standards Track Cryptonector
+ISSN: 2070-1721 November 2016
+
+
+ Remote Procedure Call (RPC) Security Version 3
+
+Abstract
+
+ This document specifies version 3 of the Remote Procedure Call (RPC)
+ security protocol (RPCSEC_GSS). This protocol provides support for
+ multi-principal authentication of client hosts and user principals to
+ a server (constructed by generic composition), security label
+ assertions for multi-level security and type enforcement, structured
+ privilege assertions, and channel bindings. This document updates
+ RFC 5403.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7861.
+
+Copyright Notice
+
+ Copyright (c) 2016 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+Adamson & Williams Standards Track [Page 1]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+Table of Contents
+
+ 1. Introduction and Motivation .....................................2
+ 1.1. Requirements Language ......................................3
+ 1.2. Added Functionality ........................................4
+ 1.3. XDR Code Extraction ........................................5
+ 2. The RPCSEC_GSSv3 Protocol .......................................6
+ 2.1. Compatibility with RPCSEC_GSSv2 ............................6
+ 2.2. Version Negotiation ........................................6
+ 2.3. New Reply Verifier .........................................7
+ 2.4. XDR Code Preliminaries .....................................8
+ 2.5. RPCSEC_GSS_BIND_CHANNEL Operation .........................10
+ 2.6. New auth_stat Values ......................................10
+ 2.7. New Control Procedures ....................................10
+ 2.7.1. New Control Procedure - RPCSEC_GSS_CREATE ..........12
+ 2.7.2. New Control Procedure - RPCSEC_GSS_LIST ............20
+ 2.8. Extensibility .............................................21
+ 3. Operational Recommendation for Deployment ......................21
+ 4. Security Considerations ........................................21
+ 5. IANA Considerations ............................................22
+ 5.1. New RPC Authentication Status Numbers .....................22
+ 5.2. Structured Privilege Name Definitions .....................23
+ 5.2.1. Initial Registry ...................................24
+ 5.2.2. Updating Registrations .............................24
+ 6. References .....................................................25
+ 6.1. Normative References ......................................25
+ 6.2. Informative References ....................................26
+ Acknowledgments ...................................................26
+ Authors' Addresses ................................................26
+
+1. Introduction and Motivation
+
+ The original Remote Procedure Call (RPC) security protocol
+ (RPCSEC_GSS) [RFC2203] provided for authentication of RPC clients and
+ servers to each other using the Generic Security Service Application
+ Programming Interface (GSS-API) [RFC2743]. The second version of
+ RPCSEC_GSS [RFC5403] added support for channel bindings [RFC5056].
+
+ Existing GSS-API mechanisms are insufficient for communicating
+ certain authorization and authentication information to a server.
+ The GSS-API and its mechanisms certainly could be extended to address
+ this shortcoming. However, it is addressed here at the application
+ layer, i.e., in RPCSEC_GSS.
+
+ A major motivation for version 3 of RPCSEC_GSS (RPCSEC_GSSv3) is to
+ add support for multi-level (labeled) security and server-side copy
+ for NFSv4.
+
+
+
+
+Adamson & Williams Standards Track [Page 2]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ Multi-Level Security (MLS) is a traditional model where subjects
+ (processes) are given a security level (Unclassified, Secret,
+ Top Secret, etc.) and objects (files) are given security labels that
+ mandate the access of the subject to the object (see Section 9.1 of
+ [RFC7862]).
+
+ Labeled NFS (see Section 9 of [RFC7862]) uses an MLS policy with
+ Mandatory Access Control (MAC) systems as defined in [RFC4949].
+ Labeled NFS stores MAC file object labels on the NFS server and
+ enables client Guest Mode MAC as described in Section 9.5.3 of
+ [RFC7862]. RPCSEC_GSSv3 label assertions assert client MAC process
+ subject labels to enable Full Mode MAC when combined with Labeled NFS
+ as described in Section 9.5.1 of [RFC7862].
+
+ A traditional inter-server file copy entails the user gaining access
+ to a file on the source, reading it, and writing it to a file on the
+ destination. In secure NFSv4 inter-server server-side copy (see
+ Section 4 of [RFC7862]), the user first secures access to both source
+ and destination files and then uses NFSv4.2-defined RPCSEC_GSSv3
+ structured privileges to authorize the destination to copy the file
+ from the source on behalf of the user.
+
+ Multi-principal authentication can be used to address shared cache
+ poisoning attacks (see Section 9 of [AFS-RXGK]) on the client cache
+ by a user. As described in Section 7 of [AFS-RXGK], multi-user
+ machines with a single cache manager can fetch and cache data on a
+ user's behalf and re-display it for another user from the cache
+ without refetching the data from the server. The initial data
+ acquisition is authenticated by the first user's credentials, and if
+ only that user's credentials are used, it may be possible for a
+ malicious user or users to "poison" the cache for other users by
+ introducing bogus data into the cache.
+
+ Another use of the multi-principal assertion is the secure conveyance
+ of privilege information for processes running with more (or even
+ with less) privilege than the user normally would be accorded.
+
+1.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 3]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+1.2. Added Functionality
+
+ RPCSEC_GSS version 3 (RPCSEC_GSSv3) is the same as RPCSEC_GSSv2
+ [RFC5403], except that the following assertions of authority have
+ been added:
+
+ o Security labels for Full Mode security type enforcement, and other
+ labeled security models (see Section 9.5.1 of [RFC7862]).
+
+ o Application-specific structured privileges. These allow an RPC
+ application client to pass structured information to the
+ corresponding application code in a server to control the use of
+ the privilege and/or the conditions in which the privilege may be
+ exercised. For an example, see server-side copy as described in
+ [RFC7862].
+
+ o Multi-principal authentication of the client host and user to the
+ server, done by binding two RPCSEC_GSS handles.
+
+ o Simplified channel binding.
+
+ Assertions of labels and privileges are evaluated by the server,
+ which may then map the asserted values to other values, all according
+ to server-side policy. See [RFC7862].
+
+ An option for enumerating server-supported Label Format Specifiers
+ (LFSs) is provided. See Section 9.1 of [RFC7862].
+
+ Note that there is no RPCSEC_GSS_CREATE payload that is REQUIRED to
+ implement. RPCSEC_GSSv3 implementations are feature driven. Besides
+ implementing the RPCSEC_GSS_CREATE operation and payloads for the
+ desired features, all RPCSEC_GSSv3 implementations MUST implement:
+
+ o The new RPCSEC_GSS version number (Section 2.2).
+
+ o The new reply verifier (Section 2.3).
+
+ o The new auth_stat values (Section 2.6).
+
+
+
+
+
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 4]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ RPCSEC_GSSv3 targets implementing a desired feature MUST also
+ implement the RPCSEC_GSS_LIST operation, and the RPCSEC_GSS_CREATE
+ operation replies for unsupported features as follows:
+
+ o For label assertions, the target indicates no support by returning
+ the new RPCSEC_GSS_LABEL_PROBLEM auth_stat value (see
+ Section 2.7.1.3).
+
+ o For structured privilege assertions, the target indicates no
+ support by returning the new RPCSEC_GSS_UNKNOWN_MESSAGE auth_stat
+ value (see Section 2.7.1.4).
+
+ o For multi-principal authentication (Section 2.7.1.1), the target
+ indicates no support by not including an rgss3_gss_mp_auth value
+ in the rgss3_create_res.
+
+ o For channel bindings (Section 2.7.1.2), the target indicates no
+ support by not including an rgss3_chan_binding value in the
+ rgss3_create_res.
+
+1.3. XDR Code Extraction
+
+ This document contains the External Data Representation (XDR)
+ [RFC4506] definitions for the RPCSEC_GSSv3 protocol. The XDR
+ description is provided in this document in a way that makes it
+ simple for the reader to extract it into a form that is ready to
+ compile. The reader can feed this document in the following shell
+ script to produce the machine-readable XDR description of
+ RPCSEC_GSSv3:
+
+ <CODE BEGINS>
+
+ #!/bin/sh
+ grep "^ *///" | sed 's?^ */// ??' | sed 's?^ *///$??'
+
+ <CODE ENDS>
+
+ That is, if the above script is stored in a file called "extract.sh"
+ and this document is in a file called "spec.txt", then the reader
+ can do:
+
+ <CODE BEGINS>
+
+ sh extract.sh < spec.txt > rpcsec_gss_v3.x
+
+ <CODE ENDS>
+
+
+
+
+
+Adamson & Williams Standards Track [Page 5]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ The effect of the script is to remove leading white space from each
+ line, plus a sentinel sequence of "///".
+
+2. The RPCSEC_GSSv3 Protocol
+
+ RPCSEC_GSS version 3 (RPCSEC_GSSv3) is very similar to RPCSEC_GSS
+ version 2 (RPCSEC_GSSv2) [RFC5403]. The difference is that the new
+ support for assertions and channel bindings is implemented via a
+ different mechanism.
+
+ The entire RPCSEC_GSSv3 protocol is not presented here. Only the
+ differences between RPCSEC_GSSv3 and RPCSEC_GSSv2 are shown.
+
+ RPCSEC_GSSv3 is implemented as follows:
+
+ o A client uses an existing RPCSEC_GSSv3 context handle established
+ in the usual manner (see Section 5.2 of [RFC2203]) to protect
+ RPCSEC_GSSv3 exchanges; this will be termed the "parent" handle.
+
+ o The server issues a "child" RPCSEC_GSSv3 handle in the
+ RPCSEC_GSS_CREATE response, which uses the underlying GSS-API
+ security context of the parent handle in all subsequent exchanges
+ that use the child handle.
+
+ o An RPCSEC_GSSv3 child handle MUST NOT be used as the parent handle
+ in an RPCSEC_GSS3_CREATE control message.
+
+2.1. Compatibility with RPCSEC_GSSv2
+
+ The functionality of RPCSEC_GSSv2 [RFC5403] is fully supported by
+ RPCSEC_GSSv3, with the exception of the RPCSEC_GSS_BIND_CHANNEL
+ operation, which is not supported when RPCSEC_GSSv3 is in use (see
+ Section 2.5).
+
+2.2. Version Negotiation
+
+ An initiator that supports version 3 of RPCSEC_GSS simply issues an
+ RPCSEC_GSS request with the rgc_version field set to
+ RPCSEC_GSS_VERS_3. If the target does not recognize
+ RPCSEC_GSS_VERS_3, the target will return an RPC error per
+ Section 5.1 of [RFC2203].
+
+ The initiator MUST NOT attempt to use an RPCSEC_GSS handle returned
+ by version 3 of a target with version 1 or version 2 of the same
+ target. The initiator MUST NOT attempt to use an RPCSEC_GSS handle
+ returned by version 1 or version 2 of a target with version 3 of the
+ same target.
+
+
+
+
+Adamson & Williams Standards Track [Page 6]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+2.3. New Reply Verifier
+
+ A new reply verifier is needed for RPCSEC_GSSv3 because of a
+ situation that arises from the use of the same GSS context by child
+ and parent handles. Because the RPCSEC_GSSv3 child handle uses the
+ same GSS context as the parent handle, a child and parent
+ RPCSEC_GSSv3 handle could have the same RPCSEC_GSS sequence numbers.
+ Since the reply verifier of previous versions of RPCSEC_GSS computes
+ a Message Integrity Code (MIC) on just the sequence number, this
+ provides opportunities for man-in-the-middle attacks.
+
+ This issue is addressed in RPCSEC_GSS version 3 by computing the
+ verifier using exactly the same input as the information used to
+ compute the request verifier, except that the mtype is changed from
+ CALL to REPLY. The new reply verifier computes a MIC over the
+ following RPC reply header data:
+
+ unsigned int xid;
+ msg_type mtype; /* set to REPLY */
+ unsigned int rpcvers;
+ unsigned int prog;
+ unsigned int vers;
+ unsigned int proc;
+ opaque_auth cred; /* binds the RPCSEC_GSS handle */
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 7]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+2.4. XDR Code Preliminaries
+
+ The following code fragment replaces the corresponding preliminary
+ code shown in Figure 1 of [RFC5403]. The values in the code fragment
+ in Section 2.6 are additions to the auth_stat enumeration.
+ Subsequent code fragments are additions to the code for version 2
+ that support the new procedures defined in version 3.
+
+ <CODE BEGINS>
+
+ /// /*
+ /// * Copyright (c) 2016 IETF Trust and the persons
+ /// * identified as the authors. All rights reserved.
+ /// *
+ /// * The authors of the code are identified in RFC 2203,
+ /// * RFC 5403, and RFC 7861.
+ /// *
+ /// * Redistribution and use in source and binary forms,
+ /// * with or without modification, are permitted
+ /// * provided that the following conditions are met:
+ /// *
+ /// * o Redistributions of source code must retain the above
+ /// * copyright notice, this list of conditions and the
+ /// * following disclaimer.
+ /// *
+ /// * o Redistributions in binary form must reproduce the
+ /// * above copyright notice, this list of
+ /// * conditions and the following disclaimer in
+ /// * the documentation and/or other materials
+ /// * provided with the distribution.
+ /// *
+ /// * o Neither the name of Internet Society, IETF or IETF
+ /// * Trust, nor the names of specific contributors, may be
+ /// * used to endorse or promote products derived from this
+ /// * software without specific prior written permission.
+ /// *
+ /// * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS
+ /// * AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+ /// * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ /// * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ /// * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+ /// * EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ /// * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ /// * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ /// * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ /// * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ /// * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ /// * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+
+
+
+Adamson & Williams Standards Track [Page 8]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ /// * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ /// * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ /// * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ /// */
+ ///
+ /// /*
+ /// * This code was derived from RFC 2203, RFC 5403,
+ /// * and RFC 7861. Please reproduce this note if possible.
+ /// */
+ ///
+ /// enum rpc_gss_service_t {
+ /// /* Note: The enumerated value for 0 is reserved. */
+ /// rpc_gss_svc_none = 1,
+ /// rpc_gss_svc_integrity = 2,
+ /// rpc_gss_svc_privacy = 3,
+ /// rpc_gss_svc_channel_prot = 4
+ /// };
+ ///
+ /// enum rpc_gss_proc_t {
+ /// RPCSEC_GSS_DATA = 0,
+ /// RPCSEC_GSS_INIT = 1,
+ /// RPCSEC_GSS_CONTINUE_INIT = 2,
+ /// RPCSEC_GSS_DESTROY = 3,
+ /// RPCSEC_GSS_BIND_CHANNEL = 4, /* Not used */
+ /// RPCSEC_GSS_CREATE = 5, /* New */
+ /// RPCSEC_GSS_LIST = 6 /* New */
+ /// };
+ ///
+ /// struct rpc_gss_cred_vers_1_t {
+ /// rpc_gss_proc_t gss_proc; /* Control procedure */
+ /// unsigned int seq_num; /* Sequence number */
+ /// rpc_gss_service_t service; /* Service used */
+ /// opaque handle<>; /* Context handle */
+ /// };
+ ///
+ /// const RPCSEC_GSS_VERS_1 = 1;
+ /// const RPCSEC_GSS_VERS_2 = 2;
+ /// const RPCSEC_GSS_VERS_3 = 3; /* New */
+ ///
+ /// union rpc_gss_cred_t switch (unsigned int rgc_version) {
+ /// case RPCSEC_GSS_VERS_1:
+ /// case RPCSEC_GSS_VERS_2:
+ /// case RPCSEC_GSS_VERS_3: /* New */
+ /// rpc_gss_cred_vers_1_t rgc_cred_v1;
+ /// };
+ ///
+
+ <CODE ENDS>
+
+
+
+Adamson & Williams Standards Track [Page 9]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ As seen above, the RPCSEC_GSSv3 credential has the same format as the
+ RPCSEC_GSSv1 [RFC2203] and RPCSEC_GSSv2 [RFC5403] credential.
+ Setting the rgc_version field to 3 indicates that the initiator and
+ target support the new RPCSEC_GSSv3 control procedures.
+
+2.5. RPCSEC_GSS_BIND_CHANNEL Operation
+
+ RPCSEC_GSSv3 provides a channel-binding assertion that replaces the
+ RPCSEC_GSSv2 RPCSEC_GSS_BIND_CHANNEL operation.
+
+ The RPCSEC_GSS_BIND_CHANNEL operation is not supported on RPCSEC_GSS
+ version 3 handles. If a server receives an RPCSEC_GSS_BIND_CHANNEL
+ operation on an RPCSEC_GSSv3 handle, it MUST return a reply status of
+ MSG_ACCEPTED with an accept_stat of PROC_UNAVAIL [RFC5531].
+
+2.6. New auth_stat Values
+
+ RPCSEC_GSSv3 requires the addition of several values to the auth_stat
+ enumerated type definition. The use of these new auth_stat values is
+ explained throughout this document.
+
+ enum auth_stat {
+ ...
+ /*
+ * RPCSEC_GSSv3 errors
+ */
+ RPCSEC_GSS_INNER_CREDPROBLEM = 15,
+ RPCSEC_GSS_LABEL_PROBLEM = 16,
+ RPCSEC_GSS_PRIVILEGE_PROBLEM = 17,
+ RPCSEC_GSS_UNKNOWN_MESSAGE = 18
+ };
+
+2.7. New Control Procedures
+
+ There are two new RPCSEC_GSSv3 control procedures: RPCSEC_GSS_CREATE
+ and RPCSEC_GSS_LIST.
+
+ The RPCSEC_GSS_CREATE procedure binds any combination of assertions
+ -- multi-principal authentication, labels, structured privileges, or
+ channel bindings -- to a new RPCSEC_GSSv3 context returned in the
+ rgss3_create_res rcr_handle field.
+
+ The RPCSEC_GSS_LIST procedure queries the target for supported
+ assertions.
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 10]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ RPCSEC_GSS version 3 control messages are similar to the RPCSEC_GSS
+ version 1 and version 2 RPCSEC_GSS_DESTROY control message (see
+ Section 5.4 of [RFC2203]) in that the sequence number in the request
+ must be valid and the header checksum in the verifier must be valid.
+ As in RPCSEC_GSS version 1 and version 2, the RPCSEC_GSS version 3
+ control messages may contain call data following the verifier in the
+ body of the NULLPROC procedure. In other words, they look a lot like
+ an RPCSEC_GSS data message with the header procedure set to NULLPROC.
+
+ The client MUST use one of the following security services to protect
+ the RPCSEC_GSS_CREATE or RPCSEC_GSS_LIST control message:
+
+ o rpc_gss_svc_integrity
+
+ o rpc_gss_svc_privacy
+
+ Specifically, the client MUST NOT use rpc_gss_svc_none.
+
+ RPCSEC_GSS_LIST can also use rpc_gss_svc_channel_prot (see
+ RPCSEC_GSSv2 [RFC5403]) if the request is sent using an RPCSEC_GSSv3
+ child handle with channel bindings enabled as described in
+ Section 2.7.1.2.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 11]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+2.7.1. New Control Procedure - RPCSEC_GSS_CREATE
+
+ <CODE BEGINS>
+
+ /// struct rgss3_create_args {
+ /// rgss3_gss_mp_auth *rca_mp_auth;
+ /// rgss3_chan_binding *rca_chan_bind_mic;
+ /// rgss3_assertion_u rca_assertions<>;
+ /// };
+ ///
+ /// struct rgss3_create_res {
+ /// opaque rcr_handle<>;
+ /// rgss3_gss_mp_auth *rcr_mp_auth;
+ /// rgss3_chan_binding *rcr_chan_bind_mic;
+ /// rgss3_assertion_u rcr_assertions<>;
+ /// };
+ ///
+ /// enum rgss3_assertion_type {
+ /// LABEL = 0,
+ /// PRIVS = 1
+ /// };
+ ///
+ /// union rgss3_assertion_u
+ /// switch (rgss3_assertion_type atype) {
+ /// case LABEL:
+ /// rgss3_label rau_label;
+ /// case PRIVS:
+ /// rgss3_privs rau_privs;
+ /// default:
+ /// opaque rau_ext<>;
+ /// };
+ ///
+
+ <CODE ENDS>
+
+ The call data for an RPCSEC_GSS_CREATE request consists of an
+ rgss3_create_args, which binds one or more items of several kinds to
+ the returned rcr_handle RPCSEC_GSSv3 context handle (the child
+ handle):
+
+ o Multi-principal authentication: another RPCSEC_GSS context handle
+
+ o A channel binding
+
+ o Authorization assertions: labels and/or privileges
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 12]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ The reply to this message consists of either an error or an
+ rgss3_create_res structure. As noted in Sections 2.7.1.3 and
+ 2.7.1.4, successful rgss3_assertions are enumerated in rcr_assertions
+ and are REQUIRED to be enumerated in the same order as they appeared
+ in the rca_assertions argument.
+
+ Upon a successful RPCSEC_GSS_CREATE, both the client and the server
+ need to associate the resultant child rcr_handle context handle with
+ the parent context handle in their GSS context caches so as to be
+ able to reference the parent context given the child context handle.
+
+ RPCSEC_GSSv3 child handles MUST be destroyed upon the destruction of
+ the associated parent handle.
+
+ Server implementation and policy MAY result in labels, privileges,
+ and identities being mapped to concepts and values that are local to
+ the server. Server policies should take into account the identity of
+ the client and/or user as authenticated via the GSS-API.
+
+2.7.1.1. Multi-Principal Authentication
+
+ <CODE BEGINS>
+
+ ///
+ /// struct rgss3_gss_mp_auth {
+ /// opaque rgmp_handle<>; /* Inner handle */
+ /// opaque rgmp_rpcheader_mic<>;
+ /// };
+ ///
+
+ <CODE ENDS>
+
+ RPCSEC_GSSv3 clients MAY assert a multi-principal authentication of
+ the RPC client host principal and a user principal. This feature is
+ needed, for example, when an RPC client host wishes to use authority
+ assertions that the server may only grant if a user and an RPC client
+ host are authenticated together to the server. Thus, a server may
+ refuse to grant requested authority to a user acting alone (e.g., via
+ an unprivileged user-space program) or to an RPC client host acting
+ alone (e.g., when an RPC client host is acting on behalf of a user)
+ but may grant requested authority to an RPC client host acting on
+ behalf of a user if the server identifies the user and trusts the RPC
+ client host.
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 13]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ It is assumed that an unprivileged user-space program would not have
+ access to RPC client host credentials needed to establish a GSS-API
+ security context authenticating the RPC client host to the server;
+ therefore, an unprivileged user-space program could not create an
+ RPCSEC_GSSv3 RPCSEC_GSS_CREATE message that successfully binds an RPC
+ client host and a user security context.
+
+ In addition to the parent handle (Section 2), the multi-principal
+ authentication call data has an RPCSEC_GSS version 3 handle
+ referenced via the rgmp_handle field termed the "inner" handle.
+ Clients using RPCSEC_GSSv3 multi-principal authentication MUST use an
+ RPCSEC_GSSv3 context handle that corresponds to a GSS-API security
+ context that authenticates the RPC client host for the parent handle.
+ The inner context handle of the multi-principal authentication
+ assertion MUST use an RPCSEC_GSSv3 context handle that corresponds to
+ a GSS-API security context that authenticates the user. The reverse
+ (parent handle authenticates user, inner context handle authenticates
+ an RPC client host) MUST NOT be used. Other multi-principal parent
+ and inner context handle uses might eventually make sense, but they
+ would need to be introduced in a new revision of the RPCSEC_GSS
+ protocol.
+
+ The child context handle returned by a successful multi-principal
+ assertion binds the inner RPCSEC_GSSv3 context handle to the parent
+ RPCSEC_GSS context handle and MUST be treated by servers as
+ authenticating the GSS-API initiator principal authenticated by the
+ inner context handle's GSS-API security context. This principal may
+ be mapped to a server-side notion of user or principal.
+
+ Multi-principal binding is done by including an assertion of type
+ rgss3_gss_mp_auth in the RPCSEC_GSS_CREATE rgss3_create_args call
+ data. The inner context handle is placed in the rgmp_handle field.
+ A MIC of the RPC header, up to and including the credential, is
+ computed using the GSS-API security context associated with the inner
+ context handle and is placed in the rgmp_rpcheader_mic field. Note
+ that the rgmp_rpcheader_mic only identifies the client host GSS
+ context by its context handle (the parent context handle) in the RPC
+ header.
+
+ An RPCSEC_GSS_CREATE control procedure with a multi-principal
+ authentication payload MUST use the rpc_gss_svc_privacy security
+ service for protection. This prevents an attacker from intercepting
+ the RPCSEC_GSS_CREATE control procedure, reassigning the (parent)
+ context handle, and stealing the user's identity.
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 14]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ The target verifies the multi-principal authentication by first
+ confirming that the parent context used is an RPC client host
+ context; the target then verifies the rgmp_rpcheader_mic using the
+ GSS-API security context associated with the rgmp_handle field.
+
+ On successful verification, the rgss3_gss_mp_auth field in the
+ rgss3_create_res reply MUST be filled in with the inner RPCSEC_GSSv3
+ context handle as the rgmp_handle and a MIC computed over the RPC
+ reply header (see Section 2.3) using the GSS-API security context
+ associated with the inner handle.
+
+ On failure, the rgss3_gss_mp_auth field is not sent
+ (rgss3_gss_mp_auth is an optional field). A MSG_DENIED reply to the
+ RPCSEC_GSS_CREATE call is formulated as usual.
+
+ As described in Section 5.3.3.3 of [RFC2203], the server maintains a
+ list of contexts for the clients that are currently in session with
+ it. When a client request comes in, there may not be a context
+ corresponding to its handle. When this occurs on an
+ RPCSEC_GSS3_CREATE request processing of the parent handle, the
+ server rejects the request with a reply status of MSG_DENIED with the
+ reject_stat of AUTH_ERROR and with an auth_stat value of
+ RPCSEC_GSS_CREDPROBLEM.
+
+ A new value, RPCSEC_GSS_INNER_CREDPROBLEM, has been added to the
+ auth_stat type. With a multi-principal authorization request, the
+ server must also have a context corresponding to the inner context
+ handle. When the server does not have a context handle corresponding
+ to the inner context handle of a multi-principal authorization
+ request, the server sends a reply status of MSG_DENIED with the
+ reject_stat of AUTH_ERROR and with an auth_stat value of
+ RPCSEC_GSS_INNER_CREDPROBLEM.
+
+ When processing the multi-principal authentication request, if the
+ GSS_VerifyMIC() call on the rgmp_rpcheader_mic fails to return
+ GSS_S_COMPLETE, the server sends a reply status of MSG_DENIED with
+ the reject_stat of AUTH_ERROR and with an auth_stat value of
+ RPCSEC_GSS_INNER_CREDPROBLEM.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 15]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+2.7.1.2. Channel Binding
+
+ <CODE BEGINS>
+
+ ///
+ /// typedef opaque rgss3_chan_binding<>;
+ ///
+
+ <CODE ENDS>
+
+ RPCSEC_GSSv3 provides a different way to do channel binding than
+ RPCSEC_GSSv2 [RFC5403]. Specifically:
+
+ a. RPCSEC_GSSv3 builds on RPCSEC_GSSv1 by reusing existing,
+ established context handles rather than providing a different RPC
+ security flavor for establishing context handles.
+
+ b. Channel-bindings data is not hashed because there is now general
+ agreement that it is the secure channel's responsibility to
+ produce channel-bindings data of manageable size.
+
+ (a) is useful in keeping RPCSEC_GSSv3 simple in general, not just for
+ channel binding. (b) is useful in keeping RPCSEC_GSSv3 simple
+ specifically for channel binding.
+
+ Channel binding is accomplished as follows. The client prefixes the
+ channel-bindings data octet string with the channel type as described
+ in [RFC5056]; then, the client calls GSS_GetMIC() to get a MIC of the
+ resulting octet string, using the parent RPCSEC_GSSv3 context
+ handle's GSS-API security context. The MIC is then placed in the
+ rca_chan_bind_mic field of RPCSEC_GSS_CREATE arguments
+ (rgss3_create_args).
+
+ If the rca_chan_bind_mic field of the arguments of an
+ RPCSEC_GSS_CREATE control message is set, then the server MUST verify
+ the client's channel-binding MIC if the server supports this feature.
+ If channel-binding verification succeeds, then the server MUST
+ generate a new MIC of the same channel bindings and place it in the
+ rcr_chan_bind_mic field of the RPCSEC_GSS_CREATE rgss3_create_res
+ results. If channel-binding verification fails or the server doesn't
+ support channel binding, then the server MUST indicate this in its
+ reply by not including an rgss3_chan_binding value in
+ rgss3_create_res (rgss3_chan_binding is an optional field).
+
+ The client MUST verify the result's rcr_chan_bind_mic value by
+ calling GSS_VerifyMIC() with the given MIC and the channel-bindings
+ data (including the channel-type prefix). If client-side channel-
+ binding verification fails, then the client MUST call
+
+
+
+Adamson & Williams Standards Track [Page 16]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ RPCSEC_GSS_DESTROY. If the client requested channel binding but the
+ server did not include an rcr_chan_binding_mic field in the results,
+ then the client MAY continue to use the resulting context handle as
+ though channel binding had never been requested. If the client
+ considers channel binding critical, it MUST call RPCSEC_GSS_DESTROY.
+
+ As per RPCSEC_GSSv2 [RFC5403]:
+
+ Once a successful [channel-binding] procedure has been performed
+ on an [RPCSEC_GSSv3] context handle, the initiator's
+ implementation may map application requests for rpc_gss_svc_none
+ and rpc_gss_svc_integrity to rpc_gss_svc_channel_prot credentials.
+ And if the secure channel has privacy enabled, requests for
+ rpc_gss_svc_privacy can also be mapped to
+ rpc_gss_svc_channel_prot.
+
+ Any RPCSEC_GSSv3 child context handle that has been bound to a secure
+ channel in this way SHOULD be used only with the
+ rpc_gss_svc_channel_prot and SHOULD NOT be used with rpc_gss_svc_none
+ or rpc_gss_svc_integrity -- if the secure channel does not provide
+ privacy protection, then the client MAY use rpc_gss_svc_privacy where
+ privacy protection is needed or desired.
+
+2.7.1.3. Label Assertions
+
+ <CODE BEGINS>
+
+ /// struct rgss3_label {
+ /// rgss3_lfs rl_lfs;
+ /// opaque rl_label<>;
+ /// };
+ ///
+ /// struct rgss3_lfs {
+ /// unsigned int rlf_lfs_id;
+ /// unsigned int rlf_pi_id;
+ /// };
+ ///
+
+ <CODE ENDS>
+
+ The client discovers, via the RPCSEC_GSS_LIST control message, which
+ LFSs the server supports. Full Mode MAC is enabled when an
+ RPCSEC_GSS version 3 process subject label assertion is combined with
+ a file object label provided by the NFSv4.2 sec_label attribute.
+
+ Label encoding is specified to mirror the NFSv4.2 sec_label attribute
+ described in Section 12.2.4 of [RFC7862]. The LFS is an identifier
+ used by the client to establish the syntactic format of the security
+
+
+
+Adamson & Williams Standards Track [Page 17]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ label and the semantic meaning of its components. The Policy
+ Identifier (PI) is an optional part of the definition of an LFS that
+ allows clients and the server to identify specific security policies.
+ The opaque label field (rgss3_label) is dependent on the MAC model to
+ interpret and enforce.
+
+ If a label itself requires privacy protection (i.e., requires that
+ the user can assert that the label is a secret), then the client MUST
+ use the rpc_gss_svc_privacy protection service for the
+ RPCSEC_GSS_CREATE request.
+
+ RPCSEC_GSSv3 clients MAY assert a set of subject security labels in
+ some LFS by binding a label assertion to the RPCSEC_GSSv3 child
+ context handle. This is done by including an assertion of type
+ rgss3_label in the RPCSEC_GSS_CREATE rgss3_create_args rca_assertions
+ call data. The label assertion payload is the set of subject labels
+ asserted by the calling NFS client process. The resultant child
+ context is used for NFS requests asserting the client process subject
+ labels. The NFS server process that handles such requests then
+ asserts the (client) process subject label(s) as it attempts to
+ access a file that has associated Labeled NFS object labels.
+
+ Servers that support labeling in the requested LFS MAY map the
+ requested subject label to a different subject label as a result of
+ server-side policy evaluation.
+
+ The labels that are accepted by the target and bound to the
+ RPCSEC_GSSv3 context MUST be enumerated in the rcr_assertions field
+ of the rgss3_create_res RPCSEC_GSS_CREATE reply.
+
+ Servers that do not support labeling or that do not support the
+ requested LFS reject the label assertion with a reply status of
+ MSG_DENIED, a reject_status of AUTH_ERROR, and an auth_stat of
+ RPCSEC_GSS_LABEL_PROBLEM.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 18]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+2.7.1.4. Structured Privilege Assertions
+
+ <CODE BEGINS>
+
+ ///
+ /// typedef opaque utf8string<>; /* UTF-8 encoding */
+ /// typedef utf8string utf8str_cs; /* Case-sensitive UTF-8 */
+ ///
+ /// struct rgss3_privs {
+ /// utf8str_cs rp_name<>;
+ /// opaque rp_privilege<>;
+ /// };
+
+ <CODE ENDS>
+
+ A structured privilege is a capability defined by a specific RPC
+ application. To support the assertion of this privilege, by a client
+ using the application, in a server that also supports the
+ application, the application may define a private data structure that
+ is understood by clients and servers implementing the RPC
+ application.
+
+ RPCSEC_GSSv3 clients MAY assert a structured privilege by binding the
+ privilege to the RPCSEC_GSSv3 context handle. This is done by
+ including an assertion of type rgss3_privs in the RPCSEC_GSS_CREATE
+ rgss3_create_args rca_assertions call data.
+
+ The privilege is identified by the description string that is used by
+ RPCSEC_GSSv3 to identify the privilege and communicate the private
+ data between the relevant RPC application-specific code without
+ needing to be aware of the details of the structure used. Thus, as
+ far as RPCSEC_GSSv3 is concerned, the defined structure is passed
+ between client and server as opaque data encoded in the
+ rpc_gss3_privs rp_privilege field.
+
+ Encoding, server verification, and any server policies for structured
+ privileges are described by the RPC application definition. The
+ rp_name field of rpc_gss3_privs carries the description string used
+ to identify and list the privilege. The utf8str_cs definition is
+ from [RFC7530].
+
+ A successful structured privilege assertion MUST be enumerated in the
+ rcr_assertions field of the rgss3_create_res RPCSEC_GSS_CREATE reply.
+
+ If a server receives a structured privilege assertion that it does
+ not recognize, the assertion is rejected with a reply status of
+ MSG_DENIED, a reject_status of AUTH_ERROR, and an auth_stat of
+ RPCSEC_GSS_UNKNOWN_MESSAGE.
+
+
+
+Adamson & Williams Standards Track [Page 19]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ It is assumed that a client asserting more than one structured
+ privilege to be bound to a context handle would not require all the
+ privilege assertions to succeed.
+
+ The server MUST NOT reject RPCSEC_GSS_CREATE requests containing
+ supported structured privilege assertions, even if some of those
+ assertions are rejected (e.g., for local policy reasons).
+
+ If a server receives an RPCSEC_GSS_CREATE request containing one or
+ more unsupported structured privilege assertions, the request MUST be
+ rejected with a reply status of MSG_DENIED, a reject_status of
+ AUTH_ERROR, and an auth_stat of RPCSEC_GSS_PRIVILEGE_PROBLEM.
+
+ Section 4.9.1.1 of [RFC7862] ("Inter-Server Copy via ONC RPC with
+ RPCSEC_GSSv3") shows an example of structured privilege definition
+ and use.
+
+2.7.2. New Control Procedure - RPCSEC_GSS_LIST
+
+ <CODE BEGINS>
+
+ /// enum rgss3_list_item {
+ /// LABEL = 0,
+ /// PRIVS = 1
+ /// };
+ ///
+ /// struct rgss3_list_args {
+ /// rgss3_list_item rla_list_what<>;
+ /// };
+ ///
+ /// union rgss3_list_item_u
+ /// switch (rgss3_list_item itype) {
+ /// case LABEL:
+ /// rgss3_label rli_labels<>;
+ /// case PRIVS:
+ /// rgss3_privs rli_privs<>;
+ /// default:
+ /// opaque rli_ext<>;
+ /// };
+ ///
+ /// typedef rgss3_list_item_u rgss3_list_res<>;
+ ///
+
+ <CODE ENDS>
+
+ The call data for an RPCSEC_GSS_LIST request consists of a list of
+ integers (rla_list_what) indicating what assertions are to be listed,
+ and the reply consists of an error or the requested list.
+
+
+
+Adamson & Williams Standards Track [Page 20]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ The result of requesting a list of rgss3_list_item LABEL objects is a
+ list of LFSs supported by the server. The client can then use the
+ LFS list to assert labels via the RPCSEC_GSS_CREATE label assertions.
+ See Section 2.7.1.3.
+
+2.8. Extensibility
+
+ Assertion types may be added in the future by adding arms to the
+ "rgss3_assertion_u" union (Section 2.7.1) and the "rgss3_list_item_u"
+ union (Section 2.7.2). Examples of other potential assertion types
+ include:
+
+ o Client-side assertions of identity:
+
+ * Primary client/user identity.
+
+ * Supplementary group memberships of the client/user, including
+ support for specifying deltas to the membership list as seen on
+ the server.
+
+3. Operational Recommendation for Deployment
+
+ RPCSEC_GSSv3 is a superset of RPCSEC_GSSv2 [RFC5403], which in turn
+ is a superset of RPCSEC_GSSv1 [RFC2203], and so can be used in all
+ situations where RPCSEC_GSSv2 is used, or where RPCSEC_GSSv1 is used
+ and channel-bindings functionality is not needed. RPCSEC_GSSv3
+ should be used when the new functionality is needed.
+
+4. Security Considerations
+
+ This entire document deals with security issues.
+
+ The RPCSEC_GSSv3 protocol allows for client-side assertions of data
+ that is relevant to server-side authorization decisions. These
+ assertions must be evaluated by the server in the context of whether
+ the client and/or user are authenticated, whether multi-principal
+ authentication was used, whether the client is trusted, what ranges
+ of assertions are allowed for the client and the user (separately or
+ together), and any relevant server-side policy.
+
+ The security semantics of assertions carried by RPCSEC_GSSv3 are
+ application protocol-specific.
+
+ Note that RPCSEC_GSSv3 is not a complete solution for labeling: it
+ conveys the labels of actors but not the labels of objects. RPC
+ application protocols may require extending in order to carry object
+ label information.
+
+
+
+
+Adamson & Williams Standards Track [Page 21]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ There may be interactions with NFSv4's callback security scheme and
+ NFSv4.1's [RFC5661] GSS SSV (Secret State Verifier) mechanisms.
+ Specifically, the NFSv4 callback scheme requires that the server
+ initiate GSS-API security contexts, which does not work well in
+ practice; in the context of client-side processes running as the same
+ user but with different privileges and security labels, the NFSv4
+ callback security scheme seems particularly unlikely to work well.
+ NFSv4.1 has the server use an existing, client-initiated RPCSEC_GSS
+ context handle to protect server-initiated callback RPCs. The
+ NFSv4.1 callback security scheme lacks all the problems of the NFSv4
+ scheme; however, it is important that the server pick an appropriate
+ RPCSEC_GSS context handle to protect any callbacks. Specifically, it
+ is important that the server use RPCSEC_GSS context handles that
+ authenticate the client to protect any callbacks related to server
+ state initiated by RPCs protected by RPCSEC_GSSv3 contexts.
+
+ As described in Section 2.10.10 of [RFC5661], the client is permitted
+ to associate multiple RPCSEC_GSS handles with a single SSV GSS
+ context. RPCSEC_GSSv3 handles will work well with SSV in that the
+ man-in-the-middle attacks described in Section 2.10.10 of [RFC5661]
+ are solved by the new reply verifier (Section 2.3). Using an
+ RPCSEC_GSSv3 handle backed by a GSS-SSV mechanism context as a parent
+ handle in an RPCSEC_GSS_CREATE call, while permitted, is complicated
+ by the lifetime rules of SSV contexts and their associated RPCSEC_GSS
+ handles.
+
+5. IANA Considerations
+
+ This section uses terms that are defined in [RFC5226].
+
+5.1. New RPC Authentication Status Numbers
+
+ The following new RPC Authentication Status Numbers have been added
+ to the IANA registry:
+
+ o RPCSEC_GSS_INNER_CREDPROBLEM (15) "No credentials for
+ multi-principal assertion inner context user". See
+ Section 2.7.1.1.
+
+ o RPCSEC_GSS_LABEL_PROBLEM (16) "Problem with label assertion".
+ See Section 2.7.1.3.
+
+ o RPCSEC_GSS_PRIVILEGE_PROBLEM (17) "Problem with structured
+ privilege assertion". See Section 2.7.1.4.
+
+ o RPCSEC_GSS_UNKNOWN_MESSAGE (18) "Unknown structured privilege
+ assertion". See Section 2.7.1.4.
+
+
+
+
+Adamson & Williams Standards Track [Page 22]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+5.2. Structured Privilege Name Definitions
+
+ IANA has created a registry called the "RPCSEC_GSS Structured
+ Privilege Names Registry".
+
+ Structured privilege assertions (Section 2.7.1.4) are defined by a
+ specific RPC application. The namespace identifiers for these
+ assertions (the rp_name) are defined as string names. The
+ RPCSEC_GSSv3 protocol does not define the specific assignment of the
+ namespace for these structured privilege assertion names. The IANA
+ registry promotes interoperability where common interests exist.
+ While RPC application developers are allowed to define and use
+ structured privileges as needed, they are encouraged to register
+ structured privilege assertion names with IANA.
+
+ The registry is to be maintained using the Standards Action policy as
+ defined in Section 4.1 of [RFC5226].
+
+ Under the RPCSEC_GSS version 3 specification, the name of a
+ structured privilege can in theory be up to 2^32 - 1 bytes in length,
+ but in practice RPC application clients and servers will be unable to
+ handle a string that long. IANA should reject any assignment request
+ with a structured privilege name that exceeds 128 UTF-8 characters.
+ To give the IESG the flexibility to set up bases of assignment of
+ Experimental Use, the prefix "EXPE" is Reserved. The structured
+ privilege with a zero-length name is Reserved.
+
+ The prefix "PRIV" is allocated for Private Use. A site that wants to
+ make use of unregistered named attributes without risk of conflicting
+ with an assignment in IANA's registry should use the prefix "PRIV" in
+ all of its structured privilege assertion names.
+
+ Because some RPC application clients and servers have case-
+ insensitive semantics, the fifteen additional lower-case and mixed-
+ case permutations of each of "EXPE" and "PRIV" are Reserved (e.g.,
+ "expe", "expE", and "exPe" are Reserved). Similarly, IANA must not
+ allow two assignments that would conflict if both structured
+ privilege names were converted to a common case.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 23]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+ The registry of structured privilege names is a list of assignments,
+ each containing three fields for each assignment.
+
+ 1. A US-ASCII string name that is the actual name of the structured
+ privilege. This name must be unique. This string name can be 1
+ to 128 UTF-8 characters long.
+
+ 2. A reference to the specification of the RPC-application-defined
+ structured privilege. The reference can consume up to 256 bytes
+ (or more if IANA permits).
+
+ 3. The point of contact of the registrant. The point of contact can
+ consume up to 256 bytes (or more if IANA permits).
+
+5.2.1. Initial Registry
+
+ The initial registry consists of the three structured privileges
+ defined in [RFC7862].
+
+ 1. NAME: copy_to_auth, REFERENCE: RFC 7862, CONTACT: William
+ A.(Andy) Adamson, andros@netapp.com
+
+ 2. NAME: copy_from_auth, REFERENCE: RFC 7862, CONTACT: William
+ A.(Andy) Adamson, andros@netapp.com
+
+ 3. NAME: copy_confirm_auth, REFERENCE: RFC 7862, CONTACT: William
+ A.(Andy) Adamson, andros@netapp.com
+
+5.2.2. Updating Registrations
+
+ The registrant is always permitted to update the point of contact
+ field. To make any other change will require Expert Review or IESG
+ Approval.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 24]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+6. References
+
+6.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2203] Eisler, M., Chiu, A., and L. Ling, "RPCSEC_GSS Protocol
+ Specification", RFC 2203, DOI 10.17487/RFC2203,
+ September 1997, <http://www.rfc-editor.org/info/rfc2203>.
+
+ [RFC2743] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743,
+ DOI 10.17487/RFC2743, January 2000,
+ <http://www.rfc-editor.org/info/rfc2743>.
+
+ [RFC4506] Eisler, M., Ed., "XDR: External Data Representation
+ Standard", STD 67, RFC 4506, DOI 10.17487/RFC4506,
+ May 2006, <http://www.rfc-editor.org/info/rfc4506>.
+
+ [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
+ Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007,
+ <http://www.rfc-editor.org/info/rfc5056>.
+
+ [RFC5403] Eisler, M., "RPCSEC_GSS Version 2", RFC 5403,
+ DOI 10.17487/RFC5403, February 2009,
+ <http://www.rfc-editor.org/info/rfc5403>.
+
+ [RFC5661] Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed.,
+ "Network File System (NFS) Version 4 Minor Version 1
+ Protocol", RFC 5661, DOI 10.17487/RFC5661, January 2010,
+ <http://www.rfc-editor.org/info/rfc5661>.
+
+ [RFC7530] Haynes, T., Ed., and D. Noveck, Ed., "Network File System
+ (NFS) Version 4 Protocol", RFC 7530, DOI 10.17487/RFC7530,
+ March 2015, <http://www.rfc-editor.org/info/rfc7530>.
+
+ [RFC7862] Haynes, T., "Network File System (NFS) Version 4 Minor
+ Version 2 Protocol", RFC 7862, DOI 10.17487/RFC7862,
+ November 2016, <http://www.rfc-editor.org/info/rfc7862>.
+
+
+
+
+
+
+
+
+
+Adamson & Williams Standards Track [Page 25]
+
+RFC 7861 NFSv4 RPC Security November 2016
+
+
+6.2. Informative References
+
+ [AFS-RXGK]
+ Wilkinson, S. and B. Kaduk, "Integrating rxgk with AFS",
+ Work in Progress, draft-wilkinson-afs3-rxgk-afs-08,
+ May 2015.
+
+ [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
+ FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
+ <http://www.rfc-editor.org/info/rfc4949>.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ DOI 10.17487/RFC5226, May 2008,
+ <http://www.rfc-editor.org/info/rfc5226>.
+
+ [RFC5531] Thurlow, R., "RPC: Remote Procedure Call Protocol
+ Specification Version 2", RFC 5531, DOI 10.17487/RFC5531,
+ May 2009, <http://www.rfc-editor.org/info/rfc5531>.
+
+Acknowledgments
+
+ Andy Adamson would like to thank NetApp, Inc. for its funding of his
+ time on this project.
+
+ We thank Lars Eggert, Mike Eisler, Ben Kaduk, Bruce Fields, Tom
+ Haynes, and Dave Noveck for their most helpful reviews.
+
+Authors' Addresses
+
+ William A. (Andy) Adamson
+ NetApp
+ 3629 Wagner Ridge Ct.
+ Ann Arbor, MI 48103
+ United States of America
+
+ Phone: +1 734 665 1204
+ Email: andros@netapp.com
+
+
+ Nico Williams
+ cryptonector.com
+ 13115 Tamayo Dr.
+ Austin, TX 78729
+ United States of America
+
+ Email: nico@cryptonector.com
+
+
+
+
+Adamson & Williams Standards Track [Page 26]
+