draft-ietf-nfsv4-minorversion1-29.txt   rfc5661.txt 
NFSv4 S. Shepler Internet Engineering Task Force (IETF) S. Shepler, Ed.
Internet-Draft M. Eisler Request for Comments: 5661 Storspeed, Inc.
Intended status: Standards Track D. Noveck Category: Standards Track M. Eisler, Ed.
Expires: June 18, 2009 Editors ISSN: 2070-1721 D. Noveck, Ed.
December 15, 2008 NetApp
January 2010
NFS Version 4 Minor Version 1
draft-ietf-nfsv4-minorversion1-29.txt
Status of this Memo Network File System (NFS) Version 4 Minor Version 1 Protocol
This Internet-Draft is submitted to IETF in full conformance with the Abstract
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This document describes the Network File System (NFS) version 4 minor
Task Force (IETF), its areas, and its working groups. Note that version 1, including features retained from the base protocol (NFS
other groups may also distribute working documents as Internet- version 4 minor version 0, which is specified in RFC 3530) and
Drafts. protocol extensions made subsequently. Major extensions introduced
in NFS version 4 minor version 1 include Sessions, Directory
Delegations, and parallel NFS (pNFS). NFS version 4 minor version 1
has no dependencies on NFS version 4 minor version 0, and it is
considered a separate protocol. Thus, this document neither updates
nor obsoletes RFC 3530. NFS minor version 1 is deemed superior to
NFS minor version 0 with no loss of functionality, and its use is
preferred over version 0. Both NFS minor versions 0 and 1 can be
used simultaneously on the same network, between the same client and
server.
Internet-Drafts are draft documents valid for a maximum of six months Status of This Memo
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This is an Internet Standards Track document.
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at This document is a product of the Internet Engineering Task Force
http://www.ietf.org/shadow.html. (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on June 18, 2009. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5661.
Copyright Notice Copyright Notice
Copyright (c) 2008 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Abstract the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document describes NFS version 4 minor version one, including
features retained from the base protocol (NFS version 4 minor version
zero which is specified in RFC3530) and protocol extensions made
subsequently. Major extensions introduced in NFS version 4 minor
version one include: Sessions, Directory Delegations, and parallel
NFS (pNFS). NFS version 4 minor version one has no dependencies on
NFS version 4 minor version zero, and is considered a separate
protocol. Thus this document neither updates nor obsoletes RFC3530.
NFS minor version one is deemed superior to NFS minor version zero
with no loss of functionality, and its use is preferred over version
zero. Both NFS minor version zero and one can be used simultaneously
on the same network, between the same client and server.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction ....................................................9
1.1. The NFS Version 4 Minor Version 1 Protocol . . . . . . . 12 1.1. The NFS Version 4 Minor Version 1 Protocol .................9
1.2. Scope of this Document . . . . . . . . . . . . . . . . . 12 1.2. Requirements Language ......................................9
1.3. NFSv4 Goals . . . . . . . . . . . . . . . . . . . . . . 12 1.3. Scope of This Document .....................................9
1.4. NFSv4.1 Goals . . . . . . . . . . . . . . . . . . . . . 13 1.4. NFSv4 Goals ...............................................10
1.5. General Definitions . . . . . . . . . . . . . . . . . . 13 1.5. NFSv4.1 Goals .............................................10
1.6. Overview of NFSv4.1 Features . . . . . . . . . . . . . . 16 1.6. General Definitions .......................................11
1.6.1. RPC and Security . . . . . . . . . . . . . . . . . . 16 1.7. Overview of NFSv4.1 Features ..............................13
1.6.2. Protocol Structure . . . . . . . . . . . . . . . . . 17 1.8. Differences from NFSv4.0 ..................................17
1.6.3. File System Model . . . . . . . . . . . . . . . . . 17 2. Core Infrastructure ............................................18
1.6.4. Locking Facilities . . . . . . . . . . . . . . . . . 19 2.1. Introduction ..............................................18
1.7. Differences from NFSv4.0 . . . . . . . . . . . . . . . . 20 2.2. RPC and XDR ...............................................19
2. Core Infrastructure . . . . . . . . . . . . . . . . . . . . . 21 2.3. COMPOUND and CB_COMPOUND ..................................22
2.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 21 2.4. Client Identifiers and Client Owners ......................23
2.2. RPC and XDR . . . . . . . . . . . . . . . . . . . . . . 21 2.5. Server Owners .............................................28
2.2.1. RPC-based Security . . . . . . . . . . . . . . . . . 21 2.6. Security Service Negotiation ..............................29
2.3. COMPOUND and CB_COMPOUND . . . . . . . . . . . . . . . . 24 2.7. Minor Versioning ..........................................34
2.4. Client Identifiers and Client Owners . . . . . . . . . . 25 2.8. Non-RPC-Based Security Services ...........................37
2.4.1. Upgrade from NFSv4.0 to NFSv4.1 . . . . . . . . . . 29 2.9. Transport Layers ..........................................37
2.4.2. Server Release of Client ID . . . . . . . . . . . . 29 2.10. Session ..................................................40
2.4.3. Resolving Client Owner Conflicts . . . . . . . . . . 30 3. Protocol Constants and Data Types ..............................86
2.5. Server Owners . . . . . . . . . . . . . . . . . . . . . 31 3.1. Basic Constants ...........................................86
2.6. Security Service Negotiation . . . . . . . . . . . . . . 31 3.2. Basic Data Types ..........................................87
2.6.1. NFSv4.1 Security Tuples . . . . . . . . . . . . . . 32 3.3. Structured Data Types .....................................89
2.6.2. SECINFO and SECINFO_NO_NAME . . . . . . . . . . . . 32 4. Filehandles ....................................................97
2.6.3. Security Error . . . . . . . . . . . . . . . . . . . 32 4.1. Obtaining the First Filehandle ............................98
2.7. Minor Versioning . . . . . . . . . . . . . . . . . . . . 37 4.2. Filehandle Types ..........................................99
2.8. Non-RPC-based Security Services . . . . . . . . . . . . 39 4.3. One Method of Constructing a Volatile Filehandle .........101
2.8.1. Authorization . . . . . . . . . . . . . . . . . . . 39 4.4. Client Recovery from Filehandle Expiration ...............102
2.8.2. Auditing . . . . . . . . . . . . . . . . . . . . . . 39 5. File Attributes ...............................................103
2.8.3. Intrusion Detection . . . . . . . . . . . . . . . . 40 5.1. REQUIRED Attributes ......................................104
2.9. Transport Layers . . . . . . . . . . . . . . . . . . . . 40 5.2. RECOMMENDED Attributes ...................................104
2.9.1. REQUIRED and RECOMMENDED Properties of Transports . 40 5.3. Named Attributes .........................................105
2.9.2. Client and Server Transport Behavior . . . . . . . . 41 5.4. Classification of Attributes .............................106
2.9.3. Ports . . . . . . . . . . . . . . . . . . . . . . . 42 5.5. Set-Only and Get-Only Attributes .........................107
2.10. Session . . . . . . . . . . . . . . . . . . . . . . . . 42 5.6. REQUIRED Attributes - List and Definition References .....107
2.10.1. Motivation and Overview . . . . . . . . . . . . . . 42 5.7. RECOMMENDED Attributes - List and Definition References ..108
2.10.2. NFSv4 Integration . . . . . . . . . . . . . . . . . 44 5.8. Attribute Definitions ....................................110
2.10.3. Channels . . . . . . . . . . . . . . . . . . . . . . 45 5.9. Interpreting owner and owner_group .......................119
2.10.4. Server Scope . . . . . . . . . . . . . . . . . . . . 46 5.10. Character Case Attributes ...............................121
2.10.5. Trunking . . . . . . . . . . . . . . . . . . . . . . 49 5.11. Directory Notification Attributes .......................121
2.10.6. Exactly Once Semantics . . . . . . . . . . . . . . . 52 5.12. pNFS Attribute Definitions ..............................122
2.10.7. RDMA Considerations . . . . . . . . . . . . . . . . 65 5.13. Retention Attributes ....................................123
2.10.8. Sessions Security . . . . . . . . . . . . . . . . . 68 6. Access Control Attributes .....................................126
2.10.9. The Secret State Verifier (SSV) GSS Mechanism . . . 73 6.1. Goals ....................................................126
2.10.10. Session Mechanics - Steady State . . . . . . . . . . 77 6.2. File Attributes Discussion ...............................128
2.10.11. Session Inactivity Timer . . . . . . . . . . . . . . 79 6.3. Common Methods ...........................................144
2.10.12. Session Mechanics - Recovery . . . . . . . . . . . . 80 6.4. Requirements .............................................147
2.10.13. Parallel NFS and Sessions . . . . . . . . . . . . . 84 7. Single-Server Namespace .......................................153
3. Protocol Constants and Data Types . . . . . . . . . . . . . . 85 7.1. Server Exports ...........................................153
3.1. Basic Constants . . . . . . . . . . . . . . . . . . . . 85 7.2. Browsing Exports .........................................153
3.2. Basic Data Types . . . . . . . . . . . . . . . . . . . . 86 7.3. Server Pseudo File System ................................154
3.3. Structured Data Types . . . . . . . . . . . . . . . . . 87 7.4. Multiple Roots ...........................................155
4. Filehandles . . . . . . . . . . . . . . . . . . . . . . . . . 96 7.5. Filehandle Volatility ....................................155
4.1. Obtaining the First Filehandle . . . . . . . . . . . . . 96 7.6. Exported Root ............................................155
4.1.1. Root Filehandle . . . . . . . . . . . . . . . . . . 96 7.7. Mount Point Crossing .....................................156
4.1.2. Public Filehandle . . . . . . . . . . . . . . . . . 97 7.8. Security Policy and Namespace Presentation ...............156
4.2. Filehandle Types . . . . . . . . . . . . . . . . . . . . 97 8. State Management ..............................................157
4.2.1. General Properties of a Filehandle . . . . . . . . . 98 8.1. Client and Session ID ....................................158
4.2.2. Persistent Filehandle . . . . . . . . . . . . . . . 98 8.2. Stateid Definition .......................................158
4.2.3. Volatile Filehandle . . . . . . . . . . . . . . . . 99 8.3. Lease Renewal ............................................167
4.3. One Method of Constructing a Volatile Filehandle . . . . 100 8.4. Crash Recovery ...........................................170
4.4. Client Recovery from Filehandle Expiration . . . . . . . 100 8.5. Server Revocation of Locks ...............................181
5. File Attributes . . . . . . . . . . . . . . . . . . . . . . . 101 8.6. Short and Long Leases ....................................182
5.1. REQUIRED Attributes . . . . . . . . . . . . . . . . . . 103 8.7. Clocks, Propagation Delay, and Calculating Lease
5.2. RECOMMENDED Attributes . . . . . . . . . . . . . . . . . 103 Expiration ...............................................182
5.3. Named Attributes . . . . . . . . . . . . . . . . . . . . 103 8.8. Obsolete Locking Infrastructure from NFSv4.0 .............183
5.4. Classification of Attributes . . . . . . . . . . . . . . 105 9. File Locking and Share Reservations ...........................184
5.5. Set-Only and Get-Only Attributes . . . . . . . . . . . . 106 9.1. Opens and Byte-Range Locks ...............................184
5.6. REQUIRED Attributes - List and Definition References . . 106 9.2. Lock Ranges ..............................................188
5.7. RECOMMENDED Attributes - List and Definition 9.3. Upgrading and Downgrading Locks ..........................188
References . . . . . . . . . . . . . . . . . . . . . . . 107 9.4. Stateid Seqid Values and Byte-Range Locks ................189
5.8. Attribute Definitions . . . . . . . . . . . . . . . . . 109 9.5. Issues with Multiple Open-Owners .........................189
5.8.1. Definitions of REQUIRED Attributes . . . . . . . . . 109 9.6. Blocking Locks ...........................................190
5.8.2. Definitions of Uncategorized RECOMMENDED 9.7. Share Reservations .......................................191
Attributes . . . . . . . . . . . . . . . . . . . . . 111 9.8. OPEN/CLOSE Operations ....................................192
5.9. Interpreting owner and owner_group . . . . . . . . . . . 117 9.9. Open Upgrade and Downgrade ...............................192
5.10. Character Case Attributes . . . . . . . . . . . . . . . 119 9.10. Parallel OPENs ..........................................193
5.11. Directory Notification Attributes . . . . . . . . . . . 120 9.11. Reclaim of Open and Byte-Range Locks ....................194
5.12. pNFS Attribute Definitions . . . . . . . . . . . . . . . 120 10. Client-Side Caching ..........................................194
5.13. Retention Attributes . . . . . . . . . . . . . . . . . . 122 10.1. Performance Challenges for Client-Side Caching ..........195
6. Access Control Attributes . . . . . . . . . . . . . . . . . . 125 10.2. Delegation and Callbacks ................................196
6.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . 125 10.3. Data Caching ............................................200
6.2. File Attributes Discussion . . . . . . . . . . . . . . . 126 10.4. Open Delegation .........................................205
6.2.1. Attribute 12: acl . . . . . . . . . . . . . . . . . 126 10.5. Data Caching and Revocation .............................216
6.2.2. Attribute 58: dacl . . . . . . . . . . . . . . . . . 141 10.6. Attribute Caching .......................................218
6.2.3. Attribute 59: sacl . . . . . . . . . . . . . . . . . 141 10.7. Data and Metadata Caching and Memory Mapped Files .......220
6.2.4. Attribute 33: mode . . . . . . . . . . . . . . . . . 141 10.8. Name and Directory Caching without Directory
6.2.5. Attribute 74: mode_set_masked . . . . . . . . . . . 142 Delegations .............................................222
6.3. Common Methods . . . . . . . . . . . . . . . . . . . . . 143 10.9. Directory Delegations ...................................225
6.3.1. Interpreting an ACL . . . . . . . . . . . . . . . . 143 11. Multi-Server Namespace .......................................228
6.3.2. Computing a Mode Attribute from an ACL . . . . . . . 144 11.1. Location Attributes .....................................228
6.4. Requirements . . . . . . . . . . . . . . . . . . . . . . 145 11.2. File System Presence or Absence .........................229
6.4.1. Setting the mode and/or ACL Attributes . . . . . . . 145 11.3. Getting Attributes for an Absent File System ............230
6.4.2. Retrieving the mode and/or ACL Attributes . . . . . 147 11.4. Uses of Location Information ............................232
6.4.3. Creating New Objects . . . . . . . . . . . . . . . . 147 11.5. Location Entries and Server Identity ....................236
7. Single-server Namespace . . . . . . . . . . . . . . . . . . . 151 11.6. Additional Client-Side Considerations ...................237
7.1. Server Exports . . . . . . . . . . . . . . . . . . . . . 152 11.7. Effecting File System Transitions .......................238
7.2. Browsing Exports . . . . . . . . . . . . . . . . . . . . 152 11.8. Effecting File System Referrals .........................251
7.3. Server Pseudo File System . . . . . . . . . . . . . . . 152 11.9. The Attribute fs_locations ..............................258
7.4. Multiple Roots . . . . . . . . . . . . . . . . . . . . . 153 11.10. The Attribute fs_locations_info ........................261
7.5. Filehandle Volatility . . . . . . . . . . . . . . . . . 153 11.11. The Attribute fs_status ................................273
7.6. Exported Root . . . . . . . . . . . . . . . . . . . . . 154 12. Parallel NFS (pNFS) ..........................................277
7.7. Mount Point Crossing . . . . . . . . . . . . . . . . . . 154 12.1. Introduction ............................................277
7.8. Security Policy and Namespace Presentation . . . . . . . 154 12.2. pNFS Definitions ........................................278
8. State Management . . . . . . . . . . . . . . . . . . . . . . 155 12.3. pNFS Operations .........................................284
8.1. Client and Session ID . . . . . . . . . . . . . . . . . 156 12.4. pNFS Attributes .........................................285
8.2. Stateid Definition . . . . . . . . . . . . . . . . . . . 157 12.5. Layout Semantics ........................................285
8.2.1. Stateid Types . . . . . . . . . . . . . . . . . . . 157 12.6. pNFS Mechanics ..........................................300
8.2.2. Stateid Structure . . . . . . . . . . . . . . . . . 158 12.7. Recovery ................................................302
8.2.3. Special Stateids . . . . . . . . . . . . . . . . . . 160 12.8. Metadata and Storage Device Roles .......................307
8.2.4. Stateid Lifetime and Validation . . . . . . . . . . 161 12.9. Security Considerations for pNFS ........................307
8.2.5. Stateid Use for I/O Operations . . . . . . . . . . . 164 13. NFSv4.1 as a Storage Protocol in pNFS: the File Layout Type ..309
8.2.6. Stateid Use for SETATTR Operations . . . . . . . . . 165 13.1. Client ID and Session Considerations ....................309
8.3. Lease Renewal . . . . . . . . . . . . . . . . . . . . . 165 13.2. File Layout Definitions .................................312
8.4. Crash Recovery . . . . . . . . . . . . . . . . . . . . . 168 13.3. File Layout Data Types ..................................312
8.4.1. Client Failure and Recovery . . . . . . . . . . . . 168 13.4. Interpreting the File Layout ............................317
8.4.2. Server Failure and Recovery . . . . . . . . . . . . 169 13.5. Data Server Multipathing ................................324
8.4.3. Network Partitions and Recovery . . . . . . . . . . 174 13.6. Operations Sent to NFSv4.1 Data Servers .................325
8.5. Server Revocation of Locks . . . . . . . . . . . . . . . 179 13.7. COMMIT through Metadata Server ..........................327
8.6. Short and Long Leases . . . . . . . . . . . . . . . . . 180 13.8. The Layout Iomode .......................................328
8.7. Clocks, Propagation Delay, and Calculating Lease 13.9. Metadata and Data Server State Coordination .............329
Expiration . . . . . . . . . . . . . . . . . . . . . . . 180 13.10. Data Server Component File Size ........................332
8.8. Obsolete Locking Infrastructure From NFSv4.0 . . . . . . 181 13.11. Layout Revocation and Fencing ..........................333
9. File Locking and Share Reservations . . . . . . . . . . . . . 182 13.12. Security Considerations for the File Layout Type .......334
9.1. Opens and Byte-Range Locks . . . . . . . . . . . . . . . 182 14. Internationalization .........................................334
9.1.1. State-owner Definition . . . . . . . . . . . . . . . 182 14.1. Stringprep profile for the utf8str_cs type ..............336
9.1.2. Use of the Stateid and Locking . . . . . . . . . . . 182 14.2. Stringprep profile for the utf8str_cis type .............337
9.2. Lock Ranges . . . . . . . . . . . . . . . . . . . . . . 185 14.3. Stringprep profile for the utf8str_mixed type ...........338
9.3. Upgrading and Downgrading Locks . . . . . . . . . . . . 186 14.4. UTF-8 Capabilities ......................................340
9.4. Stateid Seqid Values and Byte-Range Locks . . . . . . . 186 14.5. UTF-8 Related Errors ....................................340
9.5. Issues with Multiple Open-Owners . . . . . . . . . . . . 187 15. Error Values .................................................341
9.6. Blocking Locks . . . . . . . . . . . . . . . . . . . . . 187 15.1. Error Definitions .......................................341
9.7. Share Reservations . . . . . . . . . . . . . . . . . . . 188 15.2. Operations and Their Valid Errors .......................361
9.8. OPEN/CLOSE Operations . . . . . . . . . . . . . . . . . 189 15.3. Callback Operations and Their Valid Errors ..............376
9.9. Open Upgrade and Downgrade . . . . . . . . . . . . . . . 190 15.4. Errors and the Operations That Use Them .................379
9.10. Parallel OPENs . . . . . . . . . . . . . . . . . . . . . 191 16. NFSv4.1 Procedures ...........................................391
9.11. Reclaim of Open and Byte-Range Locks . . . . . . . . . . 191 16.1. Procedure 0: NULL - No Operation ........................392
10. Client-Side Caching . . . . . . . . . . . . . . . . . . . . . 192 16.2. Procedure 1: COMPOUND - Compound Operations .............392
10.1. Performance Challenges for Client-Side Caching . . . . . 192 17. Operations: REQUIRED, RECOMMENDED, or OPTIONAL ...............403
10.2. Delegation and Callbacks . . . . . . . . . . . . . . . . 193 18. NFSv4.1 Operations ...........................................407
10.2.1. Delegation Recovery . . . . . . . . . . . . . . . . 195 18.1. Operation 3: ACCESS - Check Access Rights ...............407
18.2. Operation 4: CLOSE - Close File .........................413
10.3. Data Caching . . . . . . . . . . . . . . . . . . . . . . 198 18.3. Operation 5: COMMIT - Commit Cached Data ................414
10.3.1. Data Caching and OPENs . . . . . . . . . . . . . . . 198 18.4. Operation 6: CREATE - Create a Non-Regular File Object ..417
10.3.2. Data Caching and File Locking . . . . . . . . . . . 199 18.5. Operation 7: DELEGPURGE - Purge Delegations
10.3.3. Data Caching and Mandatory File Locking . . . . . . 201 Awaiting Recovery .......................................419
10.3.4. Data Caching and File Identity . . . . . . . . . . . 201 18.6. Operation 8: DELEGRETURN - Return Delegation ............420
10.4. Open Delegation . . . . . . . . . . . . . . . . . . . . 202 18.7. Operation 9: GETATTR - Get Attributes ...................421
10.4.1. Open Delegation and Data Caching . . . . . . . . . . 205 18.8. Operation 10: GETFH - Get Current Filehandle ............423
10.4.2. Open Delegation and File Locks . . . . . . . . . . . 206 18.9. Operation 11: LINK - Create Link to a File ..............424
10.4.3. Handling of CB_GETATTR . . . . . . . . . . . . . . . 206 18.10. Operation 12: LOCK - Create Lock .......................426
10.4.4. Recall of Open Delegation . . . . . . . . . . . . . 209 18.11. Operation 13: LOCKT - Test for Lock ....................430
10.4.5. Clients that Fail to Honor Delegation Recalls . . . 211 18.12. Operation 14: LOCKU - Unlock File ......................432
10.4.6. Delegation Revocation . . . . . . . . . . . . . . . 212 18.13. Operation 15: LOOKUP - Lookup Filename .................433
10.4.7. Delegations via WANT_DELEGATION . . . . . . . . . . 212 18.14. Operation 16: LOOKUPP - Lookup Parent Directory ........435
10.5. Data Caching and Revocation . . . . . . . . . . . . . . 213 18.15. Operation 17: NVERIFY - Verify Difference in
10.5.1. Revocation Recovery for Write Open Delegation . . . 214 Attributes .............................................436
10.6. Attribute Caching . . . . . . . . . . . . . . . . . . . 214 18.16. Operation 18: OPEN - Open a Regular File ...............437
10.7. Data and Metadata Caching and Memory Mapped Files . . . 216 18.17. Operation 19: OPENATTR - Open Named Attribute
10.8. Name and Directory Caching without Directory Directory ..............................................458
Delegations . . . . . . . . . . . . . . . . . . . . . . 219 18.18. Operation 21: OPEN_DOWNGRADE - Reduce Open File
10.8.1. Name Caching . . . . . . . . . . . . . . . . . . . . 219 Access .................................................459
10.8.2. Directory Caching . . . . . . . . . . . . . . . . . 220 18.19. Operation 22: PUTFH - Set Current Filehandle ...........461
10.9. Directory Delegations . . . . . . . . . . . . . . . . . 221 18.20. Operation 23: PUTPUBFH - Set Public Filehandle .........461
10.9.1. Introduction to Directory Delegations . . . . . . . 221 18.21. Operation 24: PUTROOTFH - Set Root Filehandle ..........463
10.9.2. Directory Delegation Design . . . . . . . . . . . . 222 18.22. Operation 25: READ - Read from File ....................464
10.9.3. Attributes in Support of Directory Notifications . . 223 18.23. Operation 26: READDIR - Read Directory .................466
10.9.4. Directory Delegation Recall . . . . . . . . . . . . 223 18.24. Operation 27: READLINK - Read Symbolic Link ............469
10.9.5. Directory Delegation Recovery . . . . . . . . . . . 224 18.25. Operation 28: REMOVE - Remove File System Object .......470
11. Multi-Server Namespace . . . . . . . . . . . . . . . . . . . 224 18.26. Operation 29: RENAME - Rename Directory Entry ..........473
11.1. Location Attributes . . . . . . . . . . . . . . . . . . 225 18.27. Operation 31: RESTOREFH - Restore Saved Filehandle .....477
11.2. File System Presence or Absence . . . . . . . . . . . . 225 18.28. Operation 32: SAVEFH - Save Current Filehandle .........478
11.3. Getting Attributes for an Absent File System . . . . . . 226 18.29. Operation 33: SECINFO - Obtain Available Security ......479
11.3.1. GETATTR Within an Absent File System . . . . . . . . 227 18.30. Operation 34: SETATTR - Set Attributes .................482
11.3.2. READDIR and Absent File Systems . . . . . . . . . . 228 18.31. Operation 37: VERIFY - Verify Same Attributes ..........485
11.4. Uses of Location Information . . . . . . . . . . . . . . 228 18.32. Operation 38: WRITE - Write to File ....................486
11.4.1. File System Replication . . . . . . . . . . . . . . 229 18.33. Operation 40: BACKCHANNEL_CTL - Backchannel Control ....491
11.4.2. File System Migration . . . . . . . . . . . . . . . 230 18.34. Operation 41: BIND_CONN_TO_SESSION - Associate
11.4.3. Referrals . . . . . . . . . . . . . . . . . . . . . 231 Connection with Session ................................492
11.5. Location Entries and Server Identity . . . . . . . . . . 233 18.35. Operation 42: EXCHANGE_ID - Instantiate Client ID ......495
11.6. Additional Client-side Considerations . . . . . . . . . 233 18.36. Operation 43: CREATE_SESSION - Create New
11.7. Effecting File System Transitions . . . . . . . . . . . 234 Session and Confirm Client ID ..........................513
11.7.1. File System Transitions and Simultaneous Access . . 235 18.37. Operation 44: DESTROY_SESSION - Destroy a Session ......523
11.7.2. Simultaneous Use and Transparent Transitions . . . . 236 18.38. Operation 45: FREE_STATEID - Free Stateid with
11.7.3. Filehandles and File System Transitions . . . . . . 239 No Locks ...............................................525
11.7.4. Fileids and File System Transitions . . . . . . . . 239 18.39. Operation 46: GET_DIR_DELEGATION - Get a
11.7.5. Fsids and File System Transitions . . . . . . . . . 240 Directory Delegation ...................................526
11.7.6. The Change Attribute and File System Transitions . . 241 18.40. Operation 47: GETDEVICEINFO - Get Device Information ...530
11.7.7. Lock State and File System Transitions . . . . . . . 241 18.41. Operation 48: GETDEVICELIST - Get All Device
11.7.8. Write Verifiers and File System Transitions . . . . 246 Mappings for a File System .............................533
11.7.9. Readdir Cookies and Verifiers and File System 18.42. Operation 49: LAYOUTCOMMIT - Commit Writes Made
Transitions . . . . . . . . . . . . . . . . . . . . 246 Using a Layout .........................................534
11.7.10. File System Data and File System Transitions . . . . 246 18.43. Operation 50: LAYOUTGET - Get Layout Information .......538
11.8. Effecting File System Referrals . . . . . . . . . . . . 248 18.44. Operation 51: LAYOUTRETURN - Release Layout
11.8.1. Referral Example (LOOKUP) . . . . . . . . . . . . . 248 Information ............................................547
11.8.2. Referral Example (READDIR) . . . . . . . . . . . . . 252 18.45. Operation 52: SECINFO_NO_NAME - Get Security on
11.9. The Attribute fs_locations . . . . . . . . . . . . . . . 254 Unnamed Object .........................................552
11.10. The Attribute fs_locations_info . . . . . . . . . . . . 257 18.46. Operation 53: SEQUENCE - Supply Per-Procedure
11.10.1. The fs_locations_server4 Structure . . . . . . . . . 261 Sequencing and Control .................................553
11.10.2. The fs_locations_info4 Structure . . . . . . . . . . 266 18.47. Operation 54: SET_SSV - Update SSV for a Client ID .....559
11.10.3. The fs_locations_item4 Structure . . . . . . . . . . 267 18.48. Operation 55: TEST_STATEID - Test Stateids for
11.11. The Attribute fs_status . . . . . . . . . . . . . . . . 269 Validity ...............................................561
12. Parallel NFS (pNFS) . . . . . . . . . . . . . . . . . . . . . 273 18.49. Operation 56: WANT_DELEGATION - Request Delegation .....563
12.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 273 18.50. Operation 57: DESTROY_CLIENTID - Destroy a Client ID ...566
12.2. pNFS Definitions . . . . . . . . . . . . . . . . . . . . 274 18.51. Operation 58: RECLAIM_COMPLETE - Indicates
12.2.1. Metadata . . . . . . . . . . . . . . . . . . . . . . 275 Reclaims Finished ......................................567
12.2.2. Metadata Server . . . . . . . . . . . . . . . . . . 275 18.52. Operation 10044: ILLEGAL - Illegal Operation ...........569
12.2.3. pNFS Client . . . . . . . . . . . . . . . . . . . . 275 19. NFSv4.1 Callback Procedures ..................................570
12.2.4. Storage Device . . . . . . . . . . . . . . . . . . . 275 19.1. Procedure 0: CB_NULL - No Operation .....................570
12.2.5. Storage Protocol . . . . . . . . . . . . . . . . . . 276 19.2. Procedure 1: CB_COMPOUND - Compound Operations ..........571
12.2.6. Control Protocol . . . . . . . . . . . . . . . . . . 276 20. NFSv4.1 Callback Operations ..................................574
12.2.7. Layout Types . . . . . . . . . . . . . . . . . . . . 277 20.1. Operation 3: CB_GETATTR - Get Attributes ................574
12.2.8. Layout . . . . . . . . . . . . . . . . . . . . . . . 277 20.2. Operation 4: CB_RECALL - Recall a Delegation ............575
12.2.9. Layout Iomode . . . . . . . . . . . . . . . . . . . 278 20.3. Operation 5: CB_LAYOUTRECALL - Recall Layout
12.2.10. Device IDs . . . . . . . . . . . . . . . . . . . . . 278 from Client .............................................576
12.3. pNFS Operations . . . . . . . . . . . . . . . . . . . . 280 20.4. Operation 6: CB_NOTIFY - Notify Client of
12.4. pNFS Attributes . . . . . . . . . . . . . . . . . . . . 281 Directory Changes .......................................580
12.5. Layout Semantics . . . . . . . . . . . . . . . . . . . . 281 20.5. Operation 7: CB_PUSH_DELEG - Offer Previously
12.5.1. Guarantees Provided by Layouts . . . . . . . . . . . 281 Requested Delegation to Client ..........................583
12.5.2. Getting a Layout . . . . . . . . . . . . . . . . . . 282 20.6. Operation 8: CB_RECALL_ANY - Keep Any N
12.5.3. Layout Stateid . . . . . . . . . . . . . . . . . . . 283 Recallable Objects ......................................584
12.5.4. Committing a Layout . . . . . . . . . . . . . . . . 284 20.7. Operation 9: CB_RECALLABLE_OBJ_AVAIL - Signal
12.5.5. Recalling a Layout . . . . . . . . . . . . . . . . . 287 Resources for Recallable Objects ........................588
12.5.6. Revoking Layouts . . . . . . . . . . . . . . . . . . 295 20.8. Operation 10: CB_RECALL_SLOT - Change Flow
12.5.7. Metadata Server Write Propagation . . . . . . . . . 296 Control Limits ..........................................588
12.6. pNFS Mechanics . . . . . . . . . . . . . . . . . . . . . 296 20.9. Operation 11: CB_SEQUENCE - Supply Backchannel
12.7. Recovery . . . . . . . . . . . . . . . . . . . . . . . . 297 Sequencing and Control ..................................589
12.7.1. Recovery from Client Restart . . . . . . . . . . . . 298 20.10. Operation 12: CB_WANTS_CANCELLED - Cancel
12.7.2. Dealing with Lease Expiration on the Client . . . . 298 Pending Delegation Wants ...............................592
12.7.3. Dealing with Loss of Layout State on the Metadata 20.11. Operation 13: CB_NOTIFY_LOCK - Notify Client of
Server . . . . . . . . . . . . . . . . . . . . . . . 299 Possible Lock Availability .............................593
12.7.4. Recovery from Metadata Server Restart . . . . . . . 300 20.12. Operation 14: CB_NOTIFY_DEVICEID - Notify
12.7.5. Operations During Metadata Server Grace Period . . . 302 Client of Device ID Changes ............................594
12.7.6. Storage Device Recovery . . . . . . . . . . . . . . 302 20.13. Operation 10044: CB_ILLEGAL - Illegal Callback
12.8. Metadata and Storage Device Roles . . . . . . . . . . . 302 Operation ..............................................596
12.9. Security Considerations for pNFS . . . . . . . . . . . . 303 21. Security Considerations ......................................597
13. NFSv4.1 as a Storage Protocol in pNFS: the File Layout Type . 304 22. IANA Considerations ..........................................598
13.1. Client ID and Session Considerations . . . . . . . . . . 304 22.1. Named Attribute Definitions .............................598
13.1.1. Sessions Considerations for Data Servers . . . . . . 307 22.2. Device ID Notifications .................................600
13.2. File Layout Definitions . . . . . . . . . . . . . . . . 307 22.3. Object Recall Types .....................................601
13.3. File Layout Data Types . . . . . . . . . . . . . . . . . 308 22.4. Layout Types ............................................603
13.4. Interpreting the File Layout . . . . . . . . . . . . . . 312 22.5. Path Variable Definitions ...............................606
13.4.1. Determining the Stripe Unit Number . . . . . . . . . 312 23. References ...................................................609
13.4.2. Interpreting the File Layout Using Sparse Packing . 312 23.1. Normative References ....................................609
13.4.3. Interpreting the File Layout Using Dense Packing . . 315 23.2. Informative References ..................................612
13.4.4. Sparse and Dense Stripe Unit Packing . . . . . . . . 317 Appendix A. Acknowledgments ....................................615
13.5. Data Server Multipathing . . . . . . . . . . . . . . . . 319
13.6. Operations Sent to NFSv4.1 Data Servers . . . . . . . . 320
13.7. COMMIT Through Metadata Server . . . . . . . . . . . . . 322
13.8. The Layout Iomode . . . . . . . . . . . . . . . . . . . 324
13.9. Metadata and Data Server State Coordination . . . . . . 324
13.9.1. Global Stateid Requirements . . . . . . . . . . . . 324
13.9.2. Data Server State Propagation . . . . . . . . . . . 325
13.10. Data Server Component File Size . . . . . . . . . . . . 327
13.11. Layout Revocation and Fencing . . . . . . . . . . . . . 328
13.12. Security Considerations for the File Layout Type . . . . 328
14. Internationalization . . . . . . . . . . . . . . . . . . . . 329
14.1. Stringprep profile for the utf8str_cs type . . . . . . . 330
14.2. Stringprep profile for the utf8str_cis type . . . . . . 332
14.3. Stringprep profile for the utf8str_mixed type . . . . . 333
14.4. UTF-8 Capabilities . . . . . . . . . . . . . . . . . . . 334
14.5. UTF-8 Related Errors . . . . . . . . . . . . . . . . . . 335
15. Error Values . . . . . . . . . . . . . . . . . . . . . . . . 335
15.1. Error Definitions . . . . . . . . . . . . . . . . . . . 336
15.1.1. General Errors . . . . . . . . . . . . . . . . . . . 338
15.1.2. Filehandle Errors . . . . . . . . . . . . . . . . . 340
15.1.3. Compound Structure Errors . . . . . . . . . . . . . 341
15.1.4. File System Errors . . . . . . . . . . . . . . . . . 343
15.1.5. State Management Errors . . . . . . . . . . . . . . 345
15.1.6. Security Errors . . . . . . . . . . . . . . . . . . 345
15.1.7. Name Errors . . . . . . . . . . . . . . . . . . . . 346
15.1.8. Locking Errors . . . . . . . . . . . . . . . . . . . 347
15.1.9. Reclaim Errors . . . . . . . . . . . . . . . . . . . 348
15.1.10. pNFS Errors . . . . . . . . . . . . . . . . . . . . 349
15.1.11. Session Use Errors . . . . . . . . . . . . . . . . . 350
15.1.12. Session Management Errors . . . . . . . . . . . . . 351
15.1.13. Client Management Errors . . . . . . . . . . . . . . 352
15.1.14. Delegation Errors . . . . . . . . . . . . . . . . . 353
15.1.15. Attribute Handling Errors . . . . . . . . . . . . . 353
15.1.16. Obsoleted Errors . . . . . . . . . . . . . . . . . . 354
15.2. Operations and their valid errors . . . . . . . . . . . 355
15.3. Callback operations and their valid errors . . . . . . . 371
15.4. Errors and the operations that use them . . . . . . . . 373
16. NFSv4.1 Procedures . . . . . . . . . . . . . . . . . . . . . 388
16.1. Procedure 0: NULL - No Operation . . . . . . . . . . . . 388
16.2. Procedure 1: COMPOUND - Compound Operations . . . . . . 389
17. Operations: REQUIRED, RECOMMENDED, or OPTIONAL . . . . . . . 400
18. NFSv4.1 Operations . . . . . . . . . . . . . . . . . . . . . 403
18.1. Operation 3: ACCESS - Check Access Rights . . . . . . . 403
18.2. Operation 4: CLOSE - Close File . . . . . . . . . . . . 409
18.3. Operation 5: COMMIT - Commit Cached Data . . . . . . . . 410
18.4. Operation 6: CREATE - Create a Non-Regular File Object . 413
18.5. Operation 7: DELEGPURGE - Purge Delegations Awaiting
Recovery . . . . . . . . . . . . . . . . . . . . . . . . 416
18.6. Operation 8: DELEGRETURN - Return Delegation . . . . . . 417
18.7. Operation 9: GETATTR - Get Attributes . . . . . . . . . 417
18.8. Operation 10: GETFH - Get Current Filehandle . . . . . . 419
18.9. Operation 11: LINK - Create Link to a File . . . . . . . 420
18.10. Operation 12: LOCK - Create Lock . . . . . . . . . . . . 423
18.11. Operation 13: LOCKT - Test For Lock . . . . . . . . . . 427
18.12. Operation 14: LOCKU - Unlock File . . . . . . . . . . . 428
18.13. Operation 15: LOOKUP - Lookup Filename . . . . . . . . . 430
18.14. Operation 16: LOOKUPP - Lookup Parent Directory . . . . 431
18.15. Operation 17: NVERIFY - Verify Difference in
Attributes . . . . . . . . . . . . . . . . . . . . . . . 433
18.16. Operation 18: OPEN - Open a Regular File . . . . . . . . 434
18.17. Operation 19: OPENATTR - Open Named Attribute
Directory . . . . . . . . . . . . . . . . . . . . . . . 453
18.18. Operation 21: OPEN_DOWNGRADE - Reduce Open File Access . 454
18.19. Operation 22: PUTFH - Set Current Filehandle . . . . . . 456
18.20. Operation 23: PUTPUBFH - Set Public Filehandle . . . . . 456
18.21. Operation 24: PUTROOTFH - Set Root Filehandle . . . . . 458
18.22. Operation 25: READ - Read from File . . . . . . . . . . 459
18.23. Operation 26: READDIR - Read Directory . . . . . . . . . 461
18.24. Operation 27: READLINK - Read Symbolic Link . . . . . . 465
18.25. Operation 28: REMOVE - Remove File System Object . . . . 466
18.26. Operation 29: RENAME - Rename Directory Entry . . . . . 468
18.27. Operation 31: RESTOREFH - Restore Saved Filehandle . . . 472
18.28. Operation 32: SAVEFH - Save Current Filehandle . . . . . 473
18.29. Operation 33: SECINFO - Obtain Available Security . . . 474
18.30. Operation 34: SETATTR - Set Attributes . . . . . . . . . 478
18.31. Operation 37: VERIFY - Verify Same Attributes . . . . . 481
18.32. Operation 38: WRITE - Write to File . . . . . . . . . . 482
18.33. Operation 40: BACKCHANNEL_CTL - Backchannel Control . . 486
18.34. Operation 41: BIND_CONN_TO_SESSION - Associate
Connection with Session . . . . . . . . . . . . . . . . 488
18.35. Operation 42: EXCHANGE_ID - Instantiate Client ID . . . 491
18.36. Operation 43: CREATE_SESSION - Create New Session and
Confirm Client ID . . . . . . . . . . . . . . . . . . . 509
18.37. Operation 44: DESTROY_SESSION - Destroy a Session . . . 519
18.38. Operation 45: FREE_STATEID - Free Stateid with No
Locks . . . . . . . . . . . . . . . . . . . . . . . . . 520
18.39. Operation 46: GET_DIR_DELEGATION - Get a directory
delegation . . . . . . . . . . . . . . . . . . . . . . . 521
18.40. Operation 47: GETDEVICEINFO - Get Device Information . . 525
18.41. Operation 48: GETDEVICELIST - Get All Device Mappings
for a File System . . . . . . . . . . . . . . . . . . . 527
18.42. Operation 49: LAYOUTCOMMIT - Commit Writes Made Using
a Layout . . . . . . . . . . . . . . . . . . . . . . . . 529
18.43. Operation 50: LAYOUTGET - Get Layout Information . . . . 532
18.44. Operation 51: LAYOUTRETURN - Release Layout
Information . . . . . . . . . . . . . . . . . . . . . . 542
18.45. Operation 52: SECINFO_NO_NAME - Get Security on
Unnamed Object . . . . . . . . . . . . . . . . . . . . . 546
18.46. Operation 53: SEQUENCE - Supply Per-Procedure
Sequencing and Control . . . . . . . . . . . . . . . . . 547
18.47. Operation 54: SET_SSV - Update SSV for a Client ID . . . 553
18.48. Operation 55: TEST_STATEID - Test Stateids for
Validity . . . . . . . . . . . . . . . . . . . . . . . . 555
18.49. Operation 56: WANT_DELEGATION - Request Delegation . . . 557
18.50. Operation 57: DESTROY_CLIENTID - Destroy a Client ID . . 561
18.51. Operation 58: RECLAIM_COMPLETE - Indicates Reclaims
Finished . . . . . . . . . . . . . . . . . . . . . . . . 561
18.52. Operation 10044: ILLEGAL - Illegal operation . . . . . . 564
19. NFSv4.1 Callback Procedures . . . . . . . . . . . . . . . . . 564
19.1. Procedure 0: CB_NULL - No Operation . . . . . . . . . . 565
19.2. Procedure 1: CB_COMPOUND - Compound Operations . . . . . 565
20. NFSv4.1 Callback Operations . . . . . . . . . . . . . . . . . 569
20.1. Operation 3: CB_GETATTR - Get Attributes . . . . . . . . 569
20.2. Operation 4: CB_RECALL - Recall a Delegation . . . . . . 570
20.3. Operation 5: CB_LAYOUTRECALL - Recall Layout from
Client . . . . . . . . . . . . . . . . . . . . . . . . . 571
20.4. Operation 6: CB_NOTIFY - Notify Client of Directory
Changes . . . . . . . . . . . . . . . . . . . . . . . . 575
20.5. Operation 7: CB_PUSH_DELEG - Offer Previously
Requested Delegation to Client . . . . . . . . . . . . . 579
20.6. Operation 8: CB_RECALL_ANY - Keep Any N Recallable
Objects . . . . . . . . . . . . . . . . . . . . . . . . 580
20.7. Operation 9: CB_RECALLABLE_OBJ_AVAIL - Signal
Resources for Recallable Objects . . . . . . . . . . . . 583
20.8. Operation 10: CB_RECALL_SLOT - Change Flow Control
Limits . . . . . . . . . . . . . . . . . . . . . . . . . 584
20.9. Operation 11: CB_SEQUENCE - Supply Backchannel
Sequencing and Control . . . . . . . . . . . . . . . . . 585
20.10. Operation 12: CB_WANTS_CANCELLED - Cancel Pending
Delegation Wants . . . . . . . . . . . . . . . . . . . . 587
20.11. Operation 13: CB_NOTIFY_LOCK - Notify Client of
Possible Lock Availability . . . . . . . . . . . . . . . 588
20.12. Operation 14: CB_NOTIFY_DEVICEID - Notify Client of
Device ID Changes . . . . . . . . . . . . . . . . . . . 590
20.13. Operation 10044: CB_ILLEGAL - Illegal Callback
Operation . . . . . . . . . . . . . . . . . . . . . . . 592
21. Security Considerations . . . . . . . . . . . . . . . . . . . 592
22. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 594
22.1. Named Attribute Definitions . . . . . . . . . . . . . . 594
22.1.1. Initial Registry . . . . . . . . . . . . . . . . . . 595
22.1.2. Updating Registrations . . . . . . . . . . . . . . . 595
22.2. Device ID Notifications . . . . . . . . . . . . . . . . 595
22.2.1. Initial Registry . . . . . . . . . . . . . . . . . . 596
22.2.2. Updating Registrations . . . . . . . . . . . . . . . 596
22.3. Object Recall Types . . . . . . . . . . . . . . . . . . 596
22.3.1. Initial Registry . . . . . . . . . . . . . . . . . . 598
22.3.2. Updating Registrations . . . . . . . . . . . . . . . 598
22.4. Layout Types . . . . . . . . . . . . . . . . . . . . . . 598
22.4.1. Initial Registry . . . . . . . . . . . . . . . . . . 599
22.4.2. Updating Registrations . . . . . . . . . . . . . . . 599
22.4.3. Guidelines for Writing Layout Type Specifications . 599
22.5. Path Variable Definitions . . . . . . . . . . . . . . . 601
22.5.1. Path Variables Registry . . . . . . . . . . . . . . 601
22.5.2. Values for the ${ietf.org:CPU_ARCH} Variable . . . . 603
22.5.3. Values for the ${ietf.org:OS_TYPE} Variable . . . . 603
23. References . . . . . . . . . . . . . . . . . . . . . . . . . 604
23.1. Normative References . . . . . . . . . . . . . . . . . . 604
23.2. Informative References . . . . . . . . . . . . . . . . . 607
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 608
Appendix B. RFC Editor Notes . . . . . . . . . . . . . . . . . . 611
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 611
1. Introduction 1. Introduction
1.1. The NFS Version 4 Minor Version 1 Protocol 1.1. The NFS Version 4 Minor Version 1 Protocol
The NFS version 4 minor version 1 (NFSv4.1) protocol is the second The NFS version 4 minor version 1 (NFSv4.1) protocol is the second
minor version of the NFS version 4 (NFSv4) protocol. The first minor minor version of the NFS version 4 (NFSv4) protocol. The first minor
version, NFSv4.0 is described in [29]. It generally follows the version, NFSv4.0, is described in [30]. It generally follows the
guidelines for minor versioning model listed in Section 10 of RFC guidelines for minor versioning that are listed in Section 10 of RFC
3530. However, it diverges from guidelines 11 ("a client and server 3530. However, it diverges from guidelines 11 ("a client and server
that supports minor version X must support minor versions 0 through that support minor version X must support minor versions 0 through
X-1"), and 12 ("no features may be introduced as mandatory in a minor X-1") and 12 ("no new features may be introduced as mandatory in a
version"). These divergences are due to the introduction of the minor version"). These divergences are due to the introduction of
sessions model for managing non-idempotent operations and the the sessions model for managing non-idempotent operations and the
RECLAIM_COMPLETE operation. These two new features are RECLAIM_COMPLETE operation. These two new features are
infrastructural in nature and simplify implementation of existing and infrastructural in nature and simplify implementation of existing and
other new features. Making them anything but REQUIRED would add other new features. Making them anything but REQUIRED would add
undue complexity to protocol definition and implementation. NFSv4.1 undue complexity to protocol definition and implementation. NFSv4.1
accordingly updates the Minor Versioning guidelines (Section 2.7). accordingly updates the minor versioning guidelines (Section 2.7).
As a minor version, NFSv4.1 is consistent with the overall goals for As a minor version, NFSv4.1 is consistent with the overall goals for
NFSv4, but extends the protocol so as to better meet those goals, NFSv4, but extends the protocol so as to better meet those goals,
based on experiences with NFSv4.0. In addition, NFSv4.1 has adopted based on experiences with NFSv4.0. In addition, NFSv4.1 has adopted
some additional goals, which motivate some of the major extensions in some additional goals, which motivate some of the major extensions in
NFSv4.1. NFSv4.1.
1.2. Scope of this Document 1.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
1.3. Scope of This Document
This document describes the NFSv4.1 protocol. With respect to This document describes the NFSv4.1 protocol. With respect to
NFSv4.0, this document does not: NFSv4.0, this document does not:
o describe the NFSv4.0 protocol, except where needed to contrast o describe the NFSv4.0 protocol, except where needed to contrast
with NFSv4.1. with NFSv4.1.
o modify the specification of the NFSv4.0 protocol. o modify the specification of the NFSv4.0 protocol.
o clarify the NFSv4.0 protocol. o clarify the NFSv4.0 protocol.
1.3. NFSv4 Goals 1.4. NFSv4 Goals
The NFSv4 protocol is a further revision of the NFS protocol defined The NFSv4 protocol is a further revision of the NFS protocol defined
already by NFSv3 [30]. It retains the essential characteristics of already by NFSv3 [31]. It retains the essential characteristics of
previous versions: easy recovery; independence of transport previous versions: easy recovery; independence of transport
protocols, operating systems and file systems; simplicity; and good protocols, operating systems, and file systems; simplicity; and good
performance. NFSv4 has the following goals: performance. NFSv4 has the following goals:
o Improved access and good performance on the Internet. o Improved access and good performance on the Internet
The protocol is designed to transit firewalls easily, perform well The protocol is designed to transit firewalls easily, perform well
where latency is high and bandwidth is low, and scale to very where latency is high and bandwidth is low, and scale to very
large numbers of clients per server. large numbers of clients per server.
o Strong security with negotiation built into the protocol. o Strong security with negotiation built into the protocol
The protocol builds on the work of the ONCRPC working group in The protocol builds on the work of the ONCRPC working group in
supporting the RPCSEC_GSS protocol. Additionally, the NFSv4.1 supporting the RPCSEC_GSS protocol. Additionally, the NFSv4.1
protocol provides a mechanism to allow clients and servers the protocol provides a mechanism to allow clients and servers the
ability to negotiate security and require clients and servers to ability to negotiate security and require clients and servers to
support a minimal set of security schemes. support a minimal set of security schemes.
o Good cross-platform interoperability. o Good cross-platform interoperability
The protocol features a file system model that provides a useful, The protocol features a file system model that provides a useful,
common set of features that does not unduly favor one file system common set of features that does not unduly favor one file system
or operating system over another. or operating system over another.
o Designed for protocol extensions. o Designed for protocol extensions
The protocol is designed to accept standard extensions within a The protocol is designed to accept standard extensions within a
framework that enable and encourages backward compatibility. framework that enables and encourages backward compatibility.
1.4. NFSv4.1 Goals 1.5. NFSv4.1 Goals
NFSv4.1 has the following goals, within the framework established by NFSv4.1 has the following goals, within the framework established by
the overall NFSv4 goals. the overall NFSv4 goals.
o To correct significant structural weaknesses and oversights o To correct significant structural weaknesses and oversights
discovered in the base protocol. discovered in the base protocol.
o To add clarity and specificity to areas left unaddressed or not o To add clarity and specificity to areas left unaddressed or not
addressed in sufficient detail in the base protocol. However, as addressed in sufficient detail in the base protocol. However, as
stated in Section 1.2, it is not a goal to clarify the NFSv4.0 stated in Section 1.3, it is not a goal to clarify the NFSv4.0
protocol in the NFSv4.1 specification. protocol in the NFSv4.1 specification.
o To add specific features based on experience with the existing o To add specific features based on experience with the existing
protocol and recent industry developments. protocol and recent industry developments.
o To provide protocol support to take advantage of clustered server o To provide protocol support to take advantage of clustered server
deployments including the ability to provide scalable parallel deployments including the ability to provide scalable parallel
access to files distributed among multiple servers. access to files distributed among multiple servers.
1.5. General Definitions 1.6. General Definitions
The following definitions are provided for the purpose of providing The following definitions provide an appropriate context for the
an appropriate context for the reader. reader.
Byte This document defines a byte as an octet, i.e. a datum exactly Byte: In this document, a byte is an octet, i.e., a datum exactly 8
8 bits in length. bits in length.
Client The "client" is the entity that accesses the NFS server's Client: The client is the entity that accesses the NFS server's
resources. The client may be an application which contains the resources. The client may be an application that contains the
logic to access the NFS server directly. The client may also be logic to access the NFS server directly. The client may also be
the traditional operating system client that provides remote file the traditional operating system client that provides remote file
system services for a set of applications. system services for a set of applications.
A client is uniquely identified by a Client Owner. A client is uniquely identified by a client owner.
With reference to file locking, the client is also the entity that With reference to byte-range locking, the client is also the
maintains a set of locks on behalf of one or more applications. entity that maintains a set of locks on behalf of one or more
This client is responsible for crash or failure recovery for those applications. This client is responsible for crash or failure
locks it manages. recovery for those locks it manages.
Note that multiple clients may share the same transport and Note that multiple clients may share the same transport and
connection and multiple clients may exist on the same network connection and multiple clients may exist on the same network
node. node.
Client ID A 64-bit quantity used as a unique, short-hand reference Client ID: The client ID is a 64-bit quantity used as a unique,
to a client supplied Verifier and client owner. The server is short-hand reference to a client-supplied verifier and client
responsible for supplying the client ID. owner. The server is responsible for supplying the client ID.
Client Owner The client owner is a unique string, opaque to the Client Owner: The client owner is a unique string, opaque to the
server, which identifies a client. Multiple network connections server, that identifies a client. Multiple network connections
and source network addresses originating from those connections and source network addresses originating from those connections
may share a client owner. The server is expected to treat may share a client owner. The server is expected to treat
requests from connections with the same client owner as coming requests from connections with the same client owner as coming
from the same client. from the same client.
File System The collection of objects on a server (as identified by File System: The file system is the collection of objects on a
the major identifier of a Server Owner, which is defined later in server (as identified by the major identifier of a server owner,
this section), that share the same fsid attribute (see which is defined later in this section) that share the same fsid
Section 5.8.1.9). attribute (see Section 5.8.1.9).
Lease An interval of time defined by the server for which the client Lease: A lease is an interval of time defined by the server for
is irrevocably granted a lock. At the end of a lease period the which the client is irrevocably granted locks. At the end of a
lock may be revoked if the lease has not been extended. The lock lease period, locks may be revoked if the lease has not been
must be revoked if a conflicting lock has been granted after the extended. A lock must be revoked if a conflicting lock has been
lease interval. granted after the lease interval.
All leases granted by a server have the same fixed interval. Note A server grants a client a single lease for all state.
that the fixed interval was chosen to alleviate the expense a
server would have in maintaining state about variable length
leases across server failures.
Lock The term "lock" is used to refer to byte-range (in UNIX Lock: The term "lock" is used to refer to byte-range (in UNIX
environments, also known as record) locks, share reservations, environments, also known as record) locks, share reservations,
delegations, or layouts unless specifically stated otherwise. delegations, or layouts unless specifically stated otherwise.
Secret State Verifier (SSV) The SSV is a unique secret key shared Secret State Verifier (SSV): The SSV is a unique secret key shared
between a client and server. The SSV serves as the secret key for between a client and server. The SSV serves as the secret key for
an internal (that is, internal to NFSv4.1) GSS mechanism (the SSV an internal (that is, internal to NFSv4.1) Generic Security
GSS mechanism, see Section 2.10.9). The SSV GSS mechanism uses Services (GSS) mechanism (the SSV GSS mechanism; see
the SSV to compute Message Integrity Code (MIC) and Wrap tokens. Section 2.10.9). The SSV GSS mechanism uses the SSV to compute
See Section 2.10.8.3 for more details on how NFSv4.1 uses the SSV message integrity code (MIC) and Wrap tokens. See
and the SSV GSS mechanism. Section 2.10.8.3 for more details on how NFSv4.1 uses the SSV and
the SSV GSS mechanism.
Server The "Server" is the entity responsible for coordinating Server: The Server is the entity responsible for coordinating client
client access to a set of file systems and is identified by a access to a set of file systems and is identified by a server
Server owner. A server can span multiple network addresses. owner. A server can span multiple network addresses.
Server Owner The "Server Owner" identifies the server to the client. Server Owner: The server owner identifies the server to the client.
The server owner consists of a major and minor identifier. When The server owner consists of a major identifier and a minor
the client has two connections each to a peer with the same major identifier. When the client has two connections each to a peer
identifier, the client assumes both peers are the same server (the with the same major identifier, the client assumes that both peers
server namespace is the same via each connection), and assumes and are the same server (the server namespace is the same via each
lock state is sharable across both connections. When each peer connection) and that lock state is sharable across both
has both the same major and minor identifier, the client assumes connections. When each peer has both the same major and minor
each connection might be associable with the same session. identifiers, the client assumes that each connection might be
associable with the same session.
Stable Storage Stable storage is storage from which data stored by Stable Storage: Stable storage is storage from which data stored by
an NFSv4.1 server can be recovered without data loss from multiple an NFSv4.1 server can be recovered without data loss from multiple
power failures (including cascading power failures, that is, power failures (including cascading power failures, that is,
several power failures in quick succession), operating system several power failures in quick succession), operating system
failures, and/or hardware failure of components other than the failures, and/or hardware failure of components other than the
storage medium itself (such as disk, nonvolatile RAM, flash storage medium itself (such as disk, nonvolatile RAM, flash
memory, etc.). memory, etc.).
Some examples of stable storage that are allowable for an NFS Some examples of stable storage that are allowable for an NFS
server include: server include:
1. Media commit of data, that is, the modified data has been 1. Media commit of data; that is, the modified data has been
successfully written to the disk media, for example, the disk successfully written to the disk media, for example, the disk
platter. platter.
2. An immediate reply disk drive with battery-backed on- drive 2. An immediate reply disk drive with battery-backed, on-drive
intermediate storage or uninterruptible power system (UPS). intermediate storage or uninterruptible power system (UPS).
3. Server commit of data with battery-backed intermediate storage 3. Server commit of data with battery-backed intermediate storage
and recovery software. and recovery software.
4. Cache commit with uninterruptible power system (UPS) and 4. Cache commit with uninterruptible power system (UPS) and
recovery software. recovery software.
Stateid A 128-bit quantity returned by a server that uniquely Stateid: A stateid is a 128-bit quantity returned by a server that
defines the open and locking state provided by the server for a uniquely defines the open and locking states provided by the
specific open-owner or lock-owner/open-owner pair for a specific server for a specific open-owner or lock-owner/open-owner pair for
file and type of lock. a specific file and type of lock.
Verifier A 64-bit quantity generated by the client that the server Verifier: A verifier is a 64-bit quantity generated by the client
can use to determine if the client has restarted and lost all that the server can use to determine if the client has restarted
previous lock state. and lost all previous lock state.
1.6. Overview of NFSv4.1 Features 1.7. Overview of NFSv4.1 Features
To provide a reasonable context for the reader, the major features of The major features of the NFSv4.1 protocol will be reviewed in brief.
the NFSv4.1 protocol will be reviewed in brief. This will be done to This will be done to provide an appropriate context for both the
provide an appropriate context for both the reader who is familiar reader who is familiar with the previous versions of the NFS protocol
with the previous versions of the NFS protocol and the reader that is and the reader who is new to the NFS protocols. For the reader new
new to the NFS protocols. For the reader new to the NFS protocols, to the NFS protocols, there is still a set of fundamental knowledge
there is still a set of fundamental knowledge that is expected. The that is expected. The reader should be familiar with the External
reader should be familiar with the XDR and RPC protocols as described Data Representation (XDR) and Remote Procedure Call (RPC) protocols
in [2] and [3]. A basic knowledge of file systems and distributed as described in [2] and [3]. A basic knowledge of file systems and
file systems is expected as well. distributed file systems is expected as well.
In general this specification of NFSv4.1 will not distinguish those In general, this specification of NFSv4.1 will not distinguish those
features added in minor version one from those present in the base features added in minor version 1 from those present in the base
protocol but will treat NFSv4.1 as a unified whole. See Section 1.7 protocol but will treat NFSv4.1 as a unified whole. See Section 1.8
for a summary of the differences between NFSv4.0 and NFSv4.1. for a summary of the differences between NFSv4.0 and NFSv4.1.
1.6.1. RPC and Security 1.7.1. RPC and Security
As with previous versions of NFS, the External Data Representation As with previous versions of NFS, the External Data Representation
(XDR) and Remote Procedure Call (RPC) mechanisms used for the NFSv4.1 (XDR) and Remote Procedure Call (RPC) mechanisms used for the NFSv4.1
protocol are those defined in [2] and [3]. To meet end-to-end protocol are those defined in [2] and [3]. To meet end-to-end
security requirements, the RPCSEC_GSS framework [4] is used to extend security requirements, the RPCSEC_GSS framework [4] is used to extend
the basic RPC security. With the use of RPCSEC_GSS, various the basic RPC security. With the use of RPCSEC_GSS, various
mechanisms can be provided to offer authentication, integrity, and mechanisms can be provided to offer authentication, integrity, and
privacy to the NFSv4 protocol. Kerberos V5 is used as described in privacy to the NFSv4 protocol. Kerberos V5 is used as described in
[5] to provide one security framework. With the use of RPCSEC_GSS, [5] to provide one security framework. With the use of RPCSEC_GSS,
other mechanisms may also be specified and used for NFSv4.1 security. other mechanisms may also be specified and used for NFSv4.1 security.
To enable in-band security negotiation, the NFSv4.1 protocol has To enable in-band security negotiation, the NFSv4.1 protocol has
operations which provide the client a method of querying the server operations that provide the client a method of querying the server
about its policies regarding which security mechanisms must be used about its policies regarding which security mechanisms must be used
for access to the server's file system resources. With this, the for access to the server's file system resources. With this, the
client can securely match the security mechanism that meets the client can securely match the security mechanism that meets the
policies specified at both the client and server. policies specified at both the client and server.
NFSv4.1 introduces parallel access (see Section 1.6.2.2), which is NFSv4.1 introduces parallel access (see Section 1.7.2.2), which is
called pNFS. The security framework described in this section is called pNFS. The security framework described in this section is
significantly modified by the introduction of pNFS (see significantly modified by the introduction of pNFS (see
Section 12.9), because data access is sometimes not over RPC. The Section 12.9), because data access is sometimes not over RPC. The
level of significance varies with the Storage Protocol (see level of significance varies with the storage protocol (see
Section 12.2.5) and can be as low as zero impact (see Section 13.12). Section 12.2.5) and can be as low as zero impact (see Section 13.12).
1.6.2. Protocol Structure 1.7.2. Protocol Structure
1.6.2.1. Core Protocol 1.7.2.1. Core Protocol
Unlike NFSv3, which used a series of ancillary protocols (e.g. NLM, Unlike NFSv3, which used a series of ancillary protocols (e.g., NLM,
NSM, MOUNT), within all minor versions of NFSv4 a single RPC protocol NSM (Network Status Monitor), MOUNT), within all minor versions of
is used to make requests to the server. Facilities that had been NFSv4 a single RPC protocol is used to make requests to the server.
separate protocols, such as locking, are now integrated within a Facilities that had been separate protocols, such as locking, are now
single unified protocol. integrated within a single unified protocol.
1.6.2.2. Parallel Access 1.7.2.2. Parallel Access
Minor version one supports high-performance data access to a Minor version 1 supports high-performance data access to a clustered
clustered server implementation by enabling a separation of metadata server implementation by enabling a separation of metadata access and
access and data access, with the latter done to multiple servers in data access, with the latter done to multiple servers in parallel.
parallel.
Such parallel data access is controlled by recallable objects known Such parallel data access is controlled by recallable objects known
as "layouts", which are integrated into the protocol locking model. as "layouts", which are integrated into the protocol locking model.
Clients direct requests for data access to a set of data servers Clients direct requests for data access to a set of data servers
specified by the layout via a data storage protocol which may be specified by the layout via a data storage protocol which may be
NFSv4.1 or may be another protocol. NFSv4.1 or may be another protocol.
Because the protocols used for parallel data access are not Because the protocols used for parallel data access are not
necessarily RPC-based, the RPC-based security model (Section 1.6.1) necessarily RPC-based, the RPC-based security model (Section 1.7.1)
is obviously impacted (see Section 12.9). The degree of impact is obviously impacted (see Section 12.9). The degree of impact
varies with the Storage Protocol (see Section 12.2.5) used for data varies with the storage protocol (see Section 12.2.5) used for data
access, and can be as low as zero (see Section 13.12). access, and can be as low as zero (see Section 13.12).
1.6.3. File System Model 1.7.3. File System Model
The general file system model used for the NFSv4.1 protocol is the The general file system model used for the NFSv4.1 protocol is the
same as previous versions. The server file system is hierarchical same as previous versions. The server file system is hierarchical
with the regular files contained within being treated as opaque byte with the regular files contained within being treated as opaque byte
streams. In a slight departure, file and directory names are encoded streams. In a slight departure, file and directory names are encoded
with UTF-8 to deal with the basics of internationalization. with UTF-8 to deal with the basics of internationalization.
The NFSv4.1 protocol does not require a separate protocol to provide The NFSv4.1 protocol does not require a separate protocol to provide
for the initial mapping between path name and filehandle. All file for the initial mapping between path name and filehandle. All file
systems exported by a server are presented as a tree so that all file systems exported by a server are presented as a tree so that all file
systems are reachable from a special per-server global root systems are reachable from a special per-server global root
filehandle. This allows LOOKUP operations to be used to perform filehandle. This allows LOOKUP operations to be used to perform
functions previously provided by the MOUNT protocol. The server functions previously provided by the MOUNT protocol. The server
provides any necessary pseudo file systems to bridge any gaps that provides any necessary pseudo file systems to bridge any gaps that
arise due to unexported gaps between exported file systems. arise due to unexported gaps between exported file systems.
1.6.3.1. Filehandles 1.7.3.1. Filehandles
As in previous versions of the NFS protocol, opaque filehandles are As in previous versions of the NFS protocol, opaque filehandles are
used to identify individual files and directories. Lookup-type and used to identify individual files and directories. Lookup-type and
create operations translate file and directory names to filehandles create operations translate file and directory names to filehandles,
which are then used to identify objects in subsequent operations. which are then used to identify objects in subsequent operations.
The NFSv4.1 protocol provides support for persistent filehandles, The NFSv4.1 protocol provides support for persistent filehandles,
guaranteed to be valid for the lifetime of the file system object guaranteed to be valid for the lifetime of the file system object
designated. In addition it provides support to servers to provide designated. In addition, it provides support to servers to provide
filehandles with more limited validity guarantees, called volatile filehandles with more limited validity guarantees, called volatile
filehandles. filehandles.
1.6.3.2. File Attributes 1.7.3.2. File Attributes
The NFSv4.1 protocol has a rich and extensible file object attribute The NFSv4.1 protocol has a rich and extensible file object attribute
structure, which is divided into REQUIRED, RECOMMENDED, and named structure, which is divided into REQUIRED, RECOMMENDED, and named
attributes (see Section 5). attributes (see Section 5).
Several (but not all) of the REQUIRED attributes are derived from the Several (but not all) of the REQUIRED attributes are derived from the
attributes of NFSv3 (see the definition of the fattr3 data type in attributes of NFSv3 (see the definition of the fattr3 data type in
[30]). An example of a REQUIRED attribute is the file object's type [31]). An example of a REQUIRED attribute is the file object's type
(Section 5.8.1.2) so that regular files can be distinguished from (Section 5.8.1.2) so that regular files can be distinguished from
directories (also known as folders in some operating environments) directories (also known as folders in some operating environments)
and other types of objects. REQUIRED attributes are discussed in and other types of objects. REQUIRED attributes are discussed in
Section 5.1. Section 5.1.
An example of three RECOMMENDED attributes are acl, sacl, and dacl. An example of three RECOMMENDED attributes are acl, sacl, and dacl.
These attributes define an Access Control List (ACL) on a file object These attributes define an Access Control List (ACL) on a file object
(Section 6). An ACL provides directory and file access control (Section 6). An ACL provides directory and file access control
beyond the model used in NFSv3. The ACL definition allows for beyond the model used in NFSv3. The ACL definition allows for
specification of specific sets of permissions for individual users specification of specific sets of permissions for individual users
and groups. In addition, ACL inheritance allows propagation of and groups. In addition, ACL inheritance allows propagation of
access permissions and restriction down a directory tree as file access permissions and restrictions down a directory tree as file
system objects are created. RECOMMENDED attributes are discussed in system objects are created. RECOMMENDED attributes are discussed in
Section 5.2. Section 5.2.
A named attribute is an opaque byte stream that is associated with a A named attribute is an opaque byte stream that is associated with a
directory or file and referred to by a string name. Named attributes directory or file and referred to by a string name. Named attributes
are meant to be used by client applications as a method to associate are meant to be used by client applications as a method to associate
application-specific data with a regular file or directory. NFSv4.1 application-specific data with a regular file or directory. NFSv4.1
modifies named attributes relative to NFSv4.0 by tightening the modifies named attributes relative to NFSv4.0 by tightening the
allowed operations in order to prevent the development of non- allowed operations in order to prevent the development of non-
interoperable implementations. Named attributes are discussed in interoperable implementations. Named attributes are discussed in
Section 5.3. Section 5.3.
1.6.3.3. Multi-server Namespace 1.7.3.3. Multi-Server Namespace
NFSv4.1 contains a number of features to allow implementation of NFSv4.1 contains a number of features to allow implementation of
namespaces that cross server boundaries and that allow and facilitate namespaces that cross server boundaries and that allow and facilitate
a non-disruptive transfer of support for individual file systems a non-disruptive transfer of support for individual file systems
between servers. They are all based upon attributes that allow one between servers. They are all based upon attributes that allow one
file system to specify alternate or new locations for that file file system to specify alternate or new locations for that file
system. system.
These attributes may be used together with the concept of absent file These attributes may be used together with the concept of absent file
systems, which provide specifications for additional locations but no systems, which provide specifications for additional locations but no
skipping to change at page 19, line 33 skipping to change at page 16, line 47
o Location attributes may be provided for present file systems to o Location attributes may be provided for present file systems to
provide the locations of alternate file system instances or provide the locations of alternate file system instances or
replicas to be used in the event that the current file system replicas to be used in the event that the current file system
instance becomes unavailable. instance becomes unavailable.
o Location attributes may be provided when a previously present file o Location attributes may be provided when a previously present file
system becomes absent. This allows non-disruptive migration of system becomes absent. This allows non-disruptive migration of
file systems to alternate servers. file systems to alternate servers.
1.6.4. Locking Facilities 1.7.4. Locking Facilities
As mentioned previously, NFS v4.1 is a single protocol which includes As mentioned previously, NFSv4.1 is a single protocol that includes
locking facilities. These locking facilities include support for locking facilities. These locking facilities include support for
many types of locks including a number of sorts of recallable locks. many types of locks including a number of sorts of recallable locks.
Recallable locks such as delegations allow the client to be assured Recallable locks such as delegations allow the client to be assured
that certain events will not occur so long as that lock is held. that certain events will not occur so long as that lock is held.
When circumstances change, the lock is recalled via a callback When circumstances change, the lock is recalled via a callback
request. The assurances provided by delegations allow more extensive request. The assurances provided by delegations allow more extensive
caching to be done safely when circumstances allow it. caching to be done safely when circumstances allow it.
The types of locks are: The types of locks are:
o Share reservations as established by OPEN operations. o Share reservations as established by OPEN operations.
skipping to change at page 20, line 11 skipping to change at page 17, line 27
o File delegations, which are recallable locks that assure the o File delegations, which are recallable locks that assure the
holder that inconsistent opens and file changes cannot occur so holder that inconsistent opens and file changes cannot occur so
long as the delegation is held. long as the delegation is held.
o Directory delegations, which are recallable locks that assure the o Directory delegations, which are recallable locks that assure the
holder that inconsistent directory modifications cannot occur so holder that inconsistent directory modifications cannot occur so
long as the delegation is held. long as the delegation is held.
o Layouts, which are recallable objects that assure the holder that o Layouts, which are recallable objects that assure the holder that
direct access to the file data may be performed directly by the direct access to the file data may be performed directly by the
client and that no change to the data's location inconsistent with client and that no change to the data's location that is
that access may be made so long as the layout is held. inconsistent with that access may be made so long as the layout is
held.
All locks for a given client are tied together under a single client- All locks for a given client are tied together under a single client-
wide lease. All requests made on sessions associated with the client wide lease. All requests made on sessions associated with the client
renew that lease. When leases are not promptly renewed locks are renew that lease. When the client's lease is not promptly renewed,
subject to revocation. In the event of server restart, clients have the client's locks are subject to revocation. In the event of server
the opportunity to safely reclaim their locks within a special grace restart, clients have the opportunity to safely reclaim their locks
period. within a special grace period.
1.7. Differences from NFSv4.0 1.8. Differences from NFSv4.0
The following summarizes the major differences between minor version The following summarizes the major differences between minor version
one and the base protocol: 1 and the base protocol:
o Implementation of the sessions model (Section 2.10). o Implementation of the sessions model (Section 2.10).
o Parallel access to data (Section 12). o Parallel access to data (Section 12).
o Addition of the RECLAIM_COMPLETE operation to better structure the o Addition of the RECLAIM_COMPLETE operation to better structure the
lock reclamation process (Section 18.51). lock reclamation process (Section 18.51).
o Enhanced delegation support as follows. o Enhanced delegation support as follows.
* Delegations on directories and other file types in addition to * Delegations on directories and other file types in addition to
regular files (Section 18.39, Section 18.49). regular files (Section 18.39, Section 18.49).
* Operations to optimize acquisition of recalled or denied * Operations to optimize acquisition of recalled or denied
delegations (Section 18.49, Section 20.5, Section 20.7). delegations (Section 18.49, Section 20.5, Section 20.7).
* Notifications of changes to files and directories * Notifications of changes to files and directories
(Section 18.39, Section 20.4). (Section 18.39, Section 20.4).
* A method to allow a server to indicate it is recalling one or * A method to allow a server to indicate that it is recalling one
more delegations for resource management reasons, and thus a or more delegations for resource management reasons, and thus a
method to allow the client to pick which delegations to return method to allow the client to pick which delegations to return
(Section 20.6). (Section 20.6).
o Attributes can be set atomically during exclusive file create via o Attributes can be set atomically during exclusive file create via
the OPEN operation (see the new EXCLUSIVE4_1 creation method in the OPEN operation (see the new EXCLUSIVE4_1 creation method in
Section 18.16). Section 18.16).
o Open files can be preserved if removed and the hard link count o Open files can be preserved if removed and the hard link count
("hard link" is defined in an Open Group [6] standard) goes to ("hard link" is defined in an Open Group [6] standard) goes to
zero thus obviating the need for clients to rename deleted files zero, thus obviating the need for clients to rename deleted files
to partially hidden names -- colloquially called "silly rename" to partially hidden names -- colloquially called "silly rename"
(see the new OPEN4_RESULT_PRESERVE_UNLINKED reply flag in (see the new OPEN4_RESULT_PRESERVE_UNLINKED reply flag in
Section 18.16). Section 18.16).
o Improved compatibility with Microsoft Windows for Access Control o Improved compatibility with Microsoft Windows for Access Control
Lists (Section 6.2.3, Section 6.2.2, Section 6.4.3.2). Lists (Section 6.2.3, Section 6.2.2, Section 6.4.3.2).
o Data retention (Section 5.13). o Data retention (Section 5.13).
o Identification of the implementation of the NFS client and server o Identification of the implementation of the NFS client and server
(Section 18.35). (Section 18.35).
o Support for notification of the availability of byte-range locks o Support for notification of the availability of byte-range locks
(see the new OPEN4_RESULT_MAY_NOTIFY_LOCK reply flag in (see the new OPEN4_RESULT_MAY_NOTIFY_LOCK reply flag in
Section 18.16 and see Section 20.11). Section 18.16 and see Section 20.11).
o In NFSv4.1, LIPKEY and SPKM-3 are not required security mechanisms o In NFSv4.1, LIPKEY and SPKM-3 are not required security mechanisms
[31]. [32].
2. Core Infrastructure 2. Core Infrastructure
2.1. Introduction 2.1. Introduction
NFSv4.1 relies on core infrastructure common to nearly every NFSv4.1 relies on core infrastructure common to nearly every
operation. This core infrastructure is described in the remainder of operation. This core infrastructure is described in the remainder of
this section. this section.
2.2. RPC and XDR 2.2. RPC and XDR
The NFSv4.1 protocol is a Remote Procedure Call (RPC) application The NFSv4.1 protocol is a Remote Procedure Call (RPC) application
that uses RPC version 2 and the corresponding eXternal Data that uses RPC version 2 and the corresponding eXternal Data
Representation (XDR) as defined in [3] and [2]. Representation (XDR) as defined in [3] and [2].
2.2.1. RPC-based Security 2.2.1. RPC-Based Security
Previous NFS versions have been thought of as having a host-based Previous NFS versions have been thought of as having a host-based
authentication model, where the NFS server authenticates the NFS authentication model, where the NFS server authenticates the NFS
client, and trusts the client to authenticate all users. Actually, client, and trusts the client to authenticate all users. Actually,
NFS has always depended on RPC for authentication. One of the first NFS has always depended on RPC for authentication. One of the first
forms of RPC authentication, AUTH_SYS, had no strong authentication, forms of RPC authentication, AUTH_SYS, had no strong authentication
and required a host-based authentication approach. NFSv4.1 also and required a host-based authentication approach. NFSv4.1 also
depends on RPC for basic security services, and mandates RPC support depends on RPC for basic security services and mandates RPC support
for a user-based authentication model. The user-based authentication for a user-based authentication model. The user-based authentication
model has user principals authenticated by a server, and in turn the model has user principals authenticated by a server, and in turn the
server authenticated by user principals. RPC provides some basic server authenticated by user principals. RPC provides some basic
security services which are used by NFSv4.1. security services that are used by NFSv4.1.
2.2.1.1. RPC Security Flavors 2.2.1.1. RPC Security Flavors
As described in section 7.2 "Authentication" of [3], RPC security is As described in Section 7.2 ("Authentication") of [3], RPC security
encapsulated in the RPC header, via a security or authentication is encapsulated in the RPC header, via a security or authentication
flavor, and information specific to the specified security flavor. flavor, and information specific to the specified security flavor.
Every RPC header conveys information used to identify and Every RPC header conveys information used to identify and
authenticate a client and server. As discussed in Section 2.2.1.1.1, authenticate a client and server. As discussed in Section 2.2.1.1.1,
some security flavors provide additional security services. some security flavors provide additional security services.
NFSv4.1 clients and servers MUST implement RPCSEC_GSS. (This NFSv4.1 clients and servers MUST implement RPCSEC_GSS. (This
requirement to implement is not a requirement to use.) Other requirement to implement is not a requirement to use.) Other
flavors, such as AUTH_NONE, and AUTH_SYS, MAY be implemented as well. flavors, such as AUTH_NONE and AUTH_SYS, MAY be implemented as well.
2.2.1.1.1. RPCSEC_GSS and Security Services 2.2.1.1.1. RPCSEC_GSS and Security Services
RPCSEC_GSS ([4]) uses the functionality of GSS-API [7]. This allows RPCSEC_GSS [4] uses the functionality of GSS-API [7]. This allows
for the use of various security mechanisms by the RPC layer without for the use of various security mechanisms by the RPC layer without
the additional implementation overhead of adding RPC security the additional implementation overhead of adding RPC security
flavors. flavors.
2.2.1.1.1.1. Identification, Authentication, Integrity, Privacy 2.2.1.1.1.1. Identification, Authentication, Integrity, Privacy
Via the GSS-API, RPCSEC_GSS can be used to identify and authenticate Via the GSS-API, RPCSEC_GSS can be used to identify and authenticate
users on clients to servers, and servers to users. It can also users on clients to servers, and servers to users. It can also
perform integrity checking on the entire RPC message, including the perform integrity checking on the entire RPC message, including the
RPC header, and the arguments or results. Finally, privacy, usually RPC header, and on the arguments or results. Finally, privacy,
via encryption, is a service available with RPCSEC_GSS. Privacy is usually via encryption, is a service available with RPCSEC_GSS.
performed on the arguments and results. Note that if privacy is Privacy is performed on the arguments and results. Note that if
selected, integrity, authentication, and identification are enabled. privacy is selected, integrity, authentication, and identification
If privacy is not selected, but integrity is selected, authentication are enabled. If privacy is not selected, but integrity is selected,
and identification are enabled. If integrity and privacy are not authentication and identification are enabled. If integrity and
selected, but authentication is enabled, identification is enabled. privacy are not selected, but authentication is enabled,
RPCSEC_GSS does not provide identification as a separate service. identification is enabled. RPCSEC_GSS does not provide
identification as a separate service.
Although GSS-API has an authentication service distinct from its Although GSS-API has an authentication service distinct from its
privacy and integrity services, GSS-API's authentication service is privacy and integrity services, GSS-API's authentication service is
not used for RPCSEC_GSS's authentication service. Instead, each RPC not used for RPCSEC_GSS's authentication service. Instead, each RPC
request and response header is integrity protected with the GSS-API request and response header is integrity protected with the GSS-API
integrity service, and this allows RPCSEC_GSS to offer per-RPC integrity service, and this allows RPCSEC_GSS to offer per-RPC
authentication and identity. See [4] for more information. authentication and identity. See [4] for more information.
NFSv4.1 client and servers MUST support RPCSEC_GSS's integrity and NFSv4.1 client and servers MUST support RPCSEC_GSS's integrity and
authentication service. NFSv4.1 servers MUST support RPCSEC_GSS's authentication service. NFSv4.1 servers MUST support RPCSEC_GSS's
privacy service. NFSv4.1 clients SHOULD support RPCSEC_GSS's privacy privacy service. NFSv4.1 clients SHOULD support RPCSEC_GSS's privacy
service. service.
2.2.1.1.1.2. Security mechanisms for NFSv4.1 2.2.1.1.1.2. Security Mechanisms for NFSv4.1
RPCSEC_GSS, via GSS-API, normalizes access to mechanisms that provide RPCSEC_GSS, via GSS-API, normalizes access to mechanisms that provide
security services. Therefore NFSv4.1 clients and servers MUST security services. Therefore, NFSv4.1 clients and servers MUST
support the Kerberos V5 security mechanism. support the Kerberos V5 security mechanism.
The use of RPCSEC_GSS requires selection of: mechanism, quality of The use of RPCSEC_GSS requires selection of mechanism, quality of
protection (QOP), and service (authentication, integrity, privacy). protection (QOP), and service (authentication, integrity, privacy).
For the mandated security mechanisms, NFSv4.1 specifies that a QOP of For the mandated security mechanisms, NFSv4.1 specifies that a QOP of
zero (0) is used, leaving it up to the mechanism or the mechanism's zero is used, leaving it up to the mechanism or the mechanism's
configuration to map QOP zero to an appropriate level of protection. configuration to map QOP zero to an appropriate level of protection.
Each mandated mechanism specifies minimum set of cryptographic Each mandated mechanism specifies a minimum set of cryptographic
algorithms for implementing integrity and privacy. NFSv4.1 clients algorithms for implementing integrity and privacy. NFSv4.1 clients
and servers MUST be implemented on operating environments that comply and servers MUST be implemented on operating environments that comply
with the REQUIRED cryptographic algorithms of each REQUIRED with the REQUIRED cryptographic algorithms of each REQUIRED
mechanism. mechanism.
2.2.1.1.1.2.1. Kerberos V5 2.2.1.1.1.2.1. Kerberos V5
The Kerberos V5 GSS-API mechanism as described in [5] MUST be The Kerberos V5 GSS-API mechanism as described in [5] MUST be
implemented with the RPCSEC_GSS services as specified in the implemented with the RPCSEC_GSS services as specified in the
following table: following table:
skipping to change at page 23, line 42 skipping to change at page 21, line 19
4 == RPCSEC_GSS service 4 == RPCSEC_GSS service
5 == NFSv4.1 clients MUST support 5 == NFSv4.1 clients MUST support
6 == NFSv4.1 servers MUST support 6 == NFSv4.1 servers MUST support
1 2 3 4 5 6 1 2 3 4 5 6
------------------------------------------------------------------ ------------------------------------------------------------------
390003 krb5 1.2.840.113554.1.2.2 rpc_gss_svc_none yes yes 390003 krb5 1.2.840.113554.1.2.2 rpc_gss_svc_none yes yes
390004 krb5i 1.2.840.113554.1.2.2 rpc_gss_svc_integrity yes yes 390004 krb5i 1.2.840.113554.1.2.2 rpc_gss_svc_integrity yes yes
390005 krb5p 1.2.840.113554.1.2.2 rpc_gss_svc_privacy no yes 390005 krb5p 1.2.840.113554.1.2.2 rpc_gss_svc_privacy no yes
Note that the number and name of the pseudo flavor is presented here Note that the number and name of the pseudo flavor are presented here
as a mapping aid to the implementor. Because the NFSv4.1 protocol as a mapping aid to the implementor. Because the NFSv4.1 protocol
includes a method to negotiate security and it understands the GSS- includes a method to negotiate security and it understands the GSS-
API mechanism, the pseudo flavor is not needed. The pseudo flavor is API mechanism, the pseudo flavor is not needed. The pseudo flavor is
needed for the NFSv3 since the security negotiation is done via the needed for the NFSv3 since the security negotiation is done via the
MOUNT protocol as described in [32]. MOUNT protocol as described in [33].
At the time NFSv4.1 was specified, AES with HMAC-SHA1 was a REQUIRED At the time NFSv4.1 was specified, the Advanced Encryption Standard
algorithm set for Kerberos V5. In contrast, when NFSv4.0 was (AES) with HMAC-SHA1 was a REQUIRED algorithm set for Kerberos V5.
specified, weaker algorithm sets were REQUIRED for Kerberos V5, and In contrast, when NFSv4.0 was specified, weaker algorithm sets were
were REQUIRED in the NFSv4.0 specification, because the Kerberos V5 REQUIRED for Kerberos V5, and were REQUIRED in the NFSv4.0
specification at the time did not specify stronger algorithms. The specification, because the Kerberos V5 specification at the time did
NFSv4.1 specification does not specify REQUIRED algorithms for not specify stronger algorithms. The NFSv4.1 specification does not
Kerberos V5, and instead, the implementor is expected to track the specify REQUIRED algorithms for Kerberos V5, and instead, the
evolution of the Kerberos V5 standard if and when stronger algorithms implementor is expected to track the evolution of the Kerberos V5
are specified. standard if and when stronger algorithms are specified.
2.2.1.1.1.2.1.1. Security Considerations for Cryptographic Algorithms 2.2.1.1.1.2.1.1. Security Considerations for Cryptographic Algorithms
in Kerberos V5 in Kerberos V5
When deploying NFSv4.1, the strength of the security achieved depends When deploying NFSv4.1, the strength of the security achieved depends
on the existing Kerberos V5 infrastructure. The algorithms of on the existing Kerberos V5 infrastructure. The algorithms of
Kerberos V5 are not directly exposed to or selectable by the client Kerberos V5 are not directly exposed to or selectable by the client
or server, so there is some due diligence required by the user of or server, so there is some due diligence required by the user of
NFSv4.1 to ensure that security is acceptable where where needed. NFSv4.1 to ensure that security is acceptable where needed.
2.2.1.1.1.3. GSS Server Principal 2.2.1.1.1.3. GSS Server Principal
Regardless of what security mechanism under RPCSEC_GSS is being used, Regardless of what security mechanism under RPCSEC_GSS is being used,
the NFS server, MUST identify itself in GSS-API via a the NFS server MUST identify itself in GSS-API via a
GSS_C_NT_HOSTBASED_SERVICE name type. GSS_C_NT_HOSTBASED_SERVICE GSS_C_NT_HOSTBASED_SERVICE name type. GSS_C_NT_HOSTBASED_SERVICE
names are of the form: names are of the form:
service@hostname service@hostname
For NFS, the "service" element is For NFS, the "service" element is
nfs nfs
Implementations of security mechanisms will convert nfs@hostname to Implementations of security mechanisms will convert nfs@hostname to
various different forms. For Kerberos V5 the following form is various different forms. For Kerberos V5, the following form is
RECOMMENDED: RECOMMENDED:
nfs/hostname nfs/hostname
2.3. COMPOUND and CB_COMPOUND 2.3. COMPOUND and CB_COMPOUND
A significant departure from the versions of the NFS protocol before A significant departure from the versions of the NFS protocol before
NFSv4 is the introduction of the COMPOUND procedure. For the NFSv4 NFSv4 is the introduction of the COMPOUND procedure. For the NFSv4
protocol, in all minor versions, there are exactly two RPC protocol, in all minor versions, there are exactly two RPC
procedures, NULL and COMPOUND. The COMPOUND procedure is defined as procedures, NULL and COMPOUND. The COMPOUND procedure is defined as
skipping to change at page 25, line 9 skipping to change at page 22, line 33
The operations combined within a COMPOUND request are evaluated in The operations combined within a COMPOUND request are evaluated in
order by the server, without any atomicity guarantees. A limited set order by the server, without any atomicity guarantees. A limited set
of facilities exist to pass results from one operation to another. of facilities exist to pass results from one operation to another.
Once an operation returns a failing result, the evaluation ends and Once an operation returns a failing result, the evaluation ends and
the results of all evaluated operations are returned to the client. the results of all evaluated operations are returned to the client.
With the use of the COMPOUND procedure, the client is able to build With the use of the COMPOUND procedure, the client is able to build
simple or complex requests. These COMPOUND requests allow for a simple or complex requests. These COMPOUND requests allow for a
reduction in the number of RPCs needed for logical file system reduction in the number of RPCs needed for logical file system
operations. For example, multi-component lookup requests can be operations. For example, multi-component look up requests can be
constructed by combining multiple LOOKUP operations. Those can be constructed by combining multiple LOOKUP operations. Those can be
further combined with operations such as GETATTR, READDIR, or OPEN further combined with operations such as GETATTR, READDIR, or OPEN
plus READ to do more complicated sets of operation without incurring plus READ to do more complicated sets of operation without incurring
additional latency. additional latency.
NFSv4.1 also contains a considerable set of callback operations in NFSv4.1 also contains a considerable set of callback operations in
which the server makes an RPC directed at the client. Callback RPCs which the server makes an RPC directed at the client. Callback RPCs
have a similar structure to that of the normal server requests. In have a similar structure to that of the normal server requests. In
all minor versions of the NFSv4 protocol there are two callback RPC all minor versions of the NFSv4 protocol, there are two callback RPC
procedures, CB_NULL and CB_COMPOUND. The CB_COMPOUND procedure is procedures: CB_NULL and CB_COMPOUND. The CB_COMPOUND procedure is
defined in an analogous fashion to that of COMPOUND with its own set defined in an analogous fashion to that of COMPOUND with its own set
of callback operations. of callback operations.
The addition of new server and callback operations within the The addition of new server and callback operations within the
COMPOUND and CB_COMPOUND request framework provides a means of COMPOUND and CB_COMPOUND request framework provides a means of
extending the protocol in subsequent minor versions. extending the protocol in subsequent minor versions.
Except for a small number of operations needed for session creation, Except for a small number of operations needed for session creation,
server requests and callback requests are performed within the server requests and callback requests are performed within the
context of a session. Sessions provide a client context for every context of a session. Sessions provide a client context for every
skipping to change at page 26, line 11 skipping to change at page 23, line 36
Unlike NFSv4.0, the only NFSv4.1 operations possible before a client Unlike NFSv4.0, the only NFSv4.1 operations possible before a client
ID is established are those needed to establish the client ID. ID is established are those needed to establish the client ID.
A sequence of an EXCHANGE_ID operation followed by a CREATE_SESSION A sequence of an EXCHANGE_ID operation followed by a CREATE_SESSION
operation using that client ID (eir_clientid as returned from operation using that client ID (eir_clientid as returned from
EXCHANGE_ID) is required to establish and confirm the client ID on EXCHANGE_ID) is required to establish and confirm the client ID on
the server. Establishment of identification by a new incarnation of the server. Establishment of identification by a new incarnation of
the client also has the effect of immediately releasing any locking the client also has the effect of immediately releasing any locking
state that a previous incarnation of that same client might have had state that a previous incarnation of that same client might have had
on the server. Such released state would include all lock, share on the server. Such released state would include all byte-range
reservation, layout state, and where the server is not supporting the lock, share reservation, layout state, and -- where the server
CLAIM_DELEGATE_PREV claim type, all delegation state associated with supports neither the CLAIM_DELEGATE_PREV nor CLAIM_DELEG_CUR_FH claim
the same client with the same identity. For discussion of delegation types -- all delegation state associated with the same client with
state recovery, see Section 10.2.1. For discussion of layout state the same identity. For discussion of delegation state recovery, see
recovery see Section 12.7.1. Section 10.2.1. For discussion of layout state recovery, see
Section 12.7.1.
Releasing such state requires that the server be able to determine Releasing such state requires that the server be able to determine
that one client instance is the successor of another. Where this that one client instance is the successor of another. Where this
cannot be done, for any of a number of reasons, the locking state cannot be done, for any of a number of reasons, the locking state
will remain for a time subject to lease expiration (see Section 8.3) will remain for a time subject to lease expiration (see Section 8.3)
and the new client will need to wait for such state to be removed, if and the new client will need to wait for such state to be removed, if
it makes conflicting lock requests. it makes conflicting lock requests.
Client identification is encapsulated in the following Client Owner Client identification is encapsulated in the following client owner
data type: data type:
struct client_owner4 { struct client_owner4 {
verifier4 co_verifier; verifier4 co_verifier;
opaque co_ownerid<NFS4_OPAQUE_LIMIT>; opaque co_ownerid<NFS4_OPAQUE_LIMIT>;
}; };
The first field, co_verifier, is a client incarnation verifier. The The first field, co_verifier, is a client incarnation verifier. The
server will start the process of canceling the client's leased state server will start the process of canceling the client's leased state
if co_verifier is different than what the server has previously if co_verifier is different than what the server has previously
recorded for the identified client (as specified in the co_ownerid recorded for the identified client (as specified in the co_ownerid
field). field).
The second field, co_ownerid is a variable length string that The second field, co_ownerid, is a variable length string that
uniquely defines the client so that subsequent instances of the same uniquely defines the client so that subsequent instances of the same
client bear the same co_ownerid with a different verifier. client bear the same co_ownerid with a different verifier.
There are several considerations for how the client generates the There are several considerations for how the client generates the
co_ownerid string: co_ownerid string:
o The string should be unique so that multiple clients do not o The string should be unique so that multiple clients do not
present the same string. The consequences of two clients present the same string. The consequences of two clients
presenting the same string range from one client getting an error presenting the same string range from one client getting an error
to one client having its leased state abruptly and unexpectedly to one client having its leased state abruptly and unexpectedly
canceled. cancelled.
o The string should be selected so that subsequent incarnations o The string should be selected so that subsequent incarnations
(e.g. restarts) of the same client cause the client to present the (e.g., restarts) of the same client cause the client to present
same string. The implementor is cautioned from an approach that the same string. The implementor is cautioned from an approach
requires the string to be recorded in a local file because this that requires the string to be recorded in a local file because
precludes the use of the implementation in an environment where this precludes the use of the implementation in an environment
there is no local disk and all file access is from an NFSv4.1 where there is no local disk and all file access is from an
server. NFSv4.1 server.
o The string should be the same for each server network address that o The string should be the same for each server network address that
the client accesses. This way, if a server has multiple the client accesses. This way, if a server has multiple
interfaces, the client can trunk traffic over multiple network interfaces, the client can trunk traffic over multiple network
paths as described in Section 2.10.5. (Note: the precise opposite paths as described in Section 2.10.5. (Note: the precise opposite
was advised in the NFSv4.0 specification [29].) was advised in the NFSv4.0 specification [30].)
o The algorithm for generating the string should not assume that the o The algorithm for generating the string should not assume that the
client's network address will not change, unless the client client's network address will not change, unless the client
implementation knows it is using statically assigned network implementation knows it is using statically assigned network
addresses. This includes changes between client incarnations and addresses. This includes changes between client incarnations and
even changes while the client is still running in its current even changes while the client is still running in its current
incarnation. Thus with dynamic address assignment, if the client incarnation. Thus, with dynamic address assignment, if the client
includes just the client's network address in the co_ownerid includes just the client's network address in the co_ownerid
string, there is a real risk that after the client gives up the string, there is a real risk that after the client gives up the
network address, another client, using a similar algorithm for network address, another client, using a similar algorithm for
generating the co_ownerid string, would generate a conflicting generating the co_ownerid string, would generate a conflicting
co_ownerid string. co_ownerid string.
Given the above considerations, an example of a well generated Given the above considerations, an example of a well-generated
co_ownerid string is one that includes: co_ownerid string is one that includes:
o If applicable, the client's statically assigned network address. o If applicable, the client's statically assigned network address.
o Additional information that tends to be unique, such as one or o Additional information that tends to be unique, such as one or
more of: more of:
* The client machine's serial number (for privacy reasons, it is * The client machine's serial number (for privacy reasons, it is
best to perform some one way function on the serial number). best to perform some one-way function on the serial number).
* A MAC address (again, a one way function should be performed). * A Media Access Control (MAC) address (again, a one-way function
should be performed).
* The timestamp of when the NFSv4.1 software was first installed * The timestamp of when the NFSv4.1 software was first installed
on the client (though this is subject to the previously on the client (though this is subject to the previously
mentioned caution about using information that is stored in a mentioned caution about using information that is stored in a
file, because the file might only be accessible over NFSv4.1). file, because the file might only be accessible over NFSv4.1).
* A true random number. However since this number ought to be * A true random number. However, since this number ought to be
the same between client incarnations, this shares the same the same between client incarnations, this shares the same
problem as that of using the timestamp of the software problem as that of using the timestamp of the software
installation. installation.
o For a user level NFSv4.1 client, it should contain additional o For a user-level NFSv4.1 client, it should contain additional
information to distinguish the client from other user level information to distinguish the client from other user-level
clients running on the same host, such as a process identifier or clients running on the same host, such as a process identifier or
other unique sequence. other unique sequence.
The client ID is assigned by the server (the eir_clientid result from The client ID is assigned by the server (the eir_clientid result from
EXCHANGE_ID) and should be chosen so that it will not conflict with a EXCHANGE_ID) and should be chosen so that it will not conflict with a
client ID previously assigned by the server. This applies across client ID previously assigned by the server. This applies across
server restarts. server restarts.
In the event of a server restart, a client may find out that its In the event of a server restart, a client may find out that its
current client ID is no longer valid when it receives an current client ID is no longer valid when it receives an
skipping to change at page 28, line 39 skipping to change at page 26, line 18
a server restart. When the existing client ID is presented to a a server restart. When the existing client ID is presented to a
server as part of creating a session and that client ID is not server as part of creating a session and that client ID is not
recognized, as would happen after a server restart, the server will recognized, as would happen after a server restart, the server will
reject the request with the error NFS4ERR_STALE_CLIENTID. reject the request with the error NFS4ERR_STALE_CLIENTID.
In the case of the session being persistent, the client will re- In the case of the session being persistent, the client will re-
establish communication using the existing session after the restart. establish communication using the existing session after the restart.
This session will be associated with the existing client ID but may This session will be associated with the existing client ID but may
only be used to retransmit operations that the client previously only be used to retransmit operations that the client previously
transmitted and did not see replies to. Replies to operations that transmitted and did not see replies to. Replies to operations that
the server previously performed will come from the reply cache, the server previously performed will come from the reply cache;
otherwise NFS4ERR_DEADSESSION will be returned. Hence, such a otherwise, NFS4ERR_DEADSESSION will be returned. Hence, such a
session is referred to as "dead". In this situation, in order to session is referred to as "dead". In this situation, in order to
perform new operations, the client needs to establish a new session. perform new operations, the client needs to establish a new session.
If an attempt is made to establish this new session with the existing If an attempt is made to establish this new session with the existing
client ID, the server will reject the request with client ID, the server will reject the request with
NFS4ERR_STALE_CLIENTID. NFS4ERR_STALE_CLIENTID.
When NFS4ERR_STALE_CLIENTID is received in either of these When NFS4ERR_STALE_CLIENTID is received in either of these
situations, the client needs to obtain a new client ID by use of the situations, the client needs to obtain a new client ID by use of the
EXCHANGE_ID operation, then use that client ID as the basis of a new EXCHANGE_ID operation, then use that client ID as the basis of a new
session, and then proceed to any other necessary recovery for the session, and then proceed to any other necessary recovery for the
server restart case (See Section 8.4.2). server restart case (see Section 8.4.2).
See the descriptions of EXCHANGE_ID (Section 18.35) and See the descriptions of EXCHANGE_ID (Section 18.35) and
CREATE_SESSION (Section 18.36) for a complete specification of these CREATE_SESSION (Section 18.36) for a complete specification of these
operations. operations.
2.4.1. Upgrade from NFSv4.0 to NFSv4.1 2.4.1. Upgrade from NFSv4.0 to NFSv4.1
To facilitate upgrade from NFSv4.0 to NFSv4.1, a server may compare a To facilitate upgrade from NFSv4.0 to NFSv4.1, a server may compare a
client_owner4 in an EXCHANGE_ID with an nfs_client_id4 established value of data type client_owner4 in an EXCHANGE_ID with a value of
using the SETCLIENTID operation of NFSv4.0. A server that does so data type nfs_client_id4 that was established using the SETCLIENTID
will allow an upgraded client to avoid waiting until the lease (i.e. operation of NFSv4.0. A server that does so will allow an upgraded
the lease established by the NFSv4.0 instance client) expires. This client to avoid waiting until the lease (i.e., the lease established
requires the client_owner4 be constructed the same way as the by the NFSv4.0 instance client) expires. This requires that the
nfs_client_id4. If the latter's contents included the server's value of data type client_owner4 be constructed the same way as the
network address (per the recommendations of the NFSv4.0 specification value of data type nfs_client_id4. If the latter's contents included
[29]), and the NFSv4.1 client does not wish to use a client ID that the server's network address (per the recommendations of the NFSv4.0
prevents trunking, it should send two EXCHANGE_ID operations. The specification [30]), and the NFSv4.1 client does not wish to use a
first EXCHANGE_ID will have a client_owner4 equal to the client ID that prevents trunking, it should send two EXCHANGE_ID
nfs_client_id4. This will clear the state created by the NFSv4.0 operations. The first EXCHANGE_ID will have a client_owner4 equal to
the nfs_client_id4. This will clear the state created by the NFSv4.0
client. The second EXCHANGE_ID will not have the server's network client. The second EXCHANGE_ID will not have the server's network
address. The state created for the second EXCHANGE_ID will not have address. The state created for the second EXCHANGE_ID will not have
to wait for lease expiration, because there will be no state to to wait for lease expiration, because there will be no state to
expire. expire.
2.4.2. Server Release of Client ID 2.4.2. Server Release of Client ID
NFSv4.1 introduces a new operation called DESTROY_CLIENTID NFSv4.1 introduces a new operation called DESTROY_CLIENTID
(Section 18.50) which the client SHOULD use to destroy a client ID it (Section 18.50), which the client SHOULD use to destroy a client ID
no longer needs. This permits graceful, bilateral release of a it no longer needs. This permits graceful, bilateral release of a
client ID. The operation cannot be used if there are sessions client ID. The operation cannot be used if there are sessions
associated with the client ID, or state with an unexpired lease. associated with the client ID, or state with an unexpired lease.
If the server determines that the client holds no associated state If the server determines that the client holds no associated state
for its client ID (including sessions, opens, locks, delegations, for its client ID (associated state includes unrevoked sessions,
layouts, and wants), the server may choose to unilaterally release opens, locks, delegations, layouts, and wants), the server MAY choose
the client ID in order to conserve resources. If the client contacts to unilaterally release the client ID in order to conserve resources.
the server after this release, the server MUST ensure the client If the client contacts the server after this release, the server MUST
receives the appropriate error so that it will use the EXCHANGE_ID/ ensure that the client receives the appropriate error so that it will
CREATE_SESSION sequence to establish a new client ID. The server use the EXCHANGE_ID/CREATE_SESSION sequence to establish a new client
ought to be very hesitant to release a client ID since the resulting ID. The server ought to be very hesitant to release a client ID
work on the client to recover from such an event will be the same since the resulting work on the client to recover from such an event
burden as if the server had failed and restarted. Typically a server will be the same burden as if the server had failed and restarted.
would not release a client ID unless there had been no activity from Typically, a server would not release a client ID unless there had
that client for many minutes. As long as there are sessions, opens, been no activity from that client for many minutes. As long as there
locks, delegations, layouts, or wants, the server MUST NOT release are sessions, opens, locks, delegations, layouts, or wants, the
the client ID. See Section 2.10.12.1.4 for discussion on releasing server MUST NOT release the client ID. See Section 2.10.13.1.4 for
inactive sessions. discussion on releasing inactive sessions.
2.4.3. Resolving Client Owner Conflicts 2.4.3. Resolving Client Owner Conflicts
When the server gets an EXCHANGE_ID for a client owner that currently When the server gets an EXCHANGE_ID for a client owner that currently
has no state, or that has state, but the lease has expired, the has no state, or that has state but the lease has expired, the server
server MUST allow the EXCHANGE_ID, and confirm the new client ID if MUST allow the EXCHANGE_ID and confirm the new client ID if followed
followed by the appropriate CREATE_SESSION. by the appropriate CREATE_SESSION.
When the server gets an EXCHANGE_ID for a new incarnation of a client When the server gets an EXCHANGE_ID for a new incarnation of a client
owner that currently has an old incarnation with state and an owner that currently has an old incarnation with state and an
unexpired lease, the server is allowed to dispose of the state of the unexpired lease, the server is allowed to dispose of the state of the
previous incarnation of the client owner if one of the following are previous incarnation of the client owner if one of the following is
true: true:
o The principal that created the client ID for the client owner is o The principal that created the client ID for the client owner is
the same as the principal that is issuing the EXCHANGE_ID. Note the same as the principal that is sending the EXCHANGE_ID
that if the client ID was created with SP4_MACH_CRED state operation. Note that if the client ID was created with
protection (Section 18.35), the principal MUST be based on SP4_MACH_CRED state protection (Section 18.35), the principal MUST
RPCSEC_GSS authentication, the RPCSEC_GSS service used MUST be be based on RPCSEC_GSS authentication, the RPCSEC_GSS service used
integrity or privacy, and the same GSS mechanism and principal MUST be integrity or privacy, and the same GSS mechanism and
MUST be used as that used when the client ID was created. principal MUST be used as that used when the client ID was
created.
o The client ID was established with SP4_SSV protection o The client ID was established with SP4_SSV protection
(Section 18.35, Section 2.10.8.3) and the client sends the (Section 18.35, Section 2.10.8.3) and the client sends the
EXCHANGE_ID with the security flavor set to RPCSEC_GSS using the EXCHANGE_ID with the security flavor set to RPCSEC_GSS using the
GSS SSV mechanism (Section 2.10.9). GSS SSV mechanism (Section 2.10.9).
o The client ID was established with SP4_SSV protection, and under o The client ID was established with SP4_SSV protection, and under
the conditions described herein, the EXCHANGE_ID was sent with the conditions described herein, the EXCHANGE_ID was sent with
SP4_MACH_CRED state protection. Because the SSV might not persist SP4_MACH_CRED state protection. Because the SSV might not persist
across client and server restart, and because the first time a across client and server restart, and because the first time a
skipping to change at page 30, line 51 skipping to change at page 28, line 33
client ID was created. client ID was created.
If none of the above situations apply, the server MUST return If none of the above situations apply, the server MUST return
NFS4ERR_CLID_INUSE. NFS4ERR_CLID_INUSE.
If the server accepts the principal and co_ownerid as matching that If the server accepts the principal and co_ownerid as matching that
which created the client ID, and the co_verifier in the EXCHANGE_ID which created the client ID, and the co_verifier in the EXCHANGE_ID
differs from the co_verifier used when the client ID was created, differs from the co_verifier used when the client ID was created,
then after the server receives a CREATE_SESSION that confirms the then after the server receives a CREATE_SESSION that confirms the
client ID, the server deletes state. If the co_verifier values are client ID, the server deletes state. If the co_verifier values are
the same, (e.g. the client is either updating properties of the the same (e.g., the client either is updating properties of the
client ID (Section 18.35), or the client is attempting trunking client ID (Section 18.35) or is attempting trunking (Section 2.10.5),
(Section 2.10.5) the server MUST NOT delete state. the server MUST NOT delete state.
2.5. Server Owners 2.5. Server Owners
The Server Owner is similar to a Client Owner (Section 2.4), but The server owner is similar to a client owner (Section 2.4), but
unlike the Client Owner, there is no shorthand server ID. The Server unlike the client owner, there is no shorthand server ID. The server
Owner is defined in the following data type: owner is defined in the following data type:
struct server_owner4 { struct server_owner4 {
uint64_t so_minor_id; uint64_t so_minor_id;
opaque so_major_id<NFS4_OPAQUE_LIMIT>; opaque so_major_id<NFS4_OPAQUE_LIMIT>;
}; };
The Server Owner is returned from EXCHANGE_ID. When the so_major_id The server owner is returned from EXCHANGE_ID. When the so_major_id
fields are the same in two EXCHANGE_ID results, the connections each fields are the same in two EXCHANGE_ID results, the connections that
EXCHANGE_ID were sent over can be assumed to address the same Server each EXCHANGE_ID were sent over can be assumed to address the same
(as defined in Section 1.5). If the so_minor_id fields are also the server (as defined in Section 1.6). If the so_minor_id fields are
same, then not only do both connections connect to the same server, also the same, then not only do both connections connect to the same
but the session can be shared across both connections. The reader is server, but the session can be shared across both connections. The
cautioned that multiple servers may deliberately or accidentally reader is cautioned that multiple servers may deliberately or
claim to have the same so_major_id or so_major_id/so_minor_id; the accidentally claim to have the same so_major_id or so_major_id/
reader should examine Section 2.10.5 and Section 18.35 in order to so_minor_id; the reader should examine Sections 2.10.5 and 18.35 in
avoid acting on falsely matching Server Owner values. order to avoid acting on falsely matching server owner values.
The considerations for generating a so_major_id are similar to that The considerations for generating a so_major_id are similar to that
for generating a co_ownerid string (see Section 2.4). The for generating a co_ownerid string (see Section 2.4). The
consequences of two servers generating conflicting so_major_id values consequences of two servers generating conflicting so_major_id values
are less dire than they are for co_ownerid conflicts because the are less dire than they are for co_ownerid conflicts because the
client can use RPCSEC_GSS to compare the authenticity of each server client can use RPCSEC_GSS to compare the authenticity of each server
(see Section 2.10.5). (see Section 2.10.5).
2.6. Security Service Negotiation 2.6. Security Service Negotiation
With the NFSv4.1 server potentially offering multiple security With the NFSv4.1 server potentially offering multiple security
mechanisms, the client needs a method to determine or negotiate which mechanisms, the client needs a method to determine or negotiate which
mechanism is to be used for its communication with the server. The mechanism is to be used for its communication with the server. The
NFS server may have multiple points within its file system namespace NFS server may have multiple points within its file system namespace
that are available for use by NFS clients. These points can be that are available for use by NFS clients. These points can be
considered security policy boundaries, and in some NFS considered security policy boundaries, and, in some NFS
implementations are tied to NFS export points. In turn the NFS implementations, are tied to NFS export points. In turn, the NFS
server may be configured such that each of these security policy server may be configured such that each of these security policy
boundaries may have different or multiple security mechanisms in use. boundaries may have different or multiple security mechanisms in use.
The security negotiation between client and server SHOULD be done The security negotiation between client and server SHOULD be done
with a secure channel to eliminate the possibility of a third party with a secure channel to eliminate the possibility of a third party
intercepting the negotiation sequence and forcing the client and intercepting the negotiation sequence and forcing the client and
server to choose a lower level of security than required or desired. server to choose a lower level of security than required or desired.
See Section 21 for further discussion. See Section 21 for further discussion.
2.6.1. NFSv4.1 Security Tuples 2.6.1. NFSv4.1 Security Tuples
An NFS server can assign one or more "security tuples" to each An NFS server can assign one or more "security tuples" to each
security policy boundary in its namespace. Each security tuple security policy boundary in its namespace. Each security tuple
consists of a security flavor (see Section 2.2.1.1), and if the consists of a security flavor (see Section 2.2.1.1) and, if the
flavor is RPCSEC_GSS, a GSS-API mechanism OID, a GSS-API quality of flavor is RPCSEC_GSS, a GSS-API mechanism Object Identifier (OID), a
protection, and an RPCSEC_GSS service. GSS-API quality of protection, and an RPCSEC_GSS service.
2.6.2. SECINFO and SECINFO_NO_NAME 2.6.2. SECINFO and SECINFO_NO_NAME
The SECINFO and SECINFO_NO_NAME operations allow the client to The SECINFO and SECINFO_NO_NAME operations allow the client to
determine, on a per filehandle basis, what security tuple is to be determine, on a per-filehandle basis, what security tuple is to be
used for server access. In general, the client will not have to use used for server access. In general, the client will not have to use
either operation except during initial communication with the server either operation except during initial communication with the server
or when the client crosses security policy boundaries at the server. or when the client crosses security policy boundaries at the server.
However, the server's policies may also change at any time and force However, the server's policies may also change at any time and force
the client to negotiate a new security tuple. the client to negotiate a new security tuple.
Where the use of different security tuples would affect the type of Where the use of different security tuples would affect the type of
access that would be allowed if a request was sent over the same access that would be allowed if a request was sent over the same
connection used for the SECINFO or SECINFO_NO_NAME operation (e.g. connection used for the SECINFO or SECINFO_NO_NAME operation (e.g.,
read-only vs. read-write) access, security tuples that allow greater read-only vs. read-write) access, security tuples that allow greater
access should be presented first. Where the general level of access access should be presented first. Where the general level of access
is the same and different security flavors limit the range of is the same and different security flavors limit the range of
principals whose privileges are recognized (e.g. allowing or principals whose privileges are recognized (e.g., allowing or
disallowing root access), flavors supporting the greatest range of disallowing root access), flavors supporting the greatest range of
principals should be listed first. principals should be listed first.
2.6.3. Security Error 2.6.3. Security Error
Based on the assumption that each NFSv4.1 client and server MUST Based on the assumption that each NFSv4.1 client and server MUST
support a minimum set of security (i.e., Kerberos V5 under support a minimum set of security (i.e., Kerberos V5 under
RPCSEC_GSS), the NFS client will initiate file access to the server RPCSEC_GSS), the NFS client will initiate file access to the server
with one of the minimal security tuples. During communication with with one of the minimal security tuples. During communication with
the server, the client may receive an NFS error of NFS4ERR_WRONGSEC. the server, the client may receive an NFS error of NFS4ERR_WRONGSEC.
This error allows the server to notify the client that the security This error allows the server to notify the client that the security
tuple currently being used contravenes the server's security policy. tuple currently being used contravenes the server's security policy.
The client is then responsible for determining (see Section 2.6.3.1) The client is then responsible for determining (see Section 2.6.3.1)
what security tuples are available at the server and choosing one what security tuples are available at the server and choosing one
which is appropriate for the client. that is appropriate for the client.
2.6.3.1. Using NFS4ERR_WRONGSEC, SECINFO, and SECINFO_NO_NAME 2.6.3.1. Using NFS4ERR_WRONGSEC, SECINFO, and SECINFO_NO_NAME
This section explains of the mechanics of NFSv4.1 security This section explains the mechanics of NFSv4.1 security negotiation.
negotiation.
2.6.3.1.1. Put Filehandle Operations 2.6.3.1.1. Put Filehandle Operations
The term "put filehandle operation" refers to PUTROOTFH, PUTPUBFH, The term "put filehandle operation" refers to PUTROOTFH, PUTPUBFH,
PUTFH, and RESTOREFH. Each of the subsections herein describes how PUTFH, and RESTOREFH. Each of the subsections herein describes how
the server handles a subseries of operations that starts with a put the server handles a subseries of operations that starts with a put
filehandle operation. filehandle operation.
2.6.3.1.1.1. Put Filehandle Operation + SAVEFH 2.6.3.1.1.1. Put Filehandle Operation + SAVEFH
The client is saving a filehandle for a future RESTOREFH, LINK, or The client is saving a filehandle for a future RESTOREFH, LINK, or
RENAME. SAVEFH MUST NOT return NFS4ERR_WRONGSEC. To determine RENAME. SAVEFH MUST NOT return NFS4ERR_WRONGSEC. To determine
whether the put filehandle operation returns NFS4ERR_WRONGSEC or not, whether or not the put filehandle operation returns NFS4ERR_WRONGSEC,
the server implementation pretends SAVEFH is not in the series of the server implementation pretends SAVEFH is not in the series of
operations and examines which of the situations described in the operations and examines which of the situations described in the
other subsections of Section 2.6.3.1.1 apply. other subsections of Section 2.6.3.1.1 apply.
2.6.3.1.1.2. Two or More Put Filehandle Operations 2.6.3.1.1.2. Two or More Put Filehandle Operations
For a series of N put filehandle operations, the server MUST NOT For a series of N put filehandle operations, the server MUST NOT
return NFS4ERR_WRONGSEC to the first N-1 put filehandle operations. return NFS4ERR_WRONGSEC to the first N-1 put filehandle operations.
The N'th put filehandle operation is handled as if it is the first in The Nth put filehandle operation is handled as if it is the first in
a subseries of operations. For example if the server received PUTFH, a subseries of operations. For example, if the server received a
PUTROOTFH, LOOKUP, then the PUTFH is ignored for NFS4ERR_WRONGSEC COMPOUND request with this series of operations -- PUTFH, PUTROOTFH,
LOOKUP -- then the PUTFH operation is ignored for NFS4ERR_WRONGSEC
purposes, and the PUTROOTFH, LOOKUP subseries is processed as purposes, and the PUTROOTFH, LOOKUP subseries is processed as
according to Section 2.6.3.1.1.3. according to Section 2.6.3.1.1.3.
2.6.3.1.1.3. Put Filehandle Operation + LOOKUP (or OPEN of an Existing 2.6.3.1.1.3. Put Filehandle Operation + LOOKUP (or OPEN of an Existing
Name) Name)
This situation also applies to a put filehandle operation followed by This situation also applies to a put filehandle operation followed by
a LOOKUP or an OPEN operation that specifies an existing component a LOOKUP or an OPEN operation that specifies an existing component
name. name.
In this situation, the client is potentially crossing a security In this situation, the client is potentially crossing a security
policy boundary, and the set of security tuples the parent directory policy boundary, and the set of security tuples the parent directory
supports may differ from those of the child. The server supports may differ from those of the child. The server
implementation may decide whether to impose any restrictions on implementation may decide whether to impose any restrictions on
security policy administration. There are at least three approaches security policy administration. There are at least three approaches
(sec_policy_child is the tuple set of the child export, (sec_policy_child is the tuple set of the child export,
sec_policy_parent is that of the parent). sec_policy_parent is that of the parent).
a) sec_policy_child <= sec_policy_parent (<= for subset). This (a) sec_policy_child <= sec_policy_parent (<= for subset). This
means that the set of security tuples specified on the security means that the set of security tuples specified on the security
policy of a child directory is always a subset of that of its policy of a child directory is always a subset of its parent
parent directory. directory.
b) sec_policy_child ^ sec_policy_parent != {} (^ for intersection, (b) sec_policy_child ^ sec_policy_parent != {} (^ for intersection,
{} for the empty set). This means that the security tuples {} for the empty set). This means that the set of security
specified on the security policy of a child directory always has a tuples specified on the security policy of a child directory
non empty intersection with that of the parent. always has a non-empty intersection with that of the parent.
c) sec_policy_child ^ sec_policy_parent == {}. This means that (c) sec_policy_child ^ sec_policy_parent == {}. This means that the
the set of tuples specified on the security policy of a child set of security tuples specified on the security policy of a
directory may not intersect with that of the parent. In other child directory may not intersect with that of the parent. In
words, there are no restrictions on how the system administrator other words, there are no restrictions on how the system
may set up these tuples. administrator may set up these tuples.
In order for a server to support approaches (b) (for the case when a In order for a server to support approaches (b) (for the case when a
client chooses a flavor that is not a member of sec_policy_parent) client chooses a flavor that is not a member of sec_policy_parent)
and (c), the put filehandle operation cannot return NFS4ERR_WRONGSEC and (c), the put filehandle operation cannot return NFS4ERR_WRONGSEC
when there is a security tuple mismatch. Instead, it should be when there is a security tuple mismatch. Instead, it should be
returned from the LOOKUP (or OPEN by existing component name) that returned from the LOOKUP (or OPEN by existing component name) that
follows. follows.
Since the above guideline does not contradict approach (a), it should Since the above guideline does not contradict approach (a), it should
be followed in general. Even if approach (a) is implemented, it is be followed in general. Even if approach (a) is implemented, it is
skipping to change at page 35, line 7 skipping to change at page 32, line 37
the client's only recourse is to send the put filehandle operation, the client's only recourse is to send the put filehandle operation,
LOOKUPP, GETFH sequence of operations with every security tuple it LOOKUPP, GETFH sequence of operations with every security tuple it
supports. supports.
Regardless of whether SECINFO_NO_NAME is supported, an NFSv4.1 server Regardless of whether SECINFO_NO_NAME is supported, an NFSv4.1 server
MUST NOT return NFS4ERR_WRONGSEC in response to a put filehandle MUST NOT return NFS4ERR_WRONGSEC in response to a put filehandle
operation if the operation is immediately followed by a LOOKUPP. operation if the operation is immediately followed by a LOOKUPP.
2.6.3.1.1.5. Put Filehandle Operation + SECINFO/SECINFO_NO_NAME 2.6.3.1.1.5. Put Filehandle Operation + SECINFO/SECINFO_NO_NAME
A security sensitive client is allowed to choose a strong security A security-sensitive client is allowed to choose a strong security
tuple when querying a server to determine a file object's permitted tuple when querying a server to determine a file object's permitted
security tuples. The security tuple chosen by the client does not security tuples. The security tuple chosen by the client does not
have to be included in the tuple list of the security policy of the have to be included in the tuple list of the security policy of
either parent directory indicated in the put filehandle operation, or either the parent directory indicated in the put filehandle operation
the child file object indicated in SECINFO (or any parent directory or the child file object indicated in SECINFO (or any parent
indicated in SECINFO_NO_NAME). Of course the server has to be directory indicated in SECINFO_NO_NAME). Of course, the server has
configured for whatever security tuple the client selects, otherwise to be configured for whatever security tuple the client selects;
the request will fail at RPC layer with an appropriate authentication otherwise, the request will fail at the RPC layer with an appropriate
error. authentication error.
In theory, there is no connection between the security flavor used by In theory, there is no connection between the security flavor used by
SECINFO or SECINFO_NO_NAME and those supported by the security SECINFO or SECINFO_NO_NAME and those supported by the security
policy. But in practice, the client may start looking for strong policy. But in practice, the client may start looking for strong
flavors from those supported by the security policy, followed by flavors from those supported by the security policy, followed by
those in the REQUIRED set. those in the REQUIRED set.
The NFSv4.1 server MUST NOT return NFS4ERR_WRONGSEC to a put The NFSv4.1 server MUST NOT return NFS4ERR_WRONGSEC to a put
filehandle operation that is immediately followed by SECINFO or filehandle operation that is immediately followed by SECINFO or
SECINFO_NO_NAME. The NFSv4.1 server MUST NOT return NFS4ERR_WRONGSEC SECINFO_NO_NAME. The NFSv4.1 server MUST NOT return NFS4ERR_WRONGSEC
skipping to change at page 35, line 38 skipping to change at page 33, line 19
2.6.3.1.1.6. Put Filehandle Operation + Nothing 2.6.3.1.1.6. Put Filehandle Operation + Nothing
The NFSv4.1 server MUST NOT return NFS4ERR_WRONGSEC. The NFSv4.1 server MUST NOT return NFS4ERR_WRONGSEC.
2.6.3.1.1.7. Put Filehandle Operation + Anything Else 2.6.3.1.1.7. Put Filehandle Operation + Anything Else
"Anything Else" includes OPEN by filehandle. "Anything Else" includes OPEN by filehandle.
The security policy enforcement applies to the filehandle specified The security policy enforcement applies to the filehandle specified
in the put filehandle operation. Therefore the put filehandle in the put filehandle operation. Therefore, the put filehandle
operation MUST return NFS4ERR_WRONGSEC when there is a security tuple operation MUST return NFS4ERR_WRONGSEC when there is a security tuple
mismatch. This avoids the complexity adding NFS4ERR_WRONGSEC as an mismatch. This avoids the complexity of adding NFS4ERR_WRONGSEC as
allowable error to every other operation. an allowable error to every other operation.
A COMPOUND containing the series put filehandle operation + A COMPOUND containing the series put filehandle operation +
SECINFO_NO_NAME (style SECINFO_STYLE4_CURRENT_FH) is an efficient way SECINFO_NO_NAME (style SECINFO_STYLE4_CURRENT_FH) is an efficient way
for the client to recover from NFS4ERR_WRONGSEC. for the client to recover from NFS4ERR_WRONGSEC.
The NFSv4.1 server MUST NOT return NFS4ERR_WRONGSEC to any operation The NFSv4.1 server MUST NOT return NFS4ERR_WRONGSEC to any operation
other than a put filehandle operation, LOOKUP, LOOKUPP, and OPEN (by other than a put filehandle operation, LOOKUP, LOOKUPP, and OPEN (by
component name). component name).
2.6.3.1.1.8. Operations after SECINFO and SECINFO_NO_NAME 2.6.3.1.1.8. Operations after SECINFO and SECINFO_NO_NAME
skipping to change at page 36, line 20 skipping to change at page 33, line 47
Section 2.6.3.1.1.5), neither PUTFH nor SECINFO_NO_NAME can return Section 2.6.3.1.1.5), neither PUTFH nor SECINFO_NO_NAME can return
NFS4ERR_WRONGSEC. By rule (see Section 2.6.3.1.1.7), READ cannot NFS4ERR_WRONGSEC. By rule (see Section 2.6.3.1.1.7), READ cannot
return NFS4ERR_WRONGSEC. The issue is resolved by the fact that return NFS4ERR_WRONGSEC. The issue is resolved by the fact that
SECINFO and SECINFO_NO_NAME consume the current filehandle (note that SECINFO and SECINFO_NO_NAME consume the current filehandle (note that
this is a change from NFSv4.0). This leaves no current filehandle this is a change from NFSv4.0). This leaves no current filehandle
for READ to use, and READ returns NFS4ERR_NOFILEHANDLE. for READ to use, and READ returns NFS4ERR_NOFILEHANDLE.
2.6.3.1.2. LINK and RENAME 2.6.3.1.2. LINK and RENAME
The LINK and RENAME operations use both the current and saved The LINK and RENAME operations use both the current and saved
filehandles. When the current filehandle is injected into a series filehandles. Technically, the server MAY return NFS4ERR_WRONGSEC
of operations via a put filehandle operation, the server MUST return from LINK or RENAME if the security policy of the saved filehandle
NFS4ERR_WRONGSEC, per Section 2.6.3.1.1. LINK and RENAME MAY return
NFS4ERR_WRONGSEC if the security policy of the saved filehandle
rejects the security flavor used in the COMPOUND request's rejects the security flavor used in the COMPOUND request's
credentials. If the server does so, then if there is no intersection credentials. If the server does so, then if there is no intersection
between the security policies of saved and current filehandles, this between the security policies of saved and current filehandles, this
means it will be impossible for client to perform the intended LINK means that it will be impossible for the client to perform the
or RENAME operation. intended LINK or RENAME operation.
For example, suppose the client sends this COMPOUND request: For example, suppose the client sends this COMPOUND request:
SEQUENCE, PUTFH bFH, SAVEFH, PUTFH aFH, RENAME "c" "d", where SEQUENCE, PUTFH bFH, SAVEFH, PUTFH aFH, RENAME "c" "d", where
filehandles bFH and aFH refer to different directories. Suppose no filehandles bFH and aFH refer to different directories. Suppose no
common security tuple exists between the security policies of aFH and common security tuple exists between the security policies of aFH and
bFH. If the client sends the request using credentials acceptable to bFH. If the client sends the request using credentials acceptable to
bFH's security policy but not aFH's policy, then the PUTFH aFH bFH's security policy but not aFH's policy, then the PUTFH aFH
operation will fail with NFS4ERR_WRONGSEC. After a SECINFO_NO_NAME operation will fail with NFS4ERR_WRONGSEC. After a SECINFO_NO_NAME
request, the client sends SEQUENCE, PUTFH bFH, SAVEFH, PUTFH aFH, request, the client sends SEQUENCE, PUTFH bFH, SAVEFH, PUTFH aFH,
RENAME "c" "d", using credentials acceptable to aFH's security RENAME "c" "d", using credentials acceptable to aFH's security policy
policy, but not bFH's policy. The server returns NFS4ERR_WRONGSEC on but not bFH's policy. The server returns NFS4ERR_WRONGSEC on the
the RENAME operation. RENAME operation.
To prevent a client from an endless sequence of a request containing To prevent a client from an endless sequence of a request containing
LINK or RENAME, followed by a request containing SECINFO_NO_NAME, the LINK or RENAME, followed by a request containing SECINFO_NO_NAME or
server MUST detect when the security policies of the current and SECINFO, the server MUST detect when the security policies of the
saved filehandles have no mutually acceptable security tuple, and current and saved filehandles have no mutually acceptable security
MUST NOT return NFS4ERR_WRONGSEC in that situation. Instead the tuple, and MUST NOT return NFS4ERR_WRONGSEC from LINK or RENAME in
server MUST return NFS4ERR_XDEV. that situation. Instead the server MUST do one of two things:
Thus while a server MAY return NFS4ERR_WRONGSEC from LINK and RENAME, o The server can return NFS4ERR_XDEV.
the server implementor may reasonably decide the consequences are not
worth the security benefits, and so allow the security policy of the o The server can allow the security policy of the current filehandle
current filehandle to override that of the saved filehandle. to override that of the saved filehandle, and so return NFS4_OK.
2.7. Minor Versioning 2.7. Minor Versioning
To address the requirement of an NFS protocol that can evolve as the To address the requirement of an NFS protocol that can evolve as the
need arises, the NFSv4.1 protocol contains the rules and framework to need arises, the NFSv4.1 protocol contains the rules and framework to
allow for future minor changes or versioning. allow for future minor changes or versioning.
The base assumption with respect to minor versioning is that any The base assumption with respect to minor versioning is that any
future accepted minor version will be documented in one or more future accepted minor version will be documented in one or more
standards track RFCs. Minor version zero of the NFSv4 protocol is Standards Track RFCs. Minor version 0 of the NFSv4 protocol is
represented by [29], and minor version one is represented by this represented by [30], and minor version 1 is represented by this RFC.
document [[Comment.1: RFC Editor: change "document" to "RFC" when we The COMPOUND and CB_COMPOUND procedures support the encoding of the
publish]]. The COMPOUND and CB_COMPOUND procedures support the minor version being requested by the client.
encoding of the minor version being requested by the client.
The following items represent the basic rules for the development of The following items represent the basic rules for the development of
minor versions. Note that a future minor version may modify or add minor versions. Note that a future minor version may modify or add
to the following rules as part of the minor version definition. to the following rules as part of the minor version definition.
1. Procedures are not added or deleted 1. Procedures are not added or deleted.
To maintain the general RPC model, NFSv4 minor versions will not To maintain the general RPC model, NFSv4 minor versions will not
add to or delete procedures from the NFS program. add to or delete procedures from the NFS program.
2. Minor versions may add operations to the COMPOUND and 2. Minor versions may add operations to the COMPOUND and
CB_COMPOUND procedures. CB_COMPOUND procedures.
The addition of operations to the COMPOUND and CB_COMPOUND The addition of operations to the COMPOUND and CB_COMPOUND
procedures does not affect the RPC model. procedures does not affect the RPC model.
* Minor versions may append attributes to the bitmap4 that * Minor versions may append attributes to the bitmap4 that
represents sets of attributes and the fattr4 that represents represents sets of attributes and to the fattr4 that
sets of attribute values. represents sets of attribute values.
This allows for the expansion of the attribute model to allow This allows for the expansion of the attribute model to allow
for future growth or adaptation. for future growth or adaptation.
* Minor version X must append any new attributes after the last * Minor version X must append any new attributes after the last
documented attribute. documented attribute.
Since attribute results are specified as an opaque array of Since attribute results are specified as an opaque array of
per-attribute XDR encoded results, the complexity of adding per-attribute, XDR-encoded results, the complexity of adding
new attributes in the midst of the current definitions would new attributes in the midst of the current definitions would
be too burdensome. be too burdensome.
3. Minor versions must not modify the structure of an existing 3. Minor versions must not modify the structure of an existing
operation's arguments or results. operation's arguments or results.
Again the complexity of handling multiple structure definitions Again, the complexity of handling multiple structure definitions
for a single operation is too burdensome. New operations should for a single operation is too burdensome. New operations should
be added instead of modifying existing structures for a minor be added instead of modifying existing structures for a minor
version. version.
This rule does not preclude the following adaptations in a minor This rule does not preclude the following adaptations in a minor
version. version:
* adding bits to flag fields such as new attributes to * adding bits to flag fields, such as new attributes to
GETATTR's bitmap4 data type and providing corresponding GETATTR's bitmap4 data type, and providing corresponding
variants of opaque arrays, such as a notify4 used together variants of opaque arrays, such as a notify4 used together
with such bitmaps. with such bitmaps
* adding bits to existing attributes like ACLs that have flag * adding bits to existing attributes like ACLs that have flag
words words
* extending enumerated types (including NFS4ERR_*) with new * extending enumerated types (including NFS4ERR_*) with new
values values
* adding cases to a switched union * adding cases to a switched union
4. Minor versions must not modify the structure of existing 4. Minor versions must not modify the structure of existing
skipping to change at page 38, line 38 skipping to change at page 36, line 21
This prevents the potential reuse of a particular operation This prevents the potential reuse of a particular operation
"slot" in a future minor version. "slot" in a future minor version.
6. Minor versions must not delete attributes. 6. Minor versions must not delete attributes.
7. Minor versions must not delete flag bits or enumeration values. 7. Minor versions must not delete flag bits or enumeration values.
8. Minor versions may declare an operation MUST NOT be implemented. 8. Minor versions may declare an operation MUST NOT be implemented.
Specifying an operation MUST NOT be implemented is equivalent to Specifying that an operation MUST NOT be implemented is
obsoleting an operation. For the client, it means that the equivalent to obsoleting an operation. For the client, it means
operation should not be sent to the server. For the server, an that the operation MUST NOT be sent to the server. For the
NFS error can be returned as opposed to "dropping" the request server, an NFS error can be returned as opposed to "dropping"
as an XDR decode error. This approach allows for the the request as an XDR decode error. This approach allows for
obsolescence of an operation while maintaining its structure so the obsolescence of an operation while maintaining its structure
that a future minor version can reintroduce the operation. so that a future minor version can reintroduce the operation.
1. Minor versions may declare an attribute MUST NOT be 1. Minor versions may declare that an attribute MUST NOT be
implemented. implemented.
2. Minor versions may declare a flag bit or enumeration value 2. Minor versions may declare that a flag bit or enumeration
MUST NOT be implemented. value MUST NOT be implemented.
9. Minor versions may downgrade features from REQUIRED to 9. Minor versions may downgrade features from REQUIRED to
RECOMMENDED, or RECOMMENDED to OPTIONAL. RECOMMENDED, or RECOMMENDED to OPTIONAL.
10. Minor versions may upgrade features from OPTIONAL to RECOMMENDED 10. Minor versions may upgrade features from OPTIONAL to
or RECOMMENDED to REQUIRED. RECOMMENDED, or RECOMMENDED to REQUIRED.
11. A client and server that supports minor version X should support 11. A client and server that support minor version X SHOULD support
minor versions 0 (zero) through X-1 as well. minor versions zero through X-1 as well.
12. Except for infrastructural changes, a minor version must not 12. Except for infrastructural changes, a minor version must not
introduce REQUIRED new features. introduce REQUIRED new features.
This rule allows for the introduction of new functionality and This rule allows for the introduction of new functionality and
forces the use of implementation experience before designating a forces the use of implementation experience before designating a
feature as REQUIRED. On the other hand, some classes of feature as REQUIRED. On the other hand, some classes of
features are infrastructural and have broad effects. Allowing features are infrastructural and have broad effects. Allowing
infrastructural features to be RECOMMENDED or OPTIONAL infrastructural features to be RECOMMENDED or OPTIONAL
complicates implementation of the minor version. complicates implementation of the minor version.
13. A client MUST NOT attempt to use a stateid, filehandle, or 13. A client MUST NOT attempt to use a stateid, filehandle, or
similar returned object from the COMPOUND procedure with minor similar returned object from the COMPOUND procedure with minor
version X for another COMPOUND procedure with minor version Y, version X for another COMPOUND procedure with minor version Y,
where X != Y. where X != Y.
2.8. Non-RPC-based Security Services 2.8. Non-RPC-Based Security Services
As described in Section 2.2.1.1.1.1, NFSv4.1 relies on RPC for As described in Section 2.2.1.1.1.1, NFSv4.1 relies on RPC for
identification, authentication, integrity, and privacy. NFSv4.1 identification, authentication, integrity, and privacy. NFSv4.1
itself provides or enables additional security services as described itself provides or enables additional security services as described
in the next several subsections. in the next several subsections.
2.8.1. Authorization 2.8.1. Authorization
Authorization to access a file object via an NFSv4.1 operation is Authorization to access a file object via an NFSv4.1 operation is
ultimately determined by the NFSv4.1 server. A client can ultimately determined by the NFSv4.1 server. A client can
predetermine its access to a file object via the OPEN (Section 18.16) predetermine its access to a file object via the OPEN (Section 18.16)
and the ACCESS (Section 18.1) operations. and the ACCESS (Section 18.1) operations.
Principals with appropriate access rights can modify the Principals with appropriate access rights can modify the
authorization on a file object via the SETATTR (Section 18.30) authorization on a file object via the SETATTR (Section 18.30)
operation. Attributes that affect access rights include: mode, operation. Attributes that affect access rights include mode, owner,
owner, owner_group, acl, dacl, and sacl. See Section 5. owner_group, acl, dacl, and sacl. See Section 5.
2.8.2. Auditing 2.8.2. Auditing
NFSv4.1 provides auditing on a per file object basis, via the acl and NFSv4.1 provides auditing on a per-file object basis, via the acl and
sacl attributes as described in Section 6. It is outside the scope sacl attributes as described in Section 6. It is outside the scope
of this specification to specify audit log formats or management of this specification to specify audit log formats or management
policies. policies.
2.8.3. Intrusion Detection 2.8.3. Intrusion Detection
NFSv4.1 provides alarm control on a per file object basis, via the NFSv4.1 provides alarm control on a per-file object basis, via the
acl and sacl attributes as described in Section 6. Alarms may serve acl and sacl attributes as described in Section 6. Alarms may serve
as the basis for intrusion detection. It is outside the scope of as the basis for intrusion detection. It is outside the scope of
this specification to specify heuristics for detecting intrusion via this specification to specify heuristics for detecting intrusion via
alarms. alarms.
2.9. Transport Layers 2.9. Transport Layers
2.9.1. REQUIRED and RECOMMENDED Properties of Transports 2.9.1. REQUIRED and RECOMMENDED Properties of Transports
NFSv4.1 works over RDMA and non-RDMA-based transports with the NFSv4.1 works over Remote Direct Memory Access (RDMA) and non-RDMA-
following attributes: based transports with the following attributes:
o The transport supports reliable delivery of data, which NFSv4.1 o The transport supports reliable delivery of data, which NFSv4.1
requires but neither NFSv4.1 nor RPC has facilities for ensuring. requires but neither NFSv4.1 nor RPC has facilities for ensuring
[33] [34].
o The transport delivers data in the order it was sent. Ordered o The transport delivers data in the order it was sent. Ordered
delivery simplifies detection of transmit errors, and simplifies delivery simplifies detection of transmit errors, and simplifies
the sending of arbitrary sized requests and responses, via the the sending of arbitrary sized requests and responses via the
record marking protocol [3]. record marking protocol [3].
Where an NFSv4.1 implementation supports operation over the IP Where an NFSv4.1 implementation supports operation over the IP
network protocol, any transport used between NFS and IP MUST be among network protocol, any transport used between NFS and IP MUST be among
the IETF-approved congestion control transport protocols. At the the IETF-approved congestion control transport protocols. At the
time this document was written, the only two transports that had the time this document was written, the only two transports that had the
above attributes were TCP and SCTP. To enhance the possibilities for above attributes were TCP and the Stream Control Transmission
interoperability, an NFSv4.1 implementation MUST support operation Protocol (SCTP). To enhance the possibilities for interoperability,
over the TCP transport protocol. an NFSv4.1 implementation MUST support operation over the TCP
transport protocol.
Even if NFSv4.1 is used over a non-IP network protocol, it is Even if NFSv4.1 is used over a non-IP network protocol, it is
RECOMMENDED that the transport support congestion control. RECOMMENDED that the transport support congestion control.
It is permissible for a connectionless transport to be used under It is permissible for a connectionless transport to be used under
NFSv4.1, however reliable and in-order delivery of data combined with NFSv4.1; however, reliable and in-order delivery of data combined
congestion control by the connectionless transport is REQUIRED; as a with congestion control by the connectionless transport is REQUIRED.
consequence UDP by itself MUST NOT be used as an NFSv4.1 transport. As a consequence, UDP by itself MUST NOT be used as an NFSv4.1
NFSv4.1 assumes that a client transport address and server transport transport. NFSv4.1 assumes that a client transport address and
address used to send data over a transport together constitute a server transport address used to send data over a transport together
connection, even if the underlying transport eschews the concept of a constitute a connection, even if the underlying transport eschews the
connection. concept of a connection.
2.9.2. Client and Server Transport Behavior 2.9.2. Client and Server Transport Behavior
If a connection-oriented transport (e.g. TCP) is used, the client If a connection-oriented transport (e.g., TCP) is used, the client
and server SHOULD use long lived connections for at least three and server SHOULD use long-lived connections for at least three
reasons: reasons:
1. This will prevent the weakening of the transport's congestion 1. This will prevent the weakening of the transport's congestion
control mechanisms via short lived connections. control mechanisms via short-lived connections.
2. This will improve performance for the WAN environment by 2. This will improve performance for the WAN environment by
eliminating the need for connection setup handshakes. eliminating the need for connection setup handshakes.
3. The NFSv4.1 callback model differs from NFSv4.0, and requires the 3. The NFSv4.1 callback model differs from NFSv4.0, and requires the
client and server to maintain a client-created backchannel (see client and server to maintain a client-created backchannel (see
Section 2.10.3.1) for the server to use. Section 2.10.3.1) for the server to use.
In order to reduce congestion, if a connection-oriented transport is In order to reduce congestion, if a connection-oriented transport is
used, and the request is not the NULL procedure, used, and the request is not the NULL procedure:
o A requester MUST NOT retry a request unless the connection the o A requester MUST NOT retry a request unless the connection the
request was sent over was lost before the reply was received. request was sent over was lost before the reply was received.
o A replier MUST NOT silently drop a request, even if the request is o A replier MUST NOT silently drop a request, even if the request is
a retry. (The silent drop behavior of RPCSEC_GSS [4] does not a retry. (The silent drop behavior of RPCSEC_GSS [4] does not
apply because this behavior happens at the RPCSEC_GSS layer, a apply because this behavior happens at the RPCSEC_GSS layer, a
lower layer in the request processing). Instead, the replier lower layer in the request processing.) Instead, the replier
SHOULD return an appropriate error (see Section 2.10.6.1) or it SHOULD return an appropriate error (see Section 2.10.6.1), or it
MAY disconnect the connection. MAY disconnect the connection.
When sending a reply, the replier MUST send the reply to the same When sending a reply, the replier MUST send the reply to the same
full network address (e.g. if using an IP-based transport, the source full network address (e.g., if using an IP-based transport, the
port of the requester is part of the full network address) that the source port of the requester is part of the full network address)
requester sent the request from. If using a connection-oriented from which the requester sent the request. If using a connection-
transport, replies MUST be sent on the same connection the request oriented transport, replies MUST be sent on the same connection from
was received from. which the request was received.
If a connection is dropped after the replier receives the request but If a connection is dropped after the replier receives the request but
before the replier sends the reply, the replier might have an pending before the replier sends the reply, the replier might have a pending
reply. If a connection is established with the same source and reply. If a connection is established with the same source and
destination full network address as the dropped connection, then the destination full network address as the dropped connection, then the
replier MUST NOT send the reply until the client retries the request. replier MUST NOT send the reply until the requester retries the
The reason for this prohibition is that the client MAY retry a request. The reason for this prohibition is that the requester MAY
request over a different connection than is associated with the retry a request over a different connection (provided that connection
session. is associated with the original request's session).
When using RDMA transports there are other reasons for not tolerating When using RDMA transports, there are other reasons for not
retries over the same connection: tolerating retries over the same connection:
o RDMA transports use "credits" to enforce flow control, where a o RDMA transports use "credits" to enforce flow control, where a
credit is a right to a peer to transmit a message. If one peer credit is a right to a peer to transmit a message. If one peer
were to retransmit a request (or reply), it would consume an were to retransmit a request (or reply), it would consume an
additional credit. If the replier retransmitted a reply, it would additional credit. If the replier retransmitted a reply, it would
certainly result in an RDMA connection loss, since the requester certainly result in an RDMA connection loss, since the requester
would typically only post a single receive buffer for each would typically only post a single receive buffer for each
request. If the requester retransmitted a request, the additional request. If the requester retransmitted a request, the additional
credit consumed on the server might lead to RDMA connection credit consumed on the server might lead to RDMA connection
failure unless the client accounted for it and decreased its failure unless the client accounted for it and decreased its
skipping to change at page 42, line 31 skipping to change at page 40, line 11
contents must not be blindly used when replies are sent from it, contents must not be blindly used when replies are sent from it,
and credit information appropriate to the channel must be and credit information appropriate to the channel must be
refreshed by the RPC layer. refreshed by the RPC layer.
In addition, as described in Section 2.10.6.2, while a session is In addition, as described in Section 2.10.6.2, while a session is
active, the NFSv4.1 requester MUST NOT stop waiting for a reply. active, the NFSv4.1 requester MUST NOT stop waiting for a reply.
2.9.3. Ports 2.9.3. Ports
Historically, NFSv3 servers have listened over TCP port 2049. The Historically, NFSv3 servers have listened over TCP port 2049. The
registered port 2049 [34] for the NFS protocol should be the default registered port 2049 [35] for the NFS protocol should be the default
configuration. NFSv4.1 clients SHOULD NOT use the RPC binding configuration. NFSv4.1 clients SHOULD NOT use the RPC binding
protocols as described in [35]. protocols as described in [36].
2.10. Session 2.10. Session
NFSv4.1 clients and servers MUST support and MUST use the session NFSv4.1 clients and servers MUST support and MUST use the session
feature as described in this section. feature as described in this section.
2.10.1. Motivation and Overview 2.10.1. Motivation and Overview
Previous versions and minor versions of NFS have suffered from the Previous versions and minor versions of NFS have suffered from the
following: following:
skipping to change at page 43, line 20 skipping to change at page 40, line 47
shortfalls with practical solutions: shortfalls with practical solutions:
o EOS is enabled by a reply cache with a bounded size, making it o EOS is enabled by a reply cache with a bounded size, making it
feasible to keep the cache in persistent storage and enable EOS feasible to keep the cache in persistent storage and enable EOS
through server failure and recovery. One reason that previous through server failure and recovery. One reason that previous
revisions of NFS did not support EOS was because some EOS revisions of NFS did not support EOS was because some EOS
approaches often limited parallelism. As will be explained in approaches often limited parallelism. As will be explained in
Section 2.10.6, NFSv4.1 supports both EOS and unlimited Section 2.10.6, NFSv4.1 supports both EOS and unlimited
parallelism. parallelism.
o The NFSv4.1 client (defined in Section 1.5, Paragraph 2) creates o The NFSv4.1 client (defined in Section 1.6, Paragraph 2) creates
transport connections and provides them to the server to use for transport connections and provides them to the server to use for
sending callback requests, thus solving the firewall issue sending callback requests, thus solving the firewall issue
(Section 18.34). Races between responses from client requests, (Section 18.34). Races between responses from client requests and
and callbacks caused by the requests are detected via the callbacks caused by the requests are detected via the session's
session's sequencing properties which are a consequence of EOS sequencing properties that are a consequence of EOS
(Section 2.10.6.3). (Section 2.10.6.3).
o The NFSv4.1 client can add an arbitrary number of connections to o The NFSv4.1 client can associate an arbitrary number of
the session, and thus provide trunking (Section 2.10.5). connections with the session, and thus provide trunking
(Section 2.10.5).
o The NFSv4.1 client and server produces a session key independent o The NFSv4.1 client and server produces a session key independent
of client and server machine credentials which can be used to of client and server machine credentials which can be used to
compute a digest for protecting critical session management compute a digest for protecting critical session management
operations (Section 2.10.8.3). operations (Section 2.10.8.3).
o The NFSv4.1 client can also create secure RPCSEC_GSS contexts for o The NFSv4.1 client can also create secure RPCSEC_GSS contexts for
use by the session's backchannel that do not require the server to use by the session's backchannel that do not require the server to
authenticate to a client machine principal (Section 2.10.8.2). authenticate to a client machine principal (Section 2.10.8.2).
A session is a dynamically created, long-lived server object created A session is a dynamically created, long-lived server object created
by a client, used over time from one or more transport connections. by a client and used over time from one or more transport
Its function is to maintain the server's state relative to the connections. Its function is to maintain the server's state relative
connection(s) belonging to a client instance. This state is entirely to the connection(s) belonging to a client instance. This state is
independent of the connection itself, and indeed the state exists entirely independent of the connection itself, and indeed the state
whether the connection exists or not. A client may have one or more exists whether or not the connection exists. A client may have one
sessions associated with it so that client-associated state may be or more sessions associated with it so that client-associated state
accessed using any of the sessions associated with that client's may be accessed using any of the sessions associated with that
client ID, when connections are associated with those sessions. When client's client ID, when connections are associated with those
no connections are associated with any of a client ID's sessions for sessions. When no connections are associated with any of a client
an extended time, such objects as locks, opens, delegations, layouts, ID's sessions for an extended time, such objects as locks, opens,
etc. are subject to expiration. The session serves as an object delegations, layouts, etc. are subject to expiration. The session
representing a means of access by a client to the associated client serves as an object representing a means of access by a client to the
state on the server, independent of the physical means of access to associated client state on the server, independent of the physical
that state. means of access to that state.
A single client may create multiple sessions. A single session MUST A single client may create multiple sessions. A single session MUST
NOT serve multiple clients. NOT serve multiple clients.
2.10.2. NFSv4 Integration 2.10.2. NFSv4 Integration
Sessions are part of NFSv4.1 and not NFSv4.0. Normally, a major Sessions are part of NFSv4.1 and not NFSv4.0. Normally, a major
infrastructure change such as sessions would require a new major infrastructure change such as sessions would require a new major
version number to an ONC RPC program like NFS. However, because version number to an Open Network Computing (ONC) RPC program like
NFSv4 encapsulates its functionality in a single procedure, COMPOUND, NFS. However, because NFSv4 encapsulates its functionality in a
and because COMPOUND can support an arbitrary number of operations, single procedure, COMPOUND, and because COMPOUND can support an
sessions have been added to NFSv4.1 with little difficulty. COMPOUND arbitrary number of operations, sessions have been added to NFSv4.1
includes a minor version number field, and for NFSv4.1 this minor with little difficulty. COMPOUND includes a minor version number
version is set to 1. When the NFSv4 server processes a COMPOUND with field, and for NFSv4.1 this minor version is set to 1. When the
the minor version set to 1, it expects a different set of operations NFSv4 server processes a COMPOUND with the minor version set to 1, it
than it does for NFSv4.0. NFSv4.1 defines the SEQUENCE operation, expects a different set of operations than it does for NFSv4.0.
which is required for every COMPOUND that operates over an
established session, with the exception of some session NFSv4.1 defines the SEQUENCE operation, which is required for every
administration operations, such as DESTROY_SESSION (Section 18.37). COMPOUND that operates over an established session, with the
exception of some session administration operations, such as
DESTROY_SESSION (Section 18.37).
2.10.2.1. SEQUENCE and CB_SEQUENCE 2.10.2.1. SEQUENCE and CB_SEQUENCE
In NFSv4.1, when the SEQUENCE operation is present, it MUST be the In NFSv4.1, when the SEQUENCE operation is present, it MUST be the
first operation in the COMPOUND procedure. The primary purpose of first operation in the COMPOUND procedure. The primary purpose of
SEQUENCE is to carry the session identifier. The session identifier SEQUENCE is to carry the session identifier. The session identifier
associates all other operations in the COMPOUND procedure with a associates all other operations in the COMPOUND procedure with a
particular session. SEQUENCE also contains required information for particular session. SEQUENCE also contains required information for
maintaining EOS (see Section 2.10.6). Session-enabled NFSv4.1 maintaining EOS (see Section 2.10.6). Session-enabled NFSv4.1
COMPOUND requests thus have the form: COMPOUND requests thus have the form:
skipping to change at page 45, line 15 skipping to change at page 42, line 47
"callback_ident", which is superfluous in NFSv4.1 and MUST be ignored "callback_ident", which is superfluous in NFSv4.1 and MUST be ignored
by the client. CB_SEQUENCE has the same information as SEQUENCE, and by the client. CB_SEQUENCE has the same information as SEQUENCE, and
also includes other information needed to resolve callback races also includes other information needed to resolve callback races
(Section 2.10.6.3). (Section 2.10.6.3).
2.10.2.2. Client ID and Session Association 2.10.2.2. Client ID and Session Association
Each client ID (Section 2.4) can have zero or more active sessions. Each client ID (Section 2.4) can have zero or more active sessions.
A client ID and associated session are required to perform file A client ID and associated session are required to perform file
access in NFSv4.1. Each time a session is used (whether by a client access in NFSv4.1. Each time a session is used (whether by a client
sending a request to the server, or the client replying to a callback sending a request to the server or the client replying to a callback
request from the server), the state leased to its associated client request from the server), the state leased to its associated client
ID is automatically renewed. ID is automatically renewed.
State such as share reservations, locks, delegations, and layouts State (which can consist of share reservations, locks, delegations,
(Section 1.6.4) is tied to the client ID. Client state is not tied and layouts (Section 1.7.4)) is tied to the client ID. Client state
to any individual session. Successive state changing operations from is not tied to any individual session. Successive state changing
a given state owner MAY go over different sessions, provided the operations from a given state owner MAY go over different sessions,
session is associated with the same client ID. A callback MAY arrive provided the session is associated with the same client ID. A
over a different session than from the session that originally callback MAY arrive over a different session than that of the request
acquired the state pertaining to the callback. For example, if that originally acquired the state pertaining to the callback. For
session A is used to acquire a delegation, a request to recall the example, if session A is used to acquire a delegation, a request to
delegation MAY arrive over session B if both sessions are associated recall the delegation MAY arrive over session B if both sessions are
with the same client ID. Section 2.10.8.1 and Section 2.10.8.2 associated with the same client ID. Sections 2.10.8.1 and 2.10.8.2
discuss the security considerations around callbacks. discuss the security considerations around callbacks.
2.10.3. Channels 2.10.3. Channels
A channel is not a connection. A channel represents the direction A channel is not a connection. A channel represents the direction
ONC RPC requests are sent. ONC RPC requests are sent.
Each session has one or two channels: the fore channel and the Each session has one or two channels: the fore channel and the
backchannel. Because there are at most two channels per session, and backchannel. Because there are at most two channels per session, and
because each channel has a distinct purpose, channels are not because each channel has a distinct purpose, channels are not
assigned identifiers. assigned identifiers.
The fore channel is used for ordinary requests from the client to the The fore channel is used for ordinary requests from the client to the
server, and carries COMPOUND requests and responses. A session server, and carries COMPOUND requests and responses. A session
always has a fore channel. always has a fore channel.
The backchannel used for callback requests from server to client, and The backchannel is used for callback requests from server to client,
carries CB_COMPOUND requests and responses. Whether there is a and carries CB_COMPOUND requests and responses. Whether or not there
backchannel or not is a decision by the client, however many features is a backchannel is a decision made by the client; however, many
of NFSv4.1 require a backchannel. NFSv4.1 servers MUST support features of NFSv4.1 require a backchannel. NFSv4.1 servers MUST
backchannels. support backchannels.
Each session has resources for each channel, including separate reply Each session has resources for each channel, including separate reply
caches (see Section 2.10.6.1). Note that even the backchannel caches (see Section 2.10.6.1). Note that even the backchannel
requires a reply cache because some callback operations are requires a reply cache (or, at least, a slot table in order to detect
nonidempotent. retries) because some callback operations are nonidempotent.
2.10.3.1. Association of Connections, Channels, and Sessions 2.10.3.1. Association of Connections, Channels, and Sessions
Each channel is associated with zero or more transport connections Each channel is associated with zero or more transport connections
(whether of the same transport protocol or different transport (whether of the same transport protocol or different transport
protocols). A connection can be associated with one channel or both protocols). A connection can be associated with one channel or both
channels of a session; the client and server negotiate whether a channels of a session; the client and server negotiate whether a
connection will carry traffic for one channel or both channels via connection will carry traffic for one channel or both channels via
the CREATE_SESSION (Section 18.36) and the BIND_CONN_TO_SESSION the CREATE_SESSION (Section 18.36) and the BIND_CONN_TO_SESSION
(Section 18.34) operations. When a session is created via (Section 18.34) operations. When a session is created via
skipping to change at page 46, line 31 skipping to change at page 44, line 16
SEQUENCE is transmitted on a different connection, the connection is SEQUENCE is transmitted on a different connection, the connection is
automatically associated with the fore channel of the session automatically associated with the fore channel of the session
specified in the SEQUENCE operation. specified in the SEQUENCE operation.
A connection's association with a session is not exclusive. A A connection's association with a session is not exclusive. A
connection associated with the channel(s) of one session may be connection associated with the channel(s) of one session may be
simultaneously associated with the channel(s) of other sessions simultaneously associated with the channel(s) of other sessions
including sessions associated with other client IDs. including sessions associated with other client IDs.
It is permissible for connections of multiple transport types to be It is permissible for connections of multiple transport types to be
associated with the same channel. For example both a TCP and RDMA associated with the same channel. For example, both TCP and RDMA
connection can be associated with the fore channel. In the event an connections can be associated with the fore channel. In the event an
RDMA and non-RDMA connection are associated with the same channel, RDMA and non-RDMA connection are associated with the same channel,
the maximum number of slots SHOULD be at least one more than the the maximum number of slots SHOULD be at least one more than the
total number of RDMA credits (Section 2.10.6.1. This way if all RDMA total number of RDMA credits (Section 2.10.6.1). This way, if all
credits are used, the non-RDMA connection can have at least one RDMA credits are used, the non-RDMA connection can have at least one
outstanding request. If a server supports multiple transport types, outstanding request. If a server supports multiple transport types,
it MUST allow a client to associate connections from each transport it MUST allow a client to associate connections from each transport
to a channel. to a channel.
It is permissible for a connection of one type of transport to be It is permissible for a connection of one type of transport to be
associated with the fore channel, and a connection of a different associated with the fore channel, and a connection of a different
type to be associated with the backchannel. type to be associated with the backchannel.
2.10.4. Server Scope 2.10.4. Server Scope
Servers each specify a server scope value in the form of an opaque Servers each specify a server scope value in the form of an opaque
string eir_server_scope returned as part of the results of an string eir_server_scope returned as part of the results of an
EXCHANGE_ID operation. The purpose of the server scope is to allow a EXCHANGE_ID operation. The purpose of the server scope is to allow a
group of servers to indicate to clients that a set of servers sharing group of servers to indicate to clients that a set of servers sharing
the same server scope value have arranged to use compatible values of the same server scope value has arranged to use compatible values of
otherwise opaque identifiers. Thus the identifiers generated by one otherwise opaque identifiers. Thus, the identifiers generated by one
server of that set may be presented to another of that same scope. server of that set may be presented to another of that same scope.
The use of such compatible values does not imply that a value The use of such compatible values does not imply that a value
generated by one server will always be accepted by another. In most generated by one server will always be accepted by another. In most
cases, it will not. However, a server will not accept a value cases, it will not. However, a server will not accept a value
generated by another inadvertently. When it does accept it, it will generated by another inadvertently. When it does accept it, it will
be because it is recognized as valid and carrying the same meaning as be because it is recognized as valid and carrying the same meaning as
on another server of the same scope. on another server of the same scope.
When servers are of the same server scope, this compatibility of When servers are of the same server scope, this compatibility of
values applies to the follow identifiers: values applies to the follow identifiers:
o Filehandle values. A filehandle value accepted by two servers of o Filehandle values. A filehandle value accepted by two servers of
the same server scope denotes the same object. A write done to the same server scope denotes the same object. A WRITE operation
one server is reflected immediately in a read done to the other sent to one server is reflected immediately in a READ sent to the
and locks obtained on one server conflict with those requested on other, and locks obtained on one server conflict with those
the other. requested on the other.
o Session ID values. A session ID value accepted by two servers of o Session ID values. A session ID value accepted by two servers of
the same server scope denotes the same session. the same server scope denotes the same session.
o Client ID values. A client ID value accepted as valid by two o Client ID values. A client ID value accepted as valid by two
servers of the same server scope is associated with two clients servers of the same server scope is associated with two clients
with the same client owner and verifier. with the same client owner and verifier.
o State ID values when the corresponding client ID is recognized as o State ID values. A state ID value is recognized as valid when the
valid. If the same stateid value is accepted as valid on two corresponding client ID is recognized as valid. If the same
servers of the same scope and the client IDs on the two servers stateid value is accepted as valid on two servers of the same
represent the same client owner and verifier, then the two stateid scope and the client IDs on the two servers represent the same
values designate the same set of locks and are for the same file client owner and verifier, then the two stateid values designate
the same set of locks and are for the same file.
o Server owner values. When the server scope values are the same, o Server owner values. When the server scope values are the same,
server owner value may be validly compared. In cases where the server owner value may be validly compared. In cases where the
server scope are different, server owner values are treated as server scope values are different, server owner values are treated
different even if they contain all identical bytes. as different even if they contain all identical bytes.
The co-ordination among servers required to provide such The coordination among servers required to provide such compatibility
compatibility can be quite minimal, and limited to a simple partition can be quite minimal, and limited to a simple partition of the ID
of the ID space. The recognition of common values requires space. The recognition of common values requires additional
additional implementation, but this can be tailored to the specific implementation, but this can be tailored to the specific situations
situations in which that recognition is desired. in which that recognition is desired.
Clients will have occasion to compare the server scope values of Clients will have occasion to compare the server scope values of
multiple servers under a number of circumstances, each of which will multiple servers under a number of circumstances, each of which will
be discussed under the appropriate functional section. be discussed under the appropriate functional section:
o When server owner values received in response to EXCHANGE_ID o When server owner values received in response to EXCHANGE_ID
operations issued to multiple network addresses are compared for operations sent to multiple network addresses are compared for the
the purpose of determining the validity of various forms of purpose of determining the validity of various forms of trunking,
trunking, as described in Section 2.10.5. as described in Section 2.10.5.
o When network or server reconfiguration causes the same network o When network or server reconfiguration causes the same network
address to possibly be directed to different servers, with the address to possibly be directed to different servers, with the
necessity for the client to determine when lock reclaim should be necessity for the client to determine when lock reclaim should be
attempted, as described in Section 8.4.2.1 attempted, as described in Section 8.4.2.1.
o When file system migration causes the transfer of responsibility o When file system migration causes the transfer of responsibility
for a file system between servers and the client needs to for a file system between servers and the client needs to
determine whether state has been transferred with the file system determine whether state has been transferred with the file system
(as described in Section 11.7.7) or whether the client needs to (as described in Section 11.7.7) or whether the client needs to
reclaim state on a similar basis as in the case of server restart, reclaim state on a similar basis as in the case of server restart,
as described in Section 8.4.2. as described in Section 8.4.2.
When two replies from EXCHANGE_ID each from two different server When two replies from EXCHANGE_ID, each from two different server
network addresses have the same server scope, there are a number of network addresses, have the same server scope, there are a number of
ways a client can validate that the common server scope is due to two ways a client can validate that the common server scope is due to two
servers cooperating in a group. servers cooperating in a group.
o If both EXCHANGE_ID requests were sent with RPCSEC_GSS o If both EXCHANGE_ID requests were sent with RPCSEC_GSS
authentication and the server principal is the same for both authentication and the server principal is the same for both
targets, the equality of server scope is validated. It is targets, the equality of server scope is validated. It is
RECOMMENDED that two servers intending to share the same server RECOMMENDED that two servers intending to share the same server
scope also share the same principal name. scope also share the same principal name.
o The client may accept the appearance of the second server in o The client may accept the appearance of the second server in the
fs_locations or fs_locations_info attribute for a relevant file fs_locations or fs_locations_info attribute for a relevant file
system. For example, if there is a migration event for a system. For example, if there is a migration event for a
particular file system or there are locks to be reclaimed on a particular file system or there are locks to be reclaimed on a
particular file system, the attributes for that particular file particular file system, the attributes for that particular file
system may be used. The client sends the GETATTR request to the system may be used. The client sends the GETATTR request to the
first server for the fs_locations or fs_locations_info attribute first server for the fs_locations or fs_locations_info attribute
with RPCSEC_GSS authentication. It may need to do this in advance with RPCSEC_GSS authentication. It may need to do this in advance
of the need to verify the common server scope. If the client of the need to verify the common server scope. If the client
successfully authenticates the reply to GETATTR, and the GETATTR successfully authenticates the reply to GETATTR, and the GETATTR
request and reply containing the fs_locations or fs_locations_info request and reply containing the fs_locations or fs_locations_info
skipping to change at page 49, line 26 skipping to change at page 47, line 8
MAY allow network addresses for different servers to use client ID MAY allow network addresses for different servers to use client ID
trunking. trunking.
Clients may use either form of trunking as long as they do not, when Clients may use either form of trunking as long as they do not, when
trunking between different server network addresses, violate the trunking between different server network addresses, violate the
servers' mandates as to the kinds of trunking to be allowed (see servers' mandates as to the kinds of trunking to be allowed (see
below). With regard to callback channels, the client MUST allow the below). With regard to callback channels, the client MUST allow the
server to choose among all callback channels valid for a given client server to choose among all callback channels valid for a given client
ID and MUST support trunking when the connections supporting the ID and MUST support trunking when the connections supporting the
backchannel allow session or client ID trunking to be used for backchannel allow session or client ID trunking to be used for
callbacks callbacks.
Session trunking is essentially the association of multiple Session trunking is essentially the association of multiple
connections, each with potentially different target and/or source connections, each with potentially different target and/or source
network addresses, to the same session. When the target network network addresses, to the same session. When the target network
addresses (server addresses) of the two connections are the same, the addresses (server addresses) of the two connections are the same, the
server MUST support such session trunking. When the target network server MUST support such session trunking. When the target network
addresses are different, the server MAY indicate such support using addresses are different, the server MAY indicate such support using
the data returned by the EXCHANGE_ID operation (see below). the data returned by the EXCHANGE_ID operation (see below).
Client ID trunking is the association of multiple sessions to the Client ID trunking is the association of multiple sessions to the
same client ID. Servers MUST support client ID trunking for two same client ID. Servers MUST support client ID trunking for two
target network addresses whenever they allow session trunking for target network addresses whenever they allow session trunking for
those same two network addresses. In addition, a server MAY, by those same two network addresses. In addition, a server MAY, by
presenting the same major server owner ID (Section 2.5), and server presenting the same major server owner ID (Section 2.5) and server
scope (Section 2.10.4) allow an additional case of client ID scope (Section 2.10.4), allow an additional case of client ID
trunking. When two servers return the same major server owner and trunking. When two servers return the same major server owner and
server scope, it means that the two servers are cooperating on server scope, it means that the two servers are cooperating on
locking state management which is a prerequisite for client ID locking state management, which is a prerequisite for client ID
trunking. trunking.
Understanding and distinguishing when the client is allowed to use Distinguishing when the client is allowed to use session and client
session and client ID trunking requires understanding how the results ID trunking requires understanding how the results of the EXCHANGE_ID
of the EXCHANGE_ID (Section 18.35) operation identify a server. (Section 18.35) operation identify a server. Suppose a client sends
Suppose a client sends EXCHANGE_ID over two different connections EXCHANGE_IDs over two different connections, each with a possibly
each with a possibly different target network address but each different target network address, but each EXCHANGE_ID operation has
EXCHANGE_ID operation has the same value in the eia_clientowner the same value in the eia_clientowner field. If the same NFSv4.1
field. If the same NFSv4.1 server is listening over each connection, server is listening over each connection, then each EXCHANGE_ID
then each EXCHANGE_ID result MUST return the same values of result MUST return the same values of eir_clientid,
eir_clientid, eir_server_owner.so_major_id and eir_server_scope. The eir_server_owner.so_major_id, and eir_server_scope. The client can
client can then treat each connection as referring to the same server then treat each connection as referring to the same server (subject
(subject to verification, see Paragraph 8 later in this section), and to verification; see Section 2.10.5.1 later in this section), and it
it can use each connection to trunk requests and replies. The can use each connection to trunk requests and replies. The client's
client's choice is whether session trunking or client ID trunking choice is whether session trunking or client ID trunking applies.
applies.
Session Trunking. If the eia_clientowner argument is the same in two Session Trunking. If the eia_clientowner argument is the same in two
different EXCHANGE_ID requests, and the eir_clientid, different EXCHANGE_ID requests, and the eir_clientid,
eir_server_owner.so_major_id, eir_server_owner.so_minor_id, and eir_server_owner.so_major_id, eir_server_owner.so_minor_id, and
eir_server_scope results match in both EXCHANGE_ID results, then eir_server_scope results match in both EXCHANGE_ID results, then
the client is permitted to perform session trunking. If the the client is permitted to perform session trunking. If the
client has no session mapping to the tuple of eir_clientid, client has no session mapping to the tuple of eir_clientid,
eir_server_owner.so_major_id, eir_server_scope, eir_server_owner.so_major_id, eir_server_scope, and
eir_server_owner.so_minor_id, then it creates the session via a eir_server_owner.so_minor_id, then it creates the session via a
CREATE_SESSION operation over one of the connections, which CREATE_SESSION operation over one of the connections, which
associates the connection to the session. If there is a session associates the connection to the session. If there is a session
for the tuple, the client can send BIND_CONN_TO_SESSION to for the tuple, the client can send BIND_CONN_TO_SESSION to
associate the connection to the session. associate the connection to the session.
Of course, if the client does not desire to use session trunking, Of course, if the client does not desire to use session trunking,
it is not required to do so. It can invoke CREATE_SESSION on the it is not required to do so. It can invoke CREATE_SESSION on the
connection. This will result in client ID trunking as described connection. This will result in client ID trunking as described
below. It can also decide to drop the connection if it does not below. It can also decide to drop the connection if it does not
choose to use trunking. choose to use trunking.
Client ID Trunking. If the eia_clientowner argument is the same in Client ID Trunking. If the eia_clientowner argument is the same in
two different EXCHANGE_ID requests, and the eir_clientid, two different EXCHANGE_ID requests, and the eir_clientid,
eir_server_owner.so_major_id, and eir_server_scope results match eir_server_owner.so_major_id, and eir_server_scope results match
in both EXCHANGE_ID results, then the client is permitted to in both EXCHANGE_ID results, then the client is permitted to
perform client ID trunking (regardless whether the perform client ID trunking (regardless of whether the
eir_server_owner.so_minor_id results match). The client can eir_server_owner.so_minor_id results match). The client can
associate each connection with different sessions, where each associate each connection with different sessions, where each
session is associated with the same server. session is associated with the same server.
The client completes the act of client ID trunking by invoking The client completes the act of client ID trunking by invoking
CREATE_SESSION on each connection, using the same client ID that CREATE_SESSION on each connection, using the same client ID that
was returned in eir_clientid. These invocations create two was returned in eir_clientid. These invocations create two
sessions and also associate each connection with its respective sessions and also associate each connection with its respective
session. The client is free to choose not to use client ID session. The client is free to decline to use client ID trunking
trunking by simply dropping the connection at this point. by simply dropping the connection at this point.
When doing client ID trunking, locking state is shared across When doing client ID trunking, locking state is shared across
sessions associated with that same client ID. This requires the sessions associated with that same client ID. This requires the
server to coordinate state across sessions. server to coordinate state across sessions.
The client should be prepared for the possibility that The client should be prepared for the possibility that
eir_server_owner values may be different on subsequent EXCHANGE_ID eir_server_owner values may be different on subsequent EXCHANGE_ID
requests made to the same network address, as a result of various requests made to the same network address, as a result of various
sorts of reconfiguration events. When this happens and the changes sorts of reconfiguration events. When this happens and the changes
result in the invalidation of previously valid forms of trunking, the result in the invalidation of previously valid forms of trunking, the
client should cease to use those forms, either by dropping client should cease to use those forms, either by dropping
connections or by adding sessions. For a discussion of lock reclaim connections or by adding sessions. For a discussion of lock reclaim
as it relates to such reconfiguration events, see Section 8.4.2.1. as it relates to such reconfiguration events, see Section 8.4.2.1.
2.10.5.1. Verifying Claims of Matching Server Identity
When two servers over two connections claim matching or partially When two servers over two connections claim matching or partially
matching eir_server_owner, eir_server_scope, and eir_clientid values, matching eir_server_owner, eir_server_scope, and eir_clientid values,
the client does not have to trust the servers' claims. The client the client does not have to trust the servers' claims. The client
may verify these claims before trunking traffic in the following may verify these claims before trunking traffic in the following
ways: ways:
o For session trunking, clients SHOULD reliably verify if o For session trunking, clients SHOULD reliably verify if
connections between different network paths are in fact associated connections between different network paths are in fact associated
with the same NFSv4.1 server and usable on the same session, and with the same NFSv4.1 server and usable on the same session, and
servers MUST allow clients to perform reliable verification. When servers MUST allow clients to perform reliable verification. When
skipping to change at page 52, line 10 skipping to change at page 49, line 44
If the client specified SP4_MACH_CRED state protection, the If the client specified SP4_MACH_CRED state protection, the
BIND_CONN_TO_SESSION operation will use RPCSEC_GSS integrity or BIND_CONN_TO_SESSION operation will use RPCSEC_GSS integrity or
privacy, using the same credential that was used when the client privacy, using the same credential that was used when the client
ID was created. Mutual authentication via RPCSEC_GSS assures the ID was created. Mutual authentication via RPCSEC_GSS assures the
client that the connection is associated with the correct session client that the connection is associated with the correct session
of the correct server. of the correct server.
o For client ID trunking, the client has at least two options for o For client ID trunking, the client has at least two options for
verifying that the same client ID obtained from two different verifying that the same client ID obtained from two different
EXCHANGE_ID operations came from the same server. The first EXCHANGE_ID operations came from the same server. The first
option is to use RPCSEC_GSS authentication when issuing each option is to use RPCSEC_GSS authentication when sending each
EXCHANGE_ID. Each time an EXCHANGE_ID is sent with RPCSEC_GSS EXCHANGE_ID operation. Each time an EXCHANGE_ID is sent with
authentication, the client notes the principal name of the GSS RPCSEC_GSS authentication, the client notes the principal name of
target. If the EXCHANGE_ID results indicate client ID trunking is the GSS target. If the EXCHANGE_ID results indicate that client
possible, and the GSS targets' principal names are the same, the ID trunking is possible, and the GSS targets' principal names are
servers are the same and client ID trunking is allowed. the same, the servers are the same and client ID trunking is
allowed.
The second option for verification is to use SP4_SSV protection. The second option for verification is to use SP4_SSV protection.
When the client sends EXCHANGE_ID it specifies SP4_SSV protection. When the client sends EXCHANGE_ID, it specifies SP4_SSV
The first EXCHANGE_ID the client sends always has to be confirmed protection. The first EXCHANGE_ID the client sends always has to
by a CREATE_SESSION call. The client then sends SET_SSV. Later be confirmed by a CREATE_SESSION call. The client then sends
the client sends EXCHANGE_ID to a second destination network SET_SSV. Later, the client sends EXCHANGE_ID to a second
address different from the one the first EXCHANGE_ID was sent to. destination network address different from the one the first
The client checks that each EXCHANGE_ID reply has the same EXCHANGE_ID was sent to. The client checks that each EXCHANGE_ID
eir_clientid, eir_server_owner.so_major_id, and eir_server_scope. reply has the same eir_clientid, eir_server_owner.so_major_id, and
If so, the client verifies the claim by issuing a CREATE_SESSION eir_server_scope. If so, the client verifies the claim by sending
to the second destination address, protected with RPCSEC_GSS a CREATE_SESSION operation to the second destination address,
integrity using an RPCSEC_GSS handle returned by the second protected with RPCSEC_GSS integrity using an RPCSEC_GSS handle
EXCHANGE_ID. If the server accepts the CREATE_SESSION request, returned by the second EXCHANGE_ID. If the server accepts the
and if the client verifies the RPCSEC_GSS verifier and integrity CREATE_SESSION request, and if the client verifies the RPCSEC_GSS
codes, then the client has proof the second server knows the SSV, verifier and integrity codes, then the client has proof the second
and thus the two servers are co-operating for the purposes of server knows the SSV, and thus the two servers are cooperating for
specifying server scope and client ID trunking. the purposes of specifying server scope and client ID trunking.
2.10.6. Exactly Once Semantics 2.10.6. Exactly Once Semantics
Via the session, NFSv4.1 offers Exactly Once Semantics (EOS) for Via the session, NFSv4.1 offers exactly once semantics (EOS) for
requests sent over a channel. EOS is supported on both the fore and requests sent over a channel. EOS is supported on both the fore
back channels. channel and backchannel.
Each COMPOUND or CB_COMPOUND request that is sent with a leading Each COMPOUND or CB_COMPOUND request that is sent with a leading
SEQUENCE or CB_SEQUENCE operation MUST be executed by the receiver SEQUENCE or CB_SEQUENCE operation MUST be executed by the receiver
exactly once. This requirement holds regardless of whether the exactly once. This requirement holds regardless of whether the
request is sent with reply caching specified (see request is sent with reply caching specified (see
Section 2.10.6.1.3). The requirement holds even if the requester is Section 2.10.6.1.3). The requirement holds even if the requester is
issuing the request over a session created between a pNFS data client sending the request over a session created between a pNFS data client
and pNFS data server. To understand the rationale for this and pNFS data server. To understand the rationale for this
requirement, divide the requests into three classifications: requirement, divide the requests into three classifications:
o Nonidempotent requests. o Non-idempotent requests.
o Idempotent modifying requests. o Idempotent modifying requests.
o Idempotent non-modifying requests. o Idempotent non-modifying requests.
An example of a non-idempotent request is RENAME. If is obvious that An example of a non-idempotent request is RENAME. Obviously, if a
if a replier executes the same RENAME request twice, and the first replier executes the same RENAME request twice, and the first
execution succeeds, the re-execution will fail. If the replier execution succeeds, the re-execution will fail. If the replier
returns the result from the re-execution, this result is incorrect. returns the result from the re-execution, this result is incorrect.
Therefore, EOS is required for nonidempotent requests. Therefore, EOS is required for non-idempotent requests.
An example of an idempotent modifying request is a COMPOUND request An example of an idempotent modifying request is a COMPOUND request
containing a WRITE operation. Repeated execution of the same WRITE containing a WRITE operation. Repeated execution of the same WRITE
has the same effect as execution of that write a single time. has the same effect as execution of that WRITE a single time.
Nevertheless, enforcing EOS for WRITEs and other idempotent modifying Nevertheless, enforcing EOS for WRITEs and other idempotent modifying
requests is necessary to avoid data corruption. requests is necessary to avoid data corruption.
Suppose a client sends WRITE A to a noncompliant server that does not Suppose a client sends WRITE A to a noncompliant server that does not
enforce EOS, and receives no response, perhaps due to a network enforce EOS, and receives no response, perhaps due to a network
partition. The client reconnects to the server and re-sends WRITE A. partition. The client reconnects to the server and re-sends WRITE A.
Now, the server has outstanding two instances of A. The server can be Now, the server has outstanding two instances of A. The server can
in a situation in which it executes and replies to the retry of A, be in a situation in which it executes and replies to the retry of A,
while the first A is still waiting in the server's internal I/O while the first A is still waiting in the server's internal I/O
system for some resource. Upon receiving the reply to the second system for some resource. Upon receiving the reply to the second
attempt of WRITE A, the client believes its write is done so it is attempt of WRITE A, the client believes its WRITE is done so it is
free to send WRITE B which overlaps the range of A. When the original free to send WRITE B, which overlaps the byte-range of A. When the
A is dispatched from the server's I/O system, and executed (thus the original A is dispatched from the server's I/O system and executed
second time A will have been written), then what has been written by (thus the second time A will have been written), then what has been
B can be overwritten and thus corrupted. written by B can be overwritten and thus corrupted.
An example of an idempotent non-modifying request is a COMPOUND An example of an idempotent non-modifying request is a COMPOUND
containing SEQUENCE, PUTFH, READLINK and nothing else. The re- containing SEQUENCE, PUTFH, READLINK, and nothing else. The re-
execution of a such a request will not cause data corruption, or execution of such a request will not cause data corruption or produce
produce an incorrect result. Nonetheless, to keep the implementation an incorrect result. Nonetheless, to keep the implementation simple,
simple, the replier MUST enforce EOS for all requests whether the replier MUST enforce EOS for all requests, whether or not
idempotent and non-modifying or not. idempotent and non-modifying.
Note that true and complete EOS is not possible unless the server Note that true and complete EOS is not possible unless the server
persists the reply cache in stable storage, unless the server is persists the reply cache in stable storage, and unless the server is
somehow implemented to never require a restart (indeed if such a somehow implemented to never require a restart (indeed, if such a
server exists, the distinction between a reply cache kept in stable server exists, the distinction between a reply cache kept in stable
storage versus one that is not is one without meaning). See storage versus one that is not is one without meaning). See
Section 2.10.6.5 for a discussion of persistence in the reply cache. Section 2.10.6.5 for a discussion of persistence in the reply cache.
Regardless, even if the server does not persist the reply cache, EOS Regardless, even if the server does not persist the reply cache, EOS
improves robustness and correctness over previous versions of NFS improves robustness and correctness over previous versions of NFS
because the legacy duplicate request/reply caches were based on the because the legacy duplicate request/reply caches were based on the
ONC RPC transaction identifier (XID). Section 2.10.6.1 explains the ONC RPC transaction identifier (XID). Section 2.10.6.1 explains the
shortcomings of the XID as a basis for a reply cache and describes shortcomings of the XID as a basis for a reply cache and describes
how NFSv4.1 sessions improve upon the XID. how NFSv4.1 sessions improve upon the XID.
2.10.6.1. Slot Identifiers and Reply Cache 2.10.6.1. Slot Identifiers and Reply Cache
The RPC layer provides a transaction ID (XID), which, while required The RPC layer provides a transaction ID (XID), which, while required
to be unique, is not convenient for tracking requests for two to be unique, is not convenient for tracking requests for two
reasons. First, the XID is only meaningful to the requester; it reasons. First, the XID is only meaningful to the requester; it
cannot be interpreted by the replier except to test for equality with cannot be interpreted by the replier except to test for equality with
previously sent requests. When consulting an RPC-based duplicate previously sent requests. When consulting an RPC-based duplicate
request cache, the opaqueness of the XID requires a computationally request cache, the opaqueness of the XID requires a computationally
expensive lookup (often via a hash that includes XID and source expensive look up (often via a hash that includes XID and source
address). NFSv4.1 requests use a non-opaque slot ID which is an address). NFSv4.1 requests use a non-opaque slot ID, which is an
index into a slot table, which is far more efficient. Second, index into a slot table, which is far more efficient. Second,
because RPC requests can be executed by the replier in any order, because RPC requests can be executed by the replier in any order,
there is no bound on the number of requests that may be outstanding there is no bound on the number of requests that may be outstanding
at any time. To achieve perfect EOS using ONC RPC would require at any time. To achieve perfect EOS, using ONC RPC would require
storing all replies in the reply cache. XIDs are 32 bits; storing storing all replies in the reply cache. XIDs are 32 bits; storing
over four billion (2^32) replies in the reply cache is not practical. over four billion (2^32) replies in the reply cache is not practical.
In practice, previous versions of NFS have chosen to store a fixed In practice, previous versions of NFS have chosen to store a fixed
number of replies in the cache, and use a least recently used (LRU) number of replies in the cache, and to use a least recently used
approach to replacing cache entries with new entries when the cache (LRU) approach to replacing cache entries with new entries when the
is full. In NFSv4.1, the number of outstanding requests is bounded cache is full. In NFSv4.1, the number of outstanding requests is
by the size of the slot table, and a sequence ID per slot is used to bounded by the size of the slot table, and a sequence ID per slot is
tell the replier when it is safe to delete a cached reply. used to tell the replier when it is safe to delete a cached reply.
In the NFSv4.1 reply cache, when the requester sends a new request, In the NFSv4.1 reply cache, when the requester sends a new request,
it selects a slot ID in the range 0..N, where N is the replier's it selects a slot ID in the range 0..N, where N is the replier's
current maximum slot ID granted to the requester on the session over current maximum slot ID granted to the requester on the session over
which the request is to be sent. The value of N starts out as equal which the request is to be sent. The value of N starts out as equal
to ca_maxrequests - 1 (Section 18.36), but can be adjusted by the to ca_maxrequests - 1 (Section 18.36), but can be adjusted by the
response to SEQUENCE or CB_SEQUENCE as described later in this response to SEQUENCE or CB_SEQUENCE as described later in this
section. The slot ID must be unused by any of the requests which the section. The slot ID must be unused by any of the requests that the
requester has already active on the session. "Unused" here means the requester has already active on the session. "Unused" here means the
requester has no outstanding request for that slot ID. requester has no outstanding request for that slot ID.
A slot contains a sequence ID and the cached reply corresponding to A slot contains a sequence ID and the cached reply corresponding to
the request sent with that sequence ID. The sequence ID is a 32 bit the request sent with that sequence ID. The sequence ID is a 32-bit
unsigned value, and is therefore in the range 0..0xFFFFFFFF (2^32 - unsigned value, and is therefore in the range 0..0xFFFFFFFF (2^32 -
1). The first time a slot is used, the requester MUST specify a 1). The first time a slot is used, the requester MUST specify a
sequence ID of one (1) (Section 18.36). Each time a slot is reused, sequence ID of one (Section 18.36). Each time a slot is reused, the
the request MUST specify a sequence ID that is one greater than that request MUST specify a sequence ID that is one greater than that of
of the previous request on the slot. If the previous sequence ID was the previous request on the slot. If the previous sequence ID was
0xFFFFFFFF, then the next request for the slot MUST have the sequence 0xFFFFFFFF, then the next request for the slot MUST have the sequence
ID set to zero (i.e. (2^32 - 1) + 1 mod 2^32). ID set to zero (i.e., (2^32 - 1) + 1 mod 2^32).
The sequence ID accompanies the slot ID in each request. It is for The sequence ID accompanies the slot ID in each request. It is for
the critical check at the server: it used to efficiently determine the critical check at the replier: it used to efficiently determine
whether a request using a certain slot ID is a retransmit or a new, whether a request using a certain slot ID is a retransmit or a new,
never-before-seen request. It is not feasible for the client to never-before-seen request. It is not feasible for the requester to
assert that it is retransmitting to implement this, because for any assert that it is retransmitting to implement this, because for any
given request the client cannot know whether the server has seen it given request the requester cannot know whether the replier has seen
unless the server actually replies. Of course, if the client has it unless the replier actually replies. Of course, if the requester
seen the server's reply, the client would not retransmit. has seen the reply, the requester would not retransmit.
The replier compares each received request's sequence ID with the The replier compares each received request's sequence ID with the
last one previously received for that slot ID, to see if the new last one previously received for that slot ID, to see if the new
request is: request is:
o A new request, in which the sequence ID is one greater than that o A new request, in which the sequence ID is one greater than that
previously seen in the slot (accounting for sequence wraparound). previously seen in the slot (accounting for sequence wraparound).
The replier proceeds to execute the new request, and the replier The replier proceeds to execute the new request, and the replier
MUST increase the slot's sequence ID by one. MUST increase the slot's sequence ID by one.
skipping to change at page 55, line 29 skipping to change at page 53, line 22
executed to completion, the replier returns the cached reply. See executed to completion, the replier returns the cached reply. See
Section 2.10.6.2 for direction on how the replier deals with Section 2.10.6.2 for direction on how the replier deals with
retries of requests that are still in progress. retries of requests that are still in progress.
o A misordered retry, in which the sequence ID is less than o A misordered retry, in which the sequence ID is less than
(accounting for sequence wraparound) that previously seen in the (accounting for sequence wraparound) that previously seen in the
slot. The replier MUST return NFS4ERR_SEQ_MISORDERED (as the slot. The replier MUST return NFS4ERR_SEQ_MISORDERED (as the
result from SEQUENCE or CB_SEQUENCE). result from SEQUENCE or CB_SEQUENCE).
o A misordered new request, in which the sequence ID is two or more o A misordered new request, in which the sequence ID is two or more
than (accounting for sequence wraparound) than that previously than (accounting for sequence wraparound) that previously seen in
seen in the slot. Note that because the sequence ID MUST the slot. Note that because the sequence ID MUST wrap around to
wraparound to zero (0) once it reaches 0xFFFFFFFF, a misordered zero once it reaches 0xFFFFFFFF, a misordered new request and a
new request and a misordered retry cannot be distinguished. Thus, misordered retry cannot be distinguished. Thus, the replier MUST
the replier MUST return NFS4ERR_SEQ_MISORDERED (as the result from return NFS4ERR_SEQ_MISORDERED (as the result from SEQUENCE or
SEQUENCE or CB_SEQUENCE). CB_SEQUENCE).
Unlike the XID, the slot ID is always within a specific range; this Unlike the XID, the slot ID is always within a specific range; this
has two implications. The first implication is that for a given has two implications. The first implication is that for a given
session, the replier need only cache the results of a limited number session, the replier need only cache the results of a limited number
of COMPOUND requests . The second implication derives from the of COMPOUND requests. The second implication derives from the first,
first, which is that unlike XID-indexed reply caches (also known as which is that unlike XID-indexed reply caches (also known as
duplicate request caches - DRCs), the slot ID-based reply cache duplicate request caches - DRCs), the slot ID-based reply cache
cannot be overflowed. Through use of the sequence ID to identify cannot be overflowed. Through use of the sequence ID to identify
retransmitted requests, the replier does not need to actually cache retransmitted requests, the replier does not need to actually cache
the request itself, reducing the storage requirements of the reply the request itself, reducing the storage requirements of the reply
cache further. These facilities make it practical to maintain all cache further. These facilities make it practical to maintain all
the required entries for an effective reply cache. the required entries for an effective reply cache.
The slot ID, sequence ID, and session ID therefore take over the The slot ID, sequence ID, and session ID therefore take over the
traditional role of the XID and source network address in the traditional role of the XID and source network address in the
replier's reply cache implementation. This approach is considerably replier's reply cache implementation. This approach is considerably
more portable and completely robust - it is not subject to the more portable and completely robust -- it is not subject to the
reassignment of ports as clients reconnect over IP networks. In reassignment of ports as clients reconnect over IP networks. In
addition, the RPC XID is not used in the reply cache, enhancing addition, the RPC XID is not used in the reply cache, enhancing
robustness of the cache in the face of any rapid reuse of XIDs by the robustness of the cache in the face of any rapid reuse of XIDs by the
requester. While the replier does not care about the XID for the requester. While the replier does not care about the XID for the
purposes of reply cache management (but the replier MUST return the purposes of reply cache management (but the replier MUST return the
same XID that was in the request), nonetheless there are same XID that was in the request), nonetheless there are
considerations for the XID in NFSv4.1 that are the same as all other considerations for the XID in NFSv4.1 that are the same as all other
previous versions of NFS. The RPC XID remains in each message and previous versions of NFS. The RPC XID remains in each message and
needs to be formulated in NFSv4.1 requests as in any other ONC RPC needs to be formulated in NFSv4.1 requests as in any other ONC RPC
request. The reasons include: request. The reasons include:
o The RPC layer retains its existing semantics and implementation. o The RPC layer retains its existing semantics and implementation.
o The requester and replier must be able to interoperate at the RPC o The requester and replier must be able to interoperate at the RPC
layer, prior to the NFSv4.1 decoding of the SEQUENCE or layer, prior to the NFSv4.1 decoding of the SEQUENCE or
CB_SEQUENCE operation. CB_SEQUENCE operation.
o If an operation is being used that does not start with SEQUENCE or o If an operation is being used that does not start with SEQUENCE or
CB_SEQUENCE (e.g. BIND_CONN_TO_SESSION), then the RPC XID is CB_SEQUENCE (e.g., BIND_CONN_TO_SESSION), then the RPC XID is
needed for correct operation to match the reply to the request. needed for correct operation to match the reply to the request.
o The SEQUENCE or CB_SEQUENCE operation may generate an error. If o The SEQUENCE or CB_SEQUENCE operation may generate an error. If
so, the embedded slot ID, sequence ID, and session ID (if present) so, the embedded slot ID, sequence ID, and session ID (if present)
in the request will not be in the reply, and the requester has in the request will not be in the reply, and the requester has
only the XID to match the reply to the request. only the XID to match the reply to the request.
Given that well formulated XIDs continue to be required, this begs Given that well-formulated XIDs continue to be required, this begs
the question why SEQUENCE and CB_SEQUENCE replies have a session ID, the question: why do SEQUENCE and CB_SEQUENCE replies have a session
slot ID and sequence ID? Having the session ID in the reply means ID, slot ID, and sequence ID? Having the session ID in the reply
the requester does not have to use the XID to lookup the session ID, means that the requester does not have to use the XID to look up the
which would be necessary if the connection were associated with session ID, which would be necessary if the connection were
multiple sessions. Having the slot ID and sequence ID in the reply associated with multiple sessions. Having the slot ID and sequence
means requester does not have to use the XID to lookup the slot ID ID in the reply means that the requester does not have to use the XID
and sequence ID. Furthermore, since the XID is only 32 bits, it is to look up the slot ID and sequence ID. Furthermore, since the XID
too small to guarantee the re-association of a reply with its request is only 32 bits, it is too small to guarantee the re-association of a
([36]); having session ID, slot ID, and sequence ID in the reply reply with its request [37]; having session ID, slot ID, and sequence
allows the client to validate that the reply in fact belongs to the ID in the reply allows the client to validate that the reply in fact
matched request. belongs to the matched request.
The SEQUENCE (and CB_SEQUENCE) operation also carries a The SEQUENCE (and CB_SEQUENCE) operation also carries a
"highest_slotid" value which carries additional requester slot usage "highest_slotid" value, which carries additional requester slot usage
information. The requester MUST always indicate the slot ID information. The requester MUST always indicate the slot ID
representing the outstanding request with the highest-numbered slot representing the outstanding request with the highest-numbered slot
value. The requester should in all cases provide the most value. The requester should in all cases provide the most
conservative value possible, although it can be increased somewhat conservative value possible, although it can be increased somewhat
above the actual instantaneous usage to maintain some minimum or above the actual instantaneous usage to maintain some minimum or
optimal level. This provides a way for the requester to yield unused optimal level. This provides a way for the requester to yield unused
request slots back to the replier, which in turn can use the request slots back to the replier, which in turn can use the
information to reallocate resources. information to reallocate resources.
The replier responds with both a new target highest_slotid, and an The replier responds with both a new target highest_slotid and an
enforced highest_slotid, described as follows: enforced highest_slotid, described as follows:
o The target highest_slotid is an indication to the requester of the o The target highest_slotid is an indication to the requester of the
highest_slotid the replier wishes the requester to be using. This highest_slotid the replier wishes the requester to be using. This
permits the replier to withdraw (or add) resources from a permits the replier to withdraw (or add) resources from a
requester that has been found to not be using them, in order to requester that has been found to not be using them, in order to
more fairly share resources among a varying level of demand from more fairly share resources among a varying level of demand from
other requesters. The requester must always comply with the other requesters. The requester must always comply with the
replier's value updates, since they indicate newly established replier's value updates, since they indicate newly established
hard limits on the requester's access to session resources. hard limits on the requester's access to session resources.
However, because of request pipelining, the requester may have However, because of request pipelining, the requester may have
active requests in flight reflecting prior values, therefore the active requests in flight reflecting prior values; therefore, the
replier must not immediately require the requester to comply. replier must not immediately require the requester to comply.
o The enforced highest_slotid indicates the highest slot ID the o The enforced highest_slotid indicates the highest slot ID the
requester is permitted to use on a subsequent SEQUENCE or requester is permitted to use on a subsequent SEQUENCE or
CB_SEQUENCE operation. The replier's enforced highest_slotid CB_SEQUENCE operation. The replier's enforced highest_slotid
SHOULD be no less than the highest_slotid the requester indicated SHOULD be no less than the highest_slotid the requester indicated
in the SEQUENCE or CB_SEQUENCE arguments. in the SEQUENCE or CB_SEQUENCE arguments.
If a replier detects the client is being intransigent, i.e. it A requester can be intransigent with respect to lowering its
fails in a series of requests to honor the target highest_slotid highest_slotid argument to a Sequence operation, i.e. the
even though the replier knows there are no outstanding requests a requester continues to ignore the target highest_slotid in the
higher slot ids, it MAY take more forceful action. When faced response to a Sequence operation, and continues to set its
with intransigence, the replier MAY reply with a new enforced highest_slotid argument to be higher than the target
highest_slotid that is less than its previous enforced highest_slotid. This can be considered particularly egregious
highest_slotid. Thereafter, if the requester continues to send behavior when the replier knows there are no outstanding requests
requests with a highest_slotid that is greater than the replier's with slot IDs higher than its target highest_slotid. When faced
new enforced highest_slotid the server MAY return with such intransigence, the replier is free to take more forceful
NFS4ERR_BAD_HIGHSLOT, unless the slot ID in the request is greater action, and MAY reply with a new enforced highest_slotid that is
than the new enforced highest_slotid, and the request is a retry. less than its previous enforced highest_slotid. Thereafter, if
the requester continues to send requests with a highest_slotid
that is greater than the replier's new enforced highest_slotid,
the server MAY return NFS4ERR_BAD_HIGH_SLOT, unless the slot ID in
the request is greater than the new enforced highest_slotid and
the request is a retry.
The replier SHOULD retain the slots it wants to retire until the The replier SHOULD retain the slots it wants to retire until the
requester sends a request with a highest_slotid less than or equal requester sends a request with a highest_slotid less than or equal
to the replier's new enforced highest_slotid. Also if a request to the replier's new enforced highest_slotid.
is received with a slot that is higher than the new enforced
highest_slotid, and the sequence ID is one higher than what is in
the slot's reply cache, then the server can both retire the slot
and return NFS4ERR_BADSLOT (however the server MUST NOT do one and
not the other). (The reason it is safe to retire the slot is
because that by using the next sequence ID, the client is
indicating it has received the previous reply for the slot.) Once
the replier has forcibly lowered the enforced highest_slotid, the
requester is only allowed to send retries to the to-be-retired
slots.
o The requester SHOULD use the lowest available slot when issuing a The requester can also be intransigent with respect to sending
non-retry requests that have a slot ID that exceeds the replier's
highest_slotid. Once the replier has forcibly lowered the
enforced highest_slotid, the requester is only allowed to send
retries on slots that exceed the replier's highest_slotid. If a
request is received with a slot ID that is higher than the new
enforced highest_slotid, and the sequence ID is one higher than
what is in the slot's reply cache, then the server can both retire
the slot and return NFS4ERR_BADSLOT (however, the server MUST NOT
do one and not the other). The reason it is safe to retire the
slot is because by using the next sequence ID, the requester is
indicating it has received the previous reply for the slot.
o The requester SHOULD use the lowest available slot when sending a
new request. This way, the replier may be able to retire slot new request. This way, the replier may be able to retire slot
entries faster. However, where the replier is actively adjusting entries faster. However, where the replier is actively adjusting
its granted highest_slotid, it will not be able to use only the its granted highest_slotid, it will not be able to use only the
receipt of the slot ID and highest_slotid in the request. Neither receipt of the slot ID and highest_slotid in the request. Neither
the slot ID nor the highest_slotid used in a request may reflect the slot ID nor the highest_slotid used in a request may reflect
the replier's current idea of the requester's session limit, the replier's current idea of the requester's session limit,
because the request may have been sent from the requester before because the request may have been sent from the requester before
the update was received. Therefore, in the downward adjustment the update was received. Therefore, in the downward adjustment
case, the replier may have to retain a number of reply cache case, the replier may have to retain a number of reply cache
entries at least as large as the old value of maximum requests entries at least as large as the old value of maximum requests
outstanding, until it can infer that the requester has seen a outstanding, until it can infer that the requester has seen a
reply containing the new granted highest_slotid. The replier can reply containing the new granted highest_slotid. The replier can
infer that requester as seen such a reply when it receives a new infer that the requester has seen such a reply when it receives a
request with the same slot ID as the request replied to and the new request with the same slot ID as the request replied to and
next higher sequence ID. the next higher sequence ID.
2.10.6.1.1. Caching of SEQUENCE and CB_SEQUENCE Replies 2.10.6.1.1. Caching of SEQUENCE and CB_SEQUENCE Replies
When a SEQUENCE or CB_SEQUENCE operation is successfully executed, When a SEQUENCE or CB_SEQUENCE operation is successfully executed,
its reply MUST always be cached. Specifically, session ID, sequence its reply MUST always be cached. Specifically, session ID, sequence
ID, and slot ID MUST be cached in the reply cache. The reply from ID, and slot ID MUST be cached in the reply cache. The reply from
SEQUENCE also includes the highest slot ID, target highest slot ID, SEQUENCE also includes the highest slot ID, target highest slot ID,
and status flags. Instead of caching these values, the server MAY and status flags. Instead of caching these values, the server MAY
re-compute the values from the current state of the fore channel, re-compute the values from the current state of the fore channel,
session and/or client ID as appropriate. Similarly, the reply from session, and/or client ID as appropriate. Similarly, the reply from
CB_SEQUENCE includes a highest slot ID and target highest slot ID. CB_SEQUENCE includes a highest slot ID and target highest slot ID.
The client MAY re-compute the values from the current state of the The client MAY re-compute the values from the current state of the
session as appropriate. session as appropriate.
Regardless of whether a replier is re-computing highest slot ID, Regardless of whether or not a replier is re-computing highest slot
target slot ID, and status on replies to retries or not, the ID, target slot ID, and status on replies to retries, the requester
requester MUST NOT assume the values are being re-computed whenever MUST NOT assume that the values are being re-computed whenever it
it receives a reply after a retry is sent, since it has no way of receives a reply after a retry is sent, since it has no way of
knowing whether the reply it has received was sent by the server in knowing whether the reply it has received was sent by the replier in
response to the retry, or is a delayed response to the original response to the retry or is a delayed response to the original
request. Therefore, it may be the case that highest slot ID, target request. Therefore, it may be the case that highest slot ID, target
slot ID, or status bits may reflect the state of affairs when the slot ID, or status bits may reflect the state of affairs when the
request was first executed. Although acting based on such delayed request was first executed. Although acting based on such delayed
information is valid, it may cause the receiver to do unneeded work. information is valid, it may cause the receiver of the reply to do
Requesters MAY choose to send additional requests to get the current unneeded work. Requesters MAY choose to send additional requests to
state of affairs or use the state of affairs reported by subsequent get the current state of affairs or use the state of affairs reported
requests, in preference to acting immediately on data which may be by subsequent requests, in preference to acting immediately on data
out of date. that might be out of date.
2.10.6.1.2. Errors from SEQUENCE and CB_SEQUENCE 2.10.6.1.2. Errors from SEQUENCE and CB_SEQUENCE
Any time SEQUENCE or CB_SEQUENCE return an error, the sequence ID of Any time SEQUENCE or CB_SEQUENCE returns an error, the sequence ID of
the slot MUST NOT change. The replier MUST NOT modify the reply the slot MUST NOT change. The replier MUST NOT modify the reply
cache entry for the slot whenever an error is returned from SEQUENCE cache entry for the slot whenever an error is returned from SEQUENCE
or CB_SEQUENCE. or CB_SEQUENCE.
2.10.6.1.3. Optional Reply Caching 2.10.6.1.3. Optional Reply Caching
On a per-request basis the requester can choose to direct the replier On a per-request basis, the requester can choose to direct the
to cache the reply to all operations after the first operation replier to cache the reply to all operations after the first
(SEQUENCE or CB_SEQUENCE) via the sa_cachethis or csa_cachethis operation (SEQUENCE or CB_SEQUENCE) via the sa_cachethis or
fields of the arguments to SEQUENCE or CB_SEQUENCE. The reason it csa_cachethis fields of the arguments to SEQUENCE or CB_SEQUENCE.
would not direct the replier to cache the entire reply is that the The reason it would not direct the replier to cache the entire reply
request is composed of all idempotent operations [33]. Caching the is that the request is composed of all idempotent operations [34].
reply may offer little benefit. If the reply is too large (see Caching the reply may offer little benefit. If the reply is too
Section 2.10.6.4), it may not be cacheable anyway. Even if the reply large (see Section 2.10.6.4), it may not be cacheable anyway. Even
to idempotent request is small enough to cache, unnecessarily caching if the reply to idempotent request is small enough to cache,
the reply slows down the server and increases RPC latency. unnecessarily caching the reply slows down the server and increases
RPC latency.
Whether the requester requests the reply to be cached or not has no Whether or not the requester requests the reply to be cached has no
effect on the slot processing. If the results of SEQUENCE or effect on the slot processing. If the results of SEQUENCE or
CB_SEQUENCE are NFS4_OK, then the slot's sequence ID MUST be CB_SEQUENCE are NFS4_OK, then the slot's sequence ID MUST be
incremented by one. If a requester does not direct the replier to incremented by one. If a requester does not direct the replier to
cache the reply, the replier MUST do one of following: cache the reply, the replier MUST do one of following:
o The replier can cache the entire original reply. Even though o The replier can cache the entire original reply. Even though
sa_cachethis or csa_cachethis are FALSE, the replier is always sa_cachethis or csa_cachethis is FALSE, the replier is always free
free to cache. It may choose this approach in order to simplify to cache. It may choose this approach in order to simplify
implementation. implementation.
o The replier enters into its reply cache a reply consisting of the o The replier enters into its reply cache a reply consisting of the
original results to the SEQUENCE or CB_SEQUENCE operation, and original results to the SEQUENCE or CB_SEQUENCE operation, and
with the next operation in COMPOUND or CB_COMPOUND having the with the next operation in COMPOUND or CB_COMPOUND having the
error NFS4ERR_RETRY_UNCACHED_REP. Thus if the requester later error NFS4ERR_RETRY_UNCACHED_REP. Thus, if the requester later
retries the request, it will get NFS4ERR_RETRY_UNCACHED_REP. retries the request, it will get NFS4ERR_RETRY_UNCACHED_REP. If a
replier receives a retried Sequence operation where the reply to
the COMPOUND or CB_COMPOUND was not cached, then the replier,
* MAY return NFS4ERR_RETRY_UNCACHED_REP in reply to a Sequence
operation if the Sequence operation is not the first operation
(granted, a requester that does so is in violation of the
NFSv4.1 protocol).
* MUST NOT return NFS4ERR_RETRY_UNCACHED_REP in reply to a
Sequence operation if the Sequence operation is the first
operation.
o If the second operation is an illegal operation, or an operation
that was legal in a previous minor version of NFSv4 and MUST NOT
be supported in the current minor version (e.g., SETCLIENTID), the
replier MUST NOT ever return NFS4ERR_RETRY_UNCACHED_REP. Instead
the replier MUST return NFS4ERR_OP_ILLEGAL or NFS4ERR_BADXDR or
NFS4ERR_NOTSUPP as appropriate.
o If the second operation can result in another error status, the
replier MAY return a status other than NFS4ERR_RETRY_UNCACHED_REP,
provided the operation is not executed in such a way that the
state of the replier is changed. Examples of such an error status
include: NFS4ERR_NOTSUPP returned for an operation that is legal
but not REQUIRED in the current minor versions, and thus not
supported by the replier; NFS4ERR_SEQUENCE_POS; and
NFS4ERR_REQ_TOO_BIG.
The discussion above assumes that the retried request matches the
original one. Section 2.10.6.1.3.1 discusses what the replier might
do, and MUST do when original and retried requests do not match.
Since the replier may only cache a small amount of the information
that would be required to determine whether this is a case of a false
retry, the replier may send to the client any of the following
responses:
o The cached reply to the original request (if the replier has
cached it in its entirety and the users of the original request
and retry match).
o A reply that consists only of the Sequence operation with the
error NFS4ERR_FALSE_RETRY.
o A reply consisting of the response to Sequence with the status
NFS4_OK, together with the second operation as it appeared in the
retried request with an error of NFS4ERR_RETRY_UNCACHED_REP or
other error as described above.
o A reply that consists of the response to Sequence with the status
NFS4_OK, together with the second operation as it appeared in the
original request with an error of NFS4ERR_RETRY_UNCACHED_REP or
other error as described above.
2.10.6.1.3.1. False Retry
If a requester sent a Sequence operation with a slot ID and sequence
ID that are in the reply cache but the replier detected that the
retried request is not the same as the original request, including a
retry that has different operations or different arguments in the
operations from the original and a retry that uses a different
principal in the RPC request's credential field that translates to a
different user, then this is a false retry. When the replier detects
a false retry, it is permitted (but not always obligated) to return
NFS4ERR_FALSE_RETRY in response to the Sequence operation when it
detects a false retry.
Translations of particularly privileged user values to other users
due to the lack of appropriately secure credentials, as configured on
the replier, should be applied before determining whether the users
are the same or different. If the replier determines the users are
different between the original request and a retry, then the replier
MUST return NFS4ERR_FALSE_RETRY.
If an operation of the retry is an illegal operation, or an operation
that was legal in a previous minor version of NFSv4 and MUST NOT be
supported in the current minor version (e.g., SETCLIENTID), the
replier MAY return NFS4ERR_FALSE_RETRY (and MUST do so if the users
of the original request and retry differ). Otherwise, the replier
MAY return NFS4ERR_OP_ILLEGAL or NFS4ERR_BADXDR or NFS4ERR_NOTSUPP as
appropriate. Note that the handling is in contrast for how the
replier deals with retries requests with no cached reply. The
difference is due to NFS4ERR_FALSE_RETRY being a valid error for only
Sequence operations, whereas NFS4ERR_RETRY_UNCACHED_REP is a valid
error for all operations except illegal operations and operations
that MUST NOT be supported in the current minor version of NFSv4.
2.10.6.2. Retry and Replay of Reply 2.10.6.2. Retry and Replay of Reply
A requester MUST NOT retry a request, unless the connection it used A requester MUST NOT retry a request, unless the connection it used
to send the request disconnects. The requester can then reconnect to send the request disconnects. The requester can then reconnect
and re-send the request, or it can re-send the request over a and re-send the request, or it can re-send the request over a
different connection that is associated with the same session. different connection that is associated with the same session.
If the requester is a server wanting to re-send a callback operation If the requester is a server wanting to re-send a callback operation
over the backchannel of session, the requester of course cannot over the backchannel of a session, the requester of course cannot
reconnect because only the client can associate connections with the reconnect because only the client can associate connections with the
backchannel. The server can re-send the request over another backchannel. The server can re-send the request over another
connection that is bound to the same session's backchannel. If there connection that is bound to the same session's backchannel. If there
is no such connection, the server MUST indicate that the session has is no such connection, the server MUST indicate that the session has
no backchannel by setting the SEQ4_STATUS_CB_PATH_DOWN_SESSION flag no backchannel by setting the SEQ4_STATUS_CB_PATH_DOWN_SESSION flag
bit in the response to the next SEQUENCE operation from the client. bit in the response to the next SEQUENCE operation from the client.
The client MUST then associate a connection with the session (or The client MUST then associate a connection with the session (or
destroy the session). destroy the session).
Note that it is not fatal for a client to retry without a disconnect Note that it is not fatal for a requester to retry without a
between the request and retry. However the retry does consume disconnect between the request and retry. However, the retry does
resources, especially with RDMA, where each request, retry or not, consume resources, especially with RDMA, where each request, retry or
consumes a credit. Retries for no reason, especially retries sent not, consumes a credit. Retries for no reason, especially retries
shortly after the previous attempt, are a poor use of network sent shortly after the previous attempt, are a poor use of network
bandwidth and defeat the purpose of a transport's inherent congestion bandwidth and defeat the purpose of a transport's inherent congestion
control system. control system.
A requester MUST wait for a reply to a request before using the slot A requester MUST wait for a reply to a request before using the slot
for another request. If it does not wait for a reply, then the for another request. If it does not wait for a reply, then the
requester does not know what sequence ID to use for the slot on its requester does not know what sequence ID to use for the slot on its
next request. For example, suppose a requester sends a request with next request. For example, suppose a requester sends a request with
sequence ID 1, and does not wait for the response. The next time it sequence ID 1, and does not wait for the response. The next time it
uses the slot, it sends the new request with sequence ID 2. If the uses the slot, it sends the new request with sequence ID 2. If the
replier has not seen the request with sequence ID 1, then the replier replier has not seen the request with sequence ID 1, then the replier
is not expecting sequence ID 2, and rejects the requester's new is not expecting sequence ID 2, and rejects the requester's new
request with NFS4ERR_SEQ_MISORDERED (as the result from SEQUENCE or request with NFS4ERR_SEQ_MISORDERED (as the result from SEQUENCE or
CB_SEQUENCE). CB_SEQUENCE).
RDMA fabrics do not guarantee that the memory handles (Steering Tags) RDMA fabrics do not guarantee that the memory handles (Steering Tags)
within each RPC/RDMA "chunk" ([8]) are valid on a scope outside that within each RPC/RDMA "chunk" [8] are valid on a scope outside that of
of a single connection. Therefore, handles used by the direct a single connection. Therefore, handles used by the direct
operations become invalid after connection loss. The server must operations become invalid after connection loss. The server must
ensure that any RDMA operations which must be replayed from the reply ensure that any RDMA operations that must be replayed from the reply
cache use the newly provided handle(s) from the most recent request. cache use the newly provided handle(s) from the most recent request.
A retry might be sent while the original request is still in progress A retry might be sent while the original request is still in progress
on the replier. The replier SHOULD deal with the issue by returning on the replier. The replier SHOULD deal with the issue by returning
NFS4ERR_DELAY as the reply to SEQUENCE or CB_SEQUENCE operation, but NFS4ERR_DELAY as the reply to SEQUENCE or CB_SEQUENCE operation, but
implementations MAY return NFS4ERR_MISORDERED. Since errors from implementations MAY return NFS4ERR_MISORDERED. Since errors from
SEQUENCE and CB_SEQUENCE are never recorded in the reply cache, this SEQUENCE and CB_SEQUENCE are never recorded in the reply cache, this
approach allows the results of the execution of the original request approach allows the results of the execution of the original request
to be properly recorded in the reply cache (assuming the requester to be properly recorded in the reply cache (assuming that the
specified the reply to be cached). requester specified the reply to be cached).
2.10.6.3. Resolving Server Callback Races 2.10.6.3. Resolving Server Callback Races
It is possible for server callbacks to arrive at the client before It is possible for server callbacks to arrive at the client before
the reply from related fore channel operations. For example, a the reply from related fore channel operations. For example, a
client may have been granted a delegation to a file it has opened, client may have been granted a delegation to a file it has opened,
but the reply to the OPEN (informing the client of the granting of but the reply to the OPEN (informing the client of the granting of
the delegation) may be delayed in the network. If a conflicting the delegation) may be delayed in the network. If a conflicting
operation arrives at the server, it will recall the delegation using operation arrives at the server, it will recall the delegation using
the backchannel, which may be on a different transport connection, the backchannel, which may be on a different transport connection,
perhaps even a different network, or even a different session perhaps even a different network, or even a different session
associated with the same client ID associated with the same client ID.
The presence of a session between client and server alleviates this The presence of a session between the client and server alleviates
issue. When a session is in place, each client request is uniquely this issue. When a session is in place, each client request is
identified by its { session ID, slot ID, sequence ID } triple. By uniquely identified by its { session ID, slot ID, sequence ID }
the rules under which slot entries (reply cache entries) are retired, triple. By the rules under which slot entries (reply cache entries)
the server has knowledge whether the client has "seen" each of the are retired, the server has knowledge whether the client has "seen"
server's replies. The server can therefore provide sufficient each of the server's replies. The server can therefore provide
information to the client to allow it to disambiguate between an sufficient information to the client to allow it to disambiguate
erroneous or conflicting callback race condition. between an erroneous or conflicting callback race condition.
For each client operation which might result in some sort of server For each client operation that might result in some sort of server
callback, the server SHOULD "remember" the { session ID, slot ID, callback, the server SHOULD "remember" the { session ID, slot ID,
sequence ID } triple of the client request until the slot ID sequence ID } triple of the client request until the slot ID
retirement rules allow the server to determine that the client has, retirement rules allow the server to determine that the client has,
in fact, seen the server's reply. Until the time the { session ID, in fact, seen the server's reply. Until the time the { session ID,
slot ID, sequence ID } request triple can be retired, any recalls of slot ID, sequence ID } request triple can be retired, any recalls of
the associated object MUST carry an array of these referring the associated object MUST carry an array of these referring
identifiers (in the CB_SEQUENCE operation's arguments), for the identifiers (in the CB_SEQUENCE operation's arguments), for the
benefit of the client. After this time, it is not necessary for the benefit of the client. After this time, it is not necessary for the
server to provide this information in related callbacks, since it is server to provide this information in related callbacks, since it is
certain that a race condition can no longer occur. certain that a race condition can no longer occur.
The CB_SEQUENCE operation which begins each server callback carries a The CB_SEQUENCE operation that begins each server callback carries a
list of "referring" { session ID, slot ID, sequence ID } triples. If list of "referring" { session ID, slot ID, sequence ID } triples. If
the client finds the request corresponding to the referring session the client finds the request corresponding to the referring session
ID, slot ID and sequence ID to be currently outstanding (i.e. the ID, slot ID, and sequence ID to be currently outstanding (i.e., the
server's reply has not been seen by the client), it can determine server's reply has not been seen by the client), it can determine
that the callback has raced the reply, and act accordingly. If the that the callback has raced the reply, and act accordingly. If the
client does not find the request corresponding the referring triple client does not find the request corresponding to the referring
to be outstanding (including the case of a session ID referring to a triple to be outstanding (including the case of a session ID
destroyed session), then there is no race with respect to this referring to a destroyed session), then there is no race with respect
triple. The server SHOULD limit the referring triples to requests to this triple. The server SHOULD limit the referring triples to
that refer to just those that apply to the objects referred to in the requests that refer to just those that apply to the objects referred
CB_COMPOUND procedure. to in the CB_COMPOUND procedure.
The client must not simply wait forever for the expected server reply The client must not simply wait forever for the expected server reply
to arrive before responding to the CB_COMPOUND that won the race, to arrive before responding to the CB_COMPOUND that won the race,
because it is possible that it will be delayed indefinitely. The because it is possible that it will be delayed indefinitely. The
client should assume the likely case that the reply will arrive client should assume the likely case that the reply will arrive
within the average round trip time for COMPOUND requests to the within the average round-trip time for COMPOUND requests to the
server, and wait that period of time. If that period of time expires server, and wait that period of time. If that period of time
it can respond to the CB_COMPOUND with NFS4ERR_DELAY. expires, it can respond to the CB_COMPOUND with NFS4ERR_DELAY. There
are other scenarios under which callbacks may race replies. Among
There are other scenarios under which callbacks may race replies. them are pNFS layout recalls as described in Section 12.5.5.2.
Among them are pNFS layout recalls as described in Section 12.5.5.2.
2.10.6.4. COMPOUND and CB_COMPOUND Construction Issues 2.10.6.4. COMPOUND and CB_COMPOUND Construction Issues
Very large requests and replies may pose both buffer management Very large requests and replies may pose both buffer management
issues (especially with RDMA) and reply cache issues. When the issues (especially with RDMA) and reply cache issues. When the
session is created, (Section 18.36), for each channel (fore and session is created (Section 18.36), for each channel (fore and back),
back), the client and server negotiate the maximum sized request they the client and server negotiate the maximum-sized request they will
will send or process (ca_maxrequestsize), the maximum sized reply send or process (ca_maxrequestsize), the maximum-sized reply they
they will return or process (ca_maxresponsesize), and the maximum will return or process (ca_maxresponsesize), and the maximum-sized
sized reply they will store in the reply cache reply they will store in the reply cache (ca_maxresponsesize_cached).
(ca_maxresponsesize_cached).
If a request exceeds ca_maxrequestsize, the reply will have the If a request exceeds ca_maxrequestsize, the reply will have the
status NFS4ERR_REQ_TOO_BIG. A replier MAY return NFS4ERR_REQ_TOO_BIG status NFS4ERR_REQ_TOO_BIG. A replier MAY return NFS4ERR_REQ_TOO_BIG
as the status for first operation (SEQUENCE or CB_SEQUENCE) in the as the status for the first operation (SEQUENCE or CB_SEQUENCE) in
request (which means no operations in the request executed, and the the request (which means that no operations in the request executed
state of the slot in the reply cache is unchanged), or it MAY opt to and that the state of the slot in the reply cache is unchanged), or
return it on a subsequent operation in the same COMPOUND or it MAY opt to return it on a subsequent operation in the same
CB_COMPOUND request (which means at least one operation did execute COMPOUND or CB_COMPOUND request (which means that at least one
and the state of the slot in reply cache does change). The replier operation did execute and that the state of the slot in the reply
SHOULD set NFS4ERR_REQ_TOO_BIG on the operation that exceeds cache does change). The replier SHOULD set NFS4ERR_REQ_TOO_BIG on
ca_maxrequestsize. the operation that exceeds ca_maxrequestsize.
If a reply exceeds ca_maxresponsesize, the reply will have the status If a reply exceeds ca_maxresponsesize, the reply will have the status
NFS4ERR_REP_TOO_BIG. A replier MAY return NFS4ERR_REP_TOO_BIG as the NFS4ERR_REP_TOO_BIG. A replier MAY return NFS4ERR_REP_TOO_BIG as the
status for first operation (SEQUENCE or CB_SEQUENCE) in the request, status for the first operation (SEQUENCE or CB_SEQUENCE) in the
or it MAY opt to return it on a subsequent operation (in the same request, or it MAY opt to return it on a subsequent operation (in the
COMPOUND or CB_COMPOUND reply). A replier MAY return same COMPOUND or CB_COMPOUND reply). A replier MAY return
NFS4ERR_REP_TOO_BIG in the reply to SEQUENCE or CB_SEQUENCE, even if NFS4ERR_REP_TOO_BIG in the reply to SEQUENCE or CB_SEQUENCE, even if
the response would still exceed ca_maxresponsesize. the response would still exceed ca_maxresponsesize.
If sa_cachethis or csa_cachethis are TRUE, then the replier MUST If sa_cachethis or csa_cachethis is TRUE, then the replier MUST cache
cache a reply except if an error is returned by the SEQUENCE or a reply except if an error is returned by the SEQUENCE or CB_SEQUENCE
CB_SEQUENCE operation (see Section 2.10.6.1.2). If the reply exceeds operation (see Section 2.10.6.1.2). If the reply exceeds
ca_maxresponsesize_cached, (and sa_cachethis or csa_cachethis are ca_maxresponsesize_cached (and sa_cachethis or csa_cachethis is
TRUE) then the server MUST return NFS4ERR_REP_TOO_BIG_TO_CACHE. Even TRUE), then the server MUST return NFS4ERR_REP_TOO_BIG_TO_CACHE.
if NFS4ERR_REP_TOO_BIG_TO_CACHE (or any other error for that matter) Even if NFS4ERR_REP_TOO_BIG_TO_CACHE (or any other error for that
is returned on a operation other than first operation (SEQUENCE or matter) is returned on an operation other than the first operation
CB_SEQUENCE), then the reply MUST be cached if sa_cachethis or (SEQUENCE or CB_SEQUENCE), then the reply MUST be cached if
csa_cachethis are TRUE. For example, if a COMPOUND has eleven sa_cachethis or csa_cachethis is TRUE. For example, if a COMPOUND
operations, including SEQUENCE, the fifth operation is a RENAME, and has eleven operations, including SEQUENCE, the fifth operation is a
the tenth operation is a READ for one million bytes, the server may RENAME, and the tenth operation is a READ for one million bytes, the
return NFS4ERR_REP_TOO_BIG_TO_CACHE on the tenth operation. Since server may return NFS4ERR_REP_TOO_BIG_TO_CACHE on the tenth
the server executed several operations, especially the non-idempotent operation. Since the server executed several operations, especially
RENAME, the client's request to cache the reply needs to be honored the non-idempotent RENAME, the client's request to cache the reply
in order for correct operation of exactly once semantics. If the needs to be honored in order for the correct operation of exactly
client retries the request, the server will have cached a reply that once semantics. If the client retries the request, the server will
contains results for ten of the eleven requested operations, with the have cached a reply that contains results for ten of the eleven
tenth operation having a status of NFS4ERR_REP_TOO_BIG_TO_CACHE. requested operations, with the tenth operation having a status of
NFS4ERR_REP_TOO_BIG_TO_CACHE.
A client needs to take care that when sending operations that change A client needs to take care that when sending operations that change
the current filehandle (except for PUTFH, PUTPUBFH, PUTROOTFH and the current filehandle (except for PUTFH, PUTPUBFH, PUTROOTFH, and
RESTOREFH) that it not exceed the maximum reply buffer before the RESTOREFH), it not exceed the maximum reply buffer before the GETFH
GETFH operation. Otherwise the client will have to retry the operation. Otherwise, the client will have to retry the operation
operation that changed the current filehandle, in order to obtain the that changed the current filehandle, in order to obtain the desired
desired filehandle. For the OPEN operation (see Section 18.16), filehandle. For the OPEN operation (see Section 18.16), retry is not
retry is not always available as an option. The following guidelines always available as an option. The following guidelines for the
for the handling of filehandle changing operations are advised: handling of filehandle-changing operations are advised:
o Within the same COMPOUND procedure, a client SHOULD send GETFH o Within the same COMPOUND procedure, a client SHOULD send GETFH
immediately after a current filehandle changing operation. A immediately after a current filehandle-changing operation. A
client MUST send GETFH after a current filehandle changing client MUST send GETFH after a current filehandle-changing
operation that is also non-idempotent (e.g., the OPEN operation), operation that is also non-idempotent (e.g., the OPEN operation),
unless the operation is RESTOREFH. RESTOREFH is an exception, unless the operation is RESTOREFH. RESTOREFH is an exception,
because even though it is non-idempotent, the filehandle RESTOREFH because even though it is non-idempotent, the filehandle RESTOREFH
produced originated from an operation that is either idempotent produced originated from an operation that is either idempotent
(e.g. PUTFH, LOOKUP), or non-idempotent (e.g. OPEN, CREATE). If (e.g., PUTFH, LOOKUP), or non-idempotent (e.g., OPEN, CREATE). If
the origin is non-idempotent, then because the client MUST send the origin is non-idempotent, then because the client MUST send
GETFH after the origin operation, the client can recover if GETFH after the origin operation, the client can recover if
RESTOREFH returns an error. RESTOREFH returns an error.
o A server MAY return NFS4ERR_REP_TOO_BIG or o A server MAY return NFS4ERR_REP_TOO_BIG or
NFS4ERR_REP_TOO_BIG_TO_CACHE (if sa_cachethis is TRUE) on a NFS4ERR_REP_TOO_BIG_TO_CACHE (if sa_cachethis is TRUE) on a
filehandle changing operation if the reply would be too large on filehandle-changing operation if the reply would be too large on
the next operation. the next operation.
o A server SHOULD return NFS4ERR_REP_TOO_BIG or o A server SHOULD return NFS4ERR_REP_TOO_BIG or
NFS4ERR_REP_TOO_BIG_TO_CACHE (if sa_cachethis is TRUE) on a NFS4ERR_REP_TOO_BIG_TO_CACHE (if sa_cachethis is TRUE) on a
filehandle changing non-idempotent operation if the reply would be filehandle-changing, non-idempotent operation if the reply would
too large on the next operation, especially if the operation is be too large on the next operation, especially if the operation is
OPEN. OPEN.
o A server MAY return NFS4ERR_UNSAFE_COMPOUND to a non-idempotent o A server MAY return NFS4ERR_UNSAFE_COMPOUND to a non-idempotent
current filehandle changing operation, if it looks at the next current filehandle-changing operation, if it looks at the next
operation (in the same COMPOUND procedure) and finds it is not operation (in the same COMPOUND procedure) and finds it is not
GETFH. The server SHOULD do this if it is unable to determine in GETFH. The server SHOULD do this if it is unable to determine in
advance whether the total response size would exceed advance whether the total response size would exceed
ca_maxresponsesize_cached or ca_maxresponsesize. ca_maxresponsesize_cached or ca_maxresponsesize.
2.10.6.5. Persistence 2.10.6.5. Persistence
Since the reply cache is bounded, it is practical for the reply cache Since the reply cache is bounded, it is practical for the reply cache
to persist across server restarts. The replier MUST persist the to persist across server restarts. The replier MUST persist the
following information if it agreed to persist the session (when the following information if it agreed to persist the session (when the
session was created; see Section 18.36): session was created; see Section 18.36):
o The session ID. o The session ID.
o The slot table including the sequence ID and cached reply for each o The slot table including the sequence ID and cached reply for each
slot. slot.
The above are sufficient for a replier to provide EOS semantics for The above are sufficient for a replier to provide EOS semantics for
any requests that were sent and executed before the server restarted. any requests that were sent and executed before the server restarted.
If the replier is a client then there is no need for it to persist If the replier is a client, then there is no need for it to persist
any more information, unless the client will be persisting all other any more information, unless the client will be persisting all other
state across client restart. In which case, the server will never state across client restart, in which case, the server will never see
see any NFSv4.1-level protocol manifestation of a client restart. If any NFSv4.1-level protocol manifestation of a client restart. If the
the replier is a server, with just the slot table and session ID replier is a server, with just the slot table and session ID
persisting, any requests the client retries after the server restart persisting, any requests the client retries after the server restart
will return the results that are cached in reply cache. and any new will return the results that are cached in the reply cache, and any
requests (i.e. the sequence ID is one (1) greater than the slot's new requests (i.e., the sequence ID is one greater than the slot's
sequence ID) MUST be rejected with NFS4ERR_DEADSESSION (returned by sequence ID) MUST be rejected with NFS4ERR_DEADSESSION (returned by
SEQUENCE). Such a session is considered dead. A server MAY re- SEQUENCE). Such a session is considered dead. A server MAY re-
animate a session after a server restart so that the session will animate a session after a server restart so that the session will
accept new requests as well as retries. To re-animate a session the accept new requests as well as retries. To re-animate a session, the
server needs to persist additional information through server server needs to persist additional information through server
restart: restart:
o The client ID. This is a prerequisite to let the client to create o The client ID. This is a prerequisite to let the client create
more sessions associated with the same client ID as the more sessions associated with the same client ID as the re-
animated session.
o The client ID's sequence ID that is used for creating sessions o The client ID's sequence ID that is used for creating sessions
(see Section 18.35 and Section 18.36). This is a prerequisite to (see Sections 18.35 and 18.36). This is a prerequisite to let the
let the client create more sessions. client create more sessions.
o The principal that created the client ID. This allows the server o The principal that created the client ID. This allows the server
to authenticate the client when it sends EXCHANGE_ID. to authenticate the client when it sends EXCHANGE_ID.
o The SSV, if SP4_SSV state protection was specified when the client o The SSV, if SP4_SSV state protection was specified when the client
ID was created (see Section 18.35). This lets the client create ID was created (see Section 18.35). This lets the client create
new sessions, and associate connections with the new and existing new sessions, and associate connections with the new and existing
sessions. sessions.
o The properties of the client ID as defined in Section 18.35. o The properties of the client ID as defined in Section 18.35.
A persistent reply cache places certain demands on the server. The A persistent reply cache places certain demands on the server. The
execution of the sequence of operations (starting with SEQUENCE) and execution of the sequence of operations (starting with SEQUENCE) and
placement of its results in the persistent cache MUST be atomic. If placement of its results in the persistent cache MUST be atomic. If
a client retries an sequence of operations that was previously a client retries a sequence of operations that was previously
executed on the server the only acceptable outcomes are either the executed on the server, the only acceptable outcomes are either the
original cached reply or an indication that client ID or session has original cached reply or an indication that the client ID or session
been lost (indicating a catastrophic loss of the reply cache or a has been lost (indicating a catastrophic loss of the reply cache or a
session that has been deleted because the client failed to use the session that has been deleted because the client failed to use the
session for an extended period of time). session for an extended period of time).
A server could fail and restart in the middle of a COMPOUND procedure A server could fail and restart in the middle of a COMPOUND procedure
that contains one or more non-idempotent or idempotent-but-modifying that contains one or more non-idempotent or idempotent-but-modifying
operations. This creates an even higher challenge for atomic operations. This creates an even higher challenge for atomic
execution and placement of results in the reply cache. One way to execution and placement of results in the reply cache. One way to
view the problem is as a single transaction consisting of each view the problem is as a single transaction consisting of each
operation in the COMPOUND followed by storing the result in operation in the COMPOUND followed by storing the result in
persistent storage, then finally a transaction commit. If there is a persistent storage, then finally a transaction commit. If there is a
failure before the transaction is committed, then the server rolls failure before the transaction is committed, then the server rolls
back the transaction. If server itself fails, then when it restarts, back the transaction. If the server itself fails, then when it
its recovery logic could roll back the transaction before starting restarts, its recovery logic could roll back the transaction before
the NFSv4.1 server. starting the NFSv4.1 server.
While the description of the implementation for atomic execution of While the description of the implementation for atomic execution of
the request and caching of the reply is beyond the scope of this the request and caching of the reply is beyond the scope of this
document, an example implementation for NFSv2 [37] is described in document, an example implementation for NFSv2 [38] is described in
[38]. [39].
2.10.7. RDMA Considerations 2.10.7. RDMA Considerations
A complete discussion of the operation of RPC-based protocols over A complete discussion of the operation of RPC-based protocols over
RDMA transports is in [8]. A discussion of the operation of NFSv4, RDMA transports is in [8]. A discussion of the operation of NFSv4,
including NFSv4.1, over RDMA is in [9]. Where RDMA is considered, including NFSv4.1, over RDMA is in [9]. Where RDMA is considered,
this specification assumes the use of such a layering; it addresses this specification assumes the use of such a layering; it addresses
only the upper layer issues relevant to making best use of RPC/RDMA. only the upper-layer issues relevant to making best use of RPC/RDMA.
2.10.7.1. RDMA Connection Resources 2.10.7.1. RDMA Connection Resources
RDMA requires its consumers to register memory and post buffers of a RDMA requires its consumers to register memory and post buffers of a
specific size and number for receive operations. specific size and number for receive operations.
Registration of memory can be a relatively high-overhead operation, Registration of memory can be a relatively high-overhead operation,
since it requires pinning of buffers, assignment of attributes (e.g. since it requires pinning of buffers, assignment of attributes (e.g.,
readable/writable), and initialization of hardware translation. readable/writable), and initialization of hardware translation.
Preregistration is desirable to reduce overhead. These registrations Preregistration is desirable to reduce overhead. These registrations
are specific to hardware interfaces and even to RDMA connection are specific to hardware interfaces and even to RDMA connection
endpoints, therefore negotiation of their limits is desirable to endpoints; therefore, negotiation of their limits is desirable to
manage resources effectively. manage resources effectively.
Following basic registration, these buffers must be posted by the RPC Following basic registration, these buffers must be posted by the RPC
layer to handle receives. These buffers remain in use by the RPC/ layer to handle receives. These buffers remain in use by the RPC/
NFSv4.1 implementation; the size and number of them must be known to NFSv4.1 implementation; the size and number of them must be known to
the remote peer in order to avoid RDMA errors which would cause a the remote peer in order to avoid RDMA errors that would cause a
fatal error on the RDMA connection. fatal error on the RDMA connection.
NFSv4.1 manages slots as resources on a per session basis (see NFSv4.1 manages slots as resources on a per-session basis (see
Section 2.10), while RDMA connections manage credits on a per Section 2.10), while RDMA connections manage credits on a per-
connection basis. This means that in order for a peer to send data connection basis. This means that in order for a peer to send data
over RDMA to a remote buffer, it has to have both an NFSv4.1 slot, over RDMA to a remote buffer, it has to have both an NFSv4.1 slot and
and an RDMA credit. If multiple RDMA connections are associated with an RDMA credit. If multiple RDMA connections are associated with a
a session, then if the total number of credits across all RDMA session, then if the total number of credits across all RDMA
connections associated with the session is X, and the number slots in connections associated with the session is X, and the number of slots
the session is Y, then the maximum number of outstanding requests is in the session is Y, then the maximum number of outstanding requests
lesser of X and Y. is the lesser of X and Y.
2.10.7.2. Flow Control 2.10.7.2. Flow Control
Previous versions of NFS do not provide flow control; instead they Previous versions of NFS do not provide flow control; instead, they
rely on the windowing provided by transports like TCP to throttle rely on the windowing provided by transports like TCP to throttle
requests. This does not work with RDMA, which provides no operation requests. This does not work with RDMA, which provides no operation
flow control and will terminate a connection in error when limits are flow control and will terminate a connection in error when limits are
exceeded. Limits such as maximum number of requests outstanding are exceeded. Limits such as maximum number of requests outstanding are
therefore negotiated when a session is created (see the therefore negotiated when a session is created (see the
ca_maxrequests field in Section 18.36). These limits then provide ca_maxrequests field in Section 18.36). These limits then provide
the maxima which each connection associated with the session's the maxima within which each connection associated with the session's
channel(s) must remain within. RDMA connections are managed within channel(s) must remain. RDMA connections are managed within these
these limits as described in section 3.3 ("Flow Control"[[Comment.2: limits as described in Section 3.3 of [8]; if there are multiple RDMA
RFC Editor: please verify section and title of the RPCRDMA document connections, then the maximum number of requests for a channel will
which is currently at be divided among the RDMA connections. Put a different way, the onus
http://tools.ietf.org/html/draft-ietf-nfsv4-rpcrdma-08#section-3.3]]) is on the replier to ensure that the total number of RDMA credits
of [8]; if there are multiple RDMA connections, then the maximum across all connections associated with the replier's channel does
number of requests for a channel will be divided among the RDMA exceed the channel's maximum number of outstanding requests.
connections. Put a different way, the onus is on the replier to
ensure that total number of RDMA credits across all connections
associated with the replier's channel does exceed the channel's
maximum number of outstanding requests.
The limits may also be modified dynamically at the replier's choosing The limits may also be modified dynamically at the replier's choosing
by manipulating certain parameters present in each NFSv4.1 reply. In by manipulating certain parameters present in each NFSv4.1 reply. In
addition, the CB_RECALL_SLOT callback operation (see Section 20.8) addition, the CB_RECALL_SLOT callback operation (see Section 20.8)
can be sent by a server to a client to return RDMA credits to the can be sent by a server to a client to return RDMA credits to the
server, thereby lowering the maximum number of requests a client can server, thereby lowering the maximum number of requests a client can
have outstanding to the server. have outstanding to the server.
2.10.7.3. Padding 2.10.7.3. Padding
Header padding is requested by each peer at session initiation (see Header padding is requested by each peer at session initiation (see
the ca_headerpadsize argument to CREATE_SESSION in Section 18.36), the ca_headerpadsize argument to CREATE_SESSION in Section 18.36),
and subsequently used by the RPC RDMA layer, as described in [8]. and subsequently used by the RPC RDMA layer, as described in [8].
Zero padding is permitted. Zero padding is permitted.
Padding leverages the useful property that RDMA preserve alignment of Padding leverages the useful property that RDMA preserve alignment of
data, even when they are placed into anonymous (untagged) buffers. data, even when they are placed into anonymous (untagged) buffers.
If requested, client inline writes will insert appropriate pad bytes If requested, client inline writes will insert appropriate pad bytes
within the request header to align the data payload on the specified within the request header to align the data payload on the specified
boundary. The client is encouraged to add sufficient padding (up to boundary. The client is encouraged to add sufficient padding (up to
the negotiated size) so that the "data" field of the NFSv4.1 WRITE the negotiated size) so that the "data" field of the WRITE operation
operation is aligned. Most servers can make good use of such is aligned. Most servers can make good use of such padding, which
padding, which allows them to chain receive buffers in such a way allows them to chain receive buffers in such a way that any data
that any data carried by client requests will be placed into carried by client requests will be placed into appropriate buffers at
appropriate buffers at the server, ready for file system processing. the server, ready for file system processing. The receiver's RPC
The receiver's RPC layer encounters no overhead from skipping over layer encounters no overhead from skipping over pad bytes, and the
pad bytes, and the RDMA layer's high performance makes the insertion RDMA layer's high performance makes the insertion and transmission of
and transmission of padding on the sender a significant optimization. padding on the sender a significant optimization. In this way, the
In this way, the need for servers to perform RDMA Read to satisfy all need for servers to perform RDMA Read to satisfy all but the largest
but the largest client writes is obviated. An added benefit is the client writes is obviated. An added benefit is the reduction of
reduction of message round trips on the network - a potentially good message round trips on the network -- a potentially good trade, where
trade, where latency is present. latency is present.
The value to choose for padding is subject to a number of criteria. The value to choose for padding is subject to a number of criteria.
A primary source of variable-length data in the RPC header is the A primary source of variable-length data in the RPC header is the
authentication information, the form of which is client-determined, authentication information, the form of which is client-determined,
possibly in response to server specification. The contents of possibly in response to server specification. The contents of
COMPOUNDs, sizes of strings such as those passed to RENAME, etc. all COMPOUNDs, sizes of strings such as those passed to RENAME, etc. all
go into the determination of a maximal NFSv4.1 request size and go into the determination of a maximal NFSv4.1 request size and
therefore minimal buffer size. The client must select its offered therefore minimal buffer size. The client must select its offered
value carefully, so as not to overburden the server, and vice- versa. value carefully, so as to avoid overburdening the server, and vice
The benefit of an appropriate padding value is higher performance. versa. The benefit of an appropriate padding value is higher
[[Comment.3: RFC editor please keep this diagram on one page.]] performance.
Sender gather: Sender gather:
|RPC Request|Pad bytes|Length| -> |User data...| |RPC Request|Pad bytes|Length| -> |User data...|
\------+----------------------/ \ \------+----------------------/ \
\ \ \ \
\ Receiver scatter: \-----------+- ... \ Receiver scatter: \-----------+- ...
/-----+----------------\ \ \ /-----+----------------\ \ \
|RPC Request|Pad|Length| -> |FS buffer|->|FS buffer|->... |RPC Request|Pad|Length| -> |FS buffer|->|FS buffer|->...
In the above case, the server may recycle unused buffers to the next In the above case, the server may recycle unused buffers to the next
posted receive if unused by the actual received request, or may pass posted receive if unused by the actual received request, or may pass
the now-complete buffers by reference for normal write processing. the now-complete buffers by reference for normal write processing.
For a server which can make use of it, this removes any need for data For a server that can make use of it, this removes any need for data
copies of incoming data, without resorting to complicated end-to-end copies of incoming data, without resorting to complicated end-to-end
buffer advertisement and management. This includes most kernel-based buffer advertisement and management. This includes most kernel-based
and integrated server designs, among many others. The client may and integrated server designs, among many others. The client may
perform similar optimizations, if desired. perform similar optimizations, if desired.
2.10.7.4. Dual RDMA and Non-RDMA Transports 2.10.7.4. Dual RDMA and Non-RDMA Transports
Some RDMA transports (e.g., RFC5040 [10]), permit a "streaming" (non- Some RDMA transports (e.g., RFC 5040 [10]) permit a "streaming" (non-
RDMA) phase, where ordinary traffic might flow before "stepping up" RDMA) phase, where ordinary traffic might flow before "stepping up"
to RDMA mode, commencing RDMA traffic. Some RDMA transports start to RDMA mode, commencing RDMA traffic. Some RDMA transports start
connections always in RDMA mode. NFSv4.1 allows, but does not connections always in RDMA mode. NFSv4.1 allows, but does not
assume, a streaming phase before RDMA mode. When a connection is assume, a streaming phase before RDMA mode. When a connection is
associated with a session, the client and server negotiate whether associated with a session, the client and server negotiate whether
the connection is used in RDMA or non-RDMA mode (see Section 18.36 the connection is used in RDMA or non-RDMA mode (see Sections 18.36
and Section 18.34). and 18.34).
2.10.8. Sessions Security 2.10.8. Session Security
2.10.8.1. Session Callback Security 2.10.8.1. Session Callback Security
Via session / connection association, NFSv4.1 improves security over Via session/connection association, NFSv4.1 improves security over
that provided by NFSv4.0 for the backchannel. The connection is that provided by NFSv4.0 for the backchannel. The connection is
client-initiated (see Section 18.34), and subject to the same client-initiated (see Section 18.34) and subject to the same firewall
firewall and routing checks as the fore channel. At the client's and routing checks as the fore channel. At the client's option (see
option (see Section 18.35), connection association is fully Section 18.35), connection association is fully authenticated before
authenticated before being activated (see Section 18.34). Traffic being activated (see Section 18.34). Traffic from the server over
from the server over the backchannel is authenticated exactly as the the backchannel is authenticated exactly as the client specifies (see
client specifies (see Section 2.10.8.2). Section 2.10.8.2).
2.10.8.2. Backchannel RPC Security 2.10.8.2. Backchannel RPC Security
When the NFSv4.1 client establishes the backchannel, it informs the When the NFSv4.1 client establishes the backchannel, it informs the
server of the security flavors and principals to use when sending server of the security flavors and principals to use when sending
requests. If the security flavor is RPCSEC_GSS, the client expresses requests. If the security flavor is RPCSEC_GSS, the client expresses
the principal in the form of an established RPCSEC_GSS context. The the principal in the form of an established RPCSEC_GSS context. The
server is free to use any of the flavor/principal combinations the server is free to use any of the flavor/principal combinations the
client offers, but it MUST NOT use unoffered combinations. This way, client offers, but it MUST NOT use unoffered combinations. This way,
the client need not provide a target GSS principal for the the client need not provide a target GSS principal for the
backchannel as it did with NFSv4.0, nor the server have to implement backchannel as it did with NFSv4.0, nor does the server have to
an RPCSEC_GSS initiator as it did with NFSv4.0 [29]. implement an RPCSEC_GSS initiator as it did with NFSv4.0 [30].
The CREATE_SESSION (Section 18.36) and BACKCHANNEL_CTL The CREATE_SESSION (Section 18.36) and BACKCHANNEL_CTL
(Section 18.33) operations allow the client to specify flavor/ (Section 18.33) operations allow the client to specify flavor/
principal combinations. principal combinations.
Also note that the SP4_SSV state protection mode (see Section 18.35 Also note that the SP4_SSV state protection mode (see Sections 18.35
and Section 2.10.8.3) has the side benefit of providing SSV-derived and 2.10.8.3) has the side benefit of providing SSV-derived
RPCSEC_GSS contexts (Section 2.10.9). RPCSEC_GSS contexts (Section 2.10.9).
2.10.8.3. Protection from Unauthorized State Changes 2.10.8.3. Protection from Unauthorized State Changes
As described to this point in the specification, the state model of As described to this point in the specification, the state model of
NFSv4.1 is vulnerable to an attacker that sends a SEQUENCE operation NFSv4.1 is vulnerable to an attacker that sends a SEQUENCE operation
with a forged session ID and with a slot ID that it expects the with a forged session ID and with a slot ID that it expects the
legitimate client to use next. When the legitimate client uses the legitimate client to use next. When the legitimate client uses the
slot ID with the same sequence number, the server returns the slot ID with the same sequence number, the server returns the
attacker's result from the reply cache which disrupts the legitimate attacker's result from the reply cache, which disrupts the legitimate
client and thus denies service to it. Similarly an attacker could client and thus denies service to it. Similarly, an attacker could
send a CREATE_SESSION with a forged client ID to create a new session send a CREATE_SESSION with a forged client ID to create a new session
associated with the client ID. The attacker could send requests associated with the client ID. The attacker could send requests
using the new session that change locking state, such as LOCKU using the new session that change locking state, such as LOCKU
operations to release locks the legitimate client has acquired. operations to release locks the legitimate client has acquired.
Setting a security policy on the file which requires RPCSEC_GSS Setting a security policy on the file that requires RPCSEC_GSS
credentials when manipulating the file's state is one potential work credentials when manipulating the file's state is one potential work
around, but has the disadvantage of preventing a legitimate client around, but has the disadvantage of preventing a legitimate client
from releasing state when RPCSEC_GSS is required to do so, but a GSS from releasing state when RPCSEC_GSS is required to do so, but a GSS
context cannot be obtained (possibly because the user has logged off context cannot be obtained (possibly because the user has logged off
the client). the client).
NFSv4.1 provides three options to a client for state protection which NFSv4.1 provides three options to a client for state protection,
are specified when a client creates a client ID via EXCHANGE_ID which are specified when a client creates a client ID via EXCHANGE_ID
(Section 18.35). (Section 18.35).
The first (SP4_NONE) is to simply waive state protection. The first (SP4_NONE) is to simply waive state protection.
The other two options (SP4_MACH_CRED and SP4_SSV) share several The other two options (SP4_MACH_CRED and SP4_SSV) share several
traits: traits:
o An RPCSEC_GSS-based credential is used to authenticate client ID o An RPCSEC_GSS-based credential is used to authenticate client ID
and session maintenance operations, including creating and and session maintenance operations, including creating and
destroying a session, associating a connection with the session, destroying a session, associating a connection with the session,
skipping to change at page 69, line 50 skipping to change at page 69, line 44
might have to be the same as the one that acquired the state). might have to be the same as the one that acquired the state).
However, the client might not have an RPCSEC_GSS context for such However, the client might not have an RPCSEC_GSS context for such
a principal, and might not be able to create such a context a principal, and might not be able to create such a context
(perhaps because the user has logged off). When the client (perhaps because the user has logged off). When the client
establishes SP4_MACH_CRED or SP4_SSV protection, it can specify a establishes SP4_MACH_CRED or SP4_SSV protection, it can specify a
list of operations that the server MUST allow using the machine list of operations that the server MUST allow using the machine
credential (if SP4_MACH_CRED is used) or the SSV credential (if credential (if SP4_MACH_CRED is used) or the SSV credential (if
SP4_SSV is used). SP4_SSV is used).
The SP4_MACH_CRED state protection option uses a machine credential The SP4_MACH_CRED state protection option uses a machine credential
where the principal that creates the client ID, MUST also be the where the principal that creates the client ID MUST also be the
principal that performs client ID and session maintenance operations. principal that performs client ID and session maintenance operations.
The security of the machine credential state protection approach The security of the machine credential state protection approach
depends entirely on safe guarding the per-machine credential. depends entirely on safe guarding the per-machine credential.
Assuming a proper safe guard, using the per-machine credential for Assuming a proper safeguard using the per-machine credential for
operations like CREATE_SESSION, BIND_CONN_TO_SESSION, operations like CREATE_SESSION, BIND_CONN_TO_SESSION,
DESTROY_SESSION, and DESTROY_CLIENTID will prevent an attacker from DESTROY_SESSION, and DESTROY_CLIENTID will prevent an attacker from
associating a rogue connection with a session, or associating a rogue associating a rogue connection with a session, or associating a rogue
session with a client ID. session with a client ID.
There are at least three scenarios for the SP4_MACH_CRED option: There are at least three scenarios for the SP4_MACH_CRED option:
1. That the system administrator configures a unique, permanent per- 1. The system administrator configures a unique, permanent per-
machine credential for one of the mandated GSS mechanisms (e.g., machine credential for one of the mandated GSS mechanisms (e.g.,
if Kerberos V5 is used, a "keytab" containing a principal derived if Kerberos V5 is used, a "keytab" containing a principal derived
from a client host name could be used). from a client host name could be used).
2. The client is used by a single user, and so the client ID and its 2. The client is used by a single user, and so the client ID and its
sessions are used by just that user. If the user's credential sessions are used by just that user. If the user's credential
expires, then session and client ID maintenance cannot occur, but expires, then session and client ID maintenance cannot occur, but
since the client has a single user, only that user is since the client has a single user, only that user is
inconvenienced. inconvenienced.
3. The physical client has multiple users, but the client 3. The physical client has multiple users, but the client
implementation has a unique client ID for each user. This is implementation has a unique client ID for each user. This is
effectively the same as the second scenario, but a disadvantage effectively the same as the second scenario, but a disadvantage
is that each user needs to be allocated at least one session is that each user needs to be allocated at least one session
each, so the approach suffers from lack of economy. each, so the approach suffers from lack of economy.
The SP4_SSV protection option uses the SSV (Section 1.5), via The SP4_SSV protection option uses the SSV (Section 1.6), via
RPCSEC_GSS and the SSV GSS mechanism (Section 2.10.9) to protect RPCSEC_GSS and the SSV GSS mechanism (Section 2.10.9), to protect
state from attack. The SP4_SSV protection option is intended for the state from attack. The SP4_SSV protection option is intended for the
situation comprised of a client that has multiple active users, and a situation comprised of a client that has multiple active users and a
system administrator who wants to avoid the burden of installing a system administrator who wants to avoid the burden of installing a
permanent machine credential on each client. The SSV is established permanent machine credential on each client. The SSV is established
and updated on the server via SET_SSV (see Section 18.47). To and updated on the server via SET_SSV (see Section 18.47). To
prevent eavesdropping, a client SHOULD send SET_SSV via RPCSEC_GSS prevent eavesdropping, a client SHOULD send SET_SSV via RPCSEC_GSS
with the privacy service. Several aspects of the SSV make it with the privacy service. Several aspects of the SSV make it
intractable for an attacker to guess the SSV, and thus associate intractable for an attacker to guess the SSV, and thus associate
rogue connections with a session, and rogue sessions with a client rogue connections with a session, and rogue sessions with a client
ID: ID:
o The arguments to and results of SET_SSV include digests of the old o The arguments to and results of SET_SSV include digests of the old
skipping to change at page 71, line 26 skipping to change at page 71, line 23
named Eve on a victim named Bob, and how SP4_SSV protection foils named Eve on a victim named Bob, and how SP4_SSV protection foils
each attack: each attack:
o Suppose Eve is the first user to log into a legitimate client. o Suppose Eve is the first user to log into a legitimate client.
Eve's use of an NFSv4.1 file system will cause the legitimate Eve's use of an NFSv4.1 file system will cause the legitimate
client to create a client ID with SP4_SSV protection, specifying client to create a client ID with SP4_SSV protection, specifying
that the BIND_CONN_TO_SESSION operation MUST use the SSV that the BIND_CONN_TO_SESSION operation MUST use the SSV
credential. Eve's use of the file system also causes an SSV to be credential. Eve's use of the file system also causes an SSV to be
created. The SET_SSV operation that creates the SSV will be created. The SET_SSV operation that creates the SSV will be
protected by the RPCSEC_GSS context created by the legitimate protected by the RPCSEC_GSS context created by the legitimate
client which uses Eve's GSS principal and credentials. Eve can client, which uses Eve's GSS principal and credentials. Eve can
eavesdrop on the network while her RPCSEC_GSS context is created, eavesdrop on the network while her RPCSEC_GSS context is created
and the SET_SSV using her context is sent. Even if the legitimate and the SET_SSV using her context is sent. Even if the legitimate
client sends the SET_SSV with RPC_GSS_SVC_PRIVACY, because Eve client sends the SET_SSV with RPC_GSS_SVC_PRIVACY, because Eve
knows her own credentials, she can decrypt the SSV. Eve can knows her own credentials, she can decrypt the SSV. Eve can
compute an RPCSEC_GSS credential that BIND_CONN_TO_SESSION will compute an RPCSEC_GSS credential that BIND_CONN_TO_SESSION will
accept, and so associate a new connection with the legitimate accept, and so associate a new connection with the legitimate
session. Eve can change the slot ID and sequence state of a session. Eve can change the slot ID and sequence state of a
legitimate session, and/or the SSV state, in such a way that when legitimate session, and/or the SSV state, in such a way that when
Bob accesses the server via the same legitimate client, the Bob accesses the server via the same legitimate client, the
legitimate client will be unable to use the session. legitimate client will be unable to use the session.
The client's only recourse is to create a new client ID for Bob to The client's only recourse is to create a new client ID for Bob to
use, and establish a new SSV for the client ID. The client will use, and establish a new SSV for the client ID. The client will
be unable to delete the old client ID, and will let the lease on be unable to delete the old client ID, and will let the lease on
the old client ID expire. the old client ID expire.
Once the legitimate client establishes an SSV over the new session Once the legitimate client establishes an SSV over the new session
using Bob's RPCSEC_GSS context, Eve can use the new session via using Bob's RPCSEC_GSS context, Eve can use the new session via
the legitimate client, but she cannot disrupt Bob. Moreover, the legitimate client, but she cannot disrupt Bob. Moreover,
because the client SHOULD have modified the SSV due to Eve using because the client SHOULD have modified the SSV due to Eve using
the new session, Bob cannot get revenge on Eve by associating a the new session, Bob cannot get revenge on Eve by associating a
rogue connection with the session. rogue connection with the session.
The question is how did the legitimate client detect that Eve has The question is how did the legitimate client detect that Eve has
hijacked the old session? When the client detects that a new hijacked the old session? When the client detects that a new
principal, Bob, wants to use the session, it SHOULD have sent a principal, Bob, wants to use the session, it SHOULD have sent a
SET_SSV, which leads to following sub-scenarios: SET_SSV, which leads to the following sub-scenarios:
* Let us suppose that from the rogue connection, Eve sent a * Let us suppose that from the rogue connection, Eve sent a
SET_SSV with the same slot ID and sequence ID that the SET_SSV with the same slot ID and sequence ID that the
legitimate client later uses. The server will assume the legitimate client later uses. The server will assume the
SET_SSV sent with Bob's credentials is a retry, and return to SET_SSV sent with Bob's credentials is a retry, and return to
the legitimate client the reply it sent Eve. However, unless the legitimate client the reply it sent Eve. However, unless
Eve can correctly guess the SSV the legitimate client will use, Eve can correctly guess the SSV the legitimate client will use,
the digest verification checks in the SET_SSV response will the digest verification checks in the SET_SSV response will
fail. That is an indication to the client that the session has fail. That is an indication to the client that the session has
apparently been hijacked. apparently been hijacked.
* Alternatively, Eve sent a SET_SSV with a different slot ID than * Alternatively, Eve sent a SET_SSV with a different slot ID than
the legitimate client uses for its SET_SSV. Then the digest the legitimate client uses for its SET_SSV. Then the digest
verification of the SET_SSV sent with Bob's credentials fails verification of the SET_SSV sent with Bob's credentials fails
on the server, and the error returned to the client makes it on the server, and the error returned to the client makes it
apparent that the session has been hijacked. apparent that the session has been hijacked.
* Alternatively, Eve sent an operation other than SET_SSV, but * Alternatively, Eve sent an operation other than SET_SSV, but
with the same slot ID and sequence that the legitimate client with the same slot ID and sequence that the legitimate client
uses for its SET_SSV. The server returns to the legitimate uses for its SET_SSV. The server returns to the legitimate
client the response it sent Eve. The client sees that the client the response it sent Eve. The client sees that the
response is not at all what it expects. The client assumes response is not at all what it expects. The client assumes
either session hijacking or a server bug, and either way either session hijacking or a server bug, and either way
destroys the old session. destroys the old session.
o Eve associates a rogue connection with the session as above, and o Eve associates a rogue connection with the session as above, and
then destroys the session. Again, Bob goes to use the server from then destroys the session. Again, Bob goes to use the server from
the legitimate client, which sends a SET_SSV using Bob's the legitimate client, which sends a SET_SSV using Bob's
credentials. The client receives an error that indicates the credentials. The client receives an error that indicates that the
session does not exist. When the client tries to create a new session does not exist. When the client tries to create a new
session, this will fail because the SSV it has does not match that session, this will fail because the SSV it has does not match that
the server has, and now the client knows the session was hijacked. which the server has, and now the client knows the session was
The legitimate client establishes a new client ID. hijacked. The legitimate client establishes a new client ID.
o If Eve creates a connection before the legitimate client o If Eve creates a connection before the legitimate client
establishes an SSV, because the initial value of the SSV is zero establishes an SSV, because the initial value of the SSV is zero
and therefore known, Eve can send a SET_SSV that will pass the and therefore known, Eve can send a SET_SSV that will pass the
digest verification check. However because the new connection has digest verification check. However, because the new connection
not been associated with the session, the SET_SSV is rejected for has not been associated with the session, the SET_SSV is rejected
that reason. for that reason.
In summary, an attacker's disruption of state when SP4_SSV protection In summary, an attacker's disruption of state when SP4_SSV protection
is in use is limited to the formative period of a client ID, its is in use is limited to the formative period of a client ID, its
first session, and the establishment of the SSV. Once a non- first session, and the establishment of the SSV. Once a non-
malicious user uses the client ID, the client quickly detects any malicious user uses the client ID, the client quickly detects any
hijack and rectifies the situation. Once a non-malicious user hijack and rectifies the situation. Once a non-malicious user
successfully modifies the SSV, the attacker cannot use NFSv4.1 successfully modifies the SSV, the attacker cannot use NFSv4.1
operations to disrupt the non-malicious user. operations to disrupt the non-malicious user.
Note that neither the SP4_MACH_CRED nor SP4_SSV protection approaches Note that neither the SP4_MACH_CRED nor SP4_SSV protection approaches
prevent hijacking of a transport connection that has previously been prevent hijacking of a transport connection that has previously been
associated with a session. If the goal of a counter threat strategy associated with a session. If the goal of a counter-threat strategy
is to prevent connection hijacking, the use of IPsec is RECOMMENDED. is to prevent connection hijacking, the use of IPsec is RECOMMENDED.
If a connection hijack occurs, the hijacker could in theory change If a connection hijack occurs, the hijacker could in theory change
locking state and negatively impact the service to legitimate locking state and negatively impact the service to legitimate
clients. However if the server is configured to require the use of clients. However, if the server is configured to require the use of
RPCSEC_GSS with integrity or privacy on the affected file objects, RPCSEC_GSS with integrity or privacy on the affected file objects,
and if EXCHGID4_FLAG_BIND_PRINC_STATEID capability (Section 18.35), and if EXCHGID4_FLAG_BIND_PRINC_STATEID capability (Section 18.35) is
is in force, this will thwart unauthorized attempts to change locking in force, this will thwart unauthorized attempts to change locking
state. state.
2.10.9. The Secret State Verifier (SSV) GSS Mechanism 2.10.9. The Secret State Verifier (SSV) GSS Mechanism
The SSV provides the secret key for a GSS mechanism internal to The SSV provides the secret key for a GSS mechanism internal to
NFSv4.1 that NFSv4.1 uses for state protection. Contexts for this NFSv4.1 that NFSv4.1 uses for state protection. Contexts for this
mechanism are not established via the RPCSEC_GSS protocol. Instead, mechanism are not established via the RPCSEC_GSS protocol. Instead,
the contexts are automatically created when EXCHANGE_ID specifies the contexts are automatically created when EXCHANGE_ID specifies
SP4_SSV protection. The only tokens defined are the PerMsgToken SP4_SSV protection. The only tokens defined are the PerMsgToken
(emitted by GSS_GetMIC) and the SealedMessage token (emitted by (emitted by GSS_GetMIC) and the SealedMessage token (emitted by
GSS_Wrap). GSS_Wrap).
The mechanism OID for the SSV mechanism is: The mechanism OID for the SSV mechanism is
iso.org.dod.internet.private.enterprise.Michael Eisler.nfs.ssv_mech iso.org.dod.internet.private.enterprise.Michael Eisler.nfs.ssv_mech
(1.3.6.1.4.1.28882.1.1). While the SSV mechanism does not define any (1.3.6.1.4.1.28882.1.1). While the SSV mechanism does not define any
initial context tokens, the OID can be used to let servers indicate initial context tokens, the OID can be used to let servers indicate
that the SSV mechanism is acceptable whenever the client sends a that the SSV mechanism is acceptable whenever the client sends a
SECINFO or SECINFO_NO_NAME operation (see Section 2.6). SECINFO or SECINFO_NO_NAME operation (see Section 2.6).
The SSV mechanism defines four subkeys derived from the SSV value. The SSV mechanism defines four subkeys derived from the SSV value.
Each time SET_SSV is invoked the subkeys are recalculated by the Each time SET_SSV is invoked, the subkeys are recalculated by the
client and server. The calculation of each of the four subkeys client and server. The calculation of each of the four subkeys
depends on each of the four respective ssv_subkey4 enumerated values. depends on each of the four respective ssv_subkey4 enumerated values.
The calculation uses the HMAC [11], algorithm, using the current SSV The calculation uses the HMAC [11] algorithm, using the current SSV
as the key, the one way hash algorithm as negotiated by EXCHANGE_ID, as the key, the one-way hash algorithm as negotiated by EXCHANGE_ID,
and the input text as represented by the XDR encoded enumeration and the input text as represented by the XDR encoded enumeration
value for that subkey of data type ssv_subkey4. If the length of the value for that subkey of data type ssv_subkey4. If the length of the
output of the HMAC algorithm exceeds the length of key of encryption output of the HMAC algorithm exceeds the length of key of the
algorithm (which is also negotiated by EXCHANGE_ID), then the subkey encryption algorithm (which is also negotiated by EXCHANGE_ID), then
MUST be truncated from the HMAC output, i.e. if the subkey is of N the subkey MUST be truncated from the HMAC output, i.e., if the
bytes long, then the first N bytes of the HMAC output MUST be used subkey is of N bytes long, then the first N bytes of the HMAC output
for the subkey. The specification of EXCHANGE_ID states that the MUST be used for the subkey. The specification of EXCHANGE_ID states
length of the output of the HMAC algorithm MUST NOT be less than that the length of the output of the HMAC algorithm MUST NOT be less
length of subkey needed for the encryption algorithm (see than the length of subkey needed for the encryption algorithm (see
Section 18.35). Section 18.35).
/* Input for computing subkeys */ /* Input for computing subkeys */
enum ssv_subkey4 { enum ssv_subkey4 {
SSV4_SUBKEY_MIC_I2T = 1, SSV4_SUBKEY_MIC_I2T = 1,
SSV4_SUBKEY_MIC_T2I = 2, SSV4_SUBKEY_MIC_T2I = 2,
SSV4_SUBKEY_SEAL_I2T = 3, SSV4_SUBKEY_SEAL_I2T = 3,
SSV4_SUBKEY_SEAL_T2I = 4 SSV4_SUBKEY_SEAL_T2I = 4
}; };
The subkey derived from SSV4_SUBKEY_MIC_I2T is used for calculating The subkey derived from SSV4_SUBKEY_MIC_I2T is used for calculating
message integrity codes (MICs) that originate from the NFSv4.1 message integrity codes (MICs) that originate from the NFSv4.1
client, whether as part of a request over the fore channel, or a client, whether as part of a request over the fore channel or a
response over the backchannel. The subkey derived from response over the backchannel. The subkey derived from
SSV4_SUBKEY_MIC_T2I is used for MICs originating from the NFSv4.1 SSV4_SUBKEY_MIC_T2I is used for MICs originating from the NFSv4.1
server. The subkey derived from SSV4_SUBKEY_SEAL_I2T is used for server. The subkey derived from SSV4_SUBKEY_SEAL_I2T is used for
encryption text originating from the NFSv4.1 client and the subkey encryption text originating from the NFSv4.1 client, and the subkey
derived from SSV4_SUBKEY_SEAL_T2I is used for encryption text derived from SSV4_SUBKEY_SEAL_T2I is used for encryption text
originating from the NFSv4.1 server. originating from the NFSv4.1 server.
The PerMsgToken description is based on an XDR definition: The PerMsgToken description is based on an XDR definition:
/* Input for computing smt_hmac */ /* Input for computing smt_hmac */
struct ssv_mic_plain_tkn4 { struct ssv_mic_plain_tkn4 {
uint32_t smpt_ssv_seq; uint32_t smpt_ssv_seq;
opaque smpt_orig_plain<>; opaque smpt_orig_plain<>;
}; };
/* SSV GSS PerMsgToken token */ /* SSV GSS PerMsgToken token */
struct ssv_mic_tkn4 { struct ssv_mic_tkn4 {
uint32_t smt_ssv_seq; uint32_t smt_ssv_seq;
opaque smt_hmac<>; opaque smt_hmac<>;
}; };
The field smt_hmac is an HMAC calculated by using the subkey derived The field smt_hmac is an HMAC calculated by using the subkey derived
from SSV4_SUBKEY_MIC_I2T or SSV4_SUBKEY_MIC_T2I as the key, the one from SSV4_SUBKEY_MIC_I2T or SSV4_SUBKEY_MIC_T2I as the key, the one-
way hash algorithm as negotiated by EXCHANGE_ID, and the input text way hash algorithm as negotiated by EXCHANGE_ID, and the input text
as represented by data of type ssv_mic_plain_tkn4. The field as represented by data of type ssv_mic_plain_tkn4. The field
smpt_ssv_seq is the same as smt_ssv_seq. The field smpt_orig_plain smpt_ssv_seq is the same as smt_ssv_seq. The field smpt_orig_plain
is the "message" input passed to GSS_GetMIC() (see Section 2.3.1 of is the "message" input passed to GSS_GetMIC() (see Section 2.3.1 of
[7]). The caller of GSS_GetMIC() provides a pointer to a buffer [7]). The caller of GSS_GetMIC() provides a pointer to a buffer
containing the plain text. The SSV mechanism's entry point for containing the plain text. The SSV mechanism's entry point for
GSS_GetMIC() encodes this into an opaque array, and the encoding will GSS_GetMIC() encodes this into an opaque array, and the encoding will
include an initial four byte length, plus any necessary padding. include an initial four-byte length, plus any necessary padding.
Prepended to this will be the XDR encoded value of smpt_ssv_seq thus Prepended to this will be the XDR encoded value of smpt_ssv_seq, thus
making up an XDR encoding of a value of data type ssv_mic_plain_tkn4, making up an XDR encoding of a value of data type ssv_mic_plain_tkn4,
which in turn is the input into the HMAC. which in turn is the input into the HMAC.
The token emitted by GSS_GetMIC() is XDR encoded and of XDR data type The token emitted by GSS_GetMIC() is XDR encoded and of XDR data type
ssv_mic_tkn4. The field smt_ssv_seq comes from the SSV sequence ssv_mic_tkn4. The field smt_ssv_seq comes from the SSV sequence
number which is equal to 1 after SET_SSV (Section 18.47) is called number, which is equal to one after SET_SSV (Section 18.47) is called
the first time on a client ID. Thereafter, the SSV sequence number the first time on a client ID. Thereafter, the SSV sequence number
is incremented on each SET_SSV. Thus smt_ssv_seq represents the is incremented on each SET_SSV. Thus, smt_ssv_seq represents the
version of the SSV at the time GSS_GetMIC() was called. As noted in version of the SSV at the time GSS_GetMIC() was called. As noted in
Section 18.35, the client and server can maintain multiple concurrent Section 18.35, the client and server can maintain multiple concurrent
versions of the SSV. This allows the SSV to be changed without versions of the SSV. This allows the SSV to be changed without
serializing all RPC calls that use the SSV mechanism with SET_SSV serializing all RPC calls that use the SSV mechanism with SET_SSV
operations. Once the HMAC is calculated, it is XDR encoded into operations. Once the HMAC is calculated, it is XDR encoded into
smt_hmac, which will include an initial four byte length, and any smt_hmac, which will include an initial four-byte length, and any
necessary padding. Prepended to this will be the XDR encoded value necessary padding. Prepended to this will be the XDR encoded value
of smt_ssv_seq. of smt_ssv_seq.
The SealedMessage description is based on an XDR definition: The SealedMessage description is based on an XDR definition:
/* Input for computing ssct_encr_data and ssct_hmac */ /* Input for computing ssct_encr_data and ssct_hmac */
struct ssv_seal_plain_tkn4 { struct ssv_seal_plain_tkn4 {
opaque sspt_confounder<>; opaque sspt_confounder<>;
uint32_t sspt_ssv_seq; uint32_t sspt_ssv_seq;
opaque sspt_orig_plain<>; opaque sspt_orig_plain<>;
skipping to change at page 76, line 16 skipping to change at page 75, line 49
The ssct_ssv_seq field has the same meaning as smt_ssv_seq. The ssct_ssv_seq field has the same meaning as smt_ssv_seq.
The ssct_encr_data field is the result of encrypting a value of the The ssct_encr_data field is the result of encrypting a value of the
XDR encoded data type ssv_seal_plain_tkn4. The encryption key is the XDR encoded data type ssv_seal_plain_tkn4. The encryption key is the
subkey derived from SSV4_SUBKEY_SEAL_I2T or SSV4_SUBKEY_SEAL_T2I, and subkey derived from SSV4_SUBKEY_SEAL_I2T or SSV4_SUBKEY_SEAL_T2I, and
the encryption algorithm is that negotiated by EXCHANGE_ID. the encryption algorithm is that negotiated by EXCHANGE_ID.
The ssct_iv field is the initialization vector (IV) for the The ssct_iv field is the initialization vector (IV) for the
encryption algorithm (if applicable) and is sent in clear text. The encryption algorithm (if applicable) and is sent in clear text. The
content and size of the IV MUST comply with specification of the content and size of the IV MUST comply with the specification of the
encryption algorithm. For example, the id-aes256-CBC algorithm MUST encryption algorithm. For example, the id-aes256-CBC algorithm MUST
use a 16 byte initialization vector (IV) which MUST be unpredictable use a 16-byte initialization vector (IV), which MUST be unpredictable
for each instance of a value of type ssv_seal_plain_tkn4 that is for each instance of a value of data type ssv_seal_plain_tkn4 that is
encrypted with a particular SSV key. encrypted with a particular SSV key.
The ssct_hmac field is the result of computing an HMAC using value of The ssct_hmac field is the result of computing an HMAC using the
the XDR encoded data type ssv_seal_plain_tkn4 as the input text. The value of the XDR encoded data type ssv_seal_plain_tkn4 as the input
key is the subkey derived from SSV4_SUBKEY_MIC_I2T or text. The key is the subkey derived from SSV4_SUBKEY_MIC_I2T or
SSV4_SUBKEY_MIC_T2I, and the one way hash algorithm is that SSV4_SUBKEY_MIC_T2I, and the one-way hash algorithm is that
negotiated by EXCHANGE_ID. negotiated by EXCHANGE_ID.
The sspt_confounder field is a random value. The sspt_confounder field is a random value.
The sspt_ssv_seq field is the same as ssvt_ssv_seq. The sspt_ssv_seq field is the same as ssvt_ssv_seq.
The field sspt_orig_plain field is the original plaintext and is the The field sspt_orig_plain field is the original plaintext and is the
"input_message" input passed to GSS_Wrap() (see Section 2.3.3 of "input_message" input passed to GSS_Wrap() (see Section 2.3.3 of
[7]). As with the handling of the plaintext by the SSV mechanism's [7]). As with the handling of the plaintext by the SSV mechanism's
GSS_GetMIC() entry point, the entry point for GSS_Wrap() expects a GSS_GetMIC() entry point, the entry point for GSS_Wrap() expects a
pointer to the plaintext, and will XDR encode an opaque array into pointer to the plaintext, and will XDR encode an opaque array into
sspt_orig_plain representing the plain text, along with the other sspt_orig_plain representing the plain text, along with the other
fields of an instance of data type ssv_seal_plain_tkn4. fields of an instance of data type ssv_seal_plain_tkn4.
The sspt_pad field is present to support encryption algorithms that The sspt_pad field is present to support encryption algorithms that
require inputs to be in fixed sized blocks. The content of sspt_pad require inputs to be in fixed-sized blocks. The content of sspt_pad
is zero filled except for the length. Beware that the XDR encoding is zero filled except for the length. Beware that the XDR encoding
of ssv_seal_plain_tkn4 contains three variable length arrays, and so of ssv_seal_plain_tkn4 contains three variable-length arrays, and so
each array consumes four bytes for an array length, and each array each array consumes four bytes for an array length, and each array
that follows the length is always padded to a multiple of four bytes that follows the length is always padded to a multiple of four bytes
per the XDR standard. per the XDR standard.
For example suppose the encryption algorithm uses 16 byte blocks, and For example, suppose the encryption algorithm uses 16-byte blocks,
the sspt_confounder is three bytes long, and the sspt_orig_plain and the sspt_confounder is three bytes long, and the sspt_orig_plain
field is 15 bytes long. The XDR encoding of sspt_confounder uses field is 15 bytes long. The XDR encoding of sspt_confounder uses
eight bytes (4 + 3 + 1 byte pad), the XDR encoding of sspt_ssv_seq eight bytes (4 + 3 + 1 byte pad), the XDR encoding of sspt_ssv_seq
uses four bytes, the XDR encoding of sspt_orig_plain uses 20 bytes (4 uses four bytes, the XDR encoding of sspt_orig_plain uses 20 bytes (4
+ 15 + 1 byte pad), and the smallest XDR encoding of the sspt_pad + 15 + 1 byte pad), and the smallest XDR encoding of the sspt_pad
field is four bytes. This totals 36 bytes. The next multiple of 16 field is four bytes. This totals 36 bytes. The next multiple of 16
is 48, thus the length field of sspt_pad needs to be set to 12 bytes, is 48; thus, the length field of sspt_pad needs to be set to 12
or a total encoding of 16 bytes. The total number of XDR encoded bytes, or a total encoding of 16 bytes. The total number of XDR
bytes is thus 8 + 4 + 20 + 16 = 48. encoded bytes is thus 8 + 4 + 20 + 16 = 48.
GSS_Wrap() emits a token that is an XDR encoding of a value of data GSS_Wrap() emits a token that is an XDR encoding of a value of data
type ssv_seal_cipher_tkn4. Note that regardless whether the caller type ssv_seal_cipher_tkn4. Note that regardless of whether or not
of GSS_Wrap() requests confidentiality or not, the token always has the caller of GSS_Wrap() requests confidentiality, the token always
confidentiality. This is because the SSV mechanism is for has confidentiality. This is because the SSV mechanism is for
RPCSEC_GSS, and RPCSEC_GSS never produces GSS_wrap() tokens without RPCSEC_GSS, and RPCSEC_GSS never produces GSS_wrap() tokens without
confidentiality. confidentiality.
There is one SSV per client ID. Effectively there is a single GSS There is one SSV per client ID. There is a single GSS context for a
context for a client ID / SSV pair. All SSV mechanism RPCSEC_GSS client ID / SSV pair. All SSV mechanism RPCSEC_GSS handles of a
handles of a client ID / SSV pair share the same GSS context. SSV client ID / SSV pair share the same GSS context. SSV GSS contexts do
GSS contexts do not expire except when the SSV is destroyed (causes not expire except when the SSV is destroyed (causes would include the
would include the client ID being destroyed or a server restart). client ID being destroyed or a server restart). Since one purpose of
Since one purpose of context expiration is to replace keys that have context expiration is to replace keys that have been in use for "too
been in use for "too long" hence vulnerable to compromise by brute long", hence vulnerable to compromise by brute force or accident, the
force or accident, the client can replace the SSV key by sending client can replace the SSV key by sending periodic SET_SSV
periodic SET_SSV operations, by cycling through different users' operations, which is done by cycling through different users'
RPCSEC_GSS credentials. This way the SSV is replaced without RPCSEC_GSS credentials. This way, the SSV is replaced without
destroying the SSV's GSS contexts. destroying the SSV's GSS contexts.
SSV RPCSEC_GSS handles can be expired or deleted by the server at any SSV RPCSEC_GSS handles can be expired or deleted by the server at any
time and the EXCHANGE_ID operation can be used to create more SSV time, and the EXCHANGE_ID operation can be used to create more SSV
RPCSEC_GSS handles. Expiration of SSV RPCSEC_GSS handles does not RPCSEC_GSS handles. Expiration of SSV RPCSEC_GSS handles does not
imply that the SSV or its GSS context have expired. imply that the SSV or its GSS context has expired.
The client MUST establish an SSV via SET_SSV before the SSV GSS The client MUST establish an SSV via SET_SSV before the SSV GSS
context can be used to emit tokens from GSS_Wrap() and GSS_GetMIC(). context can be used to emit tokens from GSS_Wrap() and GSS_GetMIC().
If SET_SSV has not been successfully called, attempts to emit tokens If SET_SSV has not been successfully called, attempts to emit tokens
MUST fail. MUST fail.
The SSV mechanism does not support replay detection and sequencing in The SSV mechanism does not support replay detection and sequencing in
its tokens because RPCSEC_GSS does not use those features (See its tokens because RPCSEC_GSS does not use those features (See
Section 5.2.2 "Context Creation Requests" in [4]). Section 5.2.2, "Context Creation Requests", in [4]). However,
Section 2.10.10 discusses special considerations for the SSV
mechanism when used with RPCSEC_GSS.
2.10.10. Session Mechanics - Steady State 2.10.10. Security Considerations for RPCSEC_GSS When Using the SSV
Mechanism
2.10.10.1. Obligations of the Server When a client ID is created with SP4_SSV state protection (see
Section 18.35), the client is permitted to associate multiple
RPCSEC_GSS handles with the single SSV GSS context (see
Section 2.10.9). Because of the way RPCSEC_GSS (both version 1 and
version 2, see [4] and [12]) calculate the verifier of the reply,
special care must be taken by the implementation of the NFSv4.1
client to prevent attacks by a man-in-the-middle. The verifier of an
RPCSEC_GSS reply is the output of GSS_GetMIC() applied to the input
value of the seq_num field of the RPCSEC_GSS credential (data type
rpc_gss_cred_ver_1_t) (see Section 5.3.3.2 of [4]). If multiple
RPCSEC_GSS handles share the same GSS context, then if one handle is
used to send a request with the same seq_num value as another handle,
an attacker could block the reply, and replace it with the verifier
used for the other handle.
There are multiple ways to prevent the attack on the SSV RPCSEC_GSS
verifier in the reply. The simplest is believed to be as follows.
o Each time one or more new SSV RPCSEC_GSS handles are created via
EXCHANGE_ID, the client SHOULD send a SET_SSV operation to modify
the SSV. By changing the SSV, the new handles will not result in
the re-use of an SSV RPCSEC_GSS verifier in a reply.
o When a requester decides to use N SSV RPCSEC_GSS handles, it
SHOULD assign a unique and non-overlapping range of seq_nums to
each SSV RPCSEC_GSS handle. The size of each range SHOULD be
equal to MAXSEQ / N (see Section 5 of [4] for the definition of
MAXSEQ). When an SSV RPCSEC_GSS handle reaches its maximum, it
SHOULD force the replier to destroy the handle by sending a NULL
RPC request with seq_num set to MAXSEQ + 1 (see Section 5.3.3.3 of
[4]).
o When the requester wants to increase or decrease N, it SHOULD
force the replier to destroy all N handles by sending a NULL RPC
request on each handle with seq_num set to MAXSEQ + 1. If the
requester is the client, it SHOULD send a SET_SSV operation before
using new handles. If the requester is the server, then the
client SHOULD send a SET_SSV operation when it detects that the
server has forced it to destroy a backchannel's SSV RPCSEC_GSS
handle. By sending a SET_SSV operation, the SSV will change, and
so the attacker will be unavailable to successfully replay a
previous verifier in a reply to the requester.
Note that if the replier carefully creates the SSV RPCSEC_GSS
handles, the related risk of a man-in-the-middle splicing a forged
SSV RPCSEC_GSS credential with a verifier for another handle does not
exist. This is because the verifier in an RPCSEC_GSS request is
computed from input that includes both the RPCSEC_GSS handle and
seq_num (see Section 5.3.1 of [4]). Provided the replier takes care
to avoid re-using the value of an RPCSEC_GSS handle that it creates,
such as by including a generation number in the handle, the man-in-
the-middle will not be able to successfully replay a previous
verifier in the request to a replier.
2.10.11. Session Mechanics - Steady State
2.10.11.1. Obligations of the Server
The server has the primary obligation to monitor the state of The server has the primary obligation to monitor the state of
backchannel resources that the client has created for the server backchannel resources that the client has created for the server
(RPCSEC_GSS contexts and backchannel connections). If these (RPCSEC_GSS contexts and backchannel connections). If these
resources vanish, the server takes action as specified in resources vanish, the server takes action as specified in
Section 2.10.12.2. Section 2.10.13.2.
2.10.10.2. Obligations of the Client 2.10.11.2. Obligations of the Client
The client SHOULD honor the following obligations in order to utilize The client SHOULD honor the following obligations in order to utilize
the session: the session:
o Keep a necessary session from going idle on the server. A client o Keep a necessary session from going idle on the server. A client
that requires a session, but nonetheless is not sending operations that requires a session but nonetheless is not sending operations
risks having the session be destroyed by the server. This is risks having the session be destroyed by the server. This is
because sessions consume resources, and resource limitations may because sessions consume resources, and resource limitations may
force the server to cull an inactive session. A server MAY force the server to cull an inactive session. A server MAY
consider a session to be inactive if the client has not used the consider a session to be inactive if the client has not used the
session before the session inactivity timer (Section 2.10.11) has session before the session inactivity timer (Section 2.10.12) has
expired. expired.
o Destroy the session when not needed. If a client has multiple o Destroy the session when not needed. If a client has multiple
sessions, one of which has no requests waiting for replies, and sessions, one of which has no requests waiting for replies, and
has been idle for some period of time, it SHOULD destroy the has been idle for some period of time, it SHOULD destroy the
session. session.
o Maintain GSS contexts for the backchannel. If the client requires o Maintain GSS contexts and RPCSEC_GSS handles for the backchannel.
the server to use the RPCSEC_GSS security flavor for callbacks, If the client requires the server to use the RPCSEC_GSS security
then it needs to be sure the contexts handed to the server via flavor for callbacks, then it needs to be sure the RPCSEC_GSS
BACKCHANNEL_CTL are unexpired. handles and/or their GSS contexts that are handed to the server
via BACKCHANNEL_CTL or CREATE_SESSION are unexpired.
o Preserve a connection for a backchannel. The server requires a o Preserve a connection for a backchannel. The server requires a
backchannel in order to gracefully recall recallable state, or backchannel in order to gracefully recall recallable state or
notify the client of certain events. Note that if the connection notify the client of certain events. Note that if the connection
is not being used for the fore channel, there is no way for the is not being used for the fore channel, there is no way for the
client tell if the connection is still alive (e.g., the server client to tell if the connection is still alive (e.g., the server
restarted without sending a disconnect). The onus is on the restarted without sending a disconnect). The onus is on the
server, not the client, to determine if the backchannel's server, not the client, to determine if the backchannel's
connection is alive, and to indicate in the response to a SEQUENCE connection is alive, and to indicate in the response to a SEQUENCE
operation when the last connection associated with a session's operation when the last connection associated with a session's
backchannel has disconnected. backchannel has disconnected.
2.10.10.3. Steps the Client Takes To Establish a Session 2.10.11.3. Steps the Client Takes to Establish a Session
If the client does not have a client ID, the client sends EXCHANGE_ID If the client does not have a client ID, the client sends EXCHANGE_ID
to establish a client ID. If it opts for SP4_MACH_CRED or SP4_SSV to establish a client ID. If it opts for SP4_MACH_CRED or SP4_SSV
protection, in the spo_must_enforce list of operations, it SHOULD at protection, in the spo_must_enforce list of operations, it SHOULD at
minimum specify: CREATE_SESSION, DESTROY_SESSION, minimum specify CREATE_SESSION, DESTROY_SESSION,
BIND_CONN_TO_SESSION, BACKCHANNEL_CTL, and DESTROY_CLIENTID. If opts BIND_CONN_TO_SESSION, BACKCHANNEL_CTL, and DESTROY_CLIENTID. If it
for SP4_SSV protection, the client needs to ask for SSV-based opts for SP4_SSV protection, the client needs to ask for SSV-based
RPCSEC_GSS handles. RPCSEC_GSS handles.
The client uses the client ID to send a CREATE_SESSION on a The client uses the client ID to send a CREATE_SESSION on a
connection to the server. The results of CREATE_SESSION indicate connection to the server. The results of CREATE_SESSION indicate
whether the server will persist the session reply cache through a whether or not the server will persist the session reply cache
server restarted or not, and the client notes this for future through a server that has restarted, and the client notes this for
reference. future reference.
If the client specified SP4_SSV state protection when the client ID If the client specified SP4_SSV state protection when the client ID
was created, then it SHOULD send SET_SSV in the first COMPOUND after was created, then it SHOULD send SET_SSV in the first COMPOUND after
the session is created. Each time a new principal goes to use the the session is created. Each time a new principal goes to use the
client ID, it SHOULD send a SET_SSV again. client ID, it SHOULD send a SET_SSV again.
If the client wants to use delegations, layouts, directory If the client wants to use delegations, layouts, directory
notifications, or any other state that requires a backchannel, then notifications, or any other state that requires a backchannel, then
it needs to add a connection to the backchannel if CREATE_SESSION did it needs to add a connection to the backchannel if CREATE_SESSION did
not already do so. The client creates a connection, and calls not already do so. The client creates a connection, and calls
skipping to change at page 79, line 33 skipping to change at page 80, line 35
protection when it called EXCHANGE_ID, then the client SHOULD specify protection when it called EXCHANGE_ID, then the client SHOULD specify
that the backchannel use RPCSEC_GSS contexts for security. that the backchannel use RPCSEC_GSS contexts for security.
If the client wants to use additional connections for the If the client wants to use additional connections for the
backchannel, then it needs to call BIND_CONN_TO_SESSION on each backchannel, then it needs to call BIND_CONN_TO_SESSION on each
connection it wants to use with the session. If the client wants to connection it wants to use with the session. If the client wants to
use additional connections for the fore channel, then it needs to use additional connections for the fore channel, then it needs to
call BIND_CONN_TO_SESSION if it specified SP4_SSV or SP4_MACH_CRED call BIND_CONN_TO_SESSION if it specified SP4_SSV or SP4_MACH_CRED
state protection when the client ID was created. state protection when the client ID was created.
At this point the session has reached steady state. At this point, the session has reached steady state.
2.10.11. Session Inactivity Timer 2.10.12. Session Inactivity Timer
The server MAY maintain a session inactivity timer for each session. The server MAY maintain a session inactivity timer for each session.
If the session inactivity timer expires, then the server MAY destroy If the session inactivity timer expires, then the server MAY destroy
the session. To avoid losing a session due to inactivity, the client the session. To avoid losing a session due to inactivity, the client
MUST renew the session inactivity timer. The length of session MUST renew the session inactivity timer. The length of session
inactivity timer MUST NOT be less than the lease_time attribute inactivity timer MUST NOT be less than the lease_time attribute
(Section 5.8.1.11). As with lease renewal (Section 8.3), when the (Section 5.8.1.11). As with lease renewal (Section 8.3), when the
server receives a SEQUENCE operation, it resets the session server receives a SEQUENCE operation, it resets the session
inactivity timer, and MUST NOT allow the timer to expire while the inactivity timer, and MUST NOT allow the timer to expire while the
rest of the operations in the COMPOUND procedure's request are still rest of the operations in the COMPOUND procedure's request are still
executing. Once the last operation has finished, the server MUST set executing. Once the last operation has finished, the server MUST set
the session inactivity timer to expire no sooner that the sum of the the session inactivity timer to expire no sooner than the sum of the
current time and the value of the lease_time attribute. current time and the value of the lease_time attribute.
2.10.12. Session Mechanics - Recovery 2.10.13. Session Mechanics - Recovery
2.10.12.1. Events Requiring Client Action 2.10.13.1. Events Requiring Client Action
The following events require client action to recover. The following events require client action to recover.
2.10.12.1.1. RPCSEC_GSS Context Loss by Callback Path 2.10.13.1.1. RPCSEC_GSS Context Loss by Callback Path
If all RPCSEC_GSS contexts granted by the client to the server for If all RPCSEC_GSS handles granted by the client to the server for
callback use have expired, the client MUST establish a new context callback use have expired, the client MUST establish a new handle via
via BACKCHANNEL_CTL. The sr_status_flags field of the SEQUENCE BACKCHANNEL_CTL. The sr_status_flags field of the SEQUENCE results
results indicates when callback contexts are nearly expired, or fully indicates when callback handles are nearly expired, or fully expired
expired (see Section 18.46.3). (see Section 18.46.3).
2.10.12.1.2. Connection Loss 2.10.13.1.2. Connection Loss
If the client loses the last connection of the session, and if wants If the client loses the last connection of the session and wants to
to retain the session, then it needs to create a new connection, and retain the session, then it needs to create a new connection, and if,
if, when the client ID was created, BIND_CONN_TO_SESSION was when the client ID was created, BIND_CONN_TO_SESSION was specified in
specified in the spo_must_enforce list, the client MUST use the spo_must_enforce list, the client MUST use BIND_CONN_TO_SESSION
BIND_CONN_TO_SESSION to associate the connection with the session. to associate the connection with the session.
If there was a request outstanding at the time the of connection If there was a request outstanding at the time of connection loss,
loss, then if client wants to continue to use the session it MUST then if the client wants to continue to use the session, it MUST
retry the request, as described in Section 2.10.6.2. Note that it is retry the request, as described in Section 2.10.6.2. Note that it is
not necessary to retry requests over a connection with the same not necessary to retry requests over a connection with the same
source network address or the same destination network address as the source network address or the same destination network address as the
lost connection. As long as the session ID, slot ID, and sequence ID lost connection. As long as the session ID, slot ID, and sequence ID
in the retry match that of the original request, the server will in the retry match that of the original request, the server will
recognize the request as a retry if it executed the request prior to recognize the request as a retry if it executed the request prior to
disconnect. disconnect.
If the connection that was lost was the last one associated with the If the connection that was lost was the last one associated with the
backchannel, and the client wants to retain the backchannel and/or backchannel, and the client wants to retain the backchannel and/or
not put recallable state subject to revocation, the client needs to prevent revocation of recallable state, the client needs to
reconnect, and if it does, it MUST associate the connection to the reconnect, and if it does, it MUST associate the connection to the
session and backchannel via BIND_CONN_TO_SESSION. The server SHOULD session and backchannel via BIND_CONN_TO_SESSION. The server SHOULD
indicate when it has no callback connection via the sr_status_flags indicate when it has no callback connection via the sr_status_flags
result from SEQUENCE. result from SEQUENCE.
2.10.12.1.3. Backchannel GSS Context Loss 2.10.13.1.3. Backchannel GSS Context Loss
Via the sr_status_flags result of the SEQUENCE operation or other Via the sr_status_flags result of the SEQUENCE operation or other
means, the client will learn if some or all of the RPCSEC_GSS means, the client will learn if some or all of the RPCSEC_GSS
contexts it assigned to the backchannel have been lost. If the contexts it assigned to the backchannel have been lost. If the
client wants to the retain the backchannel and/or not put recallable client wants to retain the backchannel and/or not put recallable
state subjection to revocation, the client needs to use state subject to revocation, the client needs to use BACKCHANNEL_CTL
BACKCHANNEL_CTL to assign new contexts. to assign new contexts.
2.10.12.1.4. Loss of Session 2.10.13.1.4. Loss of Session
The replier might lose a record of the session. Causes include: The replier might lose a record of the session. Causes include:
o Replier failure and restart o Replier failure and restart.
o A catastrophe that causes the reply cache to be corrupted or lost o A catastrophe that causes the reply cache to be corrupted or lost
on the media it was stored on. This applies even if the replier on the media on which it was stored. This applies even if the
indicated in the CREATE_SESSION results that it would persist the replier indicated in the CREATE_SESSION results that it would
cache. persist the cache.
o The server purges the session of a client that has been inactive o The server purges the session of a client that has been inactive
for a very extended period of time. for a very extended period of time.
o As a result of configuration changes among a set of clustered o As a result of configuration changes among a set of clustered
servers, a network address previously connected to one server servers, a network address previously connected to one server
becomes connected to a different server which has no knowledge of becomes connected to a different server that has no knowledge of
the session in question. Such a configuration change will the session in question. Such a configuration change will
generally only happen when the original server ceases to function generally only happen when the original server ceases to function
for a time. for a time.
Loss of reply cache is equivalent to loss of session. The replier Loss of reply cache is equivalent to loss of session. The replier
indicates loss of session to the requester by returning indicates loss of session to the requester by returning
NFS4ERR_BADSESSION on the next operation that uses the session ID NFS4ERR_BADSESSION on the next operation that uses the session ID
that refers to the lost session. that refers to the lost session.
After an event like a server restart, the client may have lost its After an event like a server restart, the client may have lost its
skipping to change at page 81, line 46 skipping to change at page 82, line 46
SEQUENCE. If BIND_CONN_TO_SESSION or SEQUENCE returns SEQUENCE. If BIND_CONN_TO_SESSION or SEQUENCE returns
NFS4ERR_BADSESSION, the client knows the session is not available to NFS4ERR_BADSESSION, the client knows the session is not available to
it when communicating with that network address. If the connection it when communicating with that network address. If the connection
survives session loss, then the next SEQUENCE operation the client survives session loss, then the next SEQUENCE operation the client
sends over the connection will get back NFS4ERR_BADSESSION. The sends over the connection will get back NFS4ERR_BADSESSION. The
client again knows the session was lost. client again knows the session was lost.
Here is one suggested algorithm for the client when it gets Here is one suggested algorithm for the client when it gets
NFS4ERR_BADSESSION. It is not obligatory in that, if a client does NFS4ERR_BADSESSION. It is not obligatory in that, if a client does
not want to take advantage of such features as trunking, it may omit not want to take advantage of such features as trunking, it may omit
parts of it. However, it is a useful example which draws attention parts of it. However, it is a useful example that draws attention to
to various possible recovery issues: various possible recovery issues:
1. If the client has other connections to other server network 1. If the client has other connections to other server network
addresses associated with the same session, attempt a COMPOUND addresses associated with the same session, attempt a COMPOUND
with a single operation, SEQUENCE, on each of the other with a single operation, SEQUENCE, on each of the other
connections. connections.
2. If the attempts succeed, the session is still alive, and this is 2. If the attempts succeed, the session is still alive, and this is
a strong indicator the server's network address has moved. The a strong indicator that the server's network address has moved.
client might send an EXCHANGE_ID on the connection that returned The client might send an EXCHANGE_ID on the connection that
NFS4ERR_BADSESSION to see if there are opportunities for client returned NFS4ERR_BADSESSION to see if there are opportunities for
ID trunking (i.e. the same client ID and so_major are returned). client ID trunking (i.e., the same client ID and so_major are
The client might use DNS to see if the moved network address was returned). The client might use DNS to see if the moved network
replaced with another, so that the performance and availability address was replaced with another, so that the performance and
benefits of session trunking can continue. availability benefits of session trunking can continue.
3. If the SEQUENCE requests fail with NFS4ERR_BADSESSION then the 3. If the SEQUENCE requests fail with NFS4ERR_BADSESSION, then the
session no longer exists on any of the server network addresses session no longer exists on any of the server network addresses
the client has connections associated with that session ID. It for which the client has connections associated with that session
is possible the session is still alive and available on other ID. It is possible the session is still alive and available on
network addresses. The client sends an EXCHANGE_ID on all the other network addresses. The client sends an EXCHANGE_ID on all
connections to see if the server owner is still listening on the connections to see if the server owner is still listening on
those network addresses. If the same server owner is returned, those network addresses. If the same server owner is returned
but a new client ID is returned, this is a strong indicator of a but a new client ID is returned, this is a strong indicator of a
server restart. If both the same server owner and same client ID server restart. If both the same server owner and same client ID
are returned, then this is a strong indication that the server are returned, then this is a strong indication that the server
did delete the session, and the client will need to send a did delete the session, and the client will need to send a
CREATE_SESSION if it has no other sessions for that client ID. CREATE_SESSION if it has no other sessions for that client ID.
If a different server owner is returned, the client can use DNS If a different server owner is returned, the client can use DNS
to find other network addresses. If it does not, or if DNS does to find other network addresses. If it does not, or if DNS does
not find any other addresses for the server, then the client will not find any other addresses for the server, then the client will
be unable to provide NFSv4.1 service, and fatal errors should be be unable to provide NFSv4.1 service, and fatal errors should be
returned to processes that were using the server. If the client returned to processes that were using the server. If the client
is using a "mount" paradigm, unmounting the server is advised. is using a "mount" paradigm, unmounting the server is advised.
4. If the client knows of no other connections associated with the 4. If the client knows of no other connections associated with the
session ID, and server network addresses that are, or have been session ID and server network addresses that are, or have been,
associated with the session ID, then the client can use DNS to associated with the session ID, then the client can use DNS to
find other network addresses. If it does not, or if DNS does not find other network addresses. If it does not, or if DNS does not
find any other addresses for the server, then the client will be find any other addresses for the server, then the client will be
unable to provide NFSv4.1 service, and fatal errors should be unable to provide NFSv4.1 service, and fatal errors should be
returned to processes that were using the server. If the client returned to processes that were using the server. If the client
is using a "mount" paradigm, unmounting the server is advised. is using a "mount" paradigm, unmounting the server is advised.
If there is a reconfiguration event which results in the same network If there is a reconfiguration event that results in the same network
address being assigned to servers where the eir_server_scope value is address being assigned to servers where the eir_server_scope value is
different, it cannot be guaranteed that a session ID generated by the different, it cannot be guaranteed that a session ID generated by the
first will be recognized as invalid by the first. Therefore, in first will be recognized as invalid by the first. Therefore, in
managing server reconfigurations among servers with different server managing server reconfigurations among servers with different server
scope values, it is necessary to make sure that all clients have scope values, it is necessary to make sure that all clients have
disconnected from the first server before effecting the disconnected from the first server before effecting the
reconfiguration. Nonetheless, clients should not assume that servers reconfiguration. Nonetheless, clients should not assume that servers
will always adhere to this requirement; clients MUST be prepared to will always adhere to this requirement; clients MUST be prepared to
deal with unexpected effects of server reconfigurations. Even where deal with unexpected effects of server reconfigurations. Even where
a session ID is inappropriately recognized as valid, it is likely a session ID is inappropriately recognized as valid, it is likely
that either the connection will not be recognized as valid, or that a either that the connection will not be recognized as valid or that a
sequence value for a slot will not be correct. Therefore, when a sequence value for a slot will not be correct. Therefore, when a
client receives results indicating such unexpected errors, the use of client receives results indicating such unexpected errors, the use of
EXCHANGE_ID to determine the current server configuration and present EXCHANGE_ID to determine the current server configuration is
the client to the server is RECOMMENDED. RECOMMENDED.
A variation on the above is that after a server's network address A variation on the above is that after a server's network address
moves, there is no NFSv4.1 server listening. E.g. no listener on moves, there is no NFSv4.1 server listening, e.g., no listener on
port 2049, the NFSv4 server returns NFS4ERR_MINOR_VERS_MISMATCH, the port 2049. In this example, one of the following occur: the NFSv4
NFS server returns a PROG_MISMATCH error, the RPC listener on 2049 server returns NFS4ERR_MINOR_VERS_MISMATCH, the NFS server returns a
returns PROG_MISMATCH, or attempts to re-connect to the network PROG_MISMATCH error, the RPC listener on 2049 returns PROG_UNVAIL, or
address timeout. These SHOULD be treated as equivalent to SEQUENCE attempts to reconnect to the network address timeout. These SHOULD
returning NFS4ERR_BADSESSION for these purposes. be treated as equivalent to SEQUENCE returning NFS4ERR_BADSESSION for
these purposes.
When the client detects session loss, it needs to call CREATE_SESSION When the client detects session loss, it needs to call CREATE_SESSION
to recover. Any non-idempotent operations that were in progress to recover. Any non-idempotent operations that were in progress
might have been performed on the server at the time of session loss. might have been performed on the server at the time of session loss.
The client has no general way to recover from this. The client has no general way to recover from this.
Note that loss of session does not imply loss of lock, open, Note that loss of session does not imply loss of byte-range lock,
delegation, or layout state because locks, opens, delegations, and open, delegation, or layout state because locks, opens, delegations,
layouts are tied to the client ID and depend on the client ID, not and layouts are tied to the client ID and depend on the client ID,
the session. Nor does loss of lock, open, delegation, or layout not the session. Nor does loss of byte-range lock, open, delegation,
state imply loss of session state, because the session depends on the or layout state imply loss of session state, because the session
client ID; loss of client ID however does imply loss of session, depends on the client ID; loss of client ID however does imply loss
lock, open, delegation, and layout state. See Section 8.4.2. A of session, byte-range lock, open, delegation, and layout state. See
session can survive a server restart, but lock recovery may still be Section 8.4.2. A session can survive a server restart, but lock
needed. recovery may still be needed.
It is possible CREATE_SESSION will fail with NFS4ERR_STALE_CLIENTID It is possible that CREATE_SESSION will fail with
(e.g. the server restarts and does not preserve client ID state). If NFS4ERR_STALE_CLIENTID (e.g., the server restarts and does not
so, the client needs to call EXCHANGE_ID, followed by CREATE_SESSION. preserve client ID state). If so, the client needs to call
EXCHANGE_ID, followed by CREATE_SESSION.
2.10.12.2. Events Requiring Server Action 2.10.13.2. Events Requiring Server Action
The following events require server action to recover. The following events require server action to recover.
2.10.12.2.1. Client Crash and Restart 2.10.13.2.1. Client Crash and Restart
As described in Section 18.35, a restarted client sends EXCHANGE_ID As described in Section 18.35, a restarted client sends EXCHANGE_ID
in such a way it causes the server to delete any sessions it had. in such a way that it causes the server to delete any sessions it
had.
2.10.12.2.2. Client Crash with No Restart 2.10.13.2.2. Client Crash with No Restart
If a client crashes and never comes back, it will never send If a client crashes and never comes back, it will never send
EXCHANGE_ID with its old client owner. Thus the server has session EXCHANGE_ID with its old client owner. Thus, the server has session
state that will never be used again. After an extended period of state that will never be used again. After an extended period of
time and if the server has resource constraints, it MAY destroy the time, and if the server has resource constraints, it MAY destroy the
old session as well as locking state. old session as well as locking state.
2.10.12.2.3. Extended Network Partition 2.10.13.2.3. Extended Network Partition
To the server, the extended network partition may be no different To the server, the extended network partition may be no different
from a client crash with no restart (see Section 2.10.12.2.2). from a client crash with no restart (see Section 2.10.13.2.2).
Unless the server can discern that there is a network partition, it Unless the server can discern that there is a network partition, it
is free to treat the situation as if the client has crashed is free to treat the situation as if the client has crashed
permanently. permanently.
2.10.12.2.4. Backchannel Connection Loss 2.10.13.2.4. Backchannel Connection Loss
If there were callback requests outstanding at the time of a If there were callback requests outstanding at the time of a
connection loss, then the server MUST retry the request, as described connection loss, then the server MUST retry the requests, as
in Section 2.10.6.2. Note that it is not necessary to retry requests described in Section 2.10.6.2. Note that it is not necessary to
over a connection with the same source network address or the same retry requests over a connection with the same source network address
destination network address as the lost connection. As long as the or the same destination network address as the lost connection. As
session ID, slot ID, and sequence ID in the retry match that of the long as the session ID, slot ID, and sequence ID in the retry match
original request, the callback target will recognize the request as a that of the original request, the callback target will recognize the
retry even if it did see the request prior to disconnect. request as a retry even if it did see the request prior to
disconnect.
If the connection lost is the last one associated with the If the connection lost is the last one associated with the
backchannel