draft-ietf-nfsv4-multi-domain-fs-reqs-05.txt   draft-ietf-nfsv4-multi-domain-fs-reqs-06.txt 
NFSv4 Working Group W. Adamson NFSv4 Working Group W. Adamson
Internet-Draft NetApp Internet-Draft NetApp
Intended status: Standards Track N. Williams Intended status: Standards Track N. Williams
Expires: February 22, 2016 Cryptonector Expires: April 3, 2016 Cryptonector
August 21, 2015 October 1, 2015
Multiple NFSv4 Domain Namespace Deployment Guidelines Multiple NFSv4 Domain Namespace Deployment Guidelines
draft-ietf-nfsv4-multi-domain-fs-reqs-05 draft-ietf-nfsv4-multi-domain-fs-reqs-06
Abstract Abstract
This document discusses issues relevant to the deployment of the This document discusses issues relevant to the deployment of the
NFSv4 protocols in situations allowing for the construction of an NFSv4 protocols in situations allowing for the construction of an
NFSv4 file namespace supporting the use of multiple NFSv4 domains and NFSv4 file namespace supporting the use of multiple NFSv4 domains and
utilizing multi-domain capable file systems. Also described are utilizing multi-domain capable file systems. Also described are
constraints on name resolution and security services appropriate to constraints on name resolution and security services appropriate to
the administration of such a system. Such a namespace is a suitable the administration of such a system. Such a namespace is a suitable
way to enable a Federated File System supporting the use of multiple way to enable a Federated File System supporting the use of multiple
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 22, 2016. This Internet-Draft will expire on April 3, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 40 skipping to change at page 2, line 40
4.3. RPCSEC_GSS with name@domain . . . . . . . . . . . . . . . . 7 4.3. RPCSEC_GSS with name@domain . . . . . . . . . . . . . . . . 7
5. Multi-domain Constraints to the NFSv4 Protocol . . . . . . . 8 5. Multi-domain Constraints to the NFSv4 Protocol . . . . . . . 8
5.1. Name@domain Constraints . . . . . . . . . . . . . . . . . . 8 5.1. Name@domain Constraints . . . . . . . . . . . . . . . . . . 8
5.1.1. NFSv4 Domain and DNS Services . . . . . . . . . . . . . . 9 5.1.1. NFSv4 Domain and DNS Services . . . . . . . . . . . . . . 9
5.1.2. NFSv4 Domain and Name Services . . . . . . . . . . . . . 9 5.1.2. NFSv4 Domain and Name Services . . . . . . . . . . . . . 9
5.2. RPC Security Constraints . . . . . . . . . . . . . . . . . 9 5.2. RPC Security Constraints . . . . . . . . . . . . . . . . . 9
5.2.1. NFSv4 Domain and Security Services . . . . . . . . . . . 10 5.2.1. NFSv4 Domain and Security Services . . . . . . . . . . . 10
6. Resolving Multi-domain Authorization Information . . . . . . 10 6. Resolving Multi-domain Authorization Information . . . . . . 10
7. Stand-alone Examples and Multiple NFSv4 Domain Namespaces . . 12 7. Stand-alone Examples and Multiple NFSv4 Domain Namespaces . . 12
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 8. Security Considerations . . . . . . . . . . . . . . . . . . . 12
9. Normative References . . . . . . . . . . . . . . . . . . . . 13 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . . . 14
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 14 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
An NFSv4 domain is defined as a set of users and groups named by a An NFSv4 domain is defined as a set of users and groups named by a
particular domain using the NFSv4 name@domain syntax. This includes particular domain using the NFSv4 name@domain syntax. This includes
NFSv4.0 [RFC7530], NFSv4.1 [RFC5661], and minor versions yet to be NFSv4.0 [RFC7530], NFSv4.1 [RFC5661], and minor versions yet to be
published. Often, a computer which acts as an NFSv4 client and published. Often, a computer which acts as an NFSv4 client and
always acts on behalf of users belonging to a particular NFSv4 domain always acts on behalf of users belonging to a particular NFSv4 domain
skipping to change at page 10, line 5 skipping to change at page 10, line 5
NFSv4.1 clients and servers MUST implement RPCSEC_GSS. NFSv4.1 clients and servers MUST implement RPCSEC_GSS.
(This requirement to implement is not a requirement (This requirement to implement is not a requirement
to use.) Other flavors, such as AUTH_NONE, and AUTH_SYS, to use.) Other flavors, such as AUTH_NONE, and AUTH_SYS,
MAY be implemented as well. MAY be implemented as well.
The underlying RPCSEC_GSS security mechanism used in a multi-domain The underlying RPCSEC_GSS security mechanism used in a multi-domain
namespace is REQUIRED to employ a method of cross NFSv4 domain trust namespace is REQUIRED to employ a method of cross NFSv4 domain trust
so that a principal from a security service in one NFSv4 domain can so that a principal from a security service in one NFSv4 domain can
be authenticated in another NFSv4 domain that uses a security service be authenticated in another NFSv4 domain that uses a security service
with the same security mechanism. Kerberos, and PKU2U with the same security mechanism. Kerberos is an example of such a
[I-D.zhu-pku2u] are examples of such security services. security services.
The AUTH_NONE security flavor can be useful in a multi-domain The AUTH_NONE security flavor can be useful in a multi-domain
deployment to grant universal access to public data without any deployment to grant universal access to public data without any
credentials. credentials.
The AUTH_SYS security flavor uses a host-based authentication model The AUTH_SYS security flavor uses a host-based authentication model
where the weakly authenticated host (the NFSv4 client) asserts the where the weakly authenticated host (the NFSv4 client) asserts the
user's authorization identities using small integers, uidNumber, and user's authorization identities using small integers, uidNumber, and
gidNumber [RFC2307], as user and group identity representations. gidNumber [RFC2307], as user and group identity representations.
Because this authorization ID representation has no domain component, Because this authorization ID representation has no domain component,
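Review bot: the replacement sentence in the right column, "Kerberos is an example of such a security services.", has a number-agreement error introduced by the edit; it should read "Kerberos is an example of such a security service." Dropping PKU2U [I-D.zhu-pku2u] from this sentence is consistent with removing the 2008 PKU2U draft from the references further down, so the paragraph is left with no dangling citation, and the cross-domain-trust requirement in the preceding sentences is unchanged.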
skipping to change at page 13, line 29 skipping to change at page 13, line 29
Implementors may be tempted to assume that realm (or "issuer") and Implementors may be tempted to assume that realm (or "issuer") and
NFSv4 domain are roughly the same thing, but they are not. NFSv4 domain are roughly the same thing, but they are not.
Configuration and/or lookup protocols (such as LDAP) and associated Configuration and/or lookup protocols (such as LDAP) and associated
schemas are generally required in order to evaluate a user schemas are generally required in order to evaluate a user
principal's authorization context. In the simplest scheme a server principal's authorization context. In the simplest scheme a server
has access to a database mapping all known principal names to has access to a database mapping all known principal names to
usernames whose authorization context can be evaluated using usernames whose authorization context can be evaluated using
operating system interfaces that deal in usernames rather than operating system interfaces that deal in usernames rather than
principal names. principal names.
9. Normative References 9. IANA Considerations
[CIFS] Microsoft Corporation, "[MS-CIFS] -- v20130118 Common There are no IANA considerations in this document.
Internet File System (CIFS) Protocol", January 2013.
10. References
10.1. Normative References
[I-D.NFSv4.2] [I-D.NFSv4.2]
Haynes, T., "NFS Version 4 Minor Version 2", draft-ietf- Haynes, T., "NFS Version 4 Minor Version 2", draft-ietf-
nfsv4-minorversion2-36 (Work In Progress), April 2015. nfsv4-minorversion2-36 (Work In Progress), April 2015.
[I-D.rpcsec-gssv3] [I-D.rpcsec-gssv3]
Adamson, W. and N. Williams, "Remote Procedure Call (RPC) Adamson, W. and N. Williams, "Remote Procedure Call (RPC)
Security Version 3", draft-ietf-nfsv4-rpcsec-gssv3-12 Security Version 3", draft-ietf-nfsv4-rpcsec-gssv3-12
(Work In Progress), July 2015. (Work In Progress), July 2015.
[I-D.sorce-krbwg-general-pac]
Sorce, S., Yu, T., and T. Hardjono, "A Generalized PAC for
Kerberos V5", draft-ietf-krb-wg-general-pac-02 (Work In
Progress awaiting merge with other document ), June 2011.
[I-D.zhu-pku2u]
Zhu, L., Altman, J., and N. Williams, "Public Key
Cryptography Based User-to-User Authentication - (PKU2U)",
draft-zhu-pku2u-09 (Work In Progress), November 2008.
[PAC] Brezak, J., "Utilizing the Windows 2000 Authorization Data
in Kerberos Tickets for Access Control to Resources",
October 2002.
[RFC1034] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", [RFC1034] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES",
RFC 1034, November 1987. RFC 1034, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RFC2203] Eisler, M. and J. Linn, "RPCSEC_GSS Protocol [RFC2203] Eisler, M. and J. Linn, "RPCSEC_GSS Protocol
Specification", RFC 2203, September 1997. Specification", RFC 2203, September 1997.
[RFC2307] Howard, L., "An Approach for Using LDAP as a Network
Information Service", RFC 2307, March 1998.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
Version 5 Generic Security Service Application Program Version 5 Generic Security Service Application Program
Interface (GSS-API) Mechanism: Version 2", RFC 4121, July Interface (GSS-API) Mechanism: Version 2", RFC 4121, July
2005. 2005.
[RFC4511] Sermersheim, Ed., J., "Lightweight Directory Access [RFC4511] Sermersheim, Ed., J., "Lightweight Directory Access
Protocol (LDAP): The Protocol", RFC 4511, June 2006. Protocol (LDAP): The Protocol", RFC 4511, June 2006.
[RFC5661] Shepler, S., Eisler, M., and D. Noveck, "Network File [RFC5661] Shepler, S., Eisler, M., and D. Noveck, "Network File
System (NFS) Version 4 Minor Version 1 Protocol", RFC System (NFS) Version 4 Minor Version 1 Protocol", RFC
5661, January 2010. 5661, January 2010.
[RFC7530] Haynes, T. and D. Noveck, "Network File System (NFS)
version 4 Protocol", RFC 7530, March 2015.
10.2. Informative References
[CIFS] Microsoft Corporation, "[MS-CIFS] -- v20130118 Common
Internet File System (CIFS) Protocol", January 2013.
[I-D.sorce-krbwg-general-pac]
Sorce, S., Yu, T., and T. Hardjono, "A Generalized PAC for
Kerberos V5", draft-ietf-krb-wg-general-pac-01 (Work In
Progress awaiting merge with other document ), June 2011.
[PAC] Brezak, J., "Utilizing the Windows 2000 Authorization Data
in Kerberos Tickets for Access Control to Resources",
October 2002.
[RFC2307] Howard, L., "An Approach for Using LDAP as a Network
Information Service", RFC 2307, March 1998.
[RFC5716] Lentini, J., Everhart, C., Ellard, D., Tewari, R., and M. [RFC5716] Lentini, J., Everhart, C., Ellard, D., Tewari, R., and M.
Naik, "Requirements for Federated File Systems", RFC 5716, Naik, "Requirements for Federated File Systems", RFC 5716,
January 2010. January 2010.
[RFC7530] Haynes, T. and D. Noveck, "Network File System (NFS)
version 4 Protocol", RFC 7530, March 2015.
Appendix A. Acknowledgments Appendix A. Acknowledgments
Andy Adamson would like to thank NetApp, Inc. for its funding of his Andy Adamson would like to thank NetApp, Inc. for its funding of his
time on this project. time on this project.
We thank Chuck Lever, Tom Haynes, Brian Reitz, Bruce Fields, and We thank Chuck Lever, Tom Haynes, Brian Reitz, Bruce Fields, and
David Noveck for their review. David Noveck for their review.
Authors' Addresses Authors' Addresses
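Review bot: the [I-D.sorce-krbwg-general-pac] entry changes from draft-ietf-krb-wg-general-pac-02 in the left column to draft-ietf-krb-wg-general-pac-01 in the new 10.2 Informative References while keeping the same June 2011 date, which reads as an accidental version regression made while the entry was being moved; this should be checked against the datatracker and the newer revision kept, and the stray parenthetical "(Work In Progress awaiting merge with other document )" normalized to the "(Work In Progress)" form the other draft entries use. The split into 10.1 Normative and 10.2 Informative is otherwise consistent with the body visible here: [RFC7530] and [RFC5661] underpin the name@domain definition in Section 1 and land in Normative, while [RFC2307] is cited on page 10 only to name the uidNumber and gidNumber attributes and lands in Informative alongside [CIFS], [PAC] and [RFC5716]. The new Section 9 ("There are no IANA considerations in this document.") is appropriate for a deployment-guidelines document that defines no new codepoints, and the left-column-only entries [I-D.zhu-pku2u] and the former single "9. Normative References" heading are cleanly removed with no remaining citation in the diffed text.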
 End of changes. 11 change blocks. 
30 lines changed or deleted 36 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/