From: Black_David@emc.com
Date: 05/12/03-02:23:14 PM Z
Message-ID: <277DD60FB639D511AC0400B0D068B71E0564CC14@corpmx14.corp.emc.com>
Subject: RE: [nfsv4] Re: Comments on CCM draft -00
Date: Mon, 12 May 2003 15:23:14 -0400

Sam,

> Nicolas> On Wed, May 07, 2003 at 09:04:26AM -0700, Nicolas
> Nicolas> Williams wrote:
> >> 1) CCM is dangerous without mandating the use of channel
> >> bindings.
>
> Nicolas> So, I'd like to clarify this. I think there needs to be
> Nicolas> an option for channel bindings. Around the time of this
> Nicolas> past Connectathon I offered three options: negotiate no
> Nicolas> bindings, negotiate network address channel bindings and
> Nicolas> negotiate the use of IPsec/... bindings.
>
> Nicolas> Negotiating no bindings and no session crypto can be
> Nicolas> useful in some environments.
>
> I'd love to push for mandating the use of channel bindings. I suspect
> I'd be alone in that desire.
>
> What I do think is reasonable to require is that implementations must
> implement some real channel bindings. If you want to turn it off, say
> because you have some box that you want to tap your traffic on, that's
> fine.
>
> But I as a user want to have a guarantee that if I buy two CCM-capable
> devices that both support IPSEC, I can configure both devices to talk
> to each other using channel bindings. To get this I need mandatory to
> implement channel bindings even if they are not mandatory to use.

Could you run through that last paragraph in a little more detail? If one configures the IPsec on those two devices correctly and (more importantly) only installs the IPsec keying material for the NFS/CCM sessions on those two devices, then they can only set up IPsec SAs for NFS/CCM to each other (in practice, IPsec will recognize NFS via port usage, so this'll be NFS as opposed to NFS/CCM). What portion of this approach requires the higher assurance that channel bindings provide? The answer may involve scenarios with more than two devices.
Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
black_david@emc.com Mobile: +1 (978) 394-7754
----------------------------------------------------
_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4
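To make concrete what the "network address channel bindings" option discussed in the thread buys over a bare authenticated exchange, here is an added illustration that is not part of the original message and not CCM's actual token format: the initiator folds the endpoint addresses it believes it is talking over into the integrity-protected token (in the spirit of the GSS-API channel-binding structure), and the acceptor recomputes the MIC over the addresses it actually observes on the transport. The HMAC key, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

# Constructed sample session key; in a real system this would be the
# GSS context key negotiated by the mechanism, never a fixed constant.
SESSION_KEY = b"constructed-sample-session-key"

def encode_channel_bindings(initiator_addr: bytes, acceptor_addr: bytes) -> bytes:
    """Serialise the two endpoint addresses as length-prefixed fields.

    Modelled loosely on the GSS-API channel-binding layout (address type,
    address, address type, address, application data); the exact CCM
    encoding is not defined on this page, so this is an assumed format.
    """
    fields = [initiator_addr, acceptor_addr, b""]  # empty application data
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def mic(key: bytes, data: bytes) -> bytes:
    """Integrity check value over the bindings plus the payload."""
    return hmac.new(key, data, hashlib.sha256).digest()

def initiator_token(key: bytes, my_addr: bytes, peer_addr: bytes, payload: bytes) -> tuple:
    """Build (payload, tag). The addresses are bound in but not transmitted,
    so a forwarding box cannot simply rewrite them."""
    tag = mic(key, encode_channel_bindings(my_addr, peer_addr) + payload)
    return payload, tag

def acceptor_verify(key: bytes, token: tuple, observed_peer_addr: bytes, my_addr: bytes) -> bool:
    """Recompute the tag over the addresses seen on the actual connection.
    A token relayed over a different channel (different source address)
    fails here even though the payload and key are unchanged."""
    payload, tag = token
    expected = mic(key, encode_channel_bindings(observed_peer_addr, my_addr) + payload)
    return hmac.compare_digest(tag, expected)

def demo() -> tuple:
    """Returns (direct_ok, relayed_ok) for a direct and a relayed connection."""
    client, server, relay = b"10.0.0.5", b"10.0.0.9", b"10.0.0.77"
    token = initiator_token(SESSION_KEY, client, server, b"NFS/CCM request")
    direct_ok = acceptor_verify(SESSION_KEY, token, observed_peer_addr=client, my_addr=server)
    relayed_ok = acceptor_verify(SESSION_KEY, token, observed_peer_addr=relay, my_addr=server)
    return direct_ok, relayed_ok

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Turning bindings off (the "no bindings" option) amounts to passing empty addresses on both sides, at which point the second check would also succeed; that is the trade-off the thread is weighing.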