From nobody Tue Jun 27 10:17:45 2023
Date: Tue, 27 Jun 2023 20:17:45 +1000
From: Peter Jeremy (peterj@freebsd.org)
To: Rick Macklem
Cc: freebsd-fs@freebsd.org
Subject: Re: Diskless NFS over TLS
List-Id: Filesystems
List-Archive: https://lists.freebsd.org/archives/freebsd-fs
X-PGP-Key: http://www.rulingia.com/keys/peter.pgp

On 2023-Jun-24 06:40:34 -0700, Rick Macklem wrote:
>On Sat, Jun 24, 2023 at 6:15 AM Rick Macklem wrote:
>>
>> On Sat, Jun 24, 2023 at 2:24 AM Peter Jeremy wrote:
>> > I am contemplating whether it's possible to use secure NFS for at least
>> > the root mount[*]. The problem is that NFS-over-TLS relies on
>> > rpc.tlsclntd to perform the STARTTLS and that needs a functional
>> > userland to run it.
>> At this point, I do not think the "tls" option can be added via "mount -u".
>> I had assumed that users would want "on the wire encryption, etc" to
>> be done right away, before any non-encrypted data travels across the
>> wire.

That would be ideal but I agree it would be difficult to implement. In
particular, it would mean the boot loader would need to perform the TLS
handshake.

>Btw, to make this work for your case would be non-trivial, since the
>old (non-TLS)
>TCP connection would need to continue to work until the TLS handshake upcall
>to the daemon is completed. And then, the TCP connection used for NFS RPCs
>would need to be switched to use the new TLS/TCP connection. This is not how
>the krpc works now, so I am not exactly volunteering to do this, even if others
>think it is a good idea.

Thanks for that. I'll consider it infeasible for now.

>> Can you put all the data that needs to be secured on a separate volume and
>> mount that from /etc/fstab? (I'm sure you have thought of this, but...)
>> Note that there is overhead in using NFS-over-TLS (mostly CPU overhead,
>> assuming you do not have hardware offload), so you only want to use it
>> when there is data that needs to be secured.

I was thinking more of relying on TLS for better protection against network
issues and also trying to move towards a zero-trust network. The main problem
is that one of the pieces of data needing to be secured is the NFS TLS keys
needed to mount the secure volume.

Thinking more, I'm not sure how much value NFS-over-TLS provides unless I can
secure the boot process (DHCP and TFTP) as well.

Thank you for your input.

-- 
Peter Jeremy
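The arrangement Rick suggests above (a plain diskless root mount plus a separate fstab-mounted NFS volume carrying the "tls" option for the data that actually needs protecting) is easy to drift away from as fstab entries accumulate. The script below is an added example, not code from either author or from FreeBSD: it audits fstab text for NFS entries that lack "tls", ignoring / because the thread explains the root mount cannot currently be switched to TLS. The server name, export paths and fstab contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag NFS mounts in an fstab that do not carry the "tls" option.
# Constructed sample fstab; the server name and export paths are hypothetical.
SAMPLE_FSTAB='# Device                 Mountpoint  FStype  Options                      Dump Pass
nfsserver:/export/root   /           nfs     rw,nfsv4,minorversion=2      0    0
nfsserver:/export/secure /secure     nfs     rw,nfsv4,tls,minorversion=2  0    0
nfsserver:/export/home   /home       nfs     rw,nfsv4                     0    0
/dev/ada0p2              /var        ufs     rw                           2    2
'

# Read fstab text on stdin; print "<mountpoint> tls" or "<mountpoint> plain"
# for every NFS entry. Comment lines and short lines are skipped.
nfs_tls_status() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "nfs" {
            n = split($4, opts, ",")
            status = "plain"
            for (i = 1; i <= n; i++) if (opts[i] == "tls") status = "tls"
            print $2, status
        }'
}

# Mountpoints of NFS entries mounted without TLS, excluding the root mount,
# which (per the thread) has to come up without TLS on a diskless client.
plain_nfs_mounts() {
    printf '%s' "$1" | nfs_tls_status | awk '$2 == "plain" && $1 != "/" { print $1 }'
}

# Exit 0 when every non-root NFS mount uses tls; otherwise list the offenders
# and exit 1, so the check can run from a cron job or a configuration test.
check_fstab() {
    offenders=$(plain_nfs_mounts "$1")
    if [ -n "$offenders" ]; then
        printf 'NFS mounts without the tls option:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

if check_fstab "$SAMPLE_FSTAB"; then
    echo "all non-root NFS mounts carry the tls option"
else
    echo "data on the mounts above crosses the wire without TLS"
fi
```

Run it against the real file with `check_fstab "$(cat /etc/fstab)"`; the sample above reports /home, since only /secure was given the tls option.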