NFSv4 Working GroupInternet Engineering Task Force (IETF) W. AdamsonInternet-DraftRequest for Comments: 8000 NetAppIntended status:Category: Standards Track N. WilliamsExpires: March 5, 2017ISSN: 2070-1721 CryptonectorSeptember 1,October 2016MultipleRequirements for NFSv4DomainMulti-Domain Namespace DeploymentRequirements draft-ietf-nfsv4-multi-domain-fs-reqs-11Abstract This document presents requirementsonfor the deployment of the NFSv4 protocols for the construction of an NFSv4 filename spacenamespace in environments with multiple NFSv4 Domains. To participate in an NFSv4 multi-domain filename space,namespace, the server must offer amulti-domainmulti-domain- capable file system and support RPCSEC_GSS for user authentication. In most instances, the server must also supportidentity mappingidentity-mapping services. Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 5, 2017.http://www.rfc-editor.org/info/rfc8000. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Federated File System . . . . . . . . . . . . . . . . . . . . 5 4. Identity Mapping . . . . . . . . . . . . . . . . . . . . . . 5 4.1. NFSv4 Server Identity Mapping . . . . . . . . . . . . . ..5 4.2. NFSv4 Client Identity Mapping . . . . . . . . . . . . . ..6 5.Stand-aloneStand-Alone NFSv4 Domain Deployment Examples . . . . . . . . 7 5.1. AUTH_SYS with Stringified UID/GID . . . . . . . . . . . ..7 5.2. AUTH_SYS withname@domain .Name@domain . . . . . . . . . . . . . . . . 8 5.3. RPCSEC_GSS withname@domain .Name@domain . . . . . . . . . . . . . . . 8 6.Multi-domainMulti-Domain Constraints to the NFSv4 Protocol . . . . . . . 8 6.1. Name@domain Constraints . . . . . . . . . . . . . . . . ..9 6.1.1. NFSv4 Domain and DNS Services . . . . . . . . . . . .. .9 6.1.2. NFSv4 Domain and Name Services . . . . . . . . . . .. .10 6.2. RPC Security Constraints . . . . . . . . . . . . . . . ..10 6.2.1. NFSv4 Domain and Security Services . . . . . . . . .. .11 7.Stand-aloneStand-Alone Examples in an NFSv4Multi-domainMulti-Domain Deployment . . 11 8. ResolvingMulti-domainMulti-Domain Authorization Information . . . . . . 12 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 10.IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 11.References . . . . . . . . . . . . . . . . . . . . . . . . . 1411.1.10.1. Normative References . . . . . . . . . . . . . . . . . ..1411.2.10.2. Informative References . . . . . . . . . . . . . . . . ..15Appendix A.Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 1. Introduction The NFSv4 protocols NFSv4.0 [RFC7530], NFSv4.1 [RFC5661], and NFSv4.2[I-D.NFSv4.2][RFC7862] introduce the concept of an NFS Domain. An NFSv4 Domain is defined as a set of users and groups using the NFSv4 name@domain user and group identification syntax with the same specified @domain. Previous versions of the NFS protocol, such as NFSv3 [RFC1813], use the UNIX-centric user identification mechanism of numeric user and group ID for the uid3 and gid3 [RFC1813] file attributes and for identity in theONCRPC [RFC5531]authsys_parms AUTH_SYScredential.credential defined in the Open Network Computing (ONC) Remote Procedure Call (RPC) protocol [RFC5531]. Section 6.1 of [RFC2624] notes that the use ofUNIX-centricUNIX- centric numeric IDs limits the scale of NFS to large local work groups. UNIX-centric numeric IDs are not unique across NFSv3 deployments and so are not designed for Internet scaling achieved by taking into account multiple naming domains and multiple naming mechanisms (see Section 6.2). The NFSv4 Domain's use of the name@domain syntax provides this Internet scaling by allowing servers and clients to translate between the external name@domain string representation to a local or internal numeric (or other identifier)representationrepresentation, which matches internal implementation needs. Multi-domain deployments require support for unique identities across the deployment's name services and security services, as well as the use of multi-domain file systems capable of the on-disk representation of identities belonging to multiple NFSv4 Domains. The name@domain syntax can provide unique identities andsothus enables the NFSv4 multi-domain filename space.namespace. Unlike previous versions of NFS, the NFSv4 protocols define a referral mechanism (Section 8.4.3 of [RFC7530]) that allows a single server or a set of servers to present a multi-server namespace that encompasses file systems located on multiple servers. This enables the establishment of site-wide, organization-wide, or even a truly global filename space.namespace. The NFSv4protocolsprotocols' name@domain syntax and referral mechanism along with the use of RPCSEC_GSS security mechanisms enables the construction of an NFSv4 multi-domain filename space.namespace. This document presents requirements on the deployment of the NFSv4 protocols for the construction of an NFSv4 filename spacenamespace in environments with multiple NFSv4 Domains. To participate in an NFSv4 multi-domain filename space,namespace, the server must offer amulti-domainmulti-domain- capable file system and support RPCSEC_GSS [RFC2203] for user authentication. In most instances, the server must also supportidentity mappingidentity-mapping services. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Terminology NFSv4 Domain: A set of users and groups using the NFSv4 name@domain user and group identification syntax with the same specified @domain. Stand-alone NFSv4 Domain: A deployment of the NFSv4 protocols and NFSv4 filename spacenamespace in an environment with a single NFSv4 Domain. Local representation of identity: A representation of a user or a group of users capable of being stored persistently within a file system.TypicallyTypically, such representations are identical to the form in which users and groups are represented within internal serverAPI's.APIs. Examples are numericid'sIDs such as a uidNumber (UID), gidNumber (GID) [RFC2307], or a Windows Security Identifier (SID) [CIFS]. In somecasecases, the identifier space for user and groups overlap, requiring anyone using such anidID to know a priori whether the identifier is for a user or a group. Unique identity: An on-the-wire form of identity that is unique across an NFSv4 multi-domainname spacenamespace that can be mapped to a local representation. For example, the NFSv4 name@domain or the Kerberosprincipal@REALM [RFC4121].principal [RFC4120]. Multi-domain: In this document, the term "multi-domain" always refers to multiple NFSv4 Domains.Multi-domain capable filesystem:Multi-domain-capable file system: A localfilesystemfile system that uses a local ID form that can represent NFSv4 identities from multiple domains. Principal:anAn RPCSEC_GSS [RFC2203] authentication identity.Usually,It is usually, but not always, a user; rarely, if ever, a group; and sometimes a host or server. Authorization Context: A collection of information about a principal such asusername,user name, userID, group membership,etceteraetc., used in authorization decisions. Stringified UID or GID: NFSv4 owner and group strings that consist of decimal numeric values with no leadingzeros,zeros andwhichthat do not contain an '@' sign. See Section 5.9 of [RFC5661]. Name Service: Facilities thatprovidesprovide the mapping between {NFSv4 Domain,groupgroup, or user name} and the appropriate local representation of identity. Also includes facilities providing mapping between a security principal and local representation of identity. Can be applied to unique identities or principals from within local and remote domains. Often provided by a Directory Service such asLDAPthe Lightweight Directory Access Protocol (LDAP) [RFC4511]. Name Service Switch (nsswitch):aA facilityinthat provides a variety of sources for common configuration databases and name resolution mechanisms. FedFS: The Federated File System (FedFS) [RFC5716] describes the requirements and administrative tools to construct a uniform NFSv4file server based name spacefile-server-based namespace that is capable of spanning a whole enterprise and that is easy to manage. Domain: This term is used in multiple contexts where it has different meanings.Definitions of "nfsv4 domain""NFSv4 Domain" and"multi- domain" have already appeared above in Section 1. Below we provide other specific definitions used this document."multi-domain" are defined above. DNS domain:aA set of computers, services, or any Internet resource identified byana DNS domain name [RFC1034]. Security realm or domain:aA set of configured security providers, users, groups, security roles, and security policies running a single security protocol and administered by a single entity, forexampleexample, a Kerberos realm. FedFS domain: A filename spacenamespace that can cross multiple shares on multiple file servers using file-access protocols such as NFSv4. A FedFS domain is typically a single administrativeentity,entity and has a name that is similar to a DNS domain name. Also known as aFederation."Federation". Administrative domain:aA set of users, groups, computers, and services administered by a single entity. Can include multiple DNS domains, NFSv4domains,Domains, security domains, and FedFS domains. 3. Federated File System The FedFS is the standardized method of constructing and administrating an enterprise-wide NFSv4filesystem,file system andsois thus referenced in this document. The requirements for multi-domain deployments described in this document apply to all NFSv4 multi- domain deployments, whether or not they are runas a FedFS or not.as a FedFS. Stand-alone NFSv4 Domain deployments can be run in many ways. While a FedFS can be run within all stand-alone NFSv4domain configurationsDomain configurations, some of these configurations (Section 5) are not compatible with joining a multi-domain FedFSname space.namespace. 4. Identity Mapping 4.1. NFSv4 Server Identity Mapping NFSv4 servers deal with two kinds of identities: authentication identities (referred to here as "principals") and authorization identities ("users" and "groups" of users). NFSv4 supports multiple authentication methods, each authenticating an "initiator principal" (typically representing a user) to an "acceptor principal" (always corresponding to the NFSv4 server). NFSv4 does not prescribe how to represent authorization identities on file systems. All file access decisions constitute "authorization" and are made by NFSv4 servers using authorization context information and file metadata related to authorization, such as a file's access control list (ACL). NFSv4 servers may be required to perform two kinds of mappings depending upon what authentication and authorization information is sent on thewire,wire and what is stored in the exported file system. For example, if an authentication identity such as a Kerberos principal is sent with authorization information such as a "privilege attribute certificate" (PAC)[PAC][PAC], then mapping is not required (see Section 8). 1. Auth-to-authz: A mapping between the authentication identity and the authorization context information. 2. Wire-to-disk: A mapping between the on-the-wire authorization identity representation and the on-disk authorization identity representation. AName Servicename service such as LDAP often provides these mappings. Many aspects of these mappings are entirely implementation specific, but some requiremulti-domain capablemulti-domain-capable name resolution and security services in order to interoperate in a multi-domain environment. NFSv4 servers use these mappings for: 1. File access: Both the auth-to-authz and the wire-to-disk mappings may be required for file access decisions. 2.Meta-dataMetadata setting and listing: The auth-to-authz mapping is usually required to service file metadata setting or listing requests such as ACL or UNIX permission setting or listing. This mapping is needed because NFSv4 messages use identity representations of the formname@domainname@domain, which normally differs from the server's local representation of identity. 4.2. NFSv4 Client Identity Mapping A client setting the owner or group attribute will often need access toidentity mappingidentity-mapping services. This is becauseAPI'sAPIs within the client will specify the identity in a local form(e.g(e.g., UNIX using aUID/GID)UID/ GID) so that when stringified id's cannot be used, theidID must be converted to a unique identity form. A client obtaining values for the owner or group attributes will similarly need access toidentity mappingidentity-mapping services. This is because the client API will need these attributes in a local form, as above. As aresultresult, name services need to be available to convert the unique identity to a local form. Note that each of these situations arises because client-sideAPI'sAPIs require a particular local identity representation. The need for mapping services would not arise if the clients could use the unique representation of identity directly. 5.Stand-aloneStand-Alone NFSv4 Domain Deployment Examples The purpose of this section is to list some typical stand-alone deployment examples to highlight the need for the required restraints to the NFSv4 protocol, name service configuration, and security service choices in an NFSv4 multi-domain environment described in Section 6. Section 7 notes how these stand-alone deployment examples would need to change to participate in an NFSv4 multi-domain deployment. In order to service as many environments as possible, the NFSv4 protocol is designed to allow administrators freedom to configure their NFSv4domainsDomains as they please. Stand-alone NFSv4 Domains can be run in many ways. These examples are foraan NFSv4 server exporting a POSIXUID/GIDUID/GID- based file system, a typical deployment. These examples are listed in the order of increasing NFSv4 administrative complexity. 5.1. AUTH_SYS with Stringified UID/GID This example is the closest NFSv4 gets to being run as NFSv3 as there is no need for a name service for file metadata listing. File access: The AUTH_SYS RPC credential [RFC5531] provides a UID as the authentication identity, and a list of GIDs as authorization context information. File access decisions require no name service interaction as the on-the-wire and on-disk representation are the same and the auth-to-authz UID and GID authorization context information is provided in the RPC credential.Meta-dataMetadata setting and listing: When the NFSv4 clients and servers implement a stringified UID/GID scheme, where a stringified UID or GID is used for the NFSv4 name@domain on-the-wire identity, then a name service is not required for file metadata listing as theUIDUID, or GID can be constructed from the stringified form on the fly by the server. 5.2. AUTH_SYS withname@domainName@domain Another possibility is to express identity using the form 'name@domain', rather than using a stringified UID/GID scheme for file metadata setting and listing. File access: This is the same as in Section 5.1.Meta-dataMetadata setting and listing: The NFSv4 server will need to use a name service for the wire-to-disk mappings to map between the on-the- wire name@domain syntax and the on-disk UID/GID representation. Often, the NFSv4 server will use the nsswitch interface for these mappings. A typical use of the nsswitch name service interface uses no domain component, just the UID attribute [RFC2307] (or login name) as the name component. This isnonot an issue in a stand-alone NFSv4domainDomain deployment as the NFSv4 Domain is known to the NFSv4 server and can be combined with the login name to form the name@domain syntax after the return of the name service call. 5.3. RPCSEC_GSS withname@domainName@domain RPCSEC_GSS usesGSS-APIGeneric Security Service Application Program Interface (GSS-API) [RFC2743] security mechanisms to securely authenticate users to servers. The most common mechanism is Kerberos [RFC4121]. This final example adds the use of RPCSEC_GSS with the Kerberos 5 GSS security mechanism. File Access: The forms of GSS principal names aremechanism-specific.mechanism specific. ForKerberosKerberos, these are of the form principal@REALM. Sometimes authorization context information is delivered with authentication, but this cannot be counted on. Authorization context information not delivered with authentication has timely update considerations (i.e., generally it's not possible to get a timely update). File access decisions therefore require a wire-to-disk mapping of the GSS principal to aUID,UID and an auth-to-authz mapping to obtain the list of GIDs as the authorization context.Meta-dataMetadata setting and listing: This is the same as in Section 5.2. 6.Multi-domainMulti-Domain Constraints to the NFSv4 Protocol Joining NFSv4 Domains under a single filename spacenamespace imposes slightly on the NFSv4administrationadministrative freedom.HereIn this section, we describe the required constraints. 6.1. Name@domain Constraints NFSv4 uses a syntax of the form "name@domain" (see Section 5.9 of [RFC7530]) as the on-the-wire representation of the "who" field of an NFSv4 access control entry (ACE) for users and groups. This design provides a level of indirection that allows NFSv4 clients and servers with different internal representations of authorization identity to interoperate even when referring to authorization identities from different NFSv4 Domains.Multi-domain capableMulti-domain-capable sites need to meet the following requirements in order to ensure that NFSv4 clients and servers can map between name@domain and internal representations reliably. While some of these constraints are basic assumptions in NFSv4.0 [RFC7530] and NFSv4.1 [RFC5661], they need to be clearly stated for the multi- domain case. o The NFSv4 Domain portion of name@domain MUST be unique within the multi-domainname space.namespace. See[RFC5661] section[RFC5661], Section 5.9"Interpreting("Interpreting owner andowner_group"owner_group") for a discussion on NFSv4 Domain configuration. o The name portion of name@domain MUST be unique within the specified NFSv4 Domain. Due to UID and GID collisions, stringified UID/GIDs MUST NOT be used in a multi-domain deployment. This means that multi-domain-capable servers MUST reject requests that use stringified UID/GIDs. 6.1.1. NFSv4 Domain and DNS Services Here we address the relationship between NFSv4 Domain name and DNS domain name in a multi-domain deployment. The definition of an NFSv4 Domain name, the @domain portion of the name@domain syntax, needs clarification to work in a multi-domain file systemname space.namespace. [RFC5661], Section 5.9[RFC5661]loosely defines the NFSv4 Domain name as a DNS domain name. This loose definition for the NFSv4 Domain name is a good one, as DNS domain names are globally unique. As notedabovein Section 6.1, any choice of NFSv4 Domain name can work within a stand-alone NFSv4 Domain deployment whereas the NFSv4 Domain name is required to be unique across a multi-domain deployment. A typical configuration is that there is a single NFSv4 Domain that is served by a single DNS domain. In thiscasecase, the NFSv4 Domain name can be the same as the DNS domain name. An NFSv4 Domain can span multiple DNS domains. In this case, one of the DNS domain names can be chosen as the NFSv4 Domain name. Multiple NFSv4 Domains can also share a DNS domain. In this case, only one of the NFSv4 Domains can use the DNS domain name, the other NFSv4 Domains must choose another unique NFSv4 Domain name. 6.1.2. NFSv4 Domain and Name Services As notedabovein Section 6.1, each name@domain is unique across themulti-domain name spacemulti- domain namespace and maps, on each NFSv4 server, to the local representation of identity used by that server. Typically, this representation consists of an indication of the particular domain combined with the UID/GID corresponding to the name component. To support such an arrangement, each NFSv4 Domain needs to have a single name resolution service capable of converting the names defined within the domain to the corresponding local representation. 6.2. RPC Security Constraints As described in[RFC5661] section[RFC5661], Section 2.2.1.1"RPC("RPC SecurityFlavors":Flavors"): NFSv4.1 clients and servers MUST implement RPCSEC_GSS. (This requirement to implement is not a requirement to use.) Other flavors, such asAUTH_NONE,AUTH_NONE and AUTH_SYS, MAY be implemented as well. The underlying RPCSEC_GSS[RFC2203]GSS-API [RFC2203] security mechanism used in a multi-domainname spacenamespace is REQUIRED to employ a method of cross NFSv4 Domain trust so that a principal from a security service in one NFSv4 Domain can be authenticated in another NFSv4 Domain that uses a security service with the same security mechanism. Kerberos is an example of such a security service. The AUTH_NONE [RFC5531] security flavor can be useful in a multi- domain deployment to grant universal read-only access to public data without any credentials. The AUTH_SYS security flavor [RFC5531] uses a host-based authentication model where the weakly authenticated host (the NFSv4 client) asserts the user's authorization identities using small integers, uidNumber, and gidNumber[RFC2307],[RFC2307] as user and group identity representations. Because this authorization ID representation has no domain component, AUTH_SYS can only be used in aname spacenamespace where all NFSv4 clients and servers sharean [RFC2307]a nameservice.service as described in [RFC2307]. A shared name service is required because uidNumbers and gidNumbers are passed in the RPC credential; there is no negotiation ofname spacenamespace in AUTH_SYS. Collisions can occur if multiple name services are used, so AUTH_SYS MUST NOT be used in a multi-domain file system deployment. 6.2.1. NFSv4 Domain and Security Services As notedabovein Section6.2, caveat6.2 regarding AUTH_NONE, multiple NFSv4 Domain security services are RPCSEC_GSS based with the Kerberos 5 security mechanism being the most commonly (and as of this writing, the only) deployed service. A single Kerberos 5 security service per NFSv4 Domain with the upper case NFSv4 Domain name as the Kerberos 5 REALM name is a common deployment. Multiple security services per NFSv4 Domain isallowed,allowed and brings the need of mapping multiple Kerberos 5 principal@REALMs to the same local ID. Methods of achieving this are beyond the scope of this document. 7.Stand-aloneStand-Alone Examples in an NFSv4Multi-domainMulti-Domain Deployment In thissectionsection, we revisit the stand-alone NFSv4 Domain deployment examples in Section 5notingand note what is prohibiting them from participating in an NFSv4 multi-domain deployment. Note that because all on-disk identities participating in a stand- alone NFSv4 Domain belong to the same NFSv4 Domain, stand-alone NFSv4 Domain deployments have no requirement for exportingmulti-domainmulti-domain- capable file systems. To participate in an NFSv4 multi-domain deployment, all three examples in Section 5 would need to exportmulti-domain capablemulti-domain-capable file systems. Due to the use of AUTH_SYS and stringifiedUID/GIDsUID/GIDs, the first stand- alone deployment example (described in Section5.15.1) is not suitable for participation in an NFSv4 multi-domain deployment. The second examplein described(described in Section5.25.2) does use the name@domain syntax, but the use of AUTH_SYS prohibits its participation in an NFSv4 multi-domain deployment. The third example (described in Section5.35.3) can participate in a multi-domainname spacenamespace deployment if: o The NFSv4 Domain name is unique across thename space.namespace. o All exported file systems are multi-domain capable. o A secure method is used to resolve the remote NFSv4 Domainprincipalsprincipal's authorization information from an authoritative source. 8. ResolvingMulti-domainMulti-Domain Authorization Information When an RPCSEC_GSS principal is seeking access to files on an NFSv4 server, after authenticating the principal, the server SHOULD obtain in a secure manner the principal's authorization context information from an authoritative source such as the name service in the principal's NFSv4 Domain. In the stand-alone NFSv4 Domain case where the principal is seeking access to files on an NFSv4 server in the principal's home NFSv4 Domain, the server administrator has knowledge of the local policies and methods for obtaining the principal's authorization information and the mappings to local representation of identity from an authoritative source.E.g.,For example, the administrator can configure secure access to the local NFSv4domainDomain name service. In the multi-domain case where a principal is seeking access to files on an NFSv4 server not in the principal's home NFSv4 Domain, the NFSv4 server may be required to contact the remote name service in theprincipalsprincipal's NFSv4 Domain. In thiscasecase, there is no assumption of: o Remote name service configuration knowledge. o The syntax of the remote authorization context information presented to the NFSv4 server by the remote name service for mapping to a local representation. There are several methods the NFSv4 server can use to obtain the NFSv4 Domain authoritative authorization information for a remote principal from an authoritative source. Whileany detaildetailing these methods is beyond the scope of this document, some general methods are listed here. 1. Amechanism specificmechanism-specific GSS-API authorization payload containing credential authorization data such as a "privilege attribute certificate" (PAC) [PAC] or a "principal authentication data" (PAD)[I-D.sorce-krbwg-general-pac].[GEN-PAC]. This is the preferred method as the payload is delivered as part of GSS-API authentication, avoids requiring any knowledge of the remote authoritative service configuration, andits syntax is well known.has a well-known syntax. 2. When there is a security agreement between the local and remote NFSv4 Domain name services plus regular update data feeds, the NFSv4 server local NFSv4 Domain name service can be authoritative forprincipal'sprincipals in the remote NFSv4 Domain. In this case, the NFSv4 server makes a query toit'sits local NFSv4 Domain name service just as it does when servicing a local domain principal. While this requires detailed knowledge of the remote NFSv4DomainsDomain name service for the update data feeds, the authorization context information presented to the NFSv4 server is in the same form as a query for a local principal. 3. An authenticated direct query from the NFSv4 server to the principal's NFSv4 Domain authoritative name service. This requires the NFSv4 server to have detailed knowledge of the remote NFSv4 Domain's authoritative name service and detailed knowledge of the syntax of the resultant authorization context information. 9. Security Considerations This RFC discusses security throughout. All the security considerations of the relevant protocols, such as NFSv4.0 [RFC7530], NFSv4.1 [RFC5661], RPCSEC_GSS [RFC2203], GSS-API [RFC4121], LDAP [RFC4511], Requirements for Federated FS [RFC5716], FedFS NamespaceDBDatabase Protocol [RFC7532], FedFS Administration Protocol [RFC7533], and FedFS Security Addendum[I-D.lever-fedfs-security-addendum][SEC-ADD] apply. Authentication and authorization across administrative domainspresentspresent security considerations, most of which are treated elsewhere, but we repeat some of them here: o latency in propagation of revocation of authentication credentials o latency in propagation of revocation of authorizations o latency in propagation of granting of authorizations o complications in establishing aforeign domain's users'complete authorizationcontext: onlycontext for users of a foreign domain (only parts may be available toserversservers) o privacy considerations in a federated environment Most of these are security considerations of the mechanisms used to authenticate users to servers and servers tousers,users and of the mechanisms used to evaluate a user's authorization context. Implementors may be tempted to assume thatrealm"realm" (or "issuer") andNFSv4 Domain"NFSv4 Domain" are roughly the same thing, but they are not. Configuration and/or lookup protocols (such as LDAP) and associated schemas are generally required in order to evaluate a user principal's authorization context (see Section 8). In the simplestschemescheme, a server has access to a database mapping all known principal names tousernamesuser names whose authorization context can be evaluated using operating system interfaces that deal inusernamesuser names rather than principal names. Note that clients may also need to evaluate a server's authorization context when using labeled security[I-D.NFSv4.2][RFC7862] (e.g., is the server authorized to handle content at a given securitylevel,level for the given client process subject label). When the server accepts usercredentialcredentials from more than one realm, it is important to remember that the server must verify that the client it is talking to has a credential for the name the client has presented theserver,server and thatthatthe credential's issuer (i.e., its realm) is allowed to issue it.UsuallyUsually, the service principal realm authorization function is implemented by the security mechanism, but the implementor should check this. 10.IANA Considerations There are no IANA considerations in this document. 11.References11.1.10.1. Normative References[I-D.NFSv4.2] Haynes, T., "NFS Version 4 Minor Version 2", draft-ietf- nfsv4-minorversion2-36 (Work In Progress), April 2015.[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, <http://www.rfc-editor.org/info/rfc1034>. [RFC1813] Callaghan, B., Pawlowski, B., and P. Staubach, "NFS Version 3 Protocol Specification", RFC 1813, DOI10.17487/ RFC1813,10.17487/RFC1813, June 1995, <http://www.rfc-editor.org/info/rfc1813>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI10.17487/ RFC2119,10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2203] Eisler, M., Chiu, A., and L. Ling, "RPCSEC_GSS Protocol Specification", RFC 2203, DOI 10.17487/RFC2203, September 1997, <http://www.rfc-editor.org/info/rfc2203>. [RFC2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, DOI10.17487/ RFC2743,10.17487/RFC2743, January 2000, <http://www.rfc-editor.org/info/rfc2743>. [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2", RFC 4121, DOI 10.17487/RFC4121, July 2005, <http://www.rfc-editor.org/info/rfc4121>. [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access Protocol (LDAP): The Protocol", RFC 4511, DOI10.17487/ RFC4511,10.17487/RFC4511, June 2006, <http://www.rfc-editor.org/info/rfc4511>. [RFC5661] Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed., "Network File System (NFS) Version 4 Minor Version 1 Protocol", RFC 5661, DOI 10.17487/RFC5661, January 2010, <http://www.rfc-editor.org/info/rfc5661>. [RFC7530] Haynes, T., Ed. and D. Noveck, Ed., "Network File System (NFS) Version 4 Protocol", RFC 7530, DOI 10.17487/RFC7530, March 2015, <http://www.rfc-editor.org/info/rfc7530>.11.2.[RFC7862] Haynes, T., "Network File System (NFS) Version 4 Minor Version 2 Protocol", RFC 7862, DOI 10.17487/RFC7862, October 2016, <http://www.rfc-editor.org/info/rfc7862>. 10.2. Informative References [CIFS] Microsoft Corporation,"[MS-CIFS] -- v20130118"[MS-CIFS]: Common Internet File System (CIFS) Protocol",January 2013. [I-D.lever-fedfs-security-addendum] Lever, C., "Federated Filesystem Security Addendum", draft-cel-nfsv4-federated-fs-security-addendum-05 (Active Internet Draft), MayMS-CIFS v20160714 (Rev 26.0), July 2016.[I-D.sorce-krbwg-general-pac][GEN-PAC] Sorce, S., Yu, T., and T. Hardjono, "A Generalized PAC for Kerberos V5",draft-ietf-krb-wg-general-pac-01 (Work In Progress awaiting merge with other document ),Work in Progress, draft-sorce-krbwg-general- pac-02, June 2011. [PAC] Brezak, J., "Utilizing the Windows 2000 Authorization Data in Kerberos Tickets for Access Control to Resources",OctoberFebruary 2002. [RFC2307] Howard, L., "An Approach for Using LDAP as a Network Information Service", RFC 2307, DOI 10.17487/RFC2307, March 1998, <http://www.rfc-editor.org/info/rfc2307>. [RFC2624] Shepler, S., "NFS Version 4 Design Considerations", RFC 2624, DOI 10.17487/RFC2624, June 1999, <http://www.rfc-editor.org/info/rfc2624>. [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, DOI 10.17487/RFC4120, July 2005, <http://www.rfc-editor.org/info/rfc4120>. [RFC5531] Thurlow, R., "RPC: Remote Procedure Call Protocol Specification Version 2", RFC 5531, DOI 10.17487/RFC5531, May 2009, <http://www.rfc-editor.org/info/rfc5531>. [RFC5716] Lentini, J., Everhart, C., Ellard, D., Tewari, R., and M. Naik, "Requirements for Federated File Systems", RFC 5716, DOI 10.17487/RFC5716, January 2010, <http://www.rfc-editor.org/info/rfc5716>. [RFC7532] Lentini, J., Tewari, R., and C. Lever, Ed., "Namespace Database (NSDB) Protocol for Federated File Systems", RFC 7532, DOI 10.17487/RFC7532, March 2015, <http://www.rfc-editor.org/info/rfc7532>. [RFC7533] Lentini, J., Tewari, R., and C. Lever, Ed., "Administration Protocol for Federated File Systems", RFC 7533, DOI 10.17487/RFC7533, March 2015, <http://www.rfc-editor.org/info/rfc7533>.Appendix A.[SEC-ADD] Lever, C., "Federated Filesystem Security Addendum", Work in Progress, draft-cel-nfsv4-federated-fs-security- addendum-05, May 2016. Acknowledgments Andy Adamson would like to thank NetApp,Inc.Inc., for its funding of his time on this project. We thank Chuck Lever, Tom Haynes, Brian Reitz, Bruce Fields, and David Noveck for their review. Authors' Addresses William A. (Andy) Adamson NetApp Email: andros@netapp.com Nicolas Williams Cryptonector Email: nico@cryptonector.com