
Re: IPSEC and NFS



Michael R. Eisler wrote:
> 
> > Angelos D. Keromytis wrote:
> >
> > >
> > > I've been using NFS over IPsec to protect against outsider attacks for
> > > a while now, but I don't see how NFS can be made insider-resistant
> > > without major restructuring of the protocol. There's the implicit
> > > assumption that the client kernel is behaving. Of course, you didn't
> > > quite explain what your threat model was (hostile users on the client
> > > machine I presume -- in which case IPsec+privileged ports required
> > > for the client can do wonders).
> > > Cheers,
> > Fair enough, I wasn't very clear on the threat model.
> >
> > I'm particularly concerned about things like PCs participating in
> >   NFS services, in which it's sooooo easy for the client to "cheat"
> >   in the sense of claiming a uid/gid that it has no "right" to.
> >   I'm afraid that your analysis of NFS requiring major restructuring
> >   to protect against this is correct.  Secure RPC doesn't appear to
>                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> >   be a reasonable fix for this either.  Sigh.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> why?
>
The last time I looked at the way secure RPC worked, it was, to be
  polite, less than wonderful.  RSA keypairs were limited to some very
  small size, and private keys were stored on a central server, with
  encrypted private keys flying over the network, making it easy to
  launch a passwd-style cracking attack.  Unless secure RPC has come
  a long way since I read about it (a couple of years ago), then I still
  claim that it isn't a reasonable solution.

> >
> > If I restrict an NFS server to only allowing SAs with hosts it
> >   knows "play by the rules"--in that user processes cannot fake
> >   legitimate NFS protocol (because they can't get a privileged port),
> 
> not all operating systems support the concept of privileged users having
> exclusive access to "privileged" ports.
Right, but if I restrict my NFS servers to only dealing with operating
  systems that HAVE that concept, then this kludge works.

-- 
----------------------------------------------------------------------
Marcus Leech                             Mail:   Dept 8M86, MS 012, FITZ
Systems Security Architect               Phone: (ESN) 393-9145  +1 613 763 9145
Messaging and Security Infrastructure    Fax:   (ESN) 395-1407  +1 613 765 1407
Nortel Technology                        mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------
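The server-side policy discussed in this thread (honour a client's claimed uid/gid only when the request arrives from a host the server trusts to enforce privileged ports, and then only from a port below 1024) can be written down as a small decision function. The following is an added illustration for this archive page, not code from any of the posters or from an NFS implementation. The trusted-host list, the sample requests and the choice of uid/gid 65534 as the "nobody" identity are constructed for the example; squashing untrusted identities to nobody mirrors the familiar root_squash/all_squash behaviour of NFS servers rather than anything stated in the messages above.

```python
from dataclasses import dataclass

# Constructed values for this example: the conventional "nobody" identity
# and the upper bound of the privileged port range.
NOBODY_UID = 65534
NOBODY_GID = 65534
PRIVILEGED_PORT_MAX = 1023

# Hypothetical trust list: hosts that (a) have an IPsec SA with the server
# and (b) are known to reserve ports below 1024 for privileged processes.
TRUSTED_HOSTS = {"10.0.0.11", "10.0.0.12"}


@dataclass(frozen=True)
class RpcRequest:
    """The fields of an AUTH_SYS-style request that matter for this policy."""
    src_host: str
    src_port: int
    claimed_uid: int
    claimed_gid: int


def effective_credentials(req, trusted_hosts=TRUSTED_HOSTS):
    """Return (uid, gid, reason) for a request.

    The claimed identity is accepted only when the source host is on the
    trust list AND the request came from a privileged port; otherwise the
    identity is squashed to nobody. This is exactly the "kludge" from the
    thread: it relies on the trusted client kernels behaving, so it does not
    make NFS resistant to a hostile client machine.
    """
    if req.src_host not in trusted_hosts:
        return NOBODY_UID, NOBODY_GID, "untrusted host: identity squashed"
    if req.src_port > PRIVILEGED_PORT_MAX:
        return NOBODY_UID, NOBODY_GID, "non-privileged source port: identity squashed"
    return req.claimed_uid, req.claimed_gid, "trusted host and privileged port: identity accepted"


# Constructed sample traffic, not captured data.
SAMPLE_REQUESTS = [
    RpcRequest("10.0.0.11", 1022, 1000, 100),   # trusted host, kernel-originated request
    RpcRequest("10.0.0.11", 40000, 0, 0),       # trusted host, but an unprivileged user process
    RpcRequest("192.168.1.50", 1022, 0, 0),     # PC that is not on the trust list
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Apply the policy to every request and return the decisions in order."""
    return [effective_credentials(r) for r in requests]


if __name__ == "__main__":
    for req, (uid, gid, why) in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{req.src_host}:{req.src_port} claimed {req.claimed_uid}/{req.claimed_gid}"
              f" -> {uid}/{gid} ({why})")
```

Only the first sample request keeps its claimed identity; the other two are squashed, one because the port shows it did not come from the client kernel, the other because the host is not one the server has agreed to trust.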

