
List:       opensolaris-nfs-discuss
Subject:    [nfs-discuss] Labeled NFS Meeting Minutes January 27th 2010
From:       "David P. Quigley" <dpquigl () tycho ! nsa ! gov>
Date:       2010-01-28 23:08:13
Message-ID: 1264720093.20881.35.camel () moss-terrapins ! epoch ! ncsc ! mil

Roll Call:  

Dave Quigley and Stephen Smalley / NSA
Jarrett Lu/Oracle
Peter Staubach & James Morris/Red Hat
Paul Moore / HP
Matthew Dodd / SPARTA
Spencer Shimko / Tresys


IETF Note Well Agreement:

  This is a reminder that our discussions are governed by the 
  IETF Note Well Agreement. See:

    http://www.ietf.org/NOTEWELL.html

  We will start each week's meeting with this announcement.

Q&A Session concerning existing Labeled NFS documents:

- Jarrett asked if there were updated documents.
- Dave noted that updated documents are WIP.
- Jarrett suggested contacting Joy Latten about Labeled IPSEC and developing
  a common label format specification.
- Dave summarized current lnfs specification.

Review Impact Study:

Dave summarizes:
- Impact and Scope sections near complete.
- Need to flesh out use cases.
1. Full mode, MAC consistency, especially user home directories.
2. MAC for virtual machine images stored on network.
3. Simple security label storage (client-focused).
4. Regulatory Compliance.

Spencer/Tresys:
- High performance computing w/ cluster and NFS filesystems.
- Specific reqs to labeled security.
- Becoming more evident in corporate world for regulatory compliance.

James/Red Hat:
- Corporate partners have flagged LNFS as a requirement.
- OEMs are stating requirements for security enabling of products.

Dave/NSA:
- EMC on the fence, need more demonstration of real demand for this
technology.

Peter/Red Hat:
- Linux NFSv4 server rarely used in the enterprise.
- NetApp or EMC must support for corporate acceptance - major storage
vendors.

Dave/NSA:
- NetApp expressed that if they support this functionality they would like to
provide some sort of MAC enforcement. If the module is SELinux-like it
would require a BSD or similar port of SELinux to be made viable again.

James/Red Hat:  They should just start with dumb server model.
Dave/NSA:   Agree, just storage initially, full MAC model can follow.

Peter/Red Hat:  Asked for copies of impact study.
Dave/NSA:  Should be released publicly soon after prepub approval.

Dave/NSA:  Need people to participate in review and writing sections.

Peter/Red Hat: Management supports moving Labeled NFSv4 forward.  Wants it
to progress together with James' xattr support for NFSv3.

James/Red Hat:  NFSv4 solution must also move forward;  out-of-band
NFSv3 solution may discourage standardization of solution for NFSv4.
James will continue to work on documents as well as NFSv3 xattr process.

James/Red Hat and Dave/NSA:  Private namespace for storage on dumb
server?  Possibly use system namespace on server?  No server
interpretation?  Configurable mapping in exports table?  Allows server
to be unaffected by labels set by clients even if server is running a
MAC model.

Matt/SPARTA:  Server will always just provide label, no namespace
conflict between client and server.

James/Red Hat:  Clarifies that purpose of NFSv3 xattr work is to provide
a stopgap solution until NFSv4 work can achieve standardization and
deployment as well as to support legacy usage of NFSv3.

Peter/Red Hat:  nfsroot should be included as a use case.

James/Red Hat:  build servers could use local NFS mounts to support dumb
storage?

Dave/NSA:
- Investigate more details for use cases, summarize and submit to Dave.
- Impact and label format specifier documents will be prepub'd and
released ASAP.
- After release, review and comment.
- Labeled format specifier:  split next telecon 50/50.

Action Items:
- Release impact document.
- Release label format specification document.
- Upload updated requirements and specification documents to IETF
website.
- Invite the labeled ipsec people to next meeting.

Agenda items for the next meeting:
- Review and incorporate suggested changes to the impact document
- Discuss label format in the protocol / on the wire.



