security
... operating system, network architecture, and security mechanism, and
transport protocol independent. This independence is achieved through
...
... application protocols built on top of RPC to
access security mechanisms that adhere to the GSS-API specification
[RFC2078 ...
...
The purpose of this document is to clarify NFS security issues and to
specify how the NFS protocol uses RPCSEC_GSS ...
... Overview of RPC Security Architecture ...
...
The RPC protocol includes a slot for security parameters (referred to
as an authentication flavor in the RPC specification [RFC1831]) on
every call. The contents of the security parameters are determined
by the type of authentication used by the server ...
... ports and port monitoring for
security is at best an inconvenience to the attacker and SHOULD NOT
be depended on.
...
... credentials from the
RPC security information in each remote request. Each flavor packages
credentials differently.
...
... AUTH_DH and AUTH_KERB4 styles of security are based on a
network-wide name. They provide greater security through the use of
DES encryption ...
... The RPCSEC_GSS style of security is based on a security-mechanism-
specific principal name. GSS-API mechanisms provide security through
the use of cryptography. The cryptographic ...
... NFS servers MAY export file systems with specific security flavors
bound to the export. In the event a client uses a security flavor
that is not the one of the flavors the file system was exported with,
...
... Security Flavor Negotiation ...
...
Any application protocol that supports multiple styles of security
will have the issue of negotiating the security method to be used.
NFS ...
... up to the client to guess, or depend on prior knowledge. Often the
prior knowledge would be available in the form of security options
specified in a directory service used for the purpose of
...
... different access (read-only versus read-write), and with different
security flavors, it is possible a client might get back multiple
security flavors in the list returned in the MNT response. The use of
one flavor instead of another might imply read-only instead of read-
write access, or perhaps some other degradation of access. For this
...
... first flavor. NFS servers that support the ability to export file
systems with multiple security flavors SHOULD either present the best
accessing flavor first to the client, or leave the order under the
...
...
When one develops a new RPC security flavor, iana@iana.org MUST be
contacted to get a unique flavor assignment. To simplify NFS client
and server ...
...
RPCSEC_GSS is a single security flavor over which different security
mechanisms can be multiplexed. Within a mechanism, GSS-API provides
for the support of multiple quality of protections (QOPs), which are
... privacy. Thus RPCSEC_GSS effectively supports M * Q * 3 different
styles of security, where M is the number of mechanisms supported, Q
is the average number of QOPs supported for each mechanism, and 3
enumerates authentication ...
...
Because RPCSEC_GSS encodes many styles of security, just adding
RPCSEC_GSS to the list of flavors returned in MOUNT Version 3 ...
... GSS. The idea is that each
pseudo flavor will map to a specific triple of security mechanism,
quality of protection, and service ...
... Given that each integrity algorithm has a different degree of
security, this situation may not be acceptable to the user of GSS-
API ...
... Security Considerations ...
...
Version 3 of the MOUNT protocol is used to negotiate the security
flavor to be used by the NFS Version 3 ...
... NFS client into using a
weaker form of security than what the real NFS server requires.
However, once the NFS client selects a security flavor when it
sends a request to real NFS server, if the flavor is
... NFS client could contact the MOUNT server using a stronger
security flavor, but this would require that the client know in
advance what security flavors the MOUNT server supports.
...
... If the client and server support a common set of security
flavors, such that the client considers one preferable to the
...
... privacy and other not),
unless the client uses a strong security flavor in the MOUNT
protocol query, an attacker in the middle could cause the client
to use the weaker form of security. Again, a client could
contact the MOUNT server using a stronger form of security ...
... RPC's RPCSEC_GSS security flavor. This memorandum requires that
triples of { GSS-API mechanism OID ...
... GSS security service } be mapped to a unique RPC security
flavor number, which is a pseudo flavor that does not appear in an
...
... pseudo flavor numbers are no different than that the considerations
for RPC security flavors, as both are assigned from the same number
space. IANA is already responsible for the assigned of RPC security
flavors, and because this memorandum does not specify the RPC
...
... quality of protection, the RPCSEC_GSS
security service, and flavor number, with the request for a flavor
name. If the registrant does not have a flavor number, then
guidelines for flavor number assignments will indirectly limit the
...
... delegation is to delegate portions of the
RPC security flavor number space with the RPC flavor name space ...
... RPCSEC_GSS Security Service ...
...
There are only three security services and they are enumerated and
described in [RFC2203]. No guideline to IANA ...
... Linn, J., "Generic Security Service Application Program Interface, Version 2", RFC 2078(-> 2743prop), January 1997. http://www.ietf.org/rfc/rfc2078.txt ...
