<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Re: [Lustre-devel] security: rpc message vs bulk data</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16674" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>1. Securing bulk
data.</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT
color=#0000ff></FONT></SPAN> </DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>It seems to me that it
<U>is</U> appropriate to use the GSSAPI to secure the</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>transfer of bulk
</FONT></SPAN><SPAN class=125025714-08082008><FONT color=#0000ff>data between
client and server since it's effectively just</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>another message. I
can see (at least naively) that it would be good to</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>avoid double encryption
in the case where file contents are actually stored</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>encrypted on
disk. But even in this case, don't we still have to sign
the</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>(encrypted) bulk so that
the receiver can be sure it arrived intact?</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT
color=#0000ff></FONT></SPAN> </DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>2. Securing
Capabilities.</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT
color=#0000ff></FONT></SPAN> </DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>If we want to be sure
that a Capability given to client A cannot be</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>snooped and used by
client B we either (a) have to make the Capability </FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>secret (i.e. never
passed in cleartext) or (b) have to make the Capability</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>identify which client it
is </FONT></SPAN><SPAN class=125025714-08082008><FONT color=#0000ff>valid
for.</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT
color=#0000ff></FONT></SPAN> </DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>It seems to me that (b)
is preferable since it ensures that a malicious</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>client cannot leak
Capabilities to a 3rd party. The downside is that this</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>multiplies the number of
unique Capabilities by the number of clients,</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>potentially increasing
CPU load when 1000s of clients all open the same</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>shared file and each
require unique Capabilities to access the stripe
objects.</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT color=#0000ff>Do we have a feel
for how bad this could be?</FONT></SPAN></DIV>
<DIV><SPAN class=125025714-08082008><FONT
color=#0000ff></FONT></SPAN> </DIV>
<DIV><SPAN class=125025714-08082008> Cheers,
<BR>
Eric</SPAN></DIV><BR>
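<DIV>An added illustration of the two points raised in the message above; this is not code from the original message or from Lustre. It shows option (b), a capability whose MAC covers the identity of the client it was issued to, so that a capability snooped from client A is rejected when client B presents it, and an integrity-only tag over bulk data that is left encrypted as-is rather than encrypted a second time. The capability key shared by MDS and OSS, the per-client session key, the packed field layout, the use of the NID as the client identity and all identifiers are assumptions made for the example.</DIV>

```python
# Added example (not Lustre code): client-bound capabilities (option (b))
# and an integrity tag over already-encrypted bulk data.  Keys, field
# layout, and identifiers are assumptions for illustration only.
import hashlib
import hmac
import struct

CAPA_LEN = 28          # packed body: client_nid, obj_id, mode, expiry
TAG_LEN = 16           # truncated HMAC-SHA256 tag (assumed length)
MODE_READ, MODE_WRITE = 1, 2


def make_capa(capa_key, client_nid, obj_id, mode, expiry):
    """Issue a capability for obj_id to one specific client.

    The client's NID is inside the MAC'd body, so the capability is useless
    to any other client: the OSS compares the NID a request arrived from
    with the NID baked into the capability.  Nothing here needs to be secret,
    so the capability may travel in cleartext without enabling replay by B.
    """
    body = struct.pack(">QQIQ", client_nid, obj_id, mode, expiry)
    tag = hmac.new(capa_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def check_capa(capa_key, capa, presenting_nid, obj_id, mode, now):
    """OSS-side check; returns 'ok' or the reason for rejection."""
    if len(capa) != CAPA_LEN + TAG_LEN:
        return "malformed"
    body, tag = capa[:CAPA_LEN], capa[CAPA_LEN:]
    expected = hmac.new(capa_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return "bad mac"
    nid, oid, granted, expiry = struct.unpack(">QQIQ", body)
    if nid != presenting_nid:
        return "wrong client"       # snooped by B, presented by B
    if oid != obj_id:
        return "wrong object"
    if granted & mode != mode:
        return "mode not granted"
    if now >= expiry:
        return "expired"
    return "ok"


def sign_bulk(session_key, xid, data):
    """Integrity-only tag over a bulk transfer (GSS 'sign but don't seal').

    The bulk is not touched: if file contents are already encrypted on disk,
    encrypting them again buys nothing, but without a tag the receiver cannot
    tell a flipped ciphertext bit from genuine data.  The RPC transaction id
    (xid) is bound in so a tag cannot be reused on a different request.
    """
    return hmac.new(session_key, struct.pack(">Q", xid) + data,
                    hashlib.sha256).digest()


def verify_bulk(session_key, xid, data, tag):
    return hmac.compare_digest(sign_bulk(session_key, xid, data), tag)


def demo():
    capa_key = b"\x11" * 32      # assumed key shared by MDS and OSS
    sess_key = b"\x22" * 32      # assumed per-client GSS session key
    client_a, client_b = 0x1001, 0x1002   # assumed NIDs
    obj, now = 0xDEAD, 1_000_000
    capa = make_capa(capa_key, client_a, obj, MODE_READ, now + 300)
    forged = capa[:-1] + bytes([capa[-1] ^ 1])    # one tag bit flipped
    results = {
        "a_reads":   check_capa(capa_key, capa, client_a, obj, MODE_READ, now),
        "b_replays": check_capa(capa_key, capa, client_b, obj, MODE_READ, now),
        "a_writes":  check_capa(capa_key, capa, client_a, obj, MODE_WRITE, now),
        "forged":    check_capa(capa_key, forged, client_a, obj, MODE_READ, now),
    }
    encrypted_bulk = bytes(range(64))   # stands in for ciphertext read from disk
    tag = sign_bulk(sess_key, 42, encrypted_bulk)
    tampered = bytes([encrypted_bulk[0] ^ 0x80]) + encrypted_bulk[1:]
    results["bulk_ok"] = verify_bulk(sess_key, 42, encrypted_bulk, tag)
    results["bulk_tampered"] = verify_bulk(sess_key, 42, tampered, tag)
    results["bulk_replayed"] = verify_bulk(sess_key, 43, encrypted_bulk, tag)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

<DIV>The cost the message worries about is visible in make_capa: with option (b) the MDS computes one short HMAC per (client, stripe object) pair at issue time, and the OSS one per request, instead of one capability per object shared by every client; whether that is acceptable at thousands of clients is the open question the message asks, and this example only makes the per-capability work concrete.</DIV>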
<DIV><SPAN class=125025714-08082008><FONT
color=#0000ff></FONT></SPAN> </DIV></BODY></HTML>