From: dai.ngo@oracle.com
To: Bruce Fields <bfields@fieldses.org>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
Steve Dickson <steved@redhat.com>,
Olga Kornievskaia <olga.kornievskaia@gmail.com>,
Chuck Lever <chuck.lever@oracle.com>
Subject: Re: server-to-server copy by default
Date: Mon, 1 Nov 2021 10:37:11 -0700 [thread overview]
Message-ID: <1500403d-6aa1-3909-d44f-b33c1c1f3ce2@oracle.com> (raw)
In-Reply-To: <78839450-8095-01ae-53e8-f0ebf941b5a5@oracle.com>
On 10/21/21 11:34 PM, dai.ngo@oracle.com wrote:
> On 10/21/21 7:02 AM, Bruce Fields wrote:
>> On Wed, Oct 20, 2021 at 10:00:41PM -0700, dai.ngo@oracle.com wrote:
>>> The attack can come from the replies of the source server or requests
>>> from the source server to the destination server via the back channel.
>>> One of possible attack in the reply is BAD_STATEID which was handled
>>> by the client code as mentioned by Olga.
>>>
>>> Here is the list of NFS requests made from the destination to the
>>> source server:
>>>
>>> EXCHANGE_ID
>>> CREATE_SESSION
>>> RECLAIM_COMLETE
>>> SEQUENCE
>>> PUTROOTFH
>>> PUTHF
>>> GETFH
>>> GETATTR
>>> READ/READ_PLUS
>>> DESTROY_SESSION
>>> DESTROY_CLIENTID
>>>
>>> Do you think we should review all replies from these requests to make
>>> sure error replies do not cause problems for the destination server?
>> That's the exactly the sort of analysis I was curious to see, yes.
>
> I will go through these requests to see if is there is anything that
> we need to do to ensure the destination does not react negatively
> on the replies.
still need to be done.
>
>>
>> (I doubt the PUTROOTFH, PUTFH, GETFH, and GETATTR are really necessary,
>> I wonder if there's any way we could just bypass them in our case. I
>> don't know, maybe that's more trouble than it's worth.)
>
> I'll take a look but I think we should avoid modifying the client
> code if possible.
>
>>
>>> same for the back channel ops:
>>>
>>> OP_CB_GETATTR
>>> OP_CB_RECALL
>>> OP_CB_LAYOUTRECALL
>>> OP_CB_NOTIFY
>>> OP_CB_PUSH_DELEG
>>> OP_CB_RECALL_ANY
>>> OP_CB_RECALLABLE_OBJ_AVAIL
>>> OP_CB_RECALL_SLOT
>>> OP_CB_SEQUENCE
>>> OP_CB_WANTS_CANCELLED
>>> OP_CB_NOTIFY_LOCK
>>> OP_CB_NOTIFY_DEVICEID
>>> OP_CB_OFFLOAD
>> There shouldn't be any need for callbacks at all. We might be able to
>> get away without even setting up a backchannel. But, yes, if the server
>> tries to send one anyway, it'd be good to know we do something
>> reasonable.
>
> or do not specify the back channel when creating the session somehow.
> I will report back.
We can not disable the back channel of the SSC v4.2 mount since it might
share the same connection with a regular NFSv4.2 mount from the destination
to the source server. We need to be able to identify whether the back channel
request is for the regular mount or the SSC mount and if it's for the SSC
mount then drop the request.
To differentiate back channel request for SSC vs regular mount I plan to
do the following:
Mark the nfs_server of the SSC mount with with a flag (NFS_MOUNT_SSC)
When a back channel request comes in, we check all the nfs_server's
that share the same nfs_client based on the clientid in the request.
If there is one or more nfs_server's sharing the same nfs_client and
none of them is marked as NFS_MOUNT_SSC then we allow the request to
be processed as normal (non-SSC case).
If there are multiple nfs_server's and one of then is marked as NFS_MOUNT_SSC
then we allow the request to be processed. This is because if there
is a regular mount from destination to source server that means the
source server is already trusted by the destination's admin.
If there is only one nfs_server and it's marked as NFS_MOUNT_SSC then
we drop that request.
Do see any problem with this approach or you have any suggestion on
how to handle this?
Thanks,
-Dai
next prev parent reply other threads:[~2021-11-01 17:37 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-20 15:54 server-to-server copy by default J. Bruce Fields
2021-10-20 16:00 ` Chuck Lever III
2021-10-20 16:33 ` Olga Kornievskaia
2021-10-20 19:03 ` dai.ngo
2021-10-20 20:29 ` Bruce Fields
2021-10-21 5:00 ` dai.ngo
2021-10-21 14:02 ` Bruce Fields
2021-10-22 6:34 ` dai.ngo
2021-10-22 12:58 ` Bruce Fields
2021-11-01 17:37 ` dai.ngo [this message]
2021-11-01 19:33 ` Bruce Fields
2021-11-01 19:55 ` dai.ngo
2021-10-20 17:24 ` Steve Dickson
2021-10-20 17:51 ` Chuck Lever III
2021-10-20 16:37 ` Olga Kornievskaia
2021-10-20 17:45 ` Chuck Lever III
2021-10-20 18:15 ` Bruce Fields
2021-10-20 19:04 ` Chuck Lever III
2021-10-21 13:43 ` Steve Dickson
2021-10-21 13:56 ` Bruce Fields
2021-10-21 14:13 ` Bruce Fields
2021-10-21 14:22 ` Trond Myklebust
2021-10-21 14:38 ` bfields
2021-10-20 18:00 ` J. Bruce Fields
2021-11-01 18:22 ` Charles Hedrick
2021-11-01 19:25 ` Steve Dickson
2021-11-01 19:44 ` Charles Hedrick
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1500403d-6aa1-3909-d44f-b33c1c1f3ce2@oracle.com \
--to=dai.ngo@oracle.com \
--cc=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=olga.kornievskaia@gmail.com \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.