RFC 2623 (rfc2623) - Page 2 of 19


NFS Version 2 and Version 3 Security Issues and the NFS Protocol's Use of RPCSEC_GSS and Kerberos V5



Alternative Format: Original Text Document



RFC 2623       NFS Security, RPCSEC_GSS, and Kerberos V5       June 1999


   3.1.  Server Principal . . . . . . . . . . . . . . . . . . . . .   9
   3.2.  Negotiation  . . . . . . . . . . . . . . . . . . . . . . .   9
   3.3.  Changing RPCSEC_GSS Parameters . . . . . . . . . . . . . .  10
   3.4.  Registering Pseudo Flavors and Mappings  . . . . . . . . .  11
   4.  The NFS Protocol over Kerberos V5  . . . . . . . . . . . . .  11
   4.1.  Issues with Kerberos V5 QOPs . . . . . . . . . . . . . . .  12
   4.2.  The NFS Protocol over Kerberos V5 Pseudo Flavor
         Registration Entry . . . . . . . . . . . . . . . . . . . .  13
   5.  Security Considerations  . . . . . . . . . . . . . . . . . .  14
   6.  IANA Considerations [RFC 2434]  . . . . . . . . . . . . . . .  14
   6.1.  Pseudo Flavor Number . . . . . . . . . . . . . . . . . . .  14
   6.2.  String Name of Pseudo Flavor . . . . . . . . . . . . . . .  15
   6.2.1.  Name Space Size  . . . . . . . . . . . . . . . . . . . .  15
   6.2.2.  Delegation . . . . . . . . . . . . . . . . . . . . . . .  15
   6.2.3.  Outside Review . . . . . . . . . . . . . . . . . . . . .  15
   6.3.  GSS-API Mechanism OID  . . . . . . . . . . . . . . . . . .  15
   6.4.  GSS-API Mechanism Algorithm Values . . . . . . . . . . . .  15
   6.5.  RPCSEC_GSS Security Service  . . . . . . . . . . . . . . .  16
   References . . . . . . . . . . . . . . . . . . . . . . . . . . .  16
   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . .  17
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . .  18
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . .  19

1.  Introduction

   The NFS protocol provides transparent remote access to shared file
   systems across networks. The NFS protocol is designed to be machine,
   operating system, network architecture, and security mechanism, and
   transport protocol independent. This independence is achieved through
   the use of ONC Remote Procedure Call (RPC) primitives built on top of
   an eXternal Data Representation (XDR).  NFS protocol Version 2 is
   specified in the Network File System Protocol Specification
   [RFC 1094]. A description of the initial implementation can be found
   in [Sandberg]. NFS protocol Version 3 is specified in the NFS Version
   3 Protocol Specification [RFC 1813]. A description of some initial
   implementations can be found in [Pawlowski].

   For the remainder of this document, whenever it refers to the NFS
   protocol, it means NFS Version 2 and Version 3, unless otherwise
   stated.

   The RPC protocol is specified in the Remote Procedure Call Protocol
   Specification Version 2 [RFC 1831]. The XDR protocol is specified in
   External Data Representation Standard [RFC 1832].

   A new RPC security flavor, RPCSEC_GSS, has been specified [RFC 2203].
   This new flavor allows application protocols built on top of RPC to
   access security mechanisms that adhere to the GSS-API specification



Eisler                      Standards Track