David P. Quigley wrote:
> Roll Call:
>
> Dave Quigley and Stephen Smalley / NSA
> Jarrett Lu/Oracle
> Peter Staubach & James Morris/Red Hat
> Paul Moore / HP
> Matthew Dodd / SPARTA
> Spencer Shimko / Tresys
>
>
> IETF Note Well Agreement:
>
> This is a reminder that our discussions are governed by the
> IETF Note Well Agreement. See:
>
> http://www.ietf.org/NOTEWELL.html
>
> We will start each week's meeting with this announcement.
>
> Q&A Session concerning existing Labeled NFS documents:
>
> - Jarrett asked if there were updated documents.
> - Dave noted that updated documents are WIP.
> - Jarrett suggested contacting Joy Latten about Labeled IPSEC and
>   developing a common label format specification.
> - Dave summarized current lnfs specification.
>
> Review Impact Study:
>
> Dave summarizes:
> - Impact and Scope sections near complete.
> - Need to flesh out use cases.
>   1. Full mode, MAC consistency, especially user home directories.
>   2. MAC for virtual machine images stored on network.
>   3. Simple security label storage (client-focused).
>   4. Regulatory Compliance.
>
> Spencer/Tresys:
> - High performance computing w/ cluster and NFS filesystems.
> - Specific reqs to labeled security.
> - Becoming more evident in corporate world for regulatory compliance.
>
> James/Red Hat:
> - Corporate partners have flagged LNFS as a requirement.
> - OEMs are stating requirements for security enabling of products.
>
> Dave/NSA:
> - EMC on the fence, need more demonstration of real demand for this
>   technology.
If you can pass along the name of the contact at EMC I will see what I can do.

> Peter/Red Hat:
> - Linux NFSv4 server rarely used in the enterprise.
> - NetApp or EMC must support for corporate acceptance - major storage
>   vendors.
>
> Dave/NSA:
> - NetApp expressed that if they support this functionality they would like to
>   provide some sort of MAC enforcement. If the module is SELinux-like it
>   would require a BSD or similar port of SELinux to be made viable again.
>
> James/Red Hat: They should just start with dumb server model.
> Dave/NSA: Agree, just storage initially, full MAC model can follow.
>
> Peter/Red Hat: Asked for copies of impact study.
> Dave/NSA: Should be released publicly soon after prepub approval.
>
> Dave/NSA: Need people to participate in review and writing sections.
>
> Peter/Red Hat: Management supports moving Labeled NFSv4 forward. Wants it
> to progress together with James' xattr support for NFSv3.
>
> James/Red Hat: NFSv4 solution must also move forward; out-of-band
> NFSv3 solution may discourage standardization of solution for NFSv4.
> James will continue to work on documents as well as NFSv3 xattr process.
>
> James/Red Hat and Dave/NSA: Private namespace for storage on dumb
> server? Possibly use system namespace on server? No server
> interpretation? Configurable mapping in exports table? Allows server
> to be unaffected by labels set by clients even if server is running a
> MAC model.
>
> Matt/SPARTA: Server will always just provide label, no namespace
> conflict between client and server.
>
> James/Red Hat: Clarifies that purpose of NFSv3 xattr work is to provide
> a stopgap solution until NFSv4 work can achieve standardization and
> deployment as well as to support legacy usage of NFSv3.
>
> Peter/Red Hat: nfsroot should be included as a use case.
>
> James/Red Hat: build servers could use local NFS mounts to support dumb
> storage?
>
> Dave/NSA:
> - Investigate more details for use cases, summarize and submit to Dave.
> - Impact and label format specifier documents will be prepub'd and
>   released ASAP.
> - After release, review and comment.
> - Labeled format specifier: split next telecon 50/50.
>
> Action Items:
> - Release impact document.
> - Release label format specification document.
> - Upload updated requirements and specification documents to IETF
>   website.
> - Invite the labeled ipsec people to next meeting.
>
> Agenda items for the next meeting:
> - Review and incorporate suggested changes to the impact document
> - Discuss label format in the protocol / on the wire.