Date: Thu, 19 Oct 2017 00:32:48 +0100
From: Gary Palmer
To: Benjamin Kaduk
Cc: "WhiteWinterWolf (Simon)", freebsd-security@freebsd.org, "Ronald F. Guilmette"
Subject: Re: WPA2 bugz - One Man's Quick & Dirty Response
Message-ID: <20171018233248.GB96120@in-addr.com>
References: <32999.1508299211@segfault.tristatelogic.com> <53010303-bd65-26a1-64b9-6eefa325ca46@whitewinterwolf.com> <20171018224344.GA96685@kduck.kaduk.org>
In-Reply-To: <20171018224344.GA96685@kduck.kaduk.org>
List-Id: "Security issues [members-only posting]"

On Wed, Oct 18, 2017 at 05:43:44PM -0500, Benjamin Kaduk wrote:
> I fear I must wade into this thread, despite it being thick with FUD.
>
> On Wed, Oct 18, 2017 at 07:27:42PM +0200, WhiteWinterWolf (Simon) wrote:
> > Hi Ronald,
> >
> > On 18/10/2017 at 06:00, Ronald F. Guilmette wrote:
> > >
> > > In message <49252eda-3d48-f7bc-95e7-db716db4ed91@whitewinterwolf.com>,
> > > "WhiteWinterWolf (Simon)" wrote:
> > >
> > >> Ideally, you would use a specific protection for each of these layers,
> > >> so that a vulnerability affecting one layer would be compensated by
> > >> other layers.
> > >
> > > A good point.
> > >
> > > Right about now, I wish that I knew one hell of a lot more about both
> > > NFS and SMB than I do... and also SSH and TLS. I suspect that the
> > > file sharing protocols I am most concerned about (NFS & SMB) could
> > > perhaps be run in a manner such that both initial volume mounts and
> > > also data blocks (to & from) the share volumes would be additionally
> > > encrypted, so that I could be running everything securely, even if
> > > some attacker managed to do maximally evil things to my WiFi/WPA2
> > > network.
> > >
> > > Do NFS and/or SMB have their own built-in encryption?
> >
> > No, not really.
> >
> > NFS has no built-in encryption, it may be possible to tunnel it but this
> > is out-of-scope here (using a VPN and tunnel everything would be easier
> > than nitpicking and tunnel only the NFS data flow).
>
> This statement is either false or highly misleading. NFS (both v3 and v4)
> is an RPC protocol, and RPCSEC_GSS exists and can provide per-message
> confidentiality protection. It may be true that Kerberos is basically
> the only GSS-API mechanism implemented for RPCSEC_GSS, and the necessary
> Kerberos setup is far more painful to set up than it needs to be,
> but all modern NFS implementations support it.

More specifically, for FreeBSD a very quick search finds

https://wiki.freebsd.org/KerberizedNFS

which includes that you can configure an export as krb5p which encrypts the
payload of RPC requests.

Although the article is dated this year, "man mount_nfs" shows krb5p is
documented in 10.3-RELEASE so all supported FBSD versions should implement
krb5p.

This is probably overkill for a home setup.

Regards,

Gary
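An added example, not part of the thread: a small POSIX sh audit of an exports(5)-style file that flags NFS exports whose -sec flavours allow anything weaker than krb5p (the privacy flavour Gary mentions). The sample exports content and the function names are constructed for illustration; the -sec=, sec= and gssd_enable names are the ones exports(5), mount_nfs(8) and gssd(8) document.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an exports(5)-style file and
# flag NFS exports that accept an RPCSEC_GSS flavour weaker than krb5p.
# krb5p (privacy) encrypts RPC payloads; krb5i only signs them, krb5 only
# authenticates, and sys (AUTH_SYS, the default when -sec= is absent) does
# neither. The client side pairs with "mount_nfs -o sec=krb5p" and the server
# needs gssd(8) running (gssd_enable="YES" in rc.conf).

# Constructed sample /etc/exports content for demonstration only.
SAMPLE_EXPORTS='# media share, no -sec option at all: falls back to sys
/data/media -ro 192.168.1.0/24
/data/home -sec=krb5p -maproot=root 192.168.1.0/24
/data/shared -sec=krb5:krb5i -network 192.168.1.0 -mask 255.255.255.0'

# weak_exports FILE_CONTENT: print "<path> <weak-flavours>" for every export
# line that accepts any flavour other than krb5p.
weak_exports() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # Pull the -sec= value out of the line; no option means AUTH_SYS.
        flavors=$(printf '%s\n' "$line" | sed -n 's/.*-sec=\([^ ]*\).*/\1/p')
        [ -z "$flavors" ] && flavors=sys
        path=${line%% *}
        # Everything in the colon-separated list except krb5p is weaker.
        weak=$(printf '%s\n' "$flavors" | tr ':' '\n' | grep -v '^krb5p$' | paste -s -d ':' -)
        [ -n "$weak" ] && printf '%s %s\n' "$path" "$weak"
    done
    return 0
}

# weak_count FILE_CONTENT: number of exports flagged by weak_exports.
weak_count() {
    weak_exports "$1" | wc -l | tr -d ' '
}

weak_exports "$SAMPLE_EXPORTS"
```

Run against the real file with `weak_exports "$(cat /etc/exports)"`; any line it prints is a share whose RPC traffic can cross the network without per-message confidentiality.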