How to determine from tcpdump which sec= option (krb5, krb5i or krb5p) is used?

In this article I am going to show how we can determine, from a tcpdump capture, which security mode an NFS share was mounted with.

Generally, on the client itself it can be easily identified from the sec= field in the /proc/mounts output, but you can confirm the same from a tcpdump capture as well, which is useful when you only have the capture, or when you want to verify what actually went over the wire rather than what the client was asked to do.

I have collected a tcpdump while mounting the share with each of krb5, krb5i and krb5p; the decoded output below is Wireshark's dissection of the RPC layer of those captures.

First of all, some information about these security modes, taken from the nfs(5) man page:

sec=krb5    provides cryptographic proof of a user's identity in each RPC request. This provides strong verification of the identity of users accessing data on the server.
sec=krb5i   security flavor provides a cryptographically strong guarantee that the data in each RPC request has not been tampered with.
sec=krb5p   security flavor encrypts every RPC request to prevent data exposure during network transit; however, expect some performance impact when using integrity checking or encryption.

You need to check this field on the NFS calls themselves (here the NFSv4 COMPOUND calls, whose credential shows GSS Procedure: RPCSEC_GSS_DATA), not on the NULL procedure calls: the RPCSEC_GSS context setup (GSS Procedure RPCSEC_GSS_INIT / CONTINUE_INIT) is carried on the NULL procedure, and the service value in those control messages does not reflect the mount's sec= option.

a) Identifying the type of security: here we can see "GSS Service: rpcsec_gss_svc_none (1)", which indicates that the krb5 option is in use. With this service the RPC header is authenticated (the verifier carries a Kerberos MIC, shown as KRB_TOKEN_CFX_GetMic with the Sealed flag clear), but the NFS arguments themselves travel in the clear with no integrity protection of their own, which is why Wireshark can still dissect the COMPOUND operations (PUTROOTFH, GETFH, GETATTR) on the last line.

~~~

Remote Procedure Call, Type:Call XID:0x998e7aaa
Fragment header: Last fragment, 128 bytes
1... .... .... .... .... .... .... .... = Last Fragment: Yes
.000 0000 0000 0000 0000 0000 1000 0000 = Fragment Length: 128
XID: 0x998e7aaa (2576251562)
Message Type: Call (0)
RPC Version: 2
Program: NFS (100003)
Program Version: 4
Procedure: COMPOUND (1)
Credentials
Flavor: RPCSEC_GSS (6)
Length: 24
GSS Version: 1
GSS Procedure: RPCSEC_GSS_DATA (0)
GSS Sequence Number: 1
GSS Service: rpcsec_gss_svc_none (1)
GSS Context
GSS Context Length: 4
GSS Context: 03000000
[Created in frame: 15]
[Destroyed in frame: 17]
Verifier
Flavor: RPCSEC_GSS (6)
GSS Token: 0000001c040404ffffffffff0000000029621b307b46a22f…
GSS Token Length: 28
GSS-API Generic Security Service Application Program Interface
krb5_blob: 040404ffffffffff0000000029621b307b46a22f2416a199…
krb5_tok_id: KRB_TOKEN_CFX_GetMic (0x0404)
krb5_cfx_flags: 0x04
.... .1.. = AcceptorSubkey: Set
.... ..0. = Sealed: Not set
.... ...0 = SendByAcceptor: Not set
krb5_filler: ffffffffff
krb5_cfx_seq: 694295344
krb5_sgn_cksum: 7b46a22f2416a1998189d4f3
Network File System, Ops(3): PUTROOTFH, GETFH, GETATTR

~~~

b) Here we can see "GSS Service: rpcsec_gss_svc_integrity (2)", which indicates the krb5i mount option: each request body is checksummed with a Kerberos MIC, so tampering in transit is detected, but the data itself is still readable by anyone capturing the traffic.

~~~

Remote Procedure Call, Type:Call XID:0x9000c99d
Fragment header: Last fragment, 168 bytes
1... .... .... .... .... .... .... .... = Last Fragment: Yes
.000 0000 0000 0000 0000 0000 1010 1000 = Fragment Length: 168
XID: 0x9000c99d (2415970717)
Message Type: Call (0)
RPC Version: 2
Program: NFS (100003)
Program Version: 4
Procedure: COMPOUND (1)
Credentials
Flavor: RPCSEC_GSS (6)
Length: 24
GSS Version: 1
GSS Procedure: RPCSEC_GSS_DATA (0)
GSS Sequence Number: 1
GSS Service: rpcsec_gss_svc_integrity (2)
GSS Context
GSS Context Length: 4
GSS Context: 18000000
[Created in frame: 13]
[Destroyed in frame: 15]
Verifier
Flavor: RPCSEC_GSS (6)
GSS Token: 0000001c040404ffffffffff00000000048c66c21f96b420…
GSS Token Length: 28
GSS-API Generic Security Service Application Program Interface
krb5_blob: 040404ffffffffff00000000048c66c21f96b4205aa1df73…
krb5_tok_id: KRB_TOKEN_CFX_GetMic (0x0404)
krb5_cfx_flags: 0x04
.... .1.. = AcceptorSubkey: Set
.... ..0. = Sealed: Not set
.... ...0 = SendByAcceptor: Not set
krb5_filler: ffffffffff
krb5_cfx_seq: 76310210
krb5_sgn_cksum: 1f96b4205aa1df7338ecf03f
Network File System

~~~

c) If we are seeing "GSS Service: rpcsec_gss_svc_privacy (3)", that means the krb5p option was used to mount the filesystem: the request body is wrapped (encrypted) with GSS_Wrap, not merely checksummed.

~~~

Remote Procedure Call, Type:Call XID:0xd66bae50
Fragment header: Last fragment, 204 bytes
1... .... .... .... .... .... .... .... = Last Fragment: Yes
.000 0000 0000 0000 0000 0000 1100 1100 = Fragment Length: 204
XID: 0xd66bae50 (3597381200)
Message Type: Call (0)
RPC Version: 2
Program: NFS (100003)
Program Version: 4
Procedure: COMPOUND (1)
Credentials
Flavor: RPCSEC_GSS (6)
Length: 24
GSS Version: 1
GSS Procedure: RPCSEC_GSS_DATA (0)
GSS Sequence Number: 3
GSS Service: rpcsec_gss_svc_privacy (3)
GSS Context
GSS Context Length: 4
GSS Context: 1a000000
[Created in frame: 13]
[Destroyed in frame: 16]
Verifier
Flavor: RPCSEC_GSS (6)
GSS Token: 0000001c040404ffffffffff000000002e82de2d0c6204fb…
GSS Token Length: 28
GSS-API Generic Security Service Application Program Interface
krb5_blob: 040404ffffffffff000000002e82de2d0c6204fbd16f6ad2…
krb5_tok_id: KRB_TOKEN_CFX_GetMic (0x0404)
krb5_cfx_flags: 0x04
.... .1.. = AcceptorSubkey: Set
.... ..0. = Sealed: Not set
.... ...0 = SendByAcceptor: Not set
krb5_filler: ffffffffff
krb5_cfx_seq: 780328493
krb5_sgn_cksum: 0c6204fbd16f6ad270552024
GSS-Wrap
Network File System

~~~

Tip: when the krb5p option is in use you will not be able to see the content of the NFS portion of the frame, because the arguments are encrypted: a new GSS-Wrap layer appears where the decoded NFS operations would otherwise be. Wireshark can decrypt that layer if you point its Kerberos protocol preferences at a keytab containing the relevant key; without the key the payload stays opaque, which is exactly the point of krb5p. The flip side matters when you review a capture: with krb5 and krb5i, file names, attributes and file data are visible in plaintext to anyone who can sniff the traffic, and with plain krb5 the body is not even integrity-protected (only the RPC header is signed by the verifier). Only krb5p gives confidentiality. Remember as well that the service actually negotiated is bounded by the server's export options (sec= in /etc/exports), so if the capture shows a weaker service than the client was told to use, check both sides.

Summary (rpc_gss_service_t values, RFC 2203 section 5.3.2):

GSS Service: rpcsec_gss_svc_none (1)      == krb5
GSS Service: rpcsec_gss_svc_integrity (2) == krb5i
GSS Service: rpcsec_gss_svc_privacy (3)   == krb5p
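To make the mapping above concrete, and to show why the NULL-procedure calls must be skipped and why the NFS payload disappears under krb5p, here is a small decoder for the RPCSEC_GSS credential of an RPC-over-TCP record. This is an added example written for this page, not code from the original post or from Wireshark; the sample records it parses are constructed in the block (the XIDs and context handles are copied from the captures above, while the MIC tokens, checksums and COMPOUND arguments are stand-in bytes), and the field layout follows RFC 5531 (ONC RPC) and RFC 2203 (RPCSEC_GSS).

```python
"""Decode the RPCSEC_GSS credential of an NFS call record and map its
service field to the sec= mount option (krb5 / krb5i / krb5p).
Constants follow RFC 5531 (ONC RPC) and RFC 2203 (RPCSEC_GSS)."""
import struct

MSG_CALL = 0
RPCSEC_GSS = 6                 # auth flavor
RPCSEC_GSS_DATA = 0            # gss_proc of a data message (INIT etc. are control)
RPCSEC_GSS_INIT = 1
NULLPROC = 0                   # context setup rides on the NULL procedure
NFS_PROGRAM = 100003
RPC_GSS_SVC_NONE, RPC_GSS_SVC_INTEGRITY, RPC_GSS_SVC_PRIVACY = 1, 2, 3
SERVICE_TO_SEC = {RPC_GSS_SVC_NONE: "krb5",        # header MIC only, body in clear
                  RPC_GSS_SVC_INTEGRITY: "krb5i",  # body checksummed, still readable
                  RPC_GSS_SVC_PRIVACY: "krb5p"}    # body GSS_Wrap()ed, not readable


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque(buf, off):
    """XDR variable-length opaque: 4-byte length, data, zero pad to 4."""
    n, off = _u32(buf, off)
    return buf[off:off + n], off + ((n + 3) & ~3)


def xdr_opaque(data):
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)


def classify_rpc_call(record):
    """record: one RPC-over-TCP record with its 4-byte record-marking header.
    Returns a dict with the decoded credential, the sec= option it implies and
    the procedure arguments (None when they are wrapped), or None when the
    record says nothing about the mount's security mode: a reply, a non-GSS
    flavor, a NULLPROC call, or a control message."""
    frag, off = _u32(record, 0)
    if not frag & 0x80000000:
        raise ValueError("multi-fragment records are not reassembled here")
    xid, off = _u32(record, off)
    msg_type, off = _u32(record, off)
    if msg_type != MSG_CALL:
        return None
    _rpc_vers, off = _u32(record, off)
    prog, off = _u32(record, off)
    prog_vers, off = _u32(record, off)
    proc, off = _u32(record, off)
    cred_flavor, off = _u32(record, off)
    cred, off = _opaque(record, off)
    verf_flavor, off = _u32(record, off)
    verf, off = _opaque(record, off)
    if cred_flavor != RPCSEC_GSS or proc == NULLPROC:
        return None                      # NULLPROC carries INIT; its service says nothing
    gss_vers, c = _u32(cred, 0)          # rpc_gss_cred_vers_1_t
    gss_proc, c = _u32(cred, c)
    seq_num, c = _u32(cred, c)
    service, c = _u32(cred, c)
    handle, c = _opaque(cred, c)
    if gss_vers != 1 or gss_proc != RPCSEC_GSS_DATA:
        return None
    body, args = record[off:], None
    if service == RPC_GSS_SVC_NONE:
        args = body                      # plain XDR arguments, nothing protects them
    elif service == RPC_GSS_SVC_INTEGRITY:
        integ, o = _opaque(body, 0)      # rpc_gss_integ_data.databody_integ
        _checksum, o = _opaque(body, o)  # GSS_GetMIC() over databody_integ
        inner_seq, _ = _u32(integ, 0)
        if inner_seq != seq_num:         # RFC 2203 5.3.2.2: must equal the cred seq_num
            raise ValueError("integrity body seq_num mismatch")
        args = integ[4:]                 # still plaintext, just checksummed
    # RPC_GSS_SVC_PRIVACY: body is one opaque GSS_Wrap() output; args stay None
    return {"xid": xid, "program": prog, "version": prog_vers, "procedure": proc,
            "seq": seq_num, "service": service, "context": handle.hex(),
            "verifier_is_gss_mic": verf_flavor == RPCSEC_GSS and verf[:2] == b"\x04\x04",
            "sec": SERVICE_TO_SEC.get(service, "unknown"), "args": args}


def build_nfs_call(xid, proc, gss_proc, seq, service, handle, body):
    """Constructed sample record (not from a real capture), shaped like the
    NFSv4 COMPOUND calls in the captures above."""
    cred = struct.pack(">IIII", 1, gss_proc, seq, service) + xdr_opaque(handle)
    # Stand-in CFX MIC token (RFC 4121): TOK_ID 0404, flags 04, filler, seq, checksum
    mic = bytes.fromhex("040404ffffffffff") + struct.pack(">Q", seq) + b"\x11" * 12
    msg = struct.pack(">IIIIII", xid, MSG_CALL, 2, NFS_PROGRAM, 4, proc)
    msg += struct.pack(">I", RPCSEC_GSS) + xdr_opaque(cred)
    msg += struct.pack(">I", RPCSEC_GSS) + xdr_opaque(mic)
    return struct.pack(">I", 0x80000000 | len(msg + body)) + msg + body


ARGS = b"PUTROOTFH+GETFH+GETATTR"        # stand-in for the XDR COMPOUND arguments


def demo():
    """Four constructed calls: krb5, krb5i, krb5p, plus a context-setup call."""
    calls = {
        "krb5": build_nfs_call(0x998e7aaa, 1, RPCSEC_GSS_DATA, 1, RPC_GSS_SVC_NONE,
                               bytes.fromhex("03000000"), ARGS),
        "krb5i": build_nfs_call(0x9000c99d, 1, RPCSEC_GSS_DATA, 1, RPC_GSS_SVC_INTEGRITY,
                                bytes.fromhex("18000000"),
                                xdr_opaque(struct.pack(">I", 1) + ARGS) + xdr_opaque(b"\x22" * 12)),
        "krb5p": build_nfs_call(0xd66bae50, 1, RPCSEC_GSS_DATA, 3, RPC_GSS_SVC_PRIVACY,
                                bytes.fromhex("1a000000"), xdr_opaque(b"\x33" * 40)),
        # RPCSEC_GSS_INIT on NULLPROC: must be ignored, not reported as krb5
        "init": build_nfs_call(0x11111111, NULLPROC, RPCSEC_GSS_INIT, 0, RPC_GSS_SVC_NONE,
                               b"", xdr_opaque(b"\x60" * 16)),
    }
    return {name: classify_rpc_call(rec) for name, rec in calls.items()}


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, "->", None if res is None else (res["sec"], res["args"]))
```

The decoder returns the arguments for krb5 and krb5i (the second only after checking that the sequence number inside the integrity body matches the credential, as RFC 2203 requires) and None for krb5p, which is the programmatic equivalent of the GSS-Wrap layer hiding the NFS operations in the capture above; the context-setup call on NULLPROC is dropped rather than misreported as krb5. If you would rather filter in Wireshark or tshark than parse by hand, the RPC dissector exposes the same credential fields; the display-filter name I rely on is rpc.authgss.service, combined with rpc.procedure != 0 to drop the NULL calls, but verify those names against your Wireshark version.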

Reference :

https://tools.ietf.org/html/rfc2203#section-5.3.2
