[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [Qemu-devel] NBD TLS support in QEMU



On Thu, Sep 04, 2014 at 05:04:06PM +0200, Benoît Canet wrote:
> The Thursday 04 Sep 2014 à 15:34:59 (+0100), Daniel P. Berrange wrote :
> > On Thu, Sep 04, 2014 at 04:19:17PM +0200, Benoît Canet wrote:
> > > The Wednesday 03 Sep 2014 à 17:44:17 (+0100), Stefan Hajnoczi wrote :
> > > > Hi,
> > > > QEMU offers both NBD client and server functionality.  The NBD protocol
> > > > runs unencrypted, which is a problem when the client and server
> > > > communicate over an untrusted network.
> > > > 
> > > > The particular use case that prompted this mail is storage migration in
> > > > OpenStack.  The goal is to encrypt the NBD connection between source and
> > > > destination hosts during storage migration.
> > > 
> > > I agree this would be usefull.
> > > 
> > > > 
> > > > I think we can integrate TLS into the NBD protocol as an optional flag.
> > > > A quick web search does not reveal existing open source SSL/TLS NBD
> > > > implementations.  I do see a VMware NBDSSL protocol but there is no
> > > > specification so I guess it is proprietary.
> > > > 
> > > > The NBD protocol starts with a negotiation phase.  This would be the
> > > > appropriate place to indicate that TLS will be used.  After client and
> > > > server complete TLS setup the connection can continue as normal.
> > > 
> > > Prenegociating TLS look like we will accidentaly introduce some security hole.
> > > Why not just using a dedicated port and let the TLS handshake happen normaly ?
> > 
> > The mgmt app (libvirt in this case) chooses an arbitrary port when
> > telling QEMU to setup NBD, so we don't need to specify any alternate
> > port. I'd expect that libvirt just tell QEMU to enable NBD at both
> > ends, and we immediately do the TLS handshake upon opening the
> > connection.  Only once TLS is established, should the NBD protocol
> > start running. IOW we don't need to modify the NBD protocol at all.
> > 
> > If the mgmt app tells QEMU to enable TLS at one end and not the
> > other, the mgmt app gets what it deserves (a failed TLS handshake).
> > We certainly would not want QEMU to auto-negotiate and fallback
> > to plain text in this case.
> 
> I agree.

Sounds good.

Stefan

Attachment: pgp8mvnXqiZHD.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]