From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51629)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <benoit.canet@irqsave.net>) id 1XPXtS-0005uj-Lj
	for qemu-devel@nongnu.org; Thu, 04 Sep 2014 10:20:16 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <benoit.canet@irqsave.net>) id 1XPXtM-0001FE-Gr
	for qemu-devel@nongnu.org; Thu, 04 Sep 2014 10:20:10 -0400
Received: from lputeaux-656-01-25-125.w80-12.abo.wanadoo.fr
	([80.12.84.125]:45972 helo=paradis.irqsave.net)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <benoit.canet@irqsave.net>) id 1XPXtM-0001CM-B2
	for qemu-devel@nongnu.org; Thu, 04 Sep 2014 10:20:04 -0400
Date: Thu, 4 Sep 2014 16:19:17 +0200
From: =?iso-8859-1?Q?Beno=EEt?= Canet <benoit.canet@irqsave.net>
Message-ID: <20140904141916.GA28417@irqsave.net>
References: <20140903164417.GA32748@stefanha-thinkpad.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <20140903164417.GA32748@stefanha-thinkpad.redhat.com>
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Qemu-devel] NBD TLS support in QEMU
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: libvir-list@redhat.com, qemu-devel@nongnu.org, Max Reitz <mreitz@redhat.com>, Hani Benhabiles <kroosec@gmail.com>, nick@bytemark.co.uk, w@uter.be, Paolo Bonzini <pbonzini@redhat.com>

The Wednesday 03 Sep 2014 =E0 17:44:17 (+0100), Stefan Hajnoczi wrote :
> Hi,
> QEMU offers both NBD client and server functionality.  The NBD protocol
> runs unencrypted, which is a problem when the client and server
> communicate over an untrusted network.
>=20
> The particular use case that prompted this mail is storage migration in
> OpenStack.  The goal is to encrypt the NBD connection between source an=
d
> destination hosts during storage migration.

I agree this would be usefull.

>=20
> I think we can integrate TLS into the NBD protocol as an optional flag.
> A quick web search does not reveal existing open source SSL/TLS NBD
> implementations.  I do see a VMware NBDSSL protocol but there is no
> specification so I guess it is proprietary.
>=20
> The NBD protocol starts with a negotiation phase.  This would be the
> appropriate place to indicate that TLS will be used.  After client and
> server complete TLS setup the connection can continue as normal.

Prenegociating TLS look like we will accidentaly introduce some security =
hole.
Why not just using a dedicated port and let the TLS handshake happen norm=
aly ?

Best regards

Beno=EEt
>=20
> Besides QEMU, the userspace NBD tools (http://nbd.sf.net/) can also be
> extended to support TLS.  In this case the kernel needs a localhost
> socket and userspace handles TLS.
>=20
> Thoughts?
>=20
> Stefan