Date: Wed, 3 Sep 2014 17:44:17 +0100
From: Stefan Hajnoczi
Message-ID: <20140903164417.GA32748@stefanha-thinkpad.redhat.com>
Subject: [Qemu-devel] NBD TLS support in QEMU
To: qemu-devel@nongnu.org
Cc: libvir-list@redhat.com, nick@bytemark.co.uk, Max Reitz, Hani Benhabiles, Paolo Bonzini, w@uter.be

Hi,

QEMU offers both NBD client and server functionality. The NBD protocol runs unencrypted, which is a problem when the client and server communicate over an untrusted network.

The particular use case that prompted this mail is storage migration in OpenStack. The goal is to encrypt the NBD connection between source and destination hosts during storage migration.

I think we can integrate TLS into the NBD protocol as an optional flag. A quick web search does not reveal existing open source SSL/TLS NBD implementations. I do see a VMware NBDSSL protocol but there is no specification so I guess it is proprietary.

The NBD protocol starts with a negotiation phase. This would be the appropriate place to indicate that TLS will be used. After client and server complete TLS setup the connection can continue as normal.

Besides QEMU, the userspace NBD tools (http://nbd.sf.net/) can also be extended to support TLS. In this case the kernel needs a localhost socket and userspace handles TLS.

Thoughts?

Stefan
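The exchange the mail proposes (a TLS option negotiated in cleartext, a handshake, then the normal protocol inside TLS) as an added, runnable example. This is not QEMU's or the NBD project's code and not NBD's real wire format: the message strings, the hypothetical server name "nbd-server.example", and the function names are assumptions made for the example. The NBD protocol later standardised this shape as the NBD_OPT_STARTTLS option, which QEMU implements; the framing here is a deliberately simplified stand-in. Two points a reviewer would want covered are shown: the client fails closed when the server does not acknowledge TLS, so a stripped or downgraded negotiation never degrades into a cleartext session, and the plaintext reader consumes exactly the negotiation bytes and nothing more, so no handshake bytes are swallowed as protocol text. The self-signed certificate is generated in memory so the example runs offline; session tickets are disabled and the raw connection is closed (rather than sending close_notify) only because the example runs over an unbuffered net.Pipe, as the comments explain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Toy negotiation messages: an assumption of this example, not NBD's wire format.
const (
	msgStartTLS = "OPT STARTTLS\n"           // client wants TLS before anything else
	msgAck      = "REP ACK\n"                // server: TLS handshake starts now
	msgNak      = "REP NAK\n"                // server: option not supported
	msgRequest  = "READ offset=0 len=4096\n" // first request, only ever sent inside TLS
	msgReply    = "DATA 4096 bytes\n"
	serverName  = "nbd-server.example" // hypothetical name in the self-signed cert
)

// expect reads exactly len(want) bytes and compares them. Reading no more than
// that matters: once the ACK is on the wire, the next bytes are the TLS handshake.
func expect(r io.Reader, want string) error {
	buf := make([]byte, len(want))
	if _, err := io.ReadFull(r, buf); err != nil {
		return err
	}
	if string(buf) != want {
		return fmt.Errorf("got %q, want %q", buf, want)
	}
	return nil
}

// tlsConfigs builds a server config with an in-memory self-signed ECDSA cert and
// a client config trusting only that cert, so the example runs offline.
func tlsConfigs() (*tls.Config, *tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{serverName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // produced just above; cannot fail
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	// Tickets off: Go's TLS 1.3 server sends them in its first flight, which
	// would deadlock the unbuffered net.Pipe used by runExchange.
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true}
	cli := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	return srv, cli, nil
}

// serveOnce handles one connection. cfg == nil models a server without TLS (or
// an on-path attacker that stripped the option): it answers NAK.
func serveOnce(conn net.Conn, cfg *tls.Config) error {
	defer conn.Close()
	if err := expect(conn, msgStartTLS); err != nil {
		return fmt.Errorf("server: bad option: %v", err)
	}
	if cfg == nil {
		_, err := io.WriteString(conn, msgNak)
		return err
	}
	if _, err := io.WriteString(conn, msgAck); err != nil {
		return err
	}
	sess := tls.Server(conn, cfg) // from here on every byte is inside TLS
	if err := sess.Handshake(); err != nil {
		return err
	}
	if err := expect(sess, msgRequest); err != nil {
		return fmt.Errorf("server: bad request: %v", err)
	}
	_, err := io.WriteString(sess, msgReply)
	return err
}

// connectClient always asks for TLS and fails closed if the server does not ACK,
// so a stripped or downgraded negotiation never becomes a cleartext session.
func connectClient(conn net.Conn, cfg *tls.Config) (string, error) {
	// Raw close, not sess.Close(): two close_notify writes would stall the
	// unbuffered pipe. Real clients exchange close_notify to detect truncation.
	defer conn.Close()
	if _, err := io.WriteString(conn, msgStartTLS); err != nil {
		return "", err
	}
	if err := expect(conn, msgAck); err != nil {
		return "", fmt.Errorf("client: no TLS ack (%v); refusing cleartext session", err)
	}
	sess := tls.Client(conn, cfg) // verifies the chain against RootCAs and ServerName
	if err := sess.Handshake(); err != nil {
		return "", err
	}
	if _, err := io.WriteString(sess, msgRequest); err != nil {
		return "", err
	}
	reply := make([]byte, len(msgReply))
	_, err := io.ReadFull(sess, reply)
	return string(reply), err
}

// runExchange pairs one client with one server over an in-memory pipe and returns
// the client's outcome once the server goroutine has finished.
func runExchange(srvCfg, cliCfg *tls.Config) (string, error) {
	cconn, sconn := net.Pipe()
	done := make(chan error, 1)
	go func() { done <- serveOnce(sconn, srvCfg) }()
	reply, err := connectClient(cconn, cliCfg)
	<-done
	return reply, err
}

func main() {
	srv, cli, err := tlsConfigs()
	if err != nil {
		panic(err)
	}
	fmt.Println(runExchange(srv, cli)) // TLS-capable server: reply arrives inside TLS
	fmt.Println(runExchange(nil, cli)) // server declines TLS: client refuses to continue
}
```

The second run is the case the optional flag makes dangerous: a client that treated "REP NAK" as "fine, continue in cleartext" would hand an on-path attacker a trivial downgrade, so the client policy here is to require TLS whenever the operator asked for it and to treat anything but an ACK as a failed connection. Server-side, the same applies in reverse when TLS is mandatory: a server configured to require TLS should refuse requests that arrive before the handshake rather than serve them.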