From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:55185) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XPY8F-0004OJ-7Z for qemu-devel@nongnu.org; Thu, 04 Sep 2014 10:35:30 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XPY87-0006Dk-0m for qemu-devel@nongnu.org; Thu, 04 Sep 2014 10:35:27 -0400 Received: from mx1.redhat.com ([209.132.183.28]:64246) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XPY86-0006DY-Ow for qemu-devel@nongnu.org; Thu, 04 Sep 2014 10:35:18 -0400 Date: Thu, 4 Sep 2014 15:34:59 +0100 From: "Daniel P. Berrange" Message-ID: <20140904143459.GN772@redhat.com> References: <20140903164417.GA32748@stefanha-thinkpad.redhat.com> <20140904141916.GA28417@irqsave.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20140904141916.GA28417@irqsave.net> Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] [libvirt] NBD TLS support in QEMU Reply-To: "Daniel P. Berrange" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: =?utf-8?Q?Beno=C3=AEt?= Canet Cc: Stefan Hajnoczi , libvir-list@redhat.com, qemu-devel@nongnu.org, Max Reitz , Paolo Bonzini , Hani Benhabiles , nick@bytemark.co.uk, w@uter.be On Thu, Sep 04, 2014 at 04:19:17PM +0200, Beno=C3=AEt Canet wrote: > The Wednesday 03 Sep 2014 =C3=A0 17:44:17 (+0100), Stefan Hajnoczi wrot= e : > > Hi, > > QEMU offers both NBD client and server functionality. The NBD protoc= ol > > runs unencrypted, which is a problem when the client and server > > communicate over an untrusted network. > >=20 > > The particular use case that prompted this mail is storage migration = in > > OpenStack. The goal is to encrypt the NBD connection between source = and > > destination hosts during storage migration. >=20 > I agree this would be usefull. >=20 > >=20 > > I think we can integrate TLS into the NBD protocol as an optional fla= g. > > A quick web search does not reveal existing open source SSL/TLS NBD > > implementations. I do see a VMware NBDSSL protocol but there is no > > specification so I guess it is proprietary. > >=20 > > The NBD protocol starts with a negotiation phase. This would be the > > appropriate place to indicate that TLS will be used. After client an= d > > server complete TLS setup the connection can continue as normal. >=20 > Prenegociating TLS look like we will accidentaly introduce some securit= y hole. > Why not just using a dedicated port and let the TLS handshake happen no= rmaly ? The mgmt app (libvirt in this case) chooses an arbitrary port when telling QEMU to setup NBD, so we don't need to specify any alternate port. I'd expect that libvirt just tell QEMU to enable NBD at both ends, and we immediately do the TLS handshake upon opening the connection. Only once TLS is established, should the NBD protocol start running. IOW we don't need to modify the NBD protocol at all. If the mgmt app tells QEMU to enable TLS at one end and not the other, the mgmt app gets what it deserves (a failed TLS handshake). We certainly would not want QEMU to auto-negotiate and fallback to plain text in this case. Regards, Daniel --=20 |: http://berrange.com -o- http://www.flickr.com/photos/dberrange= / :| |: http://libvirt.org -o- http://virt-manager.or= g :| |: http://autobuild.org -o- http://search.cpan.org/~danberr= / :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vn= c :|