Date: Thu, 4 Sep 2014 16:45:03 +0100
From: Stefan Hajnoczi
Message-ID: <20140904154503.GB26494@stefanha-thinkpad.redhat.com>
In-Reply-To: <20140904150406.GA8094@irqsave.net>
Subject: Re: [Qemu-devel] [libvirt] NBD TLS support in QEMU
To: Benoît Canet
Cc: Hani Benhabiles, libvir-list@redhat.com, qemu-devel@nongnu.org, Max Reitz, Paolo Bonzini, Stefan Hajnoczi, nick@bytemark.co.uk, w@uter.be

On Thu, Sep 04, 2014 at 05:04:06PM +0200, Benoît Canet wrote:
> The Thursday 04 Sep 2014 at 15:34:59 (+0100), Daniel P. Berrange wrote:
> > On Thu, Sep 04, 2014 at 04:19:17PM +0200, Benoît Canet wrote:
> > > The Wednesday 03 Sep 2014 at 17:44:17 (+0100), Stefan Hajnoczi wrote:
> > > > Hi,
> > > >
> > > > QEMU offers both NBD client and server functionality. The NBD protocol
> > > > runs unencrypted, which is a problem when the client and server
> > > > communicate over an untrusted network.
> > > >
> > > > The particular use case that prompted this mail is storage migration in
> > > > OpenStack. The goal is to encrypt the NBD connection between source and
> > > > destination hosts during storage migration.
> > >
> > > I agree this would be useful.
> > >
> > > > I think we can integrate TLS into the NBD protocol as an optional flag.
> > > > A quick web search does not reveal existing open source SSL/TLS NBD
> > > > implementations. I do see a VMware NBDSSL protocol but there is no
> > > > specification so I guess it is proprietary.
> > > >
> > > > The NBD protocol starts with a negotiation phase. This would be the
> > > > appropriate place to indicate that TLS will be used. After client and
> > > > server complete TLS setup the connection can continue as normal.
> > >
> > > Prenegotiating TLS looks like we will accidentally introduce some security hole.
> > > Why not just use a dedicated port and let the TLS handshake happen normally?
> >
> > The mgmt app (libvirt in this case) chooses an arbitrary port when
> > telling QEMU to setup NBD, so we don't need to specify any alternate
> > port. I'd expect that libvirt just tell QEMU to enable NBD at both
> > ends, and we immediately do the TLS handshake upon opening the
> > connection. Only once TLS is established, should the NBD protocol
> > start running. IOW we don't need to modify the NBD protocol at all.
> >
> > If the mgmt app tells QEMU to enable TLS at one end and not the
> > other, the mgmt app gets what it deserves (a failed TLS handshake).
> > We certainly would not want QEMU to auto-negotiate and fallback
> > to plain text in this case.
>
> I agree.

Sounds good.

Stefan
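The design Daniel describes above (TLS handshake first, NBD only on the established connection, and no plaintext fallback when the two ends are configured differently) can be modelled end to end in a few dozen lines. The following is an added example written for this thread; it is not QEMU or libvirt code, it does not implement the real NBD negotiation beyond the initial "NBDMAGIC" greeting, and the self-signed certificate, the 127.0.0.1 addresses and the "plaintext probe" string are all constructed for the example. It shows both sides of the exchange: a TLS-first server that refuses to speak NBD until the handshake completes, a client that verifies the server certificate before reading the greeting, and a misconfigured plaintext client that is dropped rather than served.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const nbdMagic = "NBDMAGIC" // NBD server greeting; in this model only ever sent over TLS

// selfSignedCert builds an in-memory self-signed certificate for 127.0.0.1,
// constructed for this example; a deployment would use CA-issued certificates.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // entropy failure: nothing sensible to do in an example
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // always parses: der was produced just above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// runServer accepts on a tls.Listener until it is closed; the greeting is sent only after the handshake.
func runServer(ln net.Listener) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		go func(c net.Conn) {
			defer c.Close()
			c.SetDeadline(time.Now().Add(5 * time.Second))
			if c.(*tls.Conn).Handshake() == nil { // on failure: close, never downgrade
				c.Write([]byte(nbdMagic))
			}
		}(conn)
	}
}

// connectTLSFirst verifies the server certificate during the handshake, then reads the greeting.
func connectTLSFirst(addr string, pool *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, len(nbdMagic))
	_, err = io.ReadFull(conn, buf)
	return string(buf), err
}

// connectPlaintext models the misconfiguration from the thread: this end was
// not told to enable TLS. It returns nil only if it wrongly received NBD data.
func connectPlaintext(addr string) error {
	conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	conn.Write([]byte("plaintext probe")) // constructed; not a real NBD message
	_, err = io.ReadFull(conn, make([]byte, len(nbdMagic)))
	return err // the TLS layer rejected the probe and closed: no greeting arrived
}

// Demo starts the TLS-first server and runs both clients against it.
func Demo() (magic string, plainErr error, err error) {
	cert, pool := selfSignedCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	defer ln.Close()
	go runServer(ln)
	magic, err = connectTLSFirst(ln.Addr().String(), pool)
	return magic, connectPlaintext(ln.Addr().String()), err
}

func main() { fmt.Println(Demo()) }
```

Running it with `go run` prints the greeting the TLS client received and the error the plaintext client got. The point of the structure is that there is no protocol state in which the server can be talked into sending NBD data unencrypted: a negotiated in-band TLS flag would have to be carried in cleartext, where anything on the path could alter it, whereas here the only branch on handshake failure is to close the socket.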