From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54560) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XPfwJ-0006fF-Bv for qemu-devel@nongnu.org; Thu, 04 Sep 2014 18:55:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XPfwC-0003Uc-TS for qemu-devel@nongnu.org; Thu, 04 Sep 2014 18:55:39 -0400 Received: from lputeaux-656-01-25-125.w80-12.abo.wanadoo.fr ([80.12.84.125]:58997 helo=paradis.irqsave.net) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XPfwC-0003UX-N8 for qemu-devel@nongnu.org; Thu, 04 Sep 2014 18:55:32 -0400 Date: Fri, 5 Sep 2014 00:54:45 +0200 From: =?iso-8859-1?Q?Beno=EEt?= Canet Message-ID: <20140904225445.GA25202@irqsave.net> References: <20140903164417.GA32748@stefanha-thinkpad.redhat.com> <20140904141916.GA28417@irqsave.net> <20140904220704.GB25871@grep.be> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <20140904220704.GB25871@grep.be> Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] NBD TLS support in QEMU List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Wouter Verhelst Cc: =?iso-8859-1?Q?Beno=EEt?= Canet , Hani Benhabiles , libvir-list@redhat.com, nick@bytemark.co.uk, qemu-devel@nongnu.org, Max Reitz , Stefan Hajnoczi , nbd-generic@lists.sf.net, Paolo Bonzini The Friday 05 Sep 2014 =E0 00:07:04 (+0200), Wouter Verhelst wrote : > On Thu, Sep 04, 2014 at 04:19:17PM +0200, Beno=EEt Canet wrote: > > The Wednesday 03 Sep 2014 =E0 17:44:17 (+0100), Stefan Hajnoczi wrote= : > > > Hi, > > > QEMU offers both NBD client and server functionality. The NBD prot= ocol > > > runs unencrypted, which is a problem when the client and server > > > communicate over an untrusted network. > > >=20 > > > The particular use case that prompted this mail is storage migratio= n in > > > OpenStack. The goal is to encrypt the NBD connection between sourc= e and > > > destination hosts during storage migration. > >=20 > > I agree this would be usefull. > >=20 > > >=20 > > > I think we can integrate TLS into the NBD protocol as an optional f= lag. > > > A quick web search does not reveal existing open source SSL/TLS NBD > > > implementations. I do see a VMware NBDSSL protocol but there is no > > > specification so I guess it is proprietary. > > >=20 > > > The NBD protocol starts with a negotiation phase. This would be th= e > > > appropriate place to indicate that TLS will be used. After client = and > > > server complete TLS setup the connection can continue as normal. > >=20 > > Prenegociating TLS look like we will accidentaly introduce some secur= ity hole. I was thinking of the fallback to cleartext case. As a regular developper I am afraid of doing something creative with cryptography. >=20 > Can you elaborate on that? How would it be a security hole? >=20 > > Why not just using a dedicated port and let the TLS handshake happen = normaly ? >=20 > Because STARTTLS(-like) protocols are much cleaner; no need to open two > firewall ports. Also, when I made the request for a port number at IANA= , > I was told I wouldn't get another port for a "secure" variant -- which > makes sense. As such, if the reference implementation is ever going to > support TLS, it has to be in a way where it is negotiated at setup time= . >=20 > SMTP can do this safely. So can LDAP. I'm sure we can come up with a > safe way of negotiating TLS. >=20 > If you want to disallow nonencrypted communication, I'm sure it can be > made possible to require TLS for (some of) your exports. >=20 > (my objections on userspace/kernelspace issues still stand, however) >=20 > --=20 > It is easy to love a country that is famous for chocolate and beer >=20 > -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26 >=20