From: Wouter Verhelst <w@uter.be>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Hani Benhabiles <kroosec@gmail.com>,
libvir-list@redhat.com, mprivozn@redhat.com,
nbd-general@lists.sf.net, qemu-devel@nongnu.org,
Max Reitz <mreitz@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
nick@bytemark.co.uk
Subject: Re: [Qemu-devel] NBD TLS support in QEMU
Date: Wed, 8 Oct 2014 20:16:10 +0200 [thread overview]
Message-ID: <20141008181610.GA27382@grep.be> (raw)
In-Reply-To: <20141002135057.GA20677@grep.be>
On Thu, Oct 02, 2014 at 03:50:57PM +0200, Wouter Verhelst wrote:
> On Thu, Oct 02, 2014 at 01:00:04PM +0200, Paolo Bonzini wrote:
> > Il 01/10/2014 22:23, Wouter Verhelst ha scritto:
> > > Hi,
> > >
> > > On Fri, Sep 05, 2014 at 03:26:09PM +0200, Wouter Verhelst wrote:
> > >> Tunneling the entire protocol inside an SSL connection doesn't fix that;
> > >> if an attacker is able to hijack your TCP connections and change flags,
> > >> then this attacker is also able to hijack your TCP connection and
> > >> redirect it to a decrypting/encrypting proxy.
> > >>
> > >> I agree that preventing a possible SSL downgrade attack (and other forms
> > >> of MITM) should be high on the priority list, but "tunnel the whole
> > >> thing in SSL" doesn't do that.
> > >
> > > So, having given this some thought, I wanted to come up with a spec just
> > > so that we had something we could all agree on. As part of that, I had a
> > > look at qemu-nbd, and noticed that it uses the "oldstyle" handshake
> > > protocol (on port 10809 by default -- ew, please don't do that).
> >
> > Can you use new-style handshake with a single unnamed export? Export
> > names are a useless complication for qemu-nbd.
>
> Not currently, but I don't think you need that. You could have a default
> name, which would be used if no name was otherwise specified. It's not
> much of a stretch to make that name part of the protocol spec, either.
So. I think this makes sense, and as such changed the proto.txt file as
follows:
diff --git a/doc/proto.txt b/doc/proto.txt
index e0a4fb1..990d012 100644
--- a/doc/proto.txt
+++ b/doc/proto.txt
@@ -242,10 +242,13 @@ Option types
* NBD_OPT_EXPORT_NAME (1)
Choose the export which the client would like to use, and end option
haggling. Data: name of the export, free-form UTF8 text (subject to
limitations by server implementation). If the chosen export does not
exist, the server closes the connection.
+ A special, "empty", name (i.e., the length field is zero and no name
+ is specified), is reserved for a "default" export, to be used in cases
+ where explicitly specifying an export name makes no sense.
* NBD_OPT_ABORT (2)
Abort negotiation and close the connection. Optional.
* NBD_OPT_LIST (3)
That is, specify an empty name to specify a default.
Thoughts?
--
It is easy to love a country that is famous for chocolate and beer
-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
next prev parent reply other threads:[~2014-10-08 21:27 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-03 16:44 [Qemu-devel] NBD TLS support in QEMU Stefan Hajnoczi
2014-09-04 14:19 ` Benoît Canet
2014-09-04 14:34 ` [Qemu-devel] [libvirt] " Daniel P. Berrange
2014-09-04 15:04 ` Benoît Canet
2014-09-04 15:45 ` Stefan Hajnoczi
2014-09-04 15:54 ` John Snow
2014-09-04 22:07 ` [Qemu-devel] " Wouter Verhelst
2014-09-04 22:54 ` Benoît Canet
2014-09-05 8:42 ` Wouter Verhelst
2014-09-05 12:15 ` Stefan Hajnoczi
2014-09-04 22:02 ` Wouter Verhelst
2014-09-05 8:13 ` Daniel P. Berrange
2014-09-05 8:34 ` Wouter Verhelst
2014-09-05 12:21 ` Stefan Hajnoczi
2014-09-05 6:23 ` [Qemu-devel] [libvirt] " Michal Privoznik
2014-09-05 8:10 ` Daniel P. Berrange
2014-09-05 8:46 ` [Qemu-devel] " Hani Benhabiles
2014-09-05 12:31 ` Stefan Hajnoczi
2014-09-05 13:26 ` Wouter Verhelst
2014-10-01 20:23 ` Wouter Verhelst
2014-10-02 11:00 ` Paolo Bonzini
2014-10-02 13:50 ` Wouter Verhelst
2014-10-08 18:16 ` Wouter Verhelst [this message]
2014-10-09 12:42 ` Paolo Bonzini
2014-10-02 11:05 ` Daniel P. Berrange
2014-10-02 11:28 ` Paolo Bonzini
2014-10-17 22:03 ` [Qemu-devel] spec, RFC: TLS support for NBD Wouter Verhelst
2014-10-18 6:33 ` Richard W.M. Jones
2014-10-20 7:58 ` Daniel P. Berrange
2014-10-20 9:56 ` Stefan Hajnoczi
2014-10-20 11:51 ` Markus Armbruster
2014-10-20 11:56 ` Florian Weimer
2014-10-20 12:48 ` Richard W.M. Jones
2014-10-20 22:10 ` Wouter Verhelst
2014-10-21 9:35 ` Daniel P. Berrange
2014-10-21 18:02 ` Wouter Verhelst
2014-10-20 12:08 ` Daniel P. Berrange
2014-10-20 21:53 ` [Qemu-devel] spec, RFC: TLS support for NBDµ Wouter Verhelst
2014-10-21 8:17 ` Markus Armbruster
2014-10-21 18:30 ` Wouter Verhelst
2014-10-25 10:43 ` [Qemu-devel] [Nbd] " Wouter Verhelst
2014-10-30 10:40 ` Stefan Hajnoczi
2014-10-31 18:15 ` Wouter Verhelst
2014-11-03 14:30 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141008181610.GA27382@grep.be \
--to=w@uter.be \
--cc=kroosec@gmail.com \
--cc=libvir-list@redhat.com \
--cc=mprivozn@redhat.com \
--cc=mreitz@redhat.com \
--cc=nbd-general@lists.sf.net \
--cc=nick@bytemark.co.uk \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).