From: Wouter Verhelst <w@uter.be>
To: Paolo Bonzini <pbonzini@redhat.com>,
"Daniel P. Berrange" <berrange@redhat.com>,
Hani Benhabiles <kroosec@gmail.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
qemu-devel@nongnu.org, Max Reitz <mreitz@redhat.com>,
nick@bytemark.co.uk, libvir-list@redhat.com, mprivozn@redhat.com,
nbd-general@lists.sf.net, rjones@redhat.com
Subject: [Qemu-devel] spec, RFC: TLS support for NBD
Date: Sat, 18 Oct 2014 00:03:23 +0200 [thread overview]
Message-ID: <20141017220323.GC31287@grep.be> (raw)
In-Reply-To: <542D36E8.2010705@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 1721 bytes --]
Hi all,
(added rjones from nbdkit fame -- hi there)
So I think the following would make sense to allow TLS in NBD.
This would extend the newstyle negotiation by adding two options (i.e.,
client requests), one server reply, and one server error as well as
extend one existing reply, in the following manner:
- The two new commands are NBD_OPT_PEEK_EXPORT and NBD_OPT_STARTTLS. The
former would be used to verify if the server will do TLS for a given
export:
C: NBD_OPT_PEEK_EXPORT
S: NBD_REP_SERVER, with an extra field after the export name
containing flags that describe the export (R/O vs R/W state,
whether TLS is allowed and/or required).
If the server indicates that TLS is allowed, the client may now issue
NBD_OPT_STARTTLS:
C: NBD_OPT_STARTTLS
S: NBD_REP_STARTTLS # or NBD_REP_ERR_POLICY, if unwilling
C: <initiate TLS handshake>
Once the TLS handshake has completed, negotiation should continue over
the secure channel. The client should initiate that by sending an
NBD_OPT_* message.
- The server may reply to any and all negotiation request with
NBD_REP_ERR_TLS_REQD if it does not want to do anything without TLS.
However, if at least one export is supported without encryption, the
server must not in any case use this reply.
There is no command to "exit" TLS again. I don't think that makes sense,
but I could be persuaded otherwise with sound technical arguments.
Thoughts?
(full spec (with numbers etc) exists as an (uncommitted) diff to
doc/proto.txt on my laptop, ...)
--
It is easy to love a country that is famous for chocolate and beer
-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2014-10-17 22:03 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-03 16:44 [Qemu-devel] NBD TLS support in QEMU Stefan Hajnoczi
2014-09-04 14:19 ` Benoît Canet
2014-09-04 14:34 ` [Qemu-devel] [libvirt] " Daniel P. Berrange
2014-09-04 15:04 ` Benoît Canet
2014-09-04 15:45 ` Stefan Hajnoczi
2014-09-04 15:54 ` John Snow
2014-09-04 22:07 ` [Qemu-devel] " Wouter Verhelst
2014-09-04 22:54 ` Benoît Canet
2014-09-05 8:42 ` Wouter Verhelst
2014-09-05 12:15 ` Stefan Hajnoczi
2014-09-04 22:02 ` Wouter Verhelst
2014-09-05 8:13 ` Daniel P. Berrange
2014-09-05 8:34 ` Wouter Verhelst
2014-09-05 12:21 ` Stefan Hajnoczi
2014-09-05 6:23 ` [Qemu-devel] [libvirt] " Michal Privoznik
2014-09-05 8:10 ` Daniel P. Berrange
2014-09-05 8:46 ` [Qemu-devel] " Hani Benhabiles
2014-09-05 12:31 ` Stefan Hajnoczi
2014-09-05 13:26 ` Wouter Verhelst
2014-10-01 20:23 ` Wouter Verhelst
2014-10-02 11:00 ` Paolo Bonzini
2014-10-02 13:50 ` Wouter Verhelst
2014-10-08 18:16 ` Wouter Verhelst
2014-10-09 12:42 ` Paolo Bonzini
2014-10-02 11:05 ` Daniel P. Berrange
2014-10-02 11:28 ` Paolo Bonzini
2014-10-17 22:03 ` Wouter Verhelst [this message]
2014-10-18 6:33 ` [Qemu-devel] spec, RFC: TLS support for NBD Richard W.M. Jones
2014-10-20 7:58 ` Daniel P. Berrange
2014-10-20 9:56 ` Stefan Hajnoczi
2014-10-20 11:51 ` Markus Armbruster
2014-10-20 11:56 ` Florian Weimer
2014-10-20 12:48 ` Richard W.M. Jones
2014-10-20 22:10 ` Wouter Verhelst
2014-10-21 9:35 ` Daniel P. Berrange
2014-10-21 18:02 ` Wouter Verhelst
2014-10-20 12:08 ` Daniel P. Berrange
2014-10-20 21:53 ` [Qemu-devel] spec, RFC: TLS support for NBDµ Wouter Verhelst
2014-10-21 8:17 ` Markus Armbruster
2014-10-21 18:30 ` Wouter Verhelst
2014-10-25 10:43 ` [Qemu-devel] [Nbd] " Wouter Verhelst
2014-10-30 10:40 ` Stefan Hajnoczi
2014-10-31 18:15 ` Wouter Verhelst
2014-11-03 14:30 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141017220323.GC31287@grep.be \
--to=w@uter.be \
--cc=berrange@redhat.com \
--cc=kroosec@gmail.com \
--cc=libvir-list@redhat.com \
--cc=mprivozn@redhat.com \
--cc=mreitz@redhat.com \
--cc=nbd-general@lists.sf.net \
--cc=nick@bytemark.co.uk \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).