From: "Daniel P. Berrange" <berrange@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>,
Hani Benhabiles <kroosec@gmail.com>,
libvir-list@redhat.com, mprivozn@redhat.com,
nbd-general@lists.sf.net,
"Richard W.M. Jones" <rjones@redhat.com>,
qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
nick@bytemark.co.uk, Wouter Verhelst <w@uter.be>,
Paolo Bonzini <pbonzini@redhat.com>,
Max Reitz <mreitz@redhat.com>
Subject: Re: [Qemu-devel] spec, RFC: TLS support for NBD
Date: Mon, 20 Oct 2014 13:08:41 +0100 [thread overview]
Message-ID: <20141020120841.GE19687@redhat.com> (raw)
In-Reply-To: <8738ajq7qo.fsf@blackfin.pond.sub.org>
On Mon, Oct 20, 2014 at 01:51:43PM +0200, Markus Armbruster wrote:
> Stefan Hajnoczi <stefanha@redhat.com> writes:
>
> > On Mon, Oct 20, 2014 at 08:58:14AM +0100, Daniel P. Berrange wrote:
> >> On Sat, Oct 18, 2014 at 07:33:22AM +0100, Richard W.M. Jones wrote:
> >> > On Sat, Oct 18, 2014 at 12:03:23AM +0200, Wouter Verhelst wrote:
> >> > > Hi all,
> >> > >
> >> > > (added rjones from nbdkit fame -- hi there)
> >> >
> >> > [I'm happy to implement whatever you come up with, but I've added
> >> > Florian Weimer to CC who is part of Red Hat's product security group]
> >> >
> >> > > So I think the following would make sense to allow TLS in NBD.
> >> > >
> >> > > This would extend the newstyle negotiation by adding two options (i.e.,
> >> > > client requests), one server reply, and one server error as well as
> >> > > extend one existing reply, in the following manner:
> >> > >
> >> > > - The two new commands are NBD_OPT_PEEK_EXPORT and NBD_OPT_STARTTLS. The
> >> > > former would be used to verify if the server will do TLS for a given
> >> > > export:
> >> > >
> >> > > C: NBD_OPT_PEEK_EXPORT
> >> > > S: NBD_REP_SERVER, with an extra field after the export name
> >> > > containing flags that describe the export (R/O vs R/W state,
> >> > > whether TLS is allowed and/or required).
> >>
> >> IMHO the server should never provide *any* information about the exported
> >> volume(s) until the TLS layer has been fully setup. ie we shouldn't only
> >> think about the actual block data transfers, we should protect the entire
> >> NBD protocol even metadata related operations.
> >
> > This makes sense.
>
> Seconded.
>
> > TLS is about the transport, not about a particular NBD export. The only
> > thing that should be communicated is STARTTLS.
>
> Furthermore, STARTTLS is vulnerable to active attacks: if you can get
> between the peers, you can make them fall back to unencrypted silently.
> How do you plan to guard against that?
Well the use of a STARTTLS message at a protocol level isn't vulnerable
per-se, rather it is the handling of it that matters. The key is what
happens if the server wants TLS and the client does not send a STARTTLS
message. If the server happily carries on with plain text that's bad. If
the server closes any connection that attempts to skip STARTTLS, that's
fine. Likewise if the client wants TLS and the server claims to not do
TLS, then the client should close the connection and not carry on. This
avoids the MITM downgrade problem.
So from the POV of QEMU / QEMU-NBD I'd expect us to have a CLI option
tls=on|off and if the client / server are configured differently then
it would be a hard failure, never any negotiated fallback to plain text
if one requests TLS and the other doesn't.
If QEMU relies on the CLI option, then technically we do not need any
NBD protocol level changes at all. A standard TLS handshake could be
started the moment the TCP connection is established. Only once the
TLS handshake completes would the NBD protocol start running.
The real / main benefit of having a STARTTLS message would be to give
better error reporting for clients not attempting TLS. eg so they could
report a clear "This server requires TLS" error instead of just seeing
unintelligible data from the NBD server and no clue that it is a TLS
handshake.
This is how the VNC integration works at least. The VNC server advertizes
that it requires the TLS auth protocol extension. If the VNC client does
not support this, the server will drop the connection and the VNC client
can at least report to the user that the server requested use of TLS.
The key is that no data or metadata that is in any way related to remote
desktop (or NBD volume) is exchanged between server/client until after
the TLS auth protocol completes.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2014-10-20 12:09 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-03 16:44 [Qemu-devel] NBD TLS support in QEMU Stefan Hajnoczi
2014-09-04 14:19 ` Benoît Canet
2014-09-04 14:34 ` [Qemu-devel] [libvirt] " Daniel P. Berrange
2014-09-04 15:04 ` Benoît Canet
2014-09-04 15:45 ` Stefan Hajnoczi
2014-09-04 15:54 ` John Snow
2014-09-04 22:07 ` [Qemu-devel] " Wouter Verhelst
2014-09-04 22:54 ` Benoît Canet
2014-09-05 8:42 ` Wouter Verhelst
2014-09-05 12:15 ` Stefan Hajnoczi
2014-09-04 22:02 ` Wouter Verhelst
2014-09-05 8:13 ` Daniel P. Berrange
2014-09-05 8:34 ` Wouter Verhelst
2014-09-05 12:21 ` Stefan Hajnoczi
2014-09-05 6:23 ` [Qemu-devel] [libvirt] " Michal Privoznik
2014-09-05 8:10 ` Daniel P. Berrange
2014-09-05 8:46 ` [Qemu-devel] " Hani Benhabiles
2014-09-05 12:31 ` Stefan Hajnoczi
2014-09-05 13:26 ` Wouter Verhelst
2014-10-01 20:23 ` Wouter Verhelst
2014-10-02 11:00 ` Paolo Bonzini
2014-10-02 13:50 ` Wouter Verhelst
2014-10-08 18:16 ` Wouter Verhelst
2014-10-09 12:42 ` Paolo Bonzini
2014-10-02 11:05 ` Daniel P. Berrange
2014-10-02 11:28 ` Paolo Bonzini
2014-10-17 22:03 ` [Qemu-devel] spec, RFC: TLS support for NBD Wouter Verhelst
2014-10-18 6:33 ` Richard W.M. Jones
2014-10-20 7:58 ` Daniel P. Berrange
2014-10-20 9:56 ` Stefan Hajnoczi
2014-10-20 11:51 ` Markus Armbruster
2014-10-20 11:56 ` Florian Weimer
2014-10-20 12:48 ` Richard W.M. Jones
2014-10-20 22:10 ` Wouter Verhelst
2014-10-21 9:35 ` Daniel P. Berrange
2014-10-21 18:02 ` Wouter Verhelst
2014-10-20 12:08 ` Daniel P. Berrange [this message]
2014-10-20 21:53 ` [Qemu-devel] spec, RFC: TLS support for NBDµ Wouter Verhelst
2014-10-21 8:17 ` Markus Armbruster
2014-10-21 18:30 ` Wouter Verhelst
2014-10-25 10:43 ` [Qemu-devel] [Nbd] " Wouter Verhelst
2014-10-30 10:40 ` Stefan Hajnoczi
2014-10-31 18:15 ` Wouter Verhelst
2014-11-03 14:30 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141020120841.GE19687@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=fweimer@redhat.com \
--cc=kroosec@gmail.com \
--cc=libvir-list@redhat.com \
--cc=mprivozn@redhat.com \
--cc=mreitz@redhat.com \
--cc=nbd-general@lists.sf.net \
--cc=nick@bytemark.co.uk \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
--cc=stefanha@redhat.com \
--cc=w@uter.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).