From: "Daniel P. Berrange" <berrange@redhat.com>
To: Wouter Verhelst <w@uter.be>
Cc: Florian Weimer <fweimer@redhat.com>,
qemu-devel@nongnu.org, Hani Benhabiles <kroosec@gmail.com>,
libvir-list@redhat.com, mprivozn@redhat.com,
nbd-general@lists.sf.net, Markus Armbruster <armbru@redhat.com>,
"Richard W.M. Jones" <rjones@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
nick@bytemark.co.uk, Paolo Bonzini <pbonzini@redhat.com>,
Max Reitz <mreitz@redhat.com>
Subject: Re: [Qemu-devel] spec, RFC: TLS support for NBD
Date: Tue, 21 Oct 2014 10:35:06 +0100 [thread overview]
Message-ID: <20141021093506.GA23368@redhat.com> (raw)
In-Reply-To: <20141020221039.GA18722@grep.be>
On Tue, Oct 21, 2014 at 12:10:39AM +0200, Wouter Verhelst wrote:
> On Mon, Oct 20, 2014 at 01:56:43PM +0200, Florian Weimer wrote:
> > I cannot comment on whether the proposed STARTTLS command is at the correct
> > stage of the NBD protocol. If there is a protocol description for NBD, I
> > can have a look.
>
> To make this discussion in that regard a bit easier, I've committed the
> proposed spec to a separate branch:
>
> https://github.com/yoe/nbd/blob/tlsspec/doc/proto.txt
So, if I'm understanding correctly the new style "fixed" handshake
currently works like this:
Server starts transmission with version info
- S: "NBDMAGIC"
- S: 0x49484156454F5054
- S: 0x1
And the client acknowledges with a 32 bits of and first bit set
- C: 0x1
Now the client has to request one or more options, of which the
NBD_OPT_EXPORT_NAME (0x1) option is mandatory, so it will be the
first thing the client sends next . So it would send
- C: 0x49484156454F5054
- C: 0x1
- C: 0xa (length of name)
- C: "volumename"
You're proposing to add a new option NBD_OPT_STARTTLS (0x5). For this to
work we would need to update the language to say that the NBD_OPT_STARTTLS
must be the first option that the client sends to the server, because we
want the option name to transmit in ciphertext.
So the new protocol startup would be
Server starts transmission with version info
- S: "NBDMAGIC"
- S: 0x49484156454F5054
- S: 0x1
And the client acknowledges with a 32 bits of zero
- C: 0x1
Client requests TLS
- C: 0x49484156454F5054
- C: 0x5
Server acknowledges TLS:
- S: 0x3e889045565a9
- S: 0x5
- S: 0x1 (REP_ACK)
- S: 0x0
Now the TLS handshake is performed by client + server
The client can now set other options using the secure
channel, of which the NBD_OPT_EXPORT_NAME (0x1) option
is mandatory, so it will be the first thing the client
sends next . So they would send
- C: "0x49484156454F5054"
- C: 0x1
- C: 0xa (length of name)
- C: "volumename"
...etc...
This is secure when both client and server want to use TLS.
This is secure when the client wants TLS and the server does
not want TLS, because the server will reject TLS and the client
will then close the connection.
My concern is the case where the client does not want TLS but
the server does want TLS. In this case the client will immediately
send the NBD_OPT_EXPORT_NAME in clear text over the wire, not giving
the server any chance to reject the use of a clear text channel.
This problem is inherant to the approach of using the NBD protocol
options to negotiate TLS.
One way I see to solve that insecurity, would be for the server
to make use of one of the extra reserved bits in the very first
message it sends. ie we need to negotiate TLS immediately after the
version number / magic acknowledgment, before we actually start
the main body of the protocol
ie, with the new style fixed handshake the server should send
Server starts transmission with version info
- S: "NBDMAGIC"
- S: 0x49484156454F5054
- S: 0x2
And the client acknowledges with a 32bits and first two bits set
- C: 0x2
The questionmark here is what happens when the client sees the
second bit of reserved field set ?
The protocol docs merely say
"S: 16 bits of zero (bits 1-15 reserved for future use; bit 0 in use to
signal fixed newstyle (see below))"
But don't mention what clients should do upon seeing unknown bits
set in the server's message ?
If clients ignore unknown bits, then we have the same problem where a
client can ignore the TLS bit and start sending option name in the
clear before the server rejects the session.
If clients abort (close connection) on seeing unknown bits, then we
are good.
A 3rd alternative is to actually use a separate magic number, which
should guarantee the client would immediately close upon seeing a
magic number which indicated TLS is required.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2014-10-21 9:35 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-03 16:44 [Qemu-devel] NBD TLS support in QEMU Stefan Hajnoczi
2014-09-04 14:19 ` Benoît Canet
2014-09-04 14:34 ` [Qemu-devel] [libvirt] " Daniel P. Berrange
2014-09-04 15:04 ` Benoît Canet
2014-09-04 15:45 ` Stefan Hajnoczi
2014-09-04 15:54 ` John Snow
2014-09-04 22:07 ` [Qemu-devel] " Wouter Verhelst
2014-09-04 22:54 ` Benoît Canet
2014-09-05 8:42 ` Wouter Verhelst
2014-09-05 12:15 ` Stefan Hajnoczi
2014-09-04 22:02 ` Wouter Verhelst
2014-09-05 8:13 ` Daniel P. Berrange
2014-09-05 8:34 ` Wouter Verhelst
2014-09-05 12:21 ` Stefan Hajnoczi
2014-09-05 6:23 ` [Qemu-devel] [libvirt] " Michal Privoznik
2014-09-05 8:10 ` Daniel P. Berrange
2014-09-05 8:46 ` [Qemu-devel] " Hani Benhabiles
2014-09-05 12:31 ` Stefan Hajnoczi
2014-09-05 13:26 ` Wouter Verhelst
2014-10-01 20:23 ` Wouter Verhelst
2014-10-02 11:00 ` Paolo Bonzini
2014-10-02 13:50 ` Wouter Verhelst
2014-10-08 18:16 ` Wouter Verhelst
2014-10-09 12:42 ` Paolo Bonzini
2014-10-02 11:05 ` Daniel P. Berrange
2014-10-02 11:28 ` Paolo Bonzini
2014-10-17 22:03 ` [Qemu-devel] spec, RFC: TLS support for NBD Wouter Verhelst
2014-10-18 6:33 ` Richard W.M. Jones
2014-10-20 7:58 ` Daniel P. Berrange
2014-10-20 9:56 ` Stefan Hajnoczi
2014-10-20 11:51 ` Markus Armbruster
2014-10-20 11:56 ` Florian Weimer
2014-10-20 12:48 ` Richard W.M. Jones
2014-10-20 22:10 ` Wouter Verhelst
2014-10-21 9:35 ` Daniel P. Berrange [this message]
2014-10-21 18:02 ` Wouter Verhelst
2014-10-20 12:08 ` Daniel P. Berrange
2014-10-20 21:53 ` [Qemu-devel] spec, RFC: TLS support for NBDµ Wouter Verhelst
2014-10-21 8:17 ` Markus Armbruster
2014-10-21 18:30 ` Wouter Verhelst
2014-10-25 10:43 ` [Qemu-devel] [Nbd] " Wouter Verhelst
2014-10-30 10:40 ` Stefan Hajnoczi
2014-10-31 18:15 ` Wouter Verhelst
2014-11-03 14:30 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141021093506.GA23368@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=fweimer@redhat.com \
--cc=kroosec@gmail.com \
--cc=libvir-list@redhat.com \
--cc=mprivozn@redhat.com \
--cc=mreitz@redhat.com \
--cc=nbd-general@lists.sf.net \
--cc=nick@bytemark.co.uk \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
--cc=stefanha@redhat.com \
--cc=w@uter.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).