From: John Snow <jsnow@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>,
"Benoît Canet" <benoit.canet@irqsave.net>
Cc: Stefan Hajnoczi <stefanha@redhat.com>,
libvir-list@redhat.com, qemu-devel@nongnu.org,
Max Reitz <mreitz@redhat.com>,
Hani Benhabiles <kroosec@gmail.com>,
nick@bytemark.co.uk, w@uter.be,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [libvirt] NBD TLS support in QEMU
Date: Thu, 04 Sep 2014 11:54:52 -0400 [thread overview]
Message-ID: <54088B4C.1070001@redhat.com> (raw)
In-Reply-To: <20140904143459.GN772@redhat.com>
On 09/04/2014 10:34 AM, Daniel P. Berrange wrote:
> On Thu, Sep 04, 2014 at 04:19:17PM +0200, Benoît Canet wrote:
>> The Wednesday 03 Sep 2014 à 17:44:17 (+0100), Stefan Hajnoczi wrote :
>>> Hi,
>>> QEMU offers both NBD client and server functionality. The NBD protocol
>>> runs unencrypted, which is a problem when the client and server
>>> communicate over an untrusted network.
>>>
>>> The particular use case that prompted this mail is storage migration in
>>> OpenStack. The goal is to encrypt the NBD connection between source and
>>> destination hosts during storage migration.
>>
>> I agree this would be usefull.
>>
>>>
>>> I think we can integrate TLS into the NBD protocol as an optional flag.
>>> A quick web search does not reveal existing open source SSL/TLS NBD
>>> implementations. I do see a VMware NBDSSL protocol but there is no
>>> specification so I guess it is proprietary.
>>>
>>> The NBD protocol starts with a negotiation phase. This would be the
>>> appropriate place to indicate that TLS will be used. After client and
>>> server complete TLS setup the connection can continue as normal.
>>
>> Prenegociating TLS look like we will accidentaly introduce some security hole.
>> Why not just using a dedicated port and let the TLS handshake happen normaly ?
>
> The mgmt app (libvirt in this case) chooses an arbitrary port when
> telling QEMU to setup NBD, so we don't need to specify any alternate
> port. I'd expect that libvirt just tell QEMU to enable NBD at both
> ends, and we immediately do the TLS handshake upon opening the
> connection. Only once TLS is established, should the NBD protocol
> start running. IOW we don't need to modify the NBD protocol at all.
This is my understanding of how, for example, the IRC protocol added SSL
support. the SSL/TLS handshake happens first, but the very next thing
the client/server expects to see is the usual IRC protocol talk, encrypted.
If it sees incorrect magic after the SSL shake, both ends hang up.
If it sees IRC magic prior to the SSL shake, it either allows an
unencrypted session, or if the user or server has requested SSL-only,
one or both ends hang up.
>
> If the mgmt app tells QEMU to enable TLS at one end and not the
> other, the mgmt app gets what it deserves (a failed TLS handshake).
> We certainly would not want QEMU to auto-negotiate and fallback
> to plain text in this case.
>
> Regards,
> Daniel
>
next prev parent reply other threads:[~2014-09-04 15:55 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-03 16:44 [Qemu-devel] NBD TLS support in QEMU Stefan Hajnoczi
2014-09-04 14:19 ` Benoît Canet
2014-09-04 14:34 ` [Qemu-devel] [libvirt] " Daniel P. Berrange
2014-09-04 15:04 ` Benoît Canet
2014-09-04 15:45 ` Stefan Hajnoczi
2014-09-04 15:54 ` John Snow [this message]
2014-09-04 22:07 ` [Qemu-devel] " Wouter Verhelst
2014-09-04 22:54 ` Benoît Canet
2014-09-05 8:42 ` Wouter Verhelst
2014-09-05 12:15 ` Stefan Hajnoczi
2014-09-04 22:02 ` Wouter Verhelst
2014-09-05 8:13 ` Daniel P. Berrange
2014-09-05 8:34 ` Wouter Verhelst
2014-09-05 12:21 ` Stefan Hajnoczi
2014-09-05 6:23 ` [Qemu-devel] [libvirt] " Michal Privoznik
2014-09-05 8:10 ` Daniel P. Berrange
2014-09-05 8:46 ` [Qemu-devel] " Hani Benhabiles
2014-09-05 12:31 ` Stefan Hajnoczi
2014-09-05 13:26 ` Wouter Verhelst
2014-10-01 20:23 ` Wouter Verhelst
2014-10-02 11:00 ` Paolo Bonzini
2014-10-02 13:50 ` Wouter Verhelst
2014-10-08 18:16 ` Wouter Verhelst
2014-10-09 12:42 ` Paolo Bonzini
2014-10-02 11:05 ` Daniel P. Berrange
2014-10-02 11:28 ` Paolo Bonzini
2014-10-17 22:03 ` [Qemu-devel] spec, RFC: TLS support for NBD Wouter Verhelst
2014-10-18 6:33 ` Richard W.M. Jones
2014-10-20 7:58 ` Daniel P. Berrange
2014-10-20 9:56 ` Stefan Hajnoczi
2014-10-20 11:51 ` Markus Armbruster
2014-10-20 11:56 ` Florian Weimer
2014-10-20 12:48 ` Richard W.M. Jones
2014-10-20 22:10 ` Wouter Verhelst
2014-10-21 9:35 ` Daniel P. Berrange
2014-10-21 18:02 ` Wouter Verhelst
2014-10-20 12:08 ` Daniel P. Berrange
2014-10-20 21:53 ` [Qemu-devel] spec, RFC: TLS support for NBDµ Wouter Verhelst
2014-10-21 8:17 ` Markus Armbruster
2014-10-21 18:30 ` Wouter Verhelst
2014-10-25 10:43 ` [Qemu-devel] [Nbd] " Wouter Verhelst
2014-10-30 10:40 ` Stefan Hajnoczi
2014-10-31 18:15 ` Wouter Verhelst
2014-11-03 14:30 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54088B4C.1070001@redhat.com \
--to=jsnow@redhat.com \
--cc=benoit.canet@irqsave.net \
--cc=berrange@redhat.com \
--cc=kroosec@gmail.com \
--cc=libvir-list@redhat.com \
--cc=mreitz@redhat.com \
--cc=nick@bytemark.co.uk \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=w@uter.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).