From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59004)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1aoB0L-0005He-ST
	for qemu-devel@nongnu.org; Thu, 07 Apr 2016 10:33:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1aoB0I-0004OV-JW
	for qemu-devel@nongnu.org; Thu, 07 Apr 2016 10:33:53 -0400
Received: from mx1.redhat.com ([209.132.183.28]:36562)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1aoB0I-0004OQ-Bg
	for qemu-devel@nongnu.org; Thu, 07 Apr 2016 10:33:50 -0400
References: <1460028959-59091-1-git-send-email-alex@alex.org.uk>
	<20160407115159.GE19932@redhat.com>
From: Eric Blake <eblake@redhat.com>
Message-ID: <57066FCD.20602@redhat.com>
Date: Thu, 7 Apr 2016 08:33:49 -0600
MIME-Version: 1.0
In-Reply-To: <20160407115159.GE19932@redhat.com>
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="S0ha6CJ7OGK1WkkgeUUi1UlBlT2wB9EwW"
Subject: Re: [Qemu-devel] [PATCH] Improve documentation for TLS
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Daniel P. Berrange" <berrange@redhat.com>, Alex Bligh <alex@alex.org.uk>
Cc: "nbd-general@lists.sourceforge.net" <nbd-general@lists.sourceforge.net>, Wouter Verhelst <w@uter.be>, "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--S0ha6CJ7OGK1WkkgeUUi1UlBlT2wB9EwW
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 04/07/2016 05:51 AM, Daniel P. Berrange wrote:

>> +
>> +There are four modes of operation for a server. The
>> +server MUST support one of these modes.
>> +
>> +* The server operates entirely without TLS ('NOTLS'); OR
>> +
>> +* The server makes TLS available (for all exports) and
>> +  it is available at the option of the client ('OPTIONALTLS'); OR
>> +
>> +* The server insists upon TLS, and forces the client to
>> +  upgrade by erroring any NBD options other than `NBD_OPT_STARTTLS`
>> +  with `NBD_REP_ERR_TLS_REQD` ('FORCEDTLS'); this in practice means
>> +  that all option negotiation (apart from the `NBD_OPT_STARTTLS`
>> +  itself) is carried out with TLS; OR
>> +
>> +* The server provides TLS, and it is mandatory on zero or more
>> +  exports, and is available at the client's option on all
>> +  other exports ('SELECTIVETLS'). The server does not force
>> +  the client to upgrade to TLS during option haggling (as
>> +  if the client ultimately chose a non-TLS-only export,
>> +  stopping TLS is not possible). Instead it permits the client
>> +  to upgrade as and when it chooses, but unless an upgrade to
>> +  TLS has already taken place, the server errors attempts
>> +  to enter transmission mode on TLS-only exports, MAY
>> +  refuse to provide information about TLS-only exports
>> +  via `NBD_OPT_INFO`, and MAY refuse to provide information
>> +  about non-existent exports via `NBD_OPT_INFO`.
>=20
> IMHO, we should not permit what you call OPTIONALTLS or SELECTIVETLS,
> because these open possibilities for a MITM to perform downgrade
> attacks, where the MITM runs TLS to the real server, but runs no-TLS
> to the real client.

On a safe interface (like loopback) where there cannot be a MitM attack,
they still make sense.  I think the protocol should discourage, but not
forbid, their use (and I think the followup mail does this, by
documenting pitfalls of downgrade attacks).

>=20
> Both the QEMU NBD server and NBD clients only implement FORCEDTLS.

which is fine. You don't have to implement all four server modes to be
compliant to the protocol, implementing just one is okay.

> ie you tell the client to use TLS and it will refuse to talk to a
> server which doesn't support TLS, and you tell the server to use
> TLS and it will refuse to talk to a client which does not request
> TLS
>=20
> Regards,
> Daniel
>=20

--=20
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--S0ha6CJ7OGK1WkkgeUUi1UlBlT2wB9EwW
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJXBm/NAAoJEKeha0olJ0Nqor0H/0m/stRCngzg8w9AMovy+Jh1
mKd+0Wh0VTNLzS7jLkyVFwF1Mkpdk1L1GEXqg7+iDVAqE1FGtKX1hBRZA39uRG2W
n4hQEO+vx1PJdMzAp//YNxtm7f0tGB6M6CYXS/KbQunCICxZI3102/mkIwVOu2tX
JQ0CNMPLl7s4F6CkjvsLY8+IwVfC5UUEOS0Wdw6hx2oKaMM6bsGEYQJr8Ug+Ga9r
cL4V3WJd67stqRveFCDK6VCXVNbFB7L1K70Rrvcc7BCAVRomUbnfnElaUaKeVXu3
IRJ/SjQH3dAY5QxF9GwJv/oJo7l9bnxB0o3YRHg+7cWIJ1/2WcaMfTiVadng9Y0=
=q3K4
-----END PGP SIGNATURE-----

--S0ha6CJ7OGK1WkkgeUUi1UlBlT2wB9EwW--