[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [libvirt] NBD TLS support in QEMU
From: |
Benoît Canet |
Subject: |
Re: [Qemu-devel] [libvirt] NBD TLS support in QEMU |
Date: |
Thu, 4 Sep 2014 17:04:06 +0200 |
User-agent: |
Mutt/1.5.23 (2014-03-12) |
The Thursday 04 Sep 2014 à 15:34:59 (+0100), Daniel P. Berrange wrote :
> On Thu, Sep 04, 2014 at 04:19:17PM +0200, Benoît Canet wrote:
> > The Wednesday 03 Sep 2014 à 17:44:17 (+0100), Stefan Hajnoczi wrote :
> > > Hi,
> > > QEMU offers both NBD client and server functionality. The NBD protocol
> > > runs unencrypted, which is a problem when the client and server
> > > communicate over an untrusted network.
> > >
> > > The particular use case that prompted this mail is storage migration in
> > > OpenStack. The goal is to encrypt the NBD connection between source and
> > > destination hosts during storage migration.
> >
> > I agree this would be usefull.
> >
> > >
> > > I think we can integrate TLS into the NBD protocol as an optional flag.
> > > A quick web search does not reveal existing open source SSL/TLS NBD
> > > implementations. I do see a VMware NBDSSL protocol but there is no
> > > specification so I guess it is proprietary.
> > >
> > > The NBD protocol starts with a negotiation phase. This would be the
> > > appropriate place to indicate that TLS will be used. After client and
> > > server complete TLS setup the connection can continue as normal.
> >
> > Prenegociating TLS look like we will accidentaly introduce some security
> > hole.
> > Why not just using a dedicated port and let the TLS handshake happen
> > normaly ?
>
> The mgmt app (libvirt in this case) chooses an arbitrary port when
> telling QEMU to setup NBD, so we don't need to specify any alternate
> port. I'd expect that libvirt just tell QEMU to enable NBD at both
> ends, and we immediately do the TLS handshake upon opening the
> connection. Only once TLS is established, should the NBD protocol
> start running. IOW we don't need to modify the NBD protocol at all.
>
> If the mgmt app tells QEMU to enable TLS at one end and not the
> other, the mgmt app gets what it deserves (a failed TLS handshake).
> We certainly would not want QEMU to auto-negotiate and fallback
> to plain text in this case.
I agree.
Best regards
Benoît
>
> Regards,
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
>
Re: [Qemu-devel] NBD TLS support in QEMU, Wouter Verhelst, 2014/09/04