From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH FYI 45/46] migration: support TLS encryption with TCP migration backend
Date: Mon, 7 Sep 2015 17:29:43 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

On Mon, Sep 07, 2015 at 05:23:01PM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrange (address@hidden) wrote:
> > This extends the TCP migration backend so that it can make use
> > of QIOChannelTLS to provide transparent TLS encryption. To
> > trigger enablement the URI on the incoming and outgoing sides
> > should have 'tls-creds=ID' appended, eg
> > 
> >    tcp:$HOST:$PORT,tls-creds=ID
> 
> What makes this tcp specific? Would it work on any bidirectional
> transport?

TLS is capable of working on any bi-directional transport.
When using x509 certificates with TLS though, the client
would typically validate the server identity by comparing
the hostname it connected to, with the hostname encoded
in the server's x509 certificate. So if we want to enable
use of TLS over a transport that isn't TCP, we'd need to
figure out the policy around x509 certificate validation.
This isn't necessarily hard, but it would need someone
to describe the usage scenario, so we can figure out what
makes sense from the security POV.

Since I've not heard of anyone asking for TLS support on
non-TCP transports, I figured it was fine to only plumb
it into tcp: for migration for now and avoid these questions.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
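The x509 identity check discussed in this reply, written out as an added example in Go (not QEMU's or QIOChannelTLS's code, and not from this thread). The client verifies that the server's certificate chains to a trusted root and that its name matches the identity the client expected; over TCP that identity is the hostname that was dialled, while on a transport with no hostname it has to come from explicit policy, so the example refuses an empty expected name instead of silently skipping the name check. The self-signed certificate and the name `migration.example` are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// newServerCert issues a self-signed server certificate for dnsName and
// returns its DER bytes plus a pool that trusts it (constructed test data).
func newServerCert(dnsName string) ([]byte, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName}, // the identity a client can check
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // freshly created, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return der, pool, nil
}

// verifyServerIdentity is the client-side check: the chain must reach a
// trusted root AND expectName must match a name in the certificate. Over TCP
// expectName is the dialled hostname; elsewhere policy must supply it, and an
// empty value is rejected because x509.Verify would then skip the name check.
func verifyServerIdentity(der []byte, pool *x509.CertPool, expectName string) error {
	if expectName == "" {
		return errors.New("no expected server identity to verify against")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: expectName})
	return err
}
```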