[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] NBD TLS support in QEMU
|
From: |
Paolo Bonzini |
|
Subject: |
Re: [Qemu-devel] NBD TLS support in QEMU |
|
Date: |
Thu, 02 Oct 2014 13:28:40 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 |
Il 02/10/2014 13:05, Daniel P. Berrange ha scritto:
> On Wed, Oct 01, 2014 at 10:23:26PM +0200, Wouter Verhelst wrote:
>> Hi,
>>
>> On Fri, Sep 05, 2014 at 03:26:09PM +0200, Wouter Verhelst wrote:
>>> Tunneling the entire protocol inside an SSL connection doesn't fix that;
>>> if an attacker is able to hijack your TCP connections and change flags,
>>> then this attacker is also able to hijack your TCP connection and
>>> redirect it to a decrypting/encrypting proxy.
>>>
>>> I agree that preventing a possible SSL downgrade attack (and other forms
>>> of MITM) should be high on the priority list, but "tunnel the whole
>>> thing in SSL" doesn't do that.
>>
>> So, having given this some thought, I wanted to come up with a spec just
>> so that we had something we could all agree on. As part of that, I had a
>> look at qemu-nbd, and noticed that it uses the "oldstyle" handshake
>> protocol (on port 10809 by default -- ew, please don't do that).
>>
>> I had to change the protocol incompatibly a few years back, because the
>> oldstyle protocol is broken by design; in the oldstyle negotiation
>> protocol, the server dumps all information it has on the export to the
>> client, and then moves on to the data negotiation phase, without waiting
>> for any reply from the client. This means the oldstyle protocol can't be
>> used for any sort of negotiation[1].
>>
>> As such, I strongly suggest that qemu-nbd move to the newstyle protocol.
>
> Even if we added support for the newstyle protocol I don't see us being
> able to drop the oldstyle protocol. NBD is used during migration of block
> storage, and we need to be able to migrate from old QEMU to new QEMU and
> vica-verca, so can't just switch protocol in a new QEMU without retaining
> a way to use the old protocol.
For that you don't use qemu-nbd, we use the NBD server that is embedded
in the QEMU executable. That one shares almost all the code with
qemu-nbd but, because we are exporting multiple disks over a single
port, ends up using the new-style protocol.
qemu-nbd uses the old-style protocol only because it has a single,
unnamed export.
QEMU's NBD client will use the old-style protocol if given URLs like
nbd://HOST:PORT/, and the new-style protocol for nbd://HOST:PORT/NAME.
Paolo
- Re: [Qemu-devel] NBD TLS support in QEMU, Wouter Verhelst, 2014/10/01
- Re: [Qemu-devel] NBD TLS support in QEMU, Daniel P. Berrange, 2014/10/02
- Re: [Qemu-devel] NBD TLS support in QEMU,
Paolo Bonzini <=
- [Qemu-devel] spec, RFC: TLS support for NBD, Wouter Verhelst, 2014/10/17
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Richard W.M. Jones, 2014/10/18
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Daniel P. Berrange, 2014/10/20
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Stefan Hajnoczi, 2014/10/20
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Markus Armbruster, 2014/10/20
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Daniel P. Berrange, 2014/10/20
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Florian Weimer, 2014/10/20
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Richard W.M. Jones, 2014/10/20
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Wouter Verhelst, 2014/10/20
- Re: [Qemu-devel] spec, RFC: TLS support for NBD, Daniel P. Berrange, 2014/10/21