Re: [Nbd] NBD TLS support in QEMU
On Wed, Oct 01, 2014 at 10:23:26PM +0200, Wouter Verhelst wrote:
> On Fri, Sep 05, 2014 at 03:26:09PM +0200, Wouter Verhelst wrote:
> > Tunneling the entire protocol inside an SSL connection doesn't fix that;
> > if an attacker is able to hijack your TCP connections and change flags,
> > then this attacker is also able to hijack your TCP connection and
> > redirect it to a decrypting/encrypting proxy.
> > I agree that preventing a possible SSL downgrade attack (and other forms
> > of MITM) should be high on the priority list, but "tunnel the whole
> > thing in SSL" doesn't do that.
> So, having given this some thought, I wanted to come up with a spec just
> so that we had something we could all agree on. As part of that, I had a
> look at qemu-nbd, and noticed that it uses the "oldstyle" handshake
> protocol (on port 10809 by default -- ew, please don't do that).
> I had to change the protocol incompatibly a few years back, because the
> oldstyle protocol is broken by design; in the oldstyle negotiation
> protocol, the server dumps all information it has on the export to the
> client, and then moves on to the data negotiation phase, without waiting
> for any reply from the client. This means the oldstyle protocol can't be
> used for any sort of negotiation.
> As such, I strongly suggest that qemu-nbd move to the newstyle protocol.
Even if we added support for the newstyle protocol I don't see us being
able to drop the oldstyle protocol. NBD is used during migration of block
storage, and we need to be able to migrate from old QEMU to new QEMU and
vica-verca, so can't just switch protocol in a new QEMU without retaining
a way to use the old protocol.
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|