Re: [Nbd] spec, RFC: TLS support for NBD

To: Wouter Verhelst <w@...112...>
Cc: Florian Weimer <fweimer@...696...>, "Daniel P. Berrange" <berrange@...696...>, libvir-list@...696..., mprivozn@...696..., nbd-general@...72..., qemu-devel@...530..., Max Reitz <mreitz@...696...>, Stefan Hajnoczi <stefanha@...696...>, Paolo Bonzini <pbonzini@...696...>
Subject: Re: [Nbd] spec, RFC: TLS support for NBD
From: "Richard W.M. Jones" <rjones@...696...>
Date: Sat, 18 Oct 2014 07:33:22 +0100
Message-id: <20141018063322.GC1349@...696...>
In-reply-to: <20141017220323.GC31287@...3...>
References: <20140903164417.GA32748@...1390...> <20140905084618.GA3720@...1599...> <20140905132608.GB26974@...3...> <20141001202326.GA2533@...3...> <20141002110516.GG13032@...696...> <542D36E8.2010705@...696...> <20141017220323.GC31287@...3...>

On Sat, Oct 18, 2014 at 12:03:23AM +0200, Wouter Verhelst wrote:
> Hi all,
> 
> (added rjones from nbdkit fame -- hi there)

[I'm happy to implement whatever you come up with, but I've added
Florian Weimer to CC who is part of Red Hat's product security group]

> So I think the following would make sense to allow TLS in NBD.
> 
> This would extend the newstyle negotiation by adding two options (i.e.,
> client requests), one server reply, and one server error as well as
> extend one existing reply, in the following manner:
> 
> - The two new commands are NBD_OPT_PEEK_EXPORT and NBD_OPT_STARTTLS. The
>   former would be used to verify if the server will do TLS for a given
>   export:
> 
>   C: NBD_OPT_PEEK_EXPORT
>   S: NBD_REP_SERVER, with an extra field after the export name
>      containing flags that describe the export (R/O vs R/W state,
>      whether TLS is allowed and/or required).
>   
>   If the server indicates that TLS is allowed, the client may now issue
>   NBD_OPT_STARTTLS:
> 
>   C: NBD_OPT_STARTTLS
>   S: NBD_REP_STARTTLS # or NBD_REP_ERR_POLICY, if unwilling
>   C: <initiate TLS handshake>
> 
>   Once the TLS handshake has completed, negotiation should continue over
>   the secure channel. The client should initiate that by sending an
>   NBD_OPT_* message.
> 
> - The server may reply to any and all negotiation request with
>   NBD_REP_ERR_TLS_REQD if it does not want to do anything without TLS.
>   However, if at least one export is supported without encryption, the
>   server must not in any case use this reply.
> 
> There is no command to "exit" TLS again. I don't think that makes sense,
> but I could be persuaded otherwise with sound technical arguments.
> 
> Thoughts?
> 
> (full spec (with numbers etc) exists as an (uncommitted) diff to
> doc/proto.txt on my laptop, ...)
> 
> -- 
> It is easy to love a country that is famous for chocolate and beer
> 
>   -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26



-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW

Reply to:

Follow-Ups:
- Re: [Nbd] spec, RFC: TLS support for NBD
  - From: "Daniel P. Berrange" <berrange@...696...>

References:
- Re: [Nbd] NBD TLS support in QEMU
  - From: Wouter Verhelst <w@...112...>
- Re: [Nbd] NBD TLS support in QEMU
  - From: "Daniel P. Berrange" <berrange@...696...>
- Re: [Nbd] NBD TLS support in QEMU
  - From: Paolo Bonzini <pbonzini@...696...>
- [Nbd] spec, RFC: TLS support for NBD
  - From: Wouter Verhelst <w@...112...>

Prev by Date: [Nbd] spec, RFC: TLS support for NBD
Next by Date: Re: [Nbd] spec, RFC: TLS support for NBD
Previous by thread: [Nbd] spec, RFC: TLS support for NBD
Next by thread: Re: [Nbd] spec, RFC: TLS support for NBD
Index(es):
- Date
- Thread