
Re: [Nbd] doc/proto.md: TLS question

On 04/06/2016 07:37 AM, Alex Bligh wrote:
> From the proto.md:
> 
>> NBD_REP_ERR_TLS_REQD (2^31 + 5)
>>
>> The server is unwilling to continue negotiation unless TLS is negotiated first. A server MUST NOT send this error if it has one or more exports that do not require TLS; not even if the client indicated interest (by way of NBD_OPT_PEEK_EXPORT) in an export which requires TLS.
>>
>> If this reply is used, servers SHOULD send it in reply to each and every unencrypted NBD_OPT_* message (apart from NBD_OPT_STARTTLS).
> 
> I think the last SHOULD is wrong and should be deleted.
> 
> Firstly, this implies a server should reply with NBD_REP_ERR_TLS_REQD even before it knows the client even supports TLS. That's wrong. It even implies the server should send it even if *it* doesn't support TLS.
> 
> Secondly, even if by magic the server somehow knows that the client supports TLS, and it supports TLS too, it makes it impossible for a server to serve both TLS and non-TLS exports as it would force the client to negotiate TLS to process (say) NBD_OPT_LIST, and there's then no way of un-negotiating TLS.
> 
> I think this should thus be deleted.

Or at least modified; the earlier sentence is nicer ("A server MUST NOT
send this error if it has one or more exports that do not require TLS").

My understanding of the situation: there are three server configurations
(no TLS support, mixed, and only TLS support), and two guest
configurations (plaintext, TLS):

- Server has no exports that require TLS:
  - server MUST NOT use NBD_REP_ERR_TLS_REQD on any option request
  - server MUST send failure (NBD_REP_ERR_UNSUP or NBD_REP_ERR_POLICY)
if client sends NBD_OPT_STARTTLS
  - client is forced to use plaintext, even if it knows TLS

- Server has mixed setup (some exports require TLS, some do not)
  - server MUST NOT use NBD_REP_ERR_TLS_REQD on any option request
except for NBD_OPT_INFO or NBD_OPT_GO on an export that requires TLS (or
rather, if the export name is not plaintext)
  - server MUST NOT use NBD_REP_ERR_TLS_REQD after successful
NBD_OPT_STARTTLS
  - client MAY use plaintext for an export that does not require TLS
  - client MAY use NBD_OPT_STARTTLS to switch to TLS to be able to
access remaining exports
  - server SHOULD NOT make an export be plaintext-only (but maybe
there's a corner case where it happens, so I did not use MUST NOT)

- Server requires TLS support
  - server MUST use NBD_REP_ERR_TLS_REQD on any option request except
NBD_OPT_STARTTLS, if TLS is not negotiated yet
  - server MUST NOT use NBD_REP_ERR_TLS_REQD after successful
NBD_OPT_STARTTLS
  - client that does not know TLS will be unable to connect
  - client that knows TLS MUST negotiate TLS before doing anything else
useful

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
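The three server configurations enumerated in the message above, written out as an executable model of when a server may answer NBD_REP_ERR_TLS_REQD. This is an added example, not code from the nbd project or from the thread; it assumes NBD_REP_ACK as the success reply to NBD_OPT_STARTTLS, uses a made-up "HANDLE" marker for "process the option normally", and reads "if the export name is not plaintext" as also covering unknown export names.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional

class TlsMode(Enum):
    NONE = auto()      # no export requires TLS
    MIXED = auto()     # some exports require TLS, some do not
    REQUIRED = auto()  # every export requires TLS

# Replies the model can give.  NBD_REP_ERR_TLS_REQD and NBD_REP_ERR_POLICY are
# quoted in the thread; NBD_REP_ACK is the normal success reply to
# NBD_OPT_STARTTLS.  "HANDLE" means "process the option normally" and is a
# marker of this model only, not a protocol value.
TLS_REQD, POLICY, ACK, HANDLE = ("NBD_REP_ERR_TLS_REQD", "NBD_REP_ERR_POLICY",
                                 "NBD_REP_ACK", "HANDLE")

@dataclass
class Server:
    exports: dict             # constructed: export name -> True if it requires TLS
    tls_active: bool = False  # set once NBD_OPT_STARTTLS has succeeded

    def mode(self) -> TlsMode:
        required = set(self.exports.values())
        if required == {False}:
            return TlsMode.NONE
        return TlsMode.REQUIRED if required == {True} else TlsMode.MIXED

    def reply(self, opt: str, export: Optional[str] = None) -> str:
        mode = self.mode()
        if opt == "NBD_OPT_STARTTLS":
            if mode is TlsMode.NONE:       # no TLS exports: refuse STARTTLS
                return POLICY
            self.tls_active = True         # the TLS handshake itself is elided
            return ACK
        if self.tls_active or mode is TlsMode.NONE:
            return HANDLE                  # TLS_REQD is never used in these states
        if mode is TlsMode.REQUIRED:
            return TLS_REQD                # every plaintext option except STARTTLS
        # MIXED: only INFO/GO on a non-plaintext export is refused, so LIST still
        # works unencrypted.  An unknown name counts as non-plaintext (assumption).
        if opt in ("NBD_OPT_INFO", "NBD_OPT_GO") and self.exports.get(export, True):
            return TLS_REQD
        return HANDLE

def negotiate(server: Server, requests) -> list:
    """Feed a sequence of (option, export) requests and collect the replies."""
    return [server.reply(opt, export) for opt, export in requests]
```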