On Thu, Sep 04, 2014 at 04:19:17PM +0200, Benoît Canet wrote:
The Wednesday 03 Sep 2014 à 17:44:17 (+0100), Stefan Hajnoczi wrote :
Hi,
QEMU offers both NBD client and server functionality. The NBD protocol
runs unencrypted, which is a problem when the client and server
communicate over an untrusted network.
The particular use case that prompted this mail is storage migration in
OpenStack. The goal is to encrypt the NBD connection between source and
destination hosts during storage migration.
I agree this would be usefull.
I think we can integrate TLS into the NBD protocol as an optional flag.
A quick web search does not reveal existing open source SSL/TLS NBD
implementations. I do see a VMware NBDSSL protocol but there is no
specification so I guess it is proprietary.
The NBD protocol starts with a negotiation phase. This would be the
appropriate place to indicate that TLS will be used. After client and
server complete TLS setup the connection can continue as normal.
Prenegociating TLS look like we will accidentaly introduce some security hole.
Why not just using a dedicated port and let the TLS handshake happen normaly ?
The mgmt app (libvirt in this case) chooses an arbitrary port when
telling QEMU to setup NBD, so we don't need to specify any alternate
port. I'd expect that libvirt just tell QEMU to enable NBD at both
ends, and we immediately do the TLS handshake upon opening the
connection. Only once TLS is established, should the NBD protocol
start running. IOW we don't need to modify the NBD protocol at all.