Re: NBD TLS support in QEMU

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Oct 02, 2014 at 01:00:04PM +0200, Paolo Bonzini wrote:
> Il 01/10/2014 22:23, Wouter Verhelst ha scritto:
> > Hi,
> > 
> > On Fri, Sep 05, 2014 at 03:26:09PM +0200, Wouter Verhelst wrote:
> >> Tunneling the entire protocol inside an SSL connection doesn't fix that;
> >> if an attacker is able to hijack your TCP connections and change flags,
> >> then this attacker is also able to hijack your TCP connection and
> >> redirect it to a decrypting/encrypting proxy.
> >>
> >> I agree that preventing a possible SSL downgrade attack (and other forms
> >> of MITM) should be high on the priority list, but "tunnel the whole
> >> thing in SSL" doesn't do that.
> > 
> > So, having given this some thought, I wanted to come up with a spec just
> > so that we had something we could all agree on. As part of that, I had a
> > look at qemu-nbd, and noticed that it uses the "oldstyle" handshake
> > protocol (on port 10809 by default -- ew, please don't do that).
> 
> Can you use new-style handshake with a single unnamed export?  Export
> names are a useless complication for qemu-nbd.

Not currently, but I don't think you need that. You could have a default
name, which would be used if no name was otherwise specified. It's not
much of a stretch to make that name part of the protocol spec, either.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]