[Bug 1894781] [NEW] [Feature request] Provide a way to do TLS first in QEMU/NBD connections (not after NBD negotiation)

[Bug 1894781] [NEW] [Feature request] Provide a way to do TLS first in QEMU/NBD connections (not after NBD negotiation)

[Vjaceslavs Klimovs]

Public bug reported:

(following from
https://gitlab.com/libvirt/libvirt/-/issues/68#note_400960567)

As is very well explained in https://www.berrange.com/posts/2016/04/05
/improving-qemu-security-part-5-tls-support-for-nbd-server-client/, and
easily confirmed with captures, NBD stream starts in cleartext and
upgrades to TLS inline (similar to STARTTLS mechanism). As a rationale,
it is stated that this provides better error messages for the user of
NBD.

However, this approach has downsides:

1) Clear indication to a network observer that NBD (and therefore likely qemu/libvirt) is used. In contrast, TLS1.3 hides even the SNI of the servers (ESNI, https://blog.cloudflare.com/encrypted-sni/).
2) Potential for bugs in NBD protocol negotiation code. That code just statistically, likely less looked at code than gnutls. This is not a reflection on NBD code quality, just the fact that TLS code does receive a bit more scrutiny. 
3) Inability to inspect TLS listener interface for compliance, e.g. with a security scanner. Making sure TLS listeners only select certain ciphersuits is a requirement of some compliance regimes. 

I think it's fully possible to satisfy the original requirement of good
error messages as well, detecting that the other end is initiating TLS
connection.

It's very unlikely that it's currently sae to recommend to run QEMU
migration stream over a hostile network, but it should be possible to do
with TLS only option.

Solution to this, just like in the case of SMTP, is to provide TLS only
option (no initial cleartext at all) for QEMU migration, which hopefully
it not a large addition.

Thank you for your consideration!

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1894781

Title:
  [Feature request] Provide a way to do TLS first in QEMU/NBD
  connections (not after NBD negotiation)

Status in QEMU:
  New

Bug description:
  (following from
  https://gitlab.com/libvirt/libvirt/-/issues/68#note_400960567)

  As is very well explained in https://www.berrange.com/posts/2016/04/05
  /improving-qemu-security-part-5-tls-support-for-nbd-server-client/,
  and easily confirmed with captures, NBD stream starts in cleartext and
  upgrades to TLS inline (similar to STARTTLS mechanism). As a
  rationale, it is stated that this provides better error messages for
  the user of NBD.

  However, this approach has downsides:

  1) Clear indication to a network observer that NBD (and therefore likely qemu/libvirt) is used. In contrast, TLS1.3 hides even the SNI of the servers (ESNI, https://blog.cloudflare.com/encrypted-sni/).
  2) Potential for bugs in NBD protocol negotiation code. That code just statistically, likely less looked at code than gnutls. This is not a reflection on NBD code quality, just the fact that TLS code does receive a bit more scrutiny. 
  3) Inability to inspect TLS listener interface for compliance, e.g. with a security scanner. Making sure TLS listeners only select certain ciphersuits is a requirement of some compliance regimes. 

  I think it's fully possible to satisfy the original requirement of
  good error messages as well, detecting that the other end is
  initiating TLS connection.

  It's very unlikely that it's currently sae to recommend to run QEMU
  migration stream over a hostile network, but it should be possible to
  do with TLS only option.

  Solution to this, just like in the case of SMTP, is to provide TLS
  only option (no initial cleartext at all) for QEMU migration, which
  hopefully it not a large addition.

  Thank you for your consideration!

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1894781/+subscriptions

Re: [Bug 1894781] [NEW] [Feature request] Provide a way to do TLS first in QEMU/NBD connections (not after NBD negotiation)

[Eric Blake]

On 9/7/20 11:00 PM, Vjaceslavs Klimovs wrote:
> Public bug reported:
> 
> (following from
> https://gitlab.com/libvirt/libvirt/-/issues/68#note_400960567)
> 
> As is very well explained in https://www.berrange.com/posts/2016/04/05
> /improving-qemu-security-part-5-tls-support-for-nbd-server-client/, and
> easily confirmed with captures, NBD stream starts in cleartext and
> upgrades to TLS inline (similar to STARTTLS mechanism). As a rationale,
> it is stated that this provides better error messages for the user of
> NBD.
> 
> However, this approach has downsides:
> 
> 1) Clear indication to a network observer that NBD (and therefore likely qemu/libvirt) is used.

qemu/libvirt is not the only client of NBD.  In fact, the nbdkit and 
libnbd projects exist to make it easier to utilize NBD from more places.

> In contrast, TLS1.3 hides even the SNI of the servers (ESNI, https://blog.cloudflare.com/encrypted-sni/).
> 2) Potential for bugs in NBD protocol negotiation code. That code just statistically, likely less looked at code than gnutls. This is not a reflection on NBD code quality, just the fact that TLS code does receive a bit more scrutiny.

This is a non-argument.  When configured correctly at the NBD server, 
the NBD_OPT_STARTTLS option is the _only_ option accepted by a client, 
at which point you are right back into TLS code (from gnutls or 
elsewhere) and using the existing TLS libraries to establish the 
connection - but that is the SAME thing you would have to do even if 
there were a way to connect to an NBD server that doesn't even start 
with plaintext handshaking.

> 3) Inability to inspect TLS listener interface for compliance, e.g. with a security scanner. Making sure TLS listeners only select certain ciphersuits is a requirement of some compliance regimes.
> 
> I think it's fully possible to satisfy the original requirement of good
> error messages as well, detecting that the other end is initiating TLS
> connection.

If you are going to make a change in this area, it will need to be 
agreed on in the upstream NBD list, where _all_ implementations of NBD 
(both client and server) can weigh in; qemu will not change in a vacuum 
without upstream protocol concurrence.

https://lists.debian.org/nbd/

> 
> It's very unlikely that it's currently sae to recommend to run QEMU
> migration stream over a hostile network, but it should be possible to do
> with TLS only option.

It is very easy to write both servers and clients that require a 
transition from plaintext into TLS before any serious traffic is sent.

> 
> Solution to this, just like in the case of SMTP, is to provide TLS only
> option (no initial cleartext at all) for QEMU migration, which hopefully
> it not a large addition.
> 
> Thank you for your consideration!
> 
> ** Affects: qemu
>       Importance: Undecided
>           Status: New
> 

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Re: [Bug 1894781] [NEW] [Feature request] Provide a way to do TLS first in QEMU/NBD connections (not after NBD negotiation)

[Eric Blake]

On 9/7/20 11:00 PM, Vjaceslavs Klimovs wrote:
> Public bug reported:
> 
> (following from
> https://gitlab.com/libvirt/libvirt/-/issues/68#note_400960567)
> 
> As is very well explained in https://www.berrange.com/posts/2016/04/05
> /improving-qemu-security-part-5-tls-support-for-nbd-server-client/, and
> easily confirmed with captures, NBD stream starts in cleartext and
> upgrades to TLS inline (similar to STARTTLS mechanism). As a rationale,
> it is stated that this provides better error messages for the user of
> NBD.
> 
> However, this approach has downsides:
> 
> 1) Clear indication to a network observer that NBD (and therefore likely qemu/libvirt) is used.

qemu/libvirt is not the only client of NBD.  In fact, the nbdkit and 
libnbd projects exist to make it easier to utilize NBD from more places.

> In contrast, TLS1.3 hides even the SNI of the servers (ESNI, https://blog.cloudflare.com/encrypted-sni/).
> 2) Potential for bugs in NBD protocol negotiation code. That code just statistically, likely less looked at code than gnutls. This is not a reflection on NBD code quality, just the fact that TLS code does receive a bit more scrutiny.

This is a non-argument.  When configured correctly at the NBD server, 
the NBD_OPT_STARTTLS option is the _only_ option accepted by a client, 
at which point you are right back into TLS code (from gnutls or 
elsewhere) and using the existing TLS libraries to establish the 
connection - but that is the SAME thing you would have to do even if 
there were a way to connect to an NBD server that doesn't even start 
with plaintext handshaking.

> 3) Inability to inspect TLS listener interface for compliance, e.g. with a security scanner. Making sure TLS listeners only select certain ciphersuits is a requirement of some compliance regimes.
> 
> I think it's fully possible to satisfy the original requirement of good
> error messages as well, detecting that the other end is initiating TLS
> connection.

If you are going to make a change in this area, it will need to be 
agreed on in the upstream NBD list, where _all_ implementations of NBD 
(both client and server) can weigh in; qemu will not change in a vacuum 
without upstream protocol concurrence.

https://lists.debian.org/nbd/

> 
> It's very unlikely that it's currently sae to recommend to run QEMU
> migration stream over a hostile network, but it should be possible to do
> with TLS only option.

It is very easy to write both servers and clients that require a 
transition from plaintext into TLS before any serious traffic is sent.

> 
> Solution to this, just like in the case of SMTP, is to provide TLS only
> option (no initial cleartext at all) for QEMU migration, which hopefully
> it not a large addition.
> 
> Thank you for your consideration!
> 
> ** Affects: qemu
>       Importance: Undecided
>           Status: New
> 

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1894781

Title:
  [Feature request] Provide a way to do TLS first in QEMU/NBD
  connections (not after NBD negotiation)

Status in QEMU:
  New

Bug description:
  (following from
  https://gitlab.com/libvirt/libvirt/-/issues/68#note_400960567)

  As is very well explained in https://www.berrange.com/posts/2016/04/05
  /improving-qemu-security-part-5-tls-support-for-nbd-server-client/,
  and easily confirmed with captures, NBD stream starts in cleartext and
  upgrades to TLS inline (similar to STARTTLS mechanism). As a
  rationale, it is stated that this provides better error messages for
  the user of NBD.

  However, this approach has downsides:

  1) Clear indication to a network observer that NBD (and therefore likely qemu/libvirt) is used. In contrast, TLS1.3 hides even the SNI of the servers (ESNI, https://blog.cloudflare.com/encrypted-sni/).
  2) Potential for bugs in NBD protocol negotiation code. That code just statistically, likely less looked at code than gnutls. This is not a reflection on NBD code quality, just the fact that TLS code does receive a bit more scrutiny. 
  3) Inability to inspect TLS listener interface for compliance, e.g. with a security scanner. Making sure TLS listeners only select certain ciphersuits is a requirement of some compliance regimes. 

  I think it's fully possible to satisfy the original requirement of
  good error messages as well, detecting that the other end is
  initiating TLS connection.

  It's very unlikely that it's currently sae to recommend to run QEMU
  migration stream over a hostile network, but it should be possible to
  do with TLS only option.

  Solution to this, just like in the case of SMTP, is to provide TLS
  only option (no initial cleartext at all) for QEMU migration, which
  hopefully it not a large addition.

  Thank you for your consideration!

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1894781/+subscriptions

[Bug 1894781] Re: [Feature request] Provide a way to do TLS first in QEMU/NBD connections (not after NBD negotiation)

[Eric Blake]

** Bug watch added: gitlab.com/libvirt/libvirt/-/issues #68
   https://gitlab.com/libvirt/libvirt/-/issues/68

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1894781

Title:
  [Feature request] Provide a way to do TLS first in QEMU/NBD
  connections (not after NBD negotiation)

Status in QEMU:
  New

Bug description:
  (following from
  https://gitlab.com/libvirt/libvirt/-/issues/68#note_400960567)

  As is very well explained in https://www.berrange.com/posts/2016/04/05
  /improving-qemu-security-part-5-tls-support-for-nbd-server-client/,
  and easily confirmed with captures, NBD stream starts in cleartext and
  upgrades to TLS inline (similar to STARTTLS mechanism). As a
  rationale, it is stated that this provides better error messages for
  the user of NBD.

  However, this approach has downsides:

  1) Clear indication to a network observer that NBD (and therefore likely qemu/libvirt) is used. In contrast, TLS1.3 hides even the SNI of the servers (ESNI, https://blog.cloudflare.com/encrypted-sni/).
  2) Potential for bugs in NBD protocol negotiation code. That code just statistically, likely less looked at code than gnutls. This is not a reflection on NBD code quality, just the fact that TLS code does receive a bit more scrutiny. 
  3) Inability to inspect TLS listener interface for compliance, e.g. with a security scanner. Making sure TLS listeners only select certain ciphersuits is a requirement of some compliance regimes. 

  I think it's fully possible to satisfy the original requirement of
  good error messages as well, detecting that the other end is
  initiating TLS connection.

  It's very unlikely that it's currently sae to recommend to run QEMU
  migration stream over a hostile network, but it should be possible to
  do with TLS only option.

  Solution to this, just like in the case of SMTP, is to provide TLS
  only option (no initial cleartext at all) for QEMU migration, which
  hopefully it not a large addition.

  Thank you for your consideration!

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1894781/+subscriptions

[Bug 1894781] Re: [Feature request] Provide a way to do TLS first in QEMU/NBD connections (not after NBD negotiation)

[Thomas Huth]

The QEMU project is currently moving its bug tracking to another system.
For this we need to know which bugs are still valid and which could be
closed already. Thus we are setting the bug state to "Incomplete" now.

If the bug has already been fixed in the latest upstream version of QEMU,
then please close this ticket as "Fix released".

If it is not fixed yet and you think that this bug report here is still
valid, then you have two options:

1) If you already have an account on gitlab.com, please open a new ticket
for this problem in our new tracker here:

    https://gitlab.com/qemu-project/qemu/-/issues

and then close this ticket here on Launchpad (or let it expire auto-
matically after 60 days). Please mention the URL of this bug ticket on
Launchpad in the new ticket on GitLab.

2) If you don't have an account on gitlab.com and don't intend to get
one, but still would like to keep this ticket opened, then please switch
the state back to "New" or "Confirmed" within the next 60 days (other-
wise it will get closed as "Expired"). We will then eventually migrate
the ticket automatically to the new system (but you won't be the reporter
of the bug in the new system and thus you won't get notified on changes
anymore).

Thank you and sorry for the inconvenience.


** Changed in: qemu
       Status: New => Incomplete

** Tags added: feature-request

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1894781

Title:
  [Feature request] Provide a way to do TLS first in QEMU/NBD
  connections (not after NBD negotiation)

Status in QEMU:
  Incomplete

Bug description:
  (following from
  https://gitlab.com/libvirt/libvirt/-/issues/68#note_400960567)

  As is very well explained in https://www.berrange.com/posts/2016/04/05
  /improving-qemu-security-part-5-tls-support-for-nbd-server-client/,
  and easily confirmed with captures, NBD stream starts in cleartext and
  upgrades to TLS inline (similar to STARTTLS mechanism). As a
  rationale, it is stated that this provides better error messages for
  the user of NBD.

  However, this approach has downsides:

  1) Clear indication to a network observer that NBD (and therefore likely qemu/libvirt) is used. In contrast, TLS1.3 hides even the SNI of the servers (ESNI, https://blog.cloudflare.com/encrypted-sni/).
  2) Potential for bugs in NBD protocol negotiation code. That code just statistically, likely less looked at code than gnutls. This is not a reflection on NBD code quality, just the fact that TLS code does receive a bit more scrutiny. 
  3) Inability to inspect TLS listener interface for compliance, e.g. with a security scanner. Making sure TLS listeners only select certain ciphersuits is a requirement of some compliance regimes. 

  I think it's fully possible to satisfy the original requirement of
  good error messages as well, detecting that the other end is
  initiating TLS connection.

  It's very unlikely that it's currently sae to recommend to run QEMU
  migration stream over a hostile network, but it should be possible to
  do with TLS only option.

  Solution to this, just like in the case of SMTP, is to provide TLS
  only option (no initial cleartext at all) for QEMU migration, which
  hopefully it not a large addition.

  Thank you for your consideration!

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1894781/+subscriptions

[Bug 1894781] Re: [Feature request] Provide a way to do TLS first in QEMU/NBD connections (not after NBD negotiation)

[Vjaceslavs Klimovs]

** Changed in: qemu
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1894781

Title:
  [Feature request] Provide a way to do TLS first in QEMU/NBD
  connections (not after NBD negotiation)

Status in QEMU:
  New

Bug description:
  (following from
  https://gitlab.com/libvirt/libvirt/-/issues/68#note_400960567)

  As is very well explained in https://www.berrange.com/posts/2016/04/05
  /improving-qemu-security-part-5-tls-support-for-nbd-server-client/,
  and easily confirmed with captures, NBD stream starts in cleartext and
  upgrades to TLS inline (similar to STARTTLS mechanism). As a
  rationale, it is stated that this provides better error messages for
  the user of NBD.

  However, this approach has downsides:

  1) Clear indication to a network observer that NBD (and therefore likely qemu/libvirt) is used. In contrast, TLS1.3 hides even the SNI of the servers (ESNI, https://blog.cloudflare.com/encrypted-sni/).
  2) Potential for bugs in NBD protocol negotiation code. That code just statistically, likely less looked at code than gnutls. This is not a reflection on NBD code quality, just the fact that TLS code does receive a bit more scrutiny. 
  3) Inability to inspect TLS listener interface for compliance, e.g. with a security scanner. Making sure TLS listeners only select certain ciphersuits is a requirement of some compliance regimes. 

  I think it's fully possible to satisfy the original requirement of
  good error messages as well, detecting that the other end is
  initiating TLS connection.

  It's very unlikely that it's currently sae to recommend to run QEMU
  migration stream over a hostile network, but it should be possible to
  do with TLS only option.

  Solution to this, just like in the case of SMTP, is to provide TLS
  only option (no initial cleartext at all) for QEMU migration, which
  hopefully it not a large addition.

  Thank you for your consideration!

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1894781/+subscriptions

[Bug 1894781] Re: [Feature request] Provide a way to do TLS first in QEMU/NBD connections (not after NBD negotiation)

[Thomas Huth]

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/282


** Changed in: qemu
       Status: New => Expired

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #282
   https://gitlab.com/qemu-project/qemu/-/issues/282

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1894781

Title:
  [Feature request] Provide a way to do TLS first in QEMU/NBD
  connections (not after NBD negotiation)

Status in QEMU:
  Expired

Bug description:
  (following from
  https://gitlab.com/libvirt/libvirt/-/issues/68#note_400960567)

  As is very well explained in https://www.berrange.com/posts/2016/04/05
  /improving-qemu-security-part-5-tls-support-for-nbd-server-client/,
  and easily confirmed with captures, NBD stream starts in cleartext and
  upgrades to TLS inline (similar to STARTTLS mechanism). As a
  rationale, it is stated that this provides better error messages for
  the user of NBD.

  However, this approach has downsides:

  1) Clear indication to a network observer that NBD (and therefore likely qemu/libvirt) is used. In contrast, TLS1.3 hides even the SNI of the servers (ESNI, https://blog.cloudflare.com/encrypted-sni/).
  2) Potential for bugs in NBD protocol negotiation code. That code just statistically, likely less looked at code than gnutls. This is not a reflection on NBD code quality, just the fact that TLS code does receive a bit more scrutiny. 
  3) Inability to inspect TLS listener interface for compliance, e.g. with a security scanner. Making sure TLS listeners only select certain ciphersuits is a requirement of some compliance regimes. 

  I think it's fully possible to satisfy the original requirement of
  good error messages as well, detecting that the other end is
  initiating TLS connection.

  It's very unlikely that it's currently sae to recommend to run QEMU
  migration stream over a hostile network, but it should be possible to
  do with TLS only option.

  Solution to this, just like in the case of SMTP, is to provide TLS
  only option (no initial cleartext at all) for QEMU migration, which
  hopefully it not a large addition.

  Thank you for your consideration!

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1894781/+subscriptions