From: Sage Weil <sweil@redhat.com>
To: Marcus Watts <mwatts@redhat.com>
Cc: Gregory Farnum <gfarnum@redhat.com>,
Haomai Wang <haomai@xsky.com>,
ceph-devel <ceph-devel@vger.kernel.org>
Subject: Re: msgr2 protocol
Date: Sun, 12 Jun 2016 19:59:20 -0400 (EDT) [thread overview]
Message-ID: <alpine.DEB.2.11.1606121950490.32559@cpach.fuggernut.com> (raw)
In-Reply-To: <20160611230503.GA18268@degu.eng.arb.redhat.com>
On Sat, 11 Jun 2016, Marcus Watts wrote:
> If the client doesn't look at "features" before it sends stuff, it
> will not be able to be very smart about taking advantage of some
> future better method. In fact, there isn't much advantage
> to the server sending anything early - it could just as easily
> wait until after it's seen the clients request.
>
> Failing hard & retrying on a failed reconnect is going to be slower.
> On the bright side, at least it shouldn't happen often.
Yep. Well, I think it is the client's (limited choice). If it needs to
know the server features, it needs to either wait for them, or make some
optimistic choice and be prepared to pay the cost of a mistake. We should
give the client choice, though, if we can.
> If you're sending encryption (w/ different auth or keys) from several
> different streams, how are you planning to indicate which bits
> go with which scheme?, and which bits are you planning to encrypt
> and which not?
This is what he stream ids are for, and why the outer portion of the frame
is unencrypted. See
https://github.com/ceph/ceph/pull/9461/files#diff-83789b4be697d82eedbcbe330c44b436R68
+ stream_id (le32)
+ frame_len (le32)
+ tag (TAG_* byte)
+ payload
+ [payload padding -- only present after stream auth phase]
+ [signature -- only present after stream auth phase]
The tag and payload (and padding) would be encrypted or signed, but not
the stream id and frame_len.
> Byte count limits. Basically, you don't want collisions because
> of duplicated keys or data. This depends on your crypto system,
> so, for instance, you should not encrypt with one key more than
> aes, cbc about 2^68 bytes
> aes, ctr exactly 2^128 bytes
> more generally, this depends on mode, blocksize, ...
> This applies across *all* uses of the key - and so you would
> generally want to use the session key directly as little as possible.
> (in particular, using the session key for ctr directly would be very very bad.)
>
> If you've got multiple streams going already, you should be able
> to include a fairly simple rekey method with little effort.
> For instance, as part of the method, you could,
> up front as part of the method
> send a per-stream key encrypted under the shared secret.
> prepend to the first data sent in a payload
> byte limit, stream key #0 (encrypted under the per-stream key)
> then encrypt the next N bytes with stream key #0
> when the byte limit is reached, prepend to the
> next data sent in a payload
> byte limit, stream key #1 (encrypted under the per-stream key)
> then encrypt the next N bytes with stream key #1
> &etc.
Good idea. If I understand correctly, it means that the session_key is
only used to send the new/next random encryption key, and if we make the
byte limit part of the initial protocol we get the rotation we need. It
might be simpler to do it as a frame limit instead of byte limit, and
assume max-length frames (2^32 bytes). We could still be super
conservative and rotate the encryption key every 2^16 messages or
something...? And rotating the key on frame boundaries should be much
simpler to implement.
Anyway, that part can be defined a bit later, I think.
Thanks!
sage
next prev parent reply other threads:[~2016-06-12 23:58 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-26 18:17 msgr2 protocol Sage Weil
2016-05-27 4:41 ` Haomai Wang
2016-05-27 4:45 ` Haomai Wang
2016-05-27 8:28 ` Marcus Watts
2016-05-27 17:33 ` Sage Weil
2016-05-27 17:28 ` Sage Weil
2016-05-27 9:44 ` Yehuda Sadeh-Weinraub
2016-05-27 17:37 ` Sage Weil
2016-05-28 18:19 ` Yehuda Sadeh-Weinraub
2016-06-02 15:43 ` Sage Weil
2016-06-02 15:59 ` Haomai Wang
2016-06-02 16:35 ` Sage Weil
2016-06-02 18:11 ` Gregory Farnum
2016-06-02 18:24 ` Sage Weil
2016-06-02 18:34 ` Gregory Farnum
2016-06-03 13:11 ` Sage Weil
2016-06-03 13:24 ` Sage Weil
2016-06-03 16:47 ` Haomai Wang
2016-06-03 17:33 ` Sage Weil
2016-06-03 17:35 ` Haomai Wang
2016-06-06 8:23 ` Junwang Zhao
2016-06-10 8:31 ` Marcus Watts
2016-06-10 10:11 ` Sage Weil
2016-06-10 10:48 ` Sage Weil
2016-06-06 20:16 ` Gregory Farnum
2016-06-10 11:04 ` Sage Weil
2016-06-10 19:05 ` Marcus Watts
2016-06-10 21:15 ` Sage Weil
2016-06-10 21:22 ` Gregory Farnum
2016-06-11 23:05 ` Marcus Watts
2016-06-12 23:59 ` Sage Weil [this message]
[not found] ` <CACJqLyax_SXEZp3vA2_wR+CdwKOo2Re=SsK2xfXqmXjz9d8iNw@mail.gmail.com>
2016-09-09 21:14 ` Sage Weil
[not found] ` <CACJqLyYwKZ5_1OHR_5=+mr=1ED2Nt34x4TB29j5dE1D+NjzFpg@mail.gmail.com>
2016-09-10 14:43 ` Haomai Wang
2016-09-11 17:05 ` Sage Weil
2016-09-12 2:29 ` Haomai Wang
2016-09-12 13:21 ` Sage Weil
2016-09-13 0:03 ` Gregory Farnum
2016-09-13 1:35 ` Haomai Wang
2016-09-13 13:21 ` Sage Weil
2016-09-13 11:50 ` Jeff Layton
2016-09-13 11:18 ` Jeff Layton
2016-09-13 13:31 ` Sage Weil
2016-09-13 14:48 ` Jeff Layton
2016-09-13 15:10 ` Sage Weil
2016-09-13 20:07 ` Gregory Farnum
2016-06-02 18:16 ` Gregory Farnum
2016-06-29 11:59 Avner Ben Hanoch
2016-06-29 16:52 ` Yehuda Sadeh-Weinraub
2016-06-30 11:59 ` Avner Ben Hanoch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.11.1606121950490.32559@cpach.fuggernut.com \
--to=sweil@redhat.com \
--cc=ceph-devel@vger.kernel.org \
--cc=gfarnum@redhat.com \
--cc=haomai@xsky.com \
--cc=mwatts@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.