[openstack-dev] [nova][keystone] Message Queue Security

Simo Sorce simo at redhat.com
Fri Apr 26 20:30:17 UTC 2013


On Fri, 2013-04-26 at 16:09 -0400, Eric Windisch wrote:
> > 
> > Also read the email I sent today, the number of lookups is down to 1
> > now, just like in the public key case.
> > > 
> > 
> 
> Except in the public-key case, the lookup is done on the receiving end
> for verifications, not on the sender-side. 
> 
> The receiving end tends to scale-out more than the sending end and can
> more comfortably handle these lookups.
> 
> The 5 schedulers sending to 1000 compute or volume services shouldn't
> bear the burden of performing lookups if those lookups can be
> performed on the receiving end. 1000 hosts can more comfortably make
> queries than 5 hosts can.

Except for encryption you have to do those lookups on the sender side
too, so you are back to square zero.

Also doing lookup on the receiver you forgo the possibility of doing
access control even before allowing to send any message, requiring
access control on the receiving end (potentially a second lookup for the
policy).

Also doing lookups on the receiver end you open up to an attack where a
malicious users sends thousands of messages *seemingly* coming from
different sources causing the receiver to try thousands of requests
against the server to verify a public key that does not exist.

Sorry, no silver bullet for you.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York




More information about the OpenStack-dev mailing list