[oslo][cache] oslo.cache hardening

Moises Guimaraes de Medeiros moguimar at redhat.com
Thu Feb 27 15:13:47 UTC 2020


Hi all,

Whenever deploying a service inside a network, basic security concerns come
to mind:

- Is the network trusted? Can we send data in plaintext?
- Is the service available only to those intended to use it?
- Can the service itself or others have access to the data?

Caching servers are no exception, and a while ago Lance Bragstad and I
started a discussion about this topic.


*Possible solutions*

*Protecting data in transit using TLS*

Requires a backend with TLS support.

Since version 1.5.13, Memcached supports authentication and encryption via
TLS. This feature requires:

- OpenSSL 1.1.0 or later;
- A Memcached client with TLS support;
- A Memcached server built using ./configure --enable-tls.

Encrypting the traffic protects the data in transit from reading and
tampering. The complexity impact is that each Memcached server will need a
valid certificate. The performance impact is the TLS overhead itself.

Performing client authentication protects the server from unauthorized read
and write operations. The complexity impact is that each Memcached client
will need a valid certificate. The performance impact is bigger due to the
extra steps to authenticate both sides.

This approach doesn't protect the data held in memory by Memcached in any
other way.

*Authentication using SASL*

Requires a backend with SASL support.

Since version 1.4.3, Memcached supports authentication via SASL. This
feature requires:

- A Memcached client with SASL support;
- A Memcached server built using ./configure --enable-sasl.

This approach protects the server from unauthorized read and write
operations. The complexity and performance impact depends on the SASL
usage.

This approach doesn't protect the data in transit or held in memory by
Memcached in any other way.

*Encrypting data before storing*

Requires *NO* extra features in the backend.

This approach consists of encrypting the data before sending it to the
caching servers. The complexity impact is dealing with key sharing for the
encryption/decryption process. The performance impact depends on the
algorithms used for encryption.

This approach protects the data both in transit and held in memory by
caching servers, but the key sharing is more prone to setup errors than the
TLS or the SASL approach.

---

After considering the possible solutions, we decided to tackle the TLS path
first. We did an initial analysis of oslo.cache backends that use Memcached
together with Hervé Beraud here:

https://etherpad.openstack.org/p/oslo-cache-tls-support-worksheet

Since python-binary-memcached already has SASL support, we thought it to be
a good first candidate to implement TLS support and last month I had it
merged here:

https://github.com/jaysonsantos/python-binary-memcached/pull/211

We are now looking for more people interested in the discussion and willing
to help push changes forward.

--

Moisés Guimarães

Software Engineer

Red Hat
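
The two TLS modes described in the message above (encryption with a server certificate only, and client authentication on top of it), seen from the client side. This is an added example, not part of the original message and not code from oslo.cache or python-binary-memcached; the function names, certificate paths and host name are assumptions.

```python
import socket
import ssl


def memcached_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Build a client-side TLS context for a TLS-enabled Memcached server.

    ca_file: CA bundle that signed the server certificates (assumed path;
             the system trust store is used when None).
    client_cert / client_key: only needed when the server performs client
             authentication, the second mode the message describes.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context() already enables both checks. They are stated
    # explicitly because disabling either one removes the protection against
    # reading and tampering that TLS is deployed for.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        # Raises OSError if the files are missing or unreadable, so a broken
        # deployment fails at start-up instead of silently skipping client auth.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def memcached_version(host, port, ctx, timeout=3.0):
    """Send the text-protocol 'version' command over TLS.

    Returns (server reply, negotiated TLS version). The handshake raises
    ssl.SSLCertVerificationError if the server certificate does not chain
    to the configured CA or does not match `host`.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"version\r\n")
            reply = tls.recv(128).decode("ascii", "replace").strip()
            return reply, tls.version()


if __name__ == "__main__":
    # Constructed deployment values, for illustration only.
    context = memcached_tls_context(
        ca_file="/etc/pki/cache/ca.pem",
        client_cert="/etc/pki/cache/client.pem",
        client_key="/etc/pki/cache/client.key",
    )
    print(memcached_version("cache01.example.internal", 11211, context))
```
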