[openstack-dev] Secure RPC
Russell Bryant
rbryant at redhat.com
Tue Nov 6 13:35:26 UTC 2012
On 11/06/2012 06:35 AM, Clark, Robert Graham wrote:
> I believe there are two options here, role based signing and entity based
> signing; note that I'm not calling out any specific crypto here, there's a
> bunch of stuff that could be used. In role based signing each role
> nova-host, nova-network, nova-etc would share a signing-key and any system
> receiving a signed message from a role can verify that the message
> originated from a machine of that role. The alternative is entity based
> signing where each host is given its own signing-key and when a system
> receives a message it can verify exactly which machine the message came
> from. I'd be interested to know which method people felt was most
> appropriate. The latter often appears to be more secure but it's possible to
> argue that this is outweighed by the extra overhead. Each machine in your
> system now needs to know about the signing key of every other machine -
> which makes key-rolling/revocation painful and it doesn't isolate any
> potential attacks; most people who deploy at any scale use configuration
> management to keep systems at the same patch level which means that within
> the datacentre you have a flat exploitation space - if I compromised one
> nova-host I can compromise the rest with the same exploit - so protecting
> the signing-keys from individual compromise (by having entity based keys)
> sometimes buys you very little.
I think we need machine-based signing. Really, I want machine+role signing.
Some things I'd like to be able to do ...
1) I want to ensure that only the nova-scheduler service is allowed to
tell nova-compute services to start a new VM. Services of another type
should not be allowed to do this. Role-based signing would cover this case.
2) We are in the middle of some work to remove database access from
nova-compute. This will likely result in having another service that
nova-compute works with to get instance state updated as needed. I'd
like to be able to ensure that only the nova-compute service hosting a
given instance can affect that instance's information in the database.
I do not want another nova-compute service (on a potentially compromised
host) able to change important details about the instance. Role-based
signing is not enough to enforce that.
--
Russell Bryant
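An added example, not code from the thread or from Nova: a small Python sketch of the machine+role check Russell asks for, using HMAC over a JSON body as a stand-in for whatever crypto is eventually chosen. Host names, keys, the instance placement table and the method names are constructed for illustration.

```python
import hmac, hashlib, json

# Constructed registry: every host has its own key (entity-based) and a role.
HOSTS = {
    "sched01":   {"role": "nova-scheduler", "key": b"k-sched01"},
    "compute01": {"role": "nova-compute",   "key": b"k-compute01"},
    "compute02": {"role": "nova-compute",   "key": b"k-compute02"},
}
# Constructed placement table: which compute host owns which instance.
INSTANCE_HOST = {"inst-1": "compute01"}
# Methods that only one role may invoke (Russell's case 1).
ROLE_ONLY = {"run_instance": "nova-scheduler"}

def sign(sender, method, args):
    """Entity-based signing: authenticate the message with the sender's own key."""
    body = json.dumps({"sender": sender, "method": method, "args": args}, sort_keys=True)
    sig = hmac.new(HOSTS[sender]["key"], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_and_authorize(msg):
    """Return (ok, reason): verify the signature, then apply role and host policy."""
    fields = json.loads(msg["body"])
    sender = fields["sender"]
    entry = HOSTS.get(sender)
    if entry is None:
        return False, "unknown sender"
    # The key is looked up from the claimed sender, so a host that forges the
    # sender field without that host's key fails here.
    expected = hmac.new(entry["key"], msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        return False, "bad signature"
    method, args = fields["method"], fields["args"]
    # Role check: only nova-scheduler may ask a compute node to start a VM.
    if method in ROLE_ONLY and entry["role"] != ROLE_ONLY[method]:
        return False, f"role {entry['role']} may not call {method}"
    # Machine check (case 2): only the compute host that owns the instance may
    # change its record, so a second, possibly compromised, compute host cannot.
    if method == "update_instance_state":
        if entry["role"] != "nova-compute":
            return False, "only nova-compute may update instance state"
        if INSTANCE_HOST.get(args["instance"]) != sender:
            return False, f"{sender} does not host {args['instance']}"
    return True, "ok"
```

Role-based signing alone would pass the first check but could not distinguish compute01 from compute02 in the second; the per-host key is what makes the host binding enforceable.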