[openstack-dev] Secure RPC

Clark, Robert Graham robert.clark at hp.com
Tue Nov 6 16:55:42 UTC 2012


> -----Original Message-----
> From: Russell Bryant [mailto:rbryant at redhat.com]
> Sent: 06 November 2012 13:35
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] Secure RPC
> 
> On 11/06/2012 06:35 AM, Clark, Robert Graham wrote:
> > I believe there are two options here, role based signing and entity
> > based signing; note that I'm not calling out any specific crypto here,
> > there's a bunch of stuff that could be used. In role based signing
> > each role nova-host, nova-network, nova-etc would share a signing-key
> > and any system receiving a signed message from a role can verify that
> > the message originated from a machine of that role. The alternative is
> > entity based signing where each host is given its own signing-key and
> > when a system receives a message it can verify exactly which machine
> > the message came from. I'd be interested to know which method people
> > felt was most appropriate. The latter often appears to be more secure
> > but it's possible to argue that this is outweighed by the extra
> > overhead. Each machine in your system now needs to know about the
> > signing key of every other machine - which makes
> > key-rolling/revocation painful and it doesn't isolate any potential
> > attacks; most people who deploy at any scale use configuration
> > management to keep systems at the same patch level which means that
> > within the datacentre you have a flat exploitation space - if I
> > compromised one nova-host I can compromise the rest with the same
> > exploit - so protecting the signed-keys from individual compromise (by
> > having entity based keys) sometimes buys you very little.
> 
> I think we need machine-based signing.  Really, I want machine+role signing.
> 
> Some things I'd like to be able to do ...
> 
> 1) I want to ensure that only the nova-scheduler service is allowed to
> tell nova-compute services to start a new VM.  Services of another type
> should not be allowed to do this.  Role-based signing would cover this case.
> 
> 2) We are in the middle of some work to remove database access from
> nova-compute.  This will likely result in having another service that
> nova-compute works with to get instance state updated as needed.  I'd like
> to be able to ensure that only the nova-compute service hosting a given
> instance can affect that instance's information in the database.
> I do not want another nova-compute service (on a potentially compromised
> host) able to change important details about the instance.  Role-based
> signing is not enough to enforce that.

I absolutely see this as being where we need to get to eventually. If you
believe we can do this in one big leap then all the better!

> 
> --
> Russell Bryant
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
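The machine+role signing Russell asks for, with both of his cases checked on the receiving side, as an added example that is not part of this thread or of OpenStack's RPC code. The thread names no specific crypto, so HMAC-SHA256 over shared keys stands in for the signature; every role name, host name, key, method and the instance-ownership table is constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed demo keys, not real OpenStack material. In a deployment a
# host would hold only its own host key plus its role's key; the verifier
# needs all of them (the key-distribution overhead discussed above).
ROLE_KEYS = {"nova-scheduler": b"role-sched-key", "nova-compute": b"role-compute-key"}
HOST_KEYS = {"sched-1": b"host-s1-key", "compute-a": b"host-a-key", "compute-b": b"host-b-key"}
HOST_ROLE = {"sched-1": "nova-scheduler", "compute-a": "nova-compute", "compute-b": "nova-compute"}

# Case 1: which role may invoke which RPC method (constructed policy).
METHOD_ROLES = {"run_instance": {"nova-scheduler"}, "update_instance": {"nova-compute"}}
# Case 2: which host currently hosts each instance (constructed table).
INSTANCE_HOST = {"inst-42": "compute-a"}


def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign(msg, role, host):
    """Wrap msg in an envelope carrying a role MAC and a host MAC."""
    body = json.dumps(msg, sort_keys=True).encode()  # canonical bytes
    return {"body": msg, "role": role, "host": host,
            "role_sig": _mac(ROLE_KEYS[role], body),
            "host_sig": _mac(HOST_KEYS[host], body)}


def verify(env):
    """Return (ok, reason): check both MACs, then role and host policy."""
    role, host = env["role"], env["host"]
    if role not in ROLE_KEYS or host not in HOST_KEYS or HOST_ROLE[host] != role:
        return False, "unknown signer or host/role mismatch"
    body = json.dumps(env["body"], sort_keys=True).encode()
    if not hmac.compare_digest(env["role_sig"], _mac(ROLE_KEYS[role], body)):
        return False, "bad role signature"
    if not hmac.compare_digest(env["host_sig"], _mac(HOST_KEYS[host], body)):
        return False, "bad host signature"
    method = env["body"].get("method")
    if role not in METHOD_ROLES.get(method, set()):
        return False, f"role {role} may not call {method}"
    # Entity-level check: only the compute hosting the instance may update it.
    if method == "update_instance" and INSTANCE_HOST.get(env["body"]["instance"]) != host:
        return False, f"{host} does not host {env['body']['instance']}"
    return True, "ok"
```

The envelope carries no nonce or timestamp, so a captured message could be resubmitted unchanged; a real scheme needs replay protection on top of the signatures.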