[openstack-dev] [Neutron][LBaaS] SSL re-encryption scenario question
Stephen Balukoff
sbalukoff at bluebox.net
Fri Apr 18 17:36:11 UTC 2014
Dang. I was hoping this wasn't the case. (I personally think it's a
little silly not to trust your service provider to secure a network when
they have root access to all the machines powering your cloud... but I
digress.)
Part of the reason I was hoping this wasn't the case, isn't just because it
consumes a lot more CPU on the load balancers, but because now we
potentially have to manage client certificates and CA certificates (for
authenticating from the proxy to back-end app servers). And we also have to
decide whether we allow the proxy to use a different client cert / CA per
pool, or per member.
Yes, I realize one could potentially use no client cert or CA (ie.
encryption but no auth)... but that actually provides almost no extra
security over the unencrypted case: If you can sniff the traffic between
proxy and back-end server, it's not much more of a stretch to assume you
can figure out how to be a man-in-the-middle.
Do any of you have a use case where some back-end members require SSL
authentication from the proxy and some don't? (Again, deciding whether
client cert / CA usage should attach to a "pool" or to a "member.")
It's a bit of a rabbit hole, eh.
Stephen
On Fri, Apr 18, 2014 at 10:21 AM, Eichberger, German <
german.eichberger at hp.com> wrote:
> Hi Stephen,
>
>
>
> The use case is that the Load Balancer needs to look at the HTTP requests
> be it to add an X-Forward field or change the timeout – but the network
> between the load balancer and the nodes is not completely private and the
> sensitive information needs to be again transmitted encrypted. This is
> admittedly an edge case but we had to implement a similar scheme for HP
> Cloud’s swift storage.
>
>
>
> German
>
>
>
> *From:* Stephen Balukoff [mailto:sbalukoff at bluebox.net]
> *Sent:* Friday, April 18, 2014 8:22 AM
>
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* [openstack-dev] [Neutron][LBaaS] SSL re-encryption scenario
> question
>
>
>
> Howdy, folks!
>
>
>
> Could someone explain to me the SSL usage scenario where it makes sense to
> re-encrypt traffic traffic destined for members of a back-end pool? SSL
> termination on the load balancer makes sense to me, but I'm having trouble
> understanding why one would be concerned about then re-encrypting the
> traffic headed toward a back-end app server. (Why not just use straight TCP
> load balancing in this case, and save the CPU cycles on the load balancer?)
>
>
>
> We terminate a lot of SSL connections on our load balancers, but have yet
> to have a customer use this kind of functionality. (We've had a few ask
> about it, usually because they didn't understand what a load balancer is
> supposed to do-- and with a bit of explanation they went either with SSL
> termination on the load balancer + clear text on the back-end, or just
> straight TCP load balancing.)
>
>
>
> Thanks,
>
> Stephen
>
>
>
>
> --
> Stephen Balukoff
> Blue Box Group, LLC
> (800)613-4305 x807
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
--
Stephen Balukoff
Blue Box Group, LLC
(800)613-4305 x807
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140418/a2829e1b/attachment.html>
More information about the OpenStack-dev
mailing list