[oslo][cache] oslo.cache hardening
Moises Guimaraes de Medeiros
moguimar at redhat.com
Thu Feb 27 15:13:47 UTC 2020
Whenever deploying a service inside a network, basic security concerns come
- Is the network trusted? Can we send data in plaintext?
- Is the service available only to those intended to use it?
- Can the service itself or others have access to the data?
Caching servers are no exception, and a while ago Lance Bragstad and I
started a discussion about this topic.
*Protecting data in transit using TLS*
Requires a backend with TLS support.
Since version 1.5.13, Memcached supports authentication and encryption via
TLS. This feature requires:
- OpenSSL 1.1.0 or later;
- A Memcached client with TLS support;
- A Memcached server built using ./configure --enable-tls.
Encrypting the traffic protects the data in transit from reading and
tampering. The complexity impact is that each Memcached server will need a
valid certificate. The performance impact is the TLS overhead itself.
Performing client authentication protects the server from unauthorized read
and write operations. The complexity impact is that each Memcached client
will need a valid certificate. The performance impact is bigger due to the
extra steps to authenticate both sides.
This approach doesn't protect the data held in memory by Memcached in any
other way.
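As an added illustration of the client side of the TLS path described above (example code, not from oslo.cache or python-binary-memcached): building a TLS context that validates the Memcached server's certificate and, when a client certificate is supplied, performs the client authentication step as well. The host, port and certificate paths are assumptions; the connection helper speaks the plain-text Memcached protocol over the wrapped socket.

```python
import socket
import ssl


def build_memcached_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Return an SSLContext suitable for a Memcached client.

    ca_file: CA bundle that signed the Memcached server certificates
             (None = system trust store).
    client_cert/client_key: PEM files for client authentication; only
             needed when the server is configured to verify clients.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # Refuse legacy protocol versions; TLS 1.2 is the floor here.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Always verify the server certificate and that it matches the host
    # we connected to, so a rogue cache server cannot impersonate a real one.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        # Client authentication: each client now needs its own certificate,
        # which is the complexity cost mentioned above.
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def context_summary(ctx):
    """Expose the security-relevant settings of a context for inspection."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def memcached_version(host, port, ctx, timeout=3.0):
    """Open a TLS connection to Memcached and ask for its version string.

    Raises ssl.SSLError if the server certificate does not validate or the
    server rejects our client certificate. Hypothetical host/port values are
    passed in by the caller.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"version\r\n")
            return tls.recv(1024).decode("ascii").strip()


if __name__ == "__main__":
    print(context_summary(build_memcached_tls_context()))
```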
*Authentication using SASL*
Requires a backend with SASL support.
Since version 1.4.3, Memcached supports authentication via SASL. This
feature requires:
- A Memcached client with SASL support;
- A Memcached server built using ./configure --enable-sasl.
This approach protects the server from unauthorized read and write
operations. The complexity and performance impact is according to SASL
This approach doesn't protect the data in transit or held in memory by
Memcached in any other way.
*Encrypting data before storing*
Requires *NO* extra features in the backend.
This approach consists of encrypting the data before sending it to the
caching servers. The complexity impact is dealing with key sharing for the
encryption/decryption process. The performance impact depends on the
algorithms used for encryption.
This approach protects the data both in transit and held in memory by
caching servers, but the key sharing is more prone to setup errors than the
TLS or the SASL approach.
After considering the possible solutions, we decided to tackle the TLS path
first. We did an initial analysis of oslo.cache backends that use Memcached
together with Hervé Beraud here:
Since python-binary-memcached already has SASL support, we thought it to be
a good first candidate to implement TLS support and last month I had it
We are now looking for more people interested in the discussion and help to
push changes forward.