On Fri, Sep 05, 2014 at 09:13:26AM +0100, Daniel P. Berrange wrote:
On Fri, Sep 05, 2014 at 12:02:18AM +0200, Wouter Verhelst wrote:
> [Cc: to nbd-general list added]
>
> On Wed, Sep 03, 2014 at 05:44:17PM +0100, Stefan Hajnoczi wrote:
> > Hi,
> > QEMU offers both NBD client and server functionality. The NBD protocol
> > runs unencrypted, which is a problem when the client and server
> > communicate over an untrusted network.
> >
> > The particular use case that prompted this mail is storage migration in
> > OpenStack. The goal is to encrypt the NBD connection between source and
> > destination hosts during storage migration.
>
> I've never given encrypted NBD high priority, since I don't think
> encryption without authentication serves much purpose -- and I haven't
> gotten around to adding authentication yet (for which I have plans; but
> other things have priority).
While have an authentication layer like SASL wired into the NBD protocol
would be nice, it shouldn't be considered a blocker / pre-requisite.
I'm not saying that. If someone were to come up with patches for TLS
support in NBD, I'm not going to say no (provided they're sensible etc,
yada yada). It's just that when I look at things to do for NBD and
prioritize, I intend work on authentication (with SASL, indeed) before I
work on TLS.
--
<Lo-lan-do> Home is where you have to wash the dishes.
-- #debian-devel, Freenode, 2004-09-22