[OpenAFS] Encrypted connections by default in OpenAFS 1.8?

Benjamin Kaduk openafs-info@openafs.org
Fri, 27 Feb 2015 15:26:07 -0500 (EST)


Hi all,

The progress towards a 1.8 release is well underway, and it is time to
consider what behavior changes are desired for the major release boundary.

One change which has been proposed is to encrypt connections by default.
There has long been the 'fs setcrypt' command (introduced in 2001) to
allow the connections from a cache manager to the servers in the cell
(which most distributions' packaging enable by default).  However, there
is not currently an option to enable encryption for the intra-dbserver
connections which effect ubik replication, or for other server-to-server
connections such as fileserver queries to the protection server, and
volume forwarding traffic.

Given events in the news in recent years, it seems to me that we do our
users a disservice by not using a "secure" mode operation by default.
(Quote around "secure" are necessary given the known weaknesses of the
fcrypt encryption used by rxkad, but with the rxkad-k5 extension, there
does remain some level of protection to offer.)  Though rxkad encryption
is known to introduce severe performance penalties, administrators who
require the extra performance should be able to discover that and use
the documented procedure for disabling encryption.  Administrators who
just want to set something up and have it running would be protected,
without needing to know that they need to go through the effort of finding
the documentation and enabling encryption everywhere.

I propose that the OpenAFS 1.8 major release introduce encryption by
default, for all(*) connections, whether client-to-server or
server-to-server.  There would of course be knobs to disable encryption
for sites which do not need it, but the default value would be "on".

In addition to feedback on the general proposal for encrypt-by-default, I
would appreciate feedback on more detailed questions, which might shape
the structure of an implementation:

(1) Is it sufficient to have one single knob that controls all connections
from a given host, whether cache manager or server?

(2) (Assuming that the answer to (1) is "no") Should there be separate
knobs knob for intra-ubik connections, fileserver-to-ptserver, and
volserver-to-volserver connections?

(3) What downsides do you see as possible for a new text-based
configuration file to control the various behaviors?  (Looking forward,
this could also be a place to configure selection of rxgk vs. rxkad.)


No decisions have been made; this thread is me seeking feedback from the
community on an issue where I have an opinion but do not know the position
of the community as a whole.

Thank you,

Ben


(*) My current proposal affects mostly the cache manager;
encryption-by-default for the standalong client tools (vos, pts, bos,
etc.) would be configurable in a different way, presumably with a
command-line option.