Add TLS support #152

Closed
danielealbano opened this issue Jul 10, 2022 · 3 comments · Fixed by #155
Comments

@danielealbano (Owner)

Currently cachegrand doesn't provide any kind of over-the-wire encryption, which might lead to successful MITM attacks.

To avoid these kinds of problems, TLS encryption for the connection can be implemented, as it's also supported by the modules currently implemented (e.g. Redis & Prometheus).

To add support for TLS there are multiple options such as OpenSSL, mbedtls, kTLS, etc., and although the most common option is OpenSSL, for cachegrand kTLS is a better suited option because it's able to provide great performance, although losing support for some older TLS versions, e.g. TLS 1.1 and previous, which is not a problem per se because these shouldn't be used!

kTLS also has native support for hardware accelerators, which is a great advantage.

Here are some useful performance comparisons:
https://legacy.netdevconf.info/0x14/pub/slides/25/TLS%20Perf%20Characterization%20slides%20-%20Netdev%200x14%20v2.pdf
https://legacy.netdevconf.info/0x14/pub/papers/29/0x14-paper29-talk-paper.pdf (focuses on offloading)

More information on kTLS:
https://docs.kernel.org/networking/tls-offload.html
https://github.com/ktls/af_ktls
https://docs.nvidia.com/networking/display/MLNXOFEDv531001/Kernel+Transport+Layer+Security+(kTLS)+Offloads

Some reference repos for the actual implementation:
https://github.com/insanum/ktls_test

@danielealbano danielealbano created this issue from a note in cachegrand (Ready for Work) Jul 10, 2022
@danielealbano danielealbano moved this from Ready for Work to In Progress in cachegrand Jul 10, 2022
@danielealbano danielealbano added the enhancement New feature or request label Jul 10, 2022
@danielealbano danielealbano self-assigned this Jul 10, 2022
@danielealbano danielealbano added this to the v0.2 milestone Jul 10, 2022
@danielealbano (Owner, Author)

kTLS still doesn't handle in-kernel handshakes, although work is being carried out by TempestaFW, therefore a user-space library is required to handle the initial handshaking before enabling the TLS TX/RX in the kernel and, if available, in the underlying hardware accelerator.

kTLS has pretty limited support for ciphersuites, but the supported ones really cover the most used and secure ones, so for now it's fine to rely on these, although in the future additional support can be handled in userspace.

Currently cachegrand requires OpenSSL, but only for the big-integer implementation, not for the encryption; both mbedtls and OpenSSL should be compared to investigate which is the best option.
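The hand-off described in the comment above, as an added example that is not cachegrand's code: the user-space library (mbedtls in this discussion) finishes the handshake, and the resulting record keys are installed into the kernel with setsockopt so that plain send()/recv() on the socket are then encrypted by the kernel or the NIC. It assumes Linux with `linux/tls.h` available, an already connected TCP socket `fd`, and AES-128-GCM key, salt, IV and record-sequence bytes handed over by the handshake library (the names `ktls_fill_aes128gcm` and `ktls_enable` are mine).

```c
/* Added example: hand a finished TLS 1.2 AES-128-GCM session to kTLS.
 * Key material is assumed to come from the user-space handshake library. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <linux/tls.h>

#ifndef TCP_ULP
#define TCP_ULP 31 /* older libc headers lack it; value from the kernel uapi */
#endif

/* Fill the kernel crypto_info from handshake output. Returns 0, or -1 with
 * errno = EINVAL when a length does not match what AES-128-GCM needs; the
 * kernel would reject a wrong layout anyway, but failing early keeps the
 * error close to the handshake code that produced the material. */
static int ktls_fill_aes128gcm(struct tls12_crypto_info_aes_gcm_128 *ci,
                               const unsigned char *key, size_t key_len,
                               const unsigned char *salt, size_t salt_len,
                               const unsigned char *iv, size_t iv_len,
                               const unsigned char *rec_seq, size_t seq_len)
{
    if (key_len != TLS_CIPHER_AES_GCM_128_KEY_SIZE ||
        salt_len != TLS_CIPHER_AES_GCM_128_SALT_SIZE ||
        iv_len != TLS_CIPHER_AES_GCM_128_IV_SIZE ||
        seq_len != TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE) {
        errno = EINVAL;
        return -1;
    }
    memset(ci, 0, sizeof(*ci));
    ci->info.version = TLS_1_2_VERSION;
    ci->info.cipher_type = TLS_CIPHER_AES_GCM_128;
    memcpy(ci->key, key, key_len);
    memcpy(ci->salt, salt, salt_len);
    memcpy(ci->iv, iv, iv_len);
    memcpy(ci->rec_seq, rec_seq, seq_len); /* big-endian, as on the wire */
    return 0;
}

/* Attach the "tls" ULP and install the TX (and optionally RX) keys.
 * Returns -1 with errno set: ENOENT means tls.ko is not loaded,
 * EEXIST means the ULP is already attached to this socket. */
static int ktls_enable(int fd, const struct tls12_crypto_info_aes_gcm_128 *tx,
                       const struct tls12_crypto_info_aes_gcm_128 *rx)
{
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0)
        return -1;
    if (setsockopt(fd, SOL_TLS, TLS_TX, tx, sizeof(*tx)) < 0)
        return -1;
    if (rx && setsockopt(fd, SOL_TLS, TLS_RX, rx, sizeof(*rx)) < 0)
        return -1;
    return 0;
}
```

Once both directions are installed, any handshake-time buffering must already be drained, since bytes sent after TLS_TX is set are wrapped into TLS records by the kernel.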

@danielealbano (Owner, Author) commented Jul 10, 2022

Although OpenSSL has a simpler interface, it doesn't really support and the interface is a bit less flexible than mbedtls.

Also, for mbedtls I have found this article:
https://tia.mat.br/posts/2022/03/23/implementing-tls-in-lwan.html

It covers the usage of coroutines, which are similar to fibers, uses custom recv/send and enables kTLS, and therefore it's a perfect reference.

I have also found this wrapper around kTLS / mbed that automatically enables kTLS for sockets using mbed:
https://github.com/zliuva/ktlswrapper/blob/master/ktlswrapper.c

@danielealbano (Owner, Author)

With mbed going to be used for TLS, it makes sense to drop OpenSSL entirely and use the BigNum implementation from mbedtls.

@danielealbano danielealbano linked a pull request Jul 12, 2022 that will close this issue
cachegrand automation moved this from In Progress to Completed Jul 13, 2022