Currently cachegrand doesn't provide any kind of over-the-wire encryption, which might lead to successful MITM attacks.
To avoid these kinds of problems, TLS encryption for the connection can be implemented, as it's also supported by the modules currently implemented (e.g. Redis & Prometheus).
To add support for TLS there are multiple options, such as OpenSSL, mbedtls, kTLS, etc., and although the most common option is OpenSSL, for cachegrand kTLS is a better-suited option because it's able to provide great performance, although losing support for some older TLS versions, e.g. TLS 1.1 and previous, which is not a problem per se because these shouldn't be used!
kTLS also has native support for hardware accelerators, which is a great advantage.
kTLS still doesn't handle in-kernel handshakes, although work is being carried out by TempestaFW, therefore a user-space library is required to handle the initial handshake before enabling the TLS TX/RX in the kernel and, if available, on the underlying hardware accelerator.
kTLS has pretty limited support for cipher suites, but the supported ones really cover the most used and secure ones, so for now it's fine to rely on these, although in the future additional support can be handled in user space.
Currently cachegrand requires OpenSSL but only for the big integer implementation, not for the encryption; both mbedtls and OpenSSL should be compared to investigate which is the best option.
Here are some useful performance comparisons:
https://legacy.netdevconf.info/0x14/pub/slides/25/TLS%20Perf%20Characterization%20slides%20-%20Netdev%200x14%20v2.pdf
https://legacy.netdevconf.info/0x14/pub/papers/29/0x14-paper29-talk-paper.pdf (focuses on offloading)
More information on kTLS:
https://docs.kernel.org/networking/tls-offload.html
https://github.com/ktls/af_ktls
https://docs.nvidia.com/networking/display/MLNXOFEDv531001/Kernel+Transport+Layer+Security+(kTLS)+Offloads
Some reference repos for the actual implementation:
https://github.com/insanum/ktls_test
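The "user-space handshake, then hand the keys to the kernel" split described above, as an added example that is not cachegrand code and not from the linked repos. It assumes a TLS 1.2 session with AES-128-GCM (one of the cipher suites kTLS accepts) and that the user-space library exposes the per-direction write key, salt, explicit IV and the next record sequence number after its Finished message; the key bytes in `ktls_selftest()` are constructed placeholders, not real traffic keys. It also shows the one thing that surprises people after the switch: plain `send()` only emits application-data records, so alerts such as close_notify need a `TLS_SET_RECORD_TYPE` control message.

```c
/* Added example: attach kTLS (AES-128-GCM, TLS 1.2) to an established TCP
 * socket after a user-space library has finished the handshake. Not from
 * cachegrand; constants and struct layouts come from <linux/tls.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <linux/tls.h>

#ifndef TCP_ULP
#define TCP_ULP 31   /* older netinet/tcp.h lacks it; value from linux/tcp.h */
#endif

/* Per-direction material the user-space TLS library must export after the
 * handshake (assumed interface; OpenSSL/mbedtls do not hand this out for free). */
struct gcm128_keys {
    uint8_t  key[TLS_CIPHER_AES_GCM_128_KEY_SIZE];    /* 16-byte write key   */
    uint8_t  salt[TLS_CIPHER_AES_GCM_128_SALT_SIZE];  /* 4-byte implicit IV  */
    uint8_t  iv[TLS_CIPHER_AES_GCM_128_IV_SIZE];      /* 8-byte explicit IV  */
    uint64_t next_rec_seq;  /* records already sent by the handshake count! */
};

/* Best-effort key scrubbing that the optimizer will not drop. */
static void scrub(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Build the kernel's crypto_info. rec_seq is stored big-endian, exactly as
 * it appears in the record nonce; starting it at 0 after the handshake would
 * reuse the nonce of the Finished record. */
static struct tls12_crypto_info_aes_gcm_128
ktls_aes_gcm_128_info(const struct gcm128_keys *k)
{
    struct tls12_crypto_info_aes_gcm_128 ci;
    memset(&ci, 0, sizeof ci);
    ci.info.version     = TLS_1_2_VERSION;
    ci.info.cipher_type = TLS_CIPHER_AES_GCM_128;
    memcpy(ci.key,  k->key,  sizeof ci.key);
    memcpy(ci.salt, k->salt, sizeof ci.salt);
    memcpy(ci.iv,   k->iv,   sizeof ci.iv);
    for (int i = 0; i < 8; i++)
        ci.rec_seq[i] = (uint8_t)(k->next_rec_seq >> (8 * (7 - i)));
    return ci;
}

/* Order matters: the "tls" ULP first, then TLS_TX and TLS_RX, each settable
 * only once and only on an ESTABLISHED TCP socket. Returns 0 or -errno
 * (-ENOENT: tls module missing, -ENOTCONN: socket not connected). */
static int ktls_attach(int fd, const struct gcm128_keys *tx,
                       const struct gcm128_keys *rx)
{
    struct tls12_crypto_info_aes_gcm_128 ci;
    int rc = 0;
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof "tls") < 0)
        return -errno;
    ci = ktls_aes_gcm_128_info(tx);
    if (setsockopt(fd, SOL_TLS, TLS_TX, &ci, sizeof ci) < 0)
        rc = -errno;
    if (rc == 0) {
        ci = ktls_aes_gcm_128_info(rx);
        if (setsockopt(fd, SOL_TLS, TLS_RX, &ci, sizeof ci) < 0)
            rc = -errno;
    }
    scrub(&ci, sizeof ci);   /* the kernel owns the keys from here on */
    return rc;
}

/* send() on a kTLS socket writes application-data records only; alerts
 * (e.g. close_notify = {1, 0}, record type 21) need this control message. */
static ssize_t ktls_send_record(int fd, uint8_t record_type,
                                const void *buf, size_t len)
{
    char cbuf[CMSG_SPACE(sizeof(uint8_t))];
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_TLS;
    cm->cmsg_type  = TLS_SET_RECORD_TYPE;
    cm->cmsg_len   = CMSG_LEN(sizeof(uint8_t));
    *CMSG_DATA(cm) = record_type;
    return sendmsg(fd, &msg, 0);
}

/* Constructed placeholder keys; checks the struct the kernel would receive. */
static int ktls_selftest(void)
{
    struct gcm128_keys k = { .salt = {0x0a, 0x0b, 0x0c, 0x0d}, .next_rec_seq = 1 };
    for (int i = 0; i < 16; i++) k.key[i] = (uint8_t)i;
    for (int i = 0; i < 8;  i++) k.iv[i]  = (uint8_t)(0xf0 | i);
    struct tls12_crypto_info_aes_gcm_128 ci = ktls_aes_gcm_128_info(&k);
    int ok = ci.info.version == TLS_1_2_VERSION
          && ci.info.cipher_type == TLS_CIPHER_AES_GCM_128
          && memcmp(ci.key, k.key, 16) == 0 && memcmp(ci.salt, k.salt, 4) == 0
          && memcmp(ci.iv, k.iv, 8) == 0
          && ci.rec_seq[0] == 0 && ci.rec_seq[7] == 1;   /* big-endian 1 */
    return ok;
}

int main(void)
{
    struct gcm128_keys tx = {0}, rx = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);   /* unconnected on purpose */
    int rc = ktls_attach(fd, &tx, &rx);
    printf("selftest=%d attach on unconnected socket: %s\n",
           ktls_selftest(), strerror(-rc));      /* ENOTCONN or ENOENT */
    return 0;
}
```

On a real connection the two `gcm128_keys` come from the library that ran the handshake (server write keys go into `TLS_TX`, client write keys into `TLS_RX` on the server side) and `ktls_send_record(fd, 21, "\x01\x00", 2)` is how the socket is closed cleanly once `TLS_TX` is active.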