Skip to content
This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

New connection protocol version with encrypted features map #1098

Merged
merged 3 commits into from
Jul 14, 2015

Conversation

dpw
Copy link
Contributor

@dpw dpw commented Jul 7, 2015

Addresses #1029.

Although the new protocol version fixes #912, because compatibility support for the old protocol version is present, we cannot declare #912 fixed by this PR. Unless there are other overriding factors, I suggest we retain compatibility for one major release, i.e. drop V1 compatibility in 1.2. I'll create an issue for that if/when this gets merged.

@dpw dpw force-pushed the encrypt-features branch from 59a357a to 83f3027 Compare July 7, 2015 13:12
@rade
Copy link
Member

rade commented Jul 7, 2015

I suggest we retain compatibility for one major release, i.e. drop V1 compatibility in 1.2.

That's a good plan since it allows a rolling upgrade from weave 1.0 to 1.1 and then to 1.2.

However, it also does delay the fix to #912 for a fair while. We could add an option to the router to allow manual adjustment of the min supported protocol version. 1.1 users could use that to insist on V2, thus eliminating the #912 DoS vector. They could even do a rolling upgrade of 1.0 that way, i.e. first roll out a normal upgrade to 1.1, and then roll out an upgrade that bumps the min protocol version.

@rade
Copy link
Member

rade commented Jul 7, 2015

We could add an option to the router to allow manual adjustment of the min supported protocol version.

And the default for 1.1 could be to only speak V2, so it's secure by default.

@dpw
Copy link
Contributor Author

dpw commented Jul 7, 2015

And the default for 1.1 could be to only speak V2, so it's secure by default.

I don't see much point in making the compatibility optional and defaulting to incompatible. Users won't set the option until they run into the incompatibility, by which point any serious inconvenience that might occur has likely already occurred. "Compatible but not by default" effectively means incompatible.

Given how long this issue has been around, and the relatively low risk that someone will want to DoS a weave deployment at this point, and the high probability that there are other ways to DoS weave if they did want to, I recommend leaving #912 open for one more major release.

If we do make compatibility optional, then it should default to compatible. Paranoid users can then control the risk of #912 if they want. Though any paranoid users should already have firewalls ensuring that weave can only receive from a restricted set of IP addresses.

@rade
Copy link
Member

rade commented Jul 7, 2015

If we do make compatibility optional, then it should default to compatible.

I agree with that but also think it is trumped by security. "secure+incompatible" wins over "insecure+compatible".

@dpw
Copy link
Contributor Author

dpw commented Jul 7, 2015

If we do make compatibility optional, then it should default to compatible.

I agree with that but also think it is trumped by security. "secure+incompatible" wins over "insecure+compatible".

This is a DoS issue, not a break in weave's encryption. So as a security issue, it is at the weak end of the spectrum. This is tacitly recognized by the fact that #912 has been open for weeks with no rush to get it fixed.

In that context, the ordering between "secure+incompatible" and "insecure+compatible" is not so clear. Having an option for the paranoid seems like providing our users with a choice. Having an option to maintain compatibility seems like such a weak form of compatibility that I doubt it is worth the engineering effort. Why not just say "1.1 is not compatible with 1.0 due to a security issue"?

@rade
Copy link
Member

rade commented Jul 7, 2015

Why not just say "1.1 is not compatible with 1.0 due to a security issue"?

Could do, but seems a shame given that we can make it compatible, and you've already written the code for it.

If we do introduce a min-version option, and make v1 ("compatible but with DoS vector") the default, do you think we can claim to have solved #912?

@rade
Copy link
Member

rade commented Jul 7, 2015

Users won't set the option until they run into the incompatibility, by which point any serious inconvenience that might occur has likely already occurred.

There will likely be a few things like that in 1.1, i.e. situations where special care, and modifications of scripts, is needed to perform a rolling upgrade from 1.0.

@dpw
Copy link
Contributor Author

dpw commented Jul 7, 2015

Could do, but seems a shame given that we can make it compatible, and you've already written the code for it.

The compatibility code in this PR is merely a necessary condition for 1.1 to be compatible with 1.0. Work in other areas may be required for compatibility.

Also, if compatibility were not an objective, I would have removed the vestigial layer of gob encoding that remains in the V2 protocol but is only used to encode []byte items.

If we do introduce a min-version option, and make v1 ("compatible but with DoS vector") the default, do you think we can claim to have solved #912?

I think we can reasonably claim to have solved #912 with the PR as it stands.

I think we can reasonably claim not to have solved #912 until the V1 protocol code is removed.

If we include a min-version option that gives the user a choice between security and compatibility, we'll have to document its implications carefully in the release notes whatever the default. After that, whether we say #912 is solved or not is academic.

@rade
Copy link
Member

rade commented Jul 7, 2015

Also, if compatibility were not an objective, I would have removed the vestigial layer of gob encoding that remains in the V2 protocol but is only used to encode []byte items.

Interesting. I'm guessing you are talking about replacing layer 4 in #519 with a simple length-prefix encoding with a reasonable size bound?

@dpw
Copy link
Contributor Author

dpw commented Jul 7, 2015

There will likely be a few things like that in 1.1, i.e. situations where special care, and modifications of scripts, is needed to perform a rolling upgrade from 1.0.

We should keep an eye on whether the end result is worth it. I assume the desire expressed for compatibility between different versions of weave is because our users wish to be able to mix different versions and have them work together without worrying about it. If we have a "compatibility" that requires a contorted process on the user's part, then we may find that no-one actually follows that route, deciding that it's easier and safer to do a full deployment instead.

@dpw
Copy link
Contributor Author

dpw commented Jul 7, 2015

Interesting. I'm guessing you are talking about replacing layer 4 in #519 with a simple length-prefix encoding with a reasonable size bound?

Yes. With compatibility in mind, it seemed better to keep the v1-to-2 protocol changes focused on a single goal, and leave other changes for future protocol revisions. But without compatibility, that degobification would be close to trivial.

@rade
Copy link
Member

rade commented Jul 7, 2015

The users we have had discussions with are actually quite ok with spending some effort on an upgrade. Their main concern is the ability to perform a rolling upgrade. As long as that is possible, even if it involves some modifications to existing config/deployment scripts, they are happy.

There does of course come a point where the contortions required become too cumbersome. Arguably the same is true of our code base.

I think we are close to the point with 1.1 where breaking compatibility is the least worst option.

@rade
Copy link
Member

rade commented Jul 8, 2015

@dpw I have cherry-picked the first three commits onto master. Please rebase. Was going to pick the fourth too but found a bug in it. Please fix.

@rade rade assigned dpw Jul 8, 2015
@rade
Copy link
Member

rade commented Jul 8, 2015

Thinking about documenting a --min-version option has put me off the idea.

@dpw dpw force-pushed the encrypt-features branch from 83f3027 to d0be20a Compare July 8, 2015 15:41
@dpw
Copy link
Contributor Author

dpw commented Jul 8, 2015

Thinking about documenting a --min-version option has put me off the idea.

Already implemented. We can leave it undocumented, or rip the option out easily enough.

@dpw dpw force-pushed the encrypt-features branch from d0be20a to ce8dfb7 Compare July 8, 2015 16:20
@rade
Copy link
Member

rade commented Jul 8, 2015

I have cherry-picked 7d5e6b5 onto master.

@rade rade unassigned dpw Jul 8, 2015
@rade
Copy link
Member

rade commented Jul 9, 2015

@dpw pls rebase.

@rade rade assigned dpw Jul 9, 2015
@dpw dpw force-pushed the encrypt-features branch from ce8dfb7 to 04581f1 Compare July 9, 2015 10:04
@dpw
Copy link
Contributor Author

dpw commented Jul 9, 2015

@dpw pls rebase.

Done. But there were no conflicts so I'm not sure why this was requested.

@dpw dpw assigned rade and unassigned dpw Jul 9, 2015
@rade
Copy link
Member

rade commented Jul 9, 2015

Done. But there were no conflicts so I'm not sure why this was requested.

GH thought it needed a rebase. Presumably because of the cherry-pick.

@rade rade removed their assignment Jul 9, 2015
@rade
Copy link
Member

rade commented Jul 9, 2015

linter is unhappy.

@dpw
Copy link
Contributor Author

dpw commented Jul 9, 2015

linter is unhappy.

Good

@rade
Copy link
Member

rade commented Jul 9, 2015

Good

Please fix. What it is complaining about doesn't strike me as onerous.

@dpw
Copy link
Contributor Author

dpw commented Jul 9, 2015

Care to tell me what it is complaining about? I don't really wish to work out what options or filtering on its output I need to apply to avoid the silly suggestions.

@rade
Copy link
Member

rade commented Jul 9, 2015

Look at the travis ci report. bin/lint in our repo already filters out the nonsense.

@dpw dpw force-pushed the encrypt-features branch 2 times, most recently from e6599fe to c8a2492 Compare July 9, 2015 11:05
@dpw
Copy link
Contributor Author

dpw commented Jul 9, 2015

Apparently it now has travis' blessing.

@dpw dpw assigned rade Jul 9, 2015
Sender TCPSender
SessionKey *[32]byte
Version byte
}

This comment was marked as abuse.

This comment was marked as abuse.

This comment was marked as abuse.

dpw and others added 3 commits July 9, 2015 14:37
To allow users to forgo compatibility with Weave Net 1.0 in order to
avoid weaveworks#912, by setting --protocol-min-version=2.
Defaults to --protocol-min-version=1, i.e. compatible but vulnerable.
@dpw dpw force-pushed the encrypt-features branch from c8a2492 to a05c65c Compare July 9, 2015 14:05
conn.Decryptor = NewNonDecryptor()
} else {
conn.Decryptor = NewNaClDecryptor(conn.SessionKey, conn.outbound)
}

This comment was marked as abuse.

This comment was marked as abuse.

@rade
Copy link
Member

rade commented Jul 13, 2015

It took me a while to get my head around this. It's a fair bit of extra code, and the control flow is more involved than previously. Alas I have not been able to come up with anything better. So modulo the two minor issues above, this LGTM.

@rade rade assigned dpw and unassigned rade Jul 13, 2015
@rade
Copy link
Member

rade commented Jul 13, 2015

btw, I think this should close #912, and we should open a separate issue to remove v1 protocol support.

rade added a commit that referenced this pull request Jul 14, 2015
New connection protocol version with encrypted features map

Closes #1029. Closes #912.
@rade rade merged commit 2f35ad1 into weaveworks:master Jul 14, 2015
@rade rade modified the milestones: current, 1.1.0 Jul 15, 2015
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

DoS vector in protocol message stream
2 participants