Fluentd message forwarding with authentication and encryption


  1. Fluentd message forwarding with authentication and encryption. @tagomoris (TAGOMORI Satoshi), Fluentd Casual Talks #2, 2013/02/15 (Friday, February 15, 2013)
  2. TAGOMORI SATOSHI (@TAGOMORIS), NHN JAPAN CORP.
  3.
  4. Fluentd forward has no authentication (issue #81, "Authentication between nodes is required", by @saki7) and no encryption (pull request #56, "Added compression and encryption feature to forward plugin", by @mazgi).
  5. But how? OpenSSL::SSL::SSLSocket (a socket wrapped by OpenSSL), plus simple digest authentication over SSL.
  6. fluent-plugin-secure-forward: forwarding over SSL [required], with an auto-generated self-signed certificate; shared key authentication [required], to verify the receiver's identity; username and password authentication [optional], to verify the sender's identity.
  7. Connect (out_secure_forward to in_secure_forward): 1. CONNECT TCP SESSION; 2. START SSL SESSION; 3. CHECK CERTIFICATE TTL; (4. CHECK CERTIFICATE CN).
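The certificate checks in step 3 and the optional step 4 of the connect phase, as an added example that is not the plugin's own code. It builds a self-signed certificate in memory (a constructed stand-in for the one the plugin auto-generates; on a real connection the receiver's certificate comes from `OpenSSL::SSL::SSLSocket#peer_cert`) and then validates its validity window and CN. Names such as `check_certificate` and the host names are assumptions made for the example.

```ruby
require 'openssl'

# Constructed sample: a self-signed certificate built in memory, standing in for
# the certificate the receiver would present after the SSL session starts.
def build_self_signed_cert(cn, not_after:, not_before: Time.now - 60)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject          # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Step 3 (TTL) and the optional step 4 (CN) from the connect slide.
# Returns a list of problems; an empty list means the certificate is acceptable.
def check_certificate(cert, expected_cn: nil, now: Time.now)
  errors = []
  errors << "certificate not yet valid (not_before=#{cert.not_before})" if now < cert.not_before
  errors << "certificate expired (not_after=#{cert.not_after})" if now > cert.not_after
  if expected_cn
    cn_entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
    cn = cn_entry && cn_entry[1]
    errors << "CN mismatch: expected #{expected_cn.inspect}, got #{cn.inspect}" unless cn == expected_cn
  end
  errors
end

if __FILE__ == $0
  # Hypothetical receiver host name, constructed for the example.
  cert = build_self_signed_cert('receiver.example.internal', not_after: Time.now + 3600)
  puts check_certificate(cert, expected_cn: 'receiver.example.internal').empty? ? 'certificate OK' : 'rejected'
  puts check_certificate(cert, expected_cn: 'other.example.internal').inspect
end
```

A self-signed certificate cannot be chained to a trusted CA, which is exactly why the deck layers shared-key authentication on top: the TTL and CN checks reject stale or misdirected certificates, but the receiver's identity is really proven by the shared-key digest in the handshake.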
  8. Handshake (1), between out_secure_forward and in_secure_forward: 1. SERVER SEND HELO: SERVER OPTIONS; AUTH_SALT.
  9. Handshake (2): 2. CLIENT SEND PING: CLIENT HOST NAME; SALT FOR SHARED KEY; DIGEST(SALT + HOSTNAME + SHARED KEY); USERNAME; DIGEST(AUTH_SALT + USERNAME + PASSWORD).
  10. Handshake (3): 3. SERVER CHECK PING: SOURCE IP/HOST PERMISSION; SHARED KEY DIGEST; USERNAME AND PASSWORD DIGEST.
  11. Handshake (4): 4. SERVER SEND PONG: AUTHENTICATION RESULT; SERVER HOST NAME; DIGEST(SALT + HOSTNAME + SHARED KEY).
  12. Handshake (5): 5. CLIENT CHECK PONG: AUTHENTICATION RESULT; SHARED KEY DIGEST.
  13. Session established: out_secure_forward sends messages over SSL to in_secure_forward.
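The five handshake steps on slides 8 to 12, run end to end in memory (no TCP or SSL) as an added example; this is not the plugin's code. Both sides are plain functions so the HELO, PING and PONG messages can be inspected. Assumptions not stated on the slides: the digest is SHA-512 in hex, the digest inputs are simply concatenated, the failed-PONG carries a reason and no server digest, and the keys, users, host names and function names are constructed for the example.

```ruby
require 'digest'
require 'securerandom'

SHARED_KEY    = 'constructed-shared-key'                  # constructed sample value
USERS         = { 'sender01' => 'constructed-password' }  # constructed sender credentials
ALLOWED_HOSTS = ['sender.example.internal']               # constructed host permission list

# Assumption: DIGEST(a + b + c) is SHA-512 over the concatenated strings, as hex.
def digest(*parts)
  Digest::SHA512.hexdigest(parts.join)
end

# Constant-time comparison of two digests (length is public, content is not).
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# 1. SERVER SEND HELO: server options and a salt for the password digest.
def server_helo(auth_required:)
  { type: 'HELO', options: { auth: auth_required }, auth_salt: SecureRandom.hex(16) }
end

# 2. CLIENT SEND PING: host name, a fresh salt, the shared-key digest and,
#    when the server asked for it, the username/password digest.
def client_ping(helo, hostname:, shared_key:, username: nil, password: nil)
  salt = SecureRandom.hex(16)
  ping = { type: 'PING', hostname: hostname, shared_key_salt: salt,
           shared_key_digest: digest(salt, hostname, shared_key) }
  if helo[:options][:auth]
    ping[:username]        = username
    ping[:password_digest] = digest(helo[:auth_salt], username.to_s, password.to_s)
  end
  ping
end

# 3. SERVER CHECK PING and 4. SERVER SEND PONG. On failure the PONG carries the
#    reason and no server digest (assumption for this example).
def server_pong(helo, ping, server_hostname:, shared_key:, allowed_hosts:, users:)
  reason =
    if !allowed_hosts.include?(ping[:hostname])
      'source host not permitted'
    elsif !secure_equal?(ping[:shared_key_digest],
                         digest(ping[:shared_key_salt], ping[:hostname], shared_key))
      'shared key mismatch'
    elsif helo[:options][:auth] &&
          (!users.key?(ping[:username]) ||
           !secure_equal?(ping[:password_digest],
                          digest(helo[:auth_salt], ping[:username], users[ping[:username]])))
      'username or password mismatch'
    end
  return { type: 'PONG', auth_result: false, reason: reason, hostname: '', shared_key_digest: '' } if reason
  { type: 'PONG', auth_result: true, reason: nil, hostname: server_hostname,
    shared_key_digest: digest(ping[:shared_key_salt], server_hostname, shared_key) }
end

# 5. CLIENT CHECK PONG: the auth result, then the receiver's proof of the shared key.
#    Returns [ok, reason].
def client_check_pong(ping, pong, shared_key:)
  return [false, pong[:reason]] unless pong[:auth_result]
  expected = digest(ping[:shared_key_salt], pong[:hostname], shared_key)
  return [false, 'receiver failed shared key check'] unless secure_equal?(pong[:shared_key_digest], expected)
  [true, nil]
end

# Whole exchange; the sender and receiver may hold different keys to show the failure paths.
def run_handshake(client_hostname:, client_key:, username: nil, password: nil,
                  server_key: SHARED_KEY, auth_required: true)
  helo = server_helo(auth_required: auth_required)
  ping = client_ping(helo, hostname: client_hostname, shared_key: client_key,
                     username: username, password: password)
  pong = server_pong(helo, ping, server_hostname: 'receiver.example.internal',
                     shared_key: server_key, allowed_hosts: ALLOWED_HOSTS, users: USERS)
  client_check_pong(ping, pong, shared_key: client_key)
end

if __FILE__ == $0
  p run_handshake(client_hostname: 'sender.example.internal', client_key: SHARED_KEY,
                  username: 'sender01', password: 'constructed-password')   # [true, nil]
  p run_handshake(client_hostname: 'sender.example.internal', client_key: 'wrong-key',
                  username: 'sender01', password: 'constructed-password')   # [false, "shared key mismatch"]
end
```

Two points the slides make are visible here: the client salt goes into both digests, so the PONG digest proves the receiver holds the shared key for this session rather than replaying an old one, and the username/password digest only ever travels inside the SSL session, which is what "simple digest authentication over SSL" on slide 5 relies on.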
  14. Many many TODOs: tests for non-self-signed certificates; ACK mode protocol design and implementation; keepalive disable mode implementation; more access control (network ACL and domain wildcard ACL; DNS reverse lookup and check); disconnection just after the SSL session is established; pluggable authentication databases; encryption algorithm options; balancing/failover connections; TESTS!!!!!!! (this plugin has not a single assert....)
  15. fluent-plugin-secure-forward version v0.0.1 is HIGHLY EXPERIMENTAL. This plugin is a TOY PROGRAM / PoC. We need other maintainers who use this plugin, or MONEY and TD support! :-) Thanks!