[ClusterLabs] Question regarding the security of corosync
Jan Friesse
jfriesse at redhat.com
Wed Jun 22 03:26:12 EDT 2022
On 22/06/2022 07:12, Andrei Borzenkov wrote:
> On 22.06.2022 02:27, Antony Stone wrote:
>> On Friday 17 June 2022 at 11:39:14, Mario Freytag wrote:
>>
>>> I’d like to ask about the security of corosync. We’re using a Proxmox HA
>>> setup in our testing environment and need to confirm it’s compliance with
>>> PCI guidelines.
>>>
>>> We have a few questions:
>>>
>>> Is the communication encrypted?
>>> What method of encryption is used?
>>> What method of authentication is used?
>>> What is the recommended way of separation for the corosync network? VLAN?
>>
>> Your first three questions are probably well-answered by
>> https://github.com/fghaas/corosync/blob/master/SECURITY
>>
>
> This is thirteen years old file which is not present in the current
> corosync sources. I hesitate to use it as the answer to anything
> *today*. If it is still relevant, why it was removed?
Yup, the file is no longer relevant. The main reason to remove it was
that corosync no longer does encryption itself - it's now knet problem.
Also file was pretty much outdated since removal of tomcrypt and move to
just using nss (so corosync 2 era).
So really authoritative source is knet source code
(https://github.com/kronosnet/kronosnet/blob/main/libknet/crypto.c and
other crypto*.c files).
Honza
>
>> For the fourth, I agree with Jan Friesse - a dedicated physical network is
>> best; a dedicated VLAN is second best.
>>
>>
>> Antony.
>>
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/
>
More information about the Users
mailing list