[ClusterLabs] corosync 2.4.4 version provide secure the communication by default

Jan Friesse jfriesse at redhat.com
Mon Jan 23 10:14:50 EST 2023


On 23/01/2023 10:38, S Sathish S wrote:
> Hi Jan/Team,
> 
> Yes, in syslog we noticed "crypto: none" during startup of the corosync service.

Ok, so then communication is unencrypted.

> 
> In Corosync communication, which protocols/ports transfer sensitive data that needs to be secured?

Corosync implements its own protocol, and for udpu it uses port 5405 
by default.

> 
> Or will it have only a binary protocol, like port 5405, for all corosync communication?

Yes

Basically, if you dump UDP traffic on port 5405 you should see messages sent 
via cpg.

For example I've tried:
tcpdump -i eth1  -nN -nn udp

and send "This is nice test" using testcpg (which is using CPG group 
called GROUP) and entry

"16:12:22.534234 IP 192.168.63.35.52319 > 192.168.63.36.5405: UDP, 
length 321
E..]D?@. at .....?#..?$._...I."......"..............?#..................................)...(...........?#............o.............................a........................GROUP........................................................................................................................................................U..This 
is nice test"

was logged.

Regards,
   Honza

> 
> Thanks and Regards,
> S Sathish S
> -----Original Message-----
> From: Jan Friesse <jfriesse at redhat.com>
> Sent: 23 January 2023 14:50
> To: Cluster Labs - All topics related to open-source clustering welcomed <users at clusterlabs.org>
> Cc: S Sathish S <s.s.sathish at ericsson.com>
> Subject: Re: [ClusterLabs] corosync 2.4.4 version provide secure the communication by default
> 
> Hi,
> 
> On 23/01/2023 01:37, S Sathish S via Users wrote:
>> Hi Team,
>>
>> Does the corosync 2.4.4 version provide a mechanism to secure the communication path between nodes of a cluster by default? Because in our configuration secauth is turned off, but the communication that occurs is still encrypted.
>>
>> Note: capturing tcpdump for port 5405, I can see that the data is already garbled and not in the clear.
> 
> It's a binary protocol, so don't expect a really readable format (like xml/json/...). But with your config it should be unencrypted. You can check for the message "notice  [TOTEM ] Initializing transmit/receive security
> (NSS) crypto: none hash: none" during the start of corosync.
> 
> Regards,
>     Honza
> 
> 
>>
>> [root at node1 ~]# cat /etc/corosync/corosync.conf
>> totem {
>>       version: 2
>>       cluster_name: OCC
>>      secauth: off
>>       transport: udpu
>> }
>>
>> nodelist {
>>       node {
>>           ring0_addr: node1
>>           nodeid: 1
>>       }
>>
>>       node {
>>           ring0_addr: node2
>>           nodeid: 2
>>       }
>>
>>       node {
>>           ring0_addr: node3
>>           nodeid: 3
>>       }
>> }
>>
>> quorum {
>>       provider: corosync_votequorum
>> }
>>
>> logging {
>>       to_logfile: yes
>>       logfile: /var/log/cluster/corosync.log
>>       to_syslog: no
>>       timestamp: on
>> }
>>
>> Thanks and Regards,
>> S Sathish S
>>
> 
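The thread boils down to two checks: what the totem section of corosync.conf actually configures, and what the "[TOTEM ] Initializing transmit/receive security" startup line reports. The script below is an added example written for this archive page; it is not code from the thread or from the corosync project. It parses the brace-delimited corosync.conf format, derives the effective cipher/hash under the corosync 2.x rules from corosync.conf(5) (an assumption stated in the code: secauth: on defaults to aes256/sha1, secauth: off to none/none, explicit crypto_cipher/crypto_hash win), reads the same answer back out of a syslog line, and shows what the hardened totem section looks like. The config and log lines embedded in it are constructed samples modelled on the ones quoted above, not the poster's files.

```python
import copy
import re

# Constructed sample modelled on the corosync.conf quoted in the thread
# (not the poster's file verbatim): secauth off, udpu, three nodes.
SAMPLE_CONF = """\
totem {
    version: 2
    cluster_name: OCC
    secauth: off
    transport: udpu
}

nodelist {
    node {
        ring0_addr: node1
        nodeid: 1
    }
    node {
        ring0_addr: node2
        nodeid: 2
    }
    node {
        ring0_addr: node3
        nodeid: 3
    }
}
"""

# Constructed syslog lines. The first mirrors the TOTEM startup message quoted
# in the thread; the second is the same line with the 2.x secauth: on defaults.
SAMPLE_LOG_PLAINTEXT = [
    "Jan 23 10:01:02 node1 corosync[1234]: notice  [TOTEM ] Initializing "
    "transmit/receive security (NSS) crypto: none hash: none",
]
SAMPLE_LOG_ENCRYPTED = [
    "Jan 23 10:01:02 node1 corosync[1234]: notice  [TOTEM ] Initializing "
    "transmit/receive security (NSS) crypto: aes256 hash: sha1",
]

TOTEM_SECURITY_RE = re.compile(
    r"\[TOTEM\s*\] Initializing transmit/receive security \(NSS\) "
    r"crypto: (\S+) hash: (\S+)"
)


def parse_corosync_conf(text):
    """Parse corosync.conf's brace-delimited format into nested dicts.
    Repeated sections under one parent (the node { } blocks) become a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            section = {}
            parent = stack[-1]
            if name in parent:
                if isinstance(parent[name], list):
                    parent[name].append(section)
                else:
                    parent[name] = [parent[name], section]
            else:
                parent[name] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in corosync.conf")
            stack.pop()
        elif ":" in line:
            key, value = line.split(":", 1)
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError("cannot parse line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unterminated section in corosync.conf")
    return root


def effective_totem_crypto(conf):
    """(cipher, hash) corosync 2.x will use. Assumption from corosync.conf(5):
    secauth: on defaults to aes256/sha1, secauth: off (the default) to
    none/none; explicit crypto_cipher / crypto_hash keys override either."""
    totem = conf.get("totem", {})
    secauth_on = totem.get("secauth", "off").lower() in ("on", "yes", "1", "true")
    cipher = totem.get("crypto_cipher", "aes256" if secauth_on else "none")
    digest = totem.get("crypto_hash", "sha1" if secauth_on else "none")
    return cipher.lower(), digest.lower()


def is_traffic_encrypted(conf):
    """True only when both a cipher and a hash are in effect, i.e. the startup
    log would not read 'crypto: none hash: none'."""
    cipher, digest = effective_totem_crypto(conf)
    return cipher != "none" and digest != "none"


def crypto_from_startup_log(lines):
    """Extract (cipher, hash) from the TOTEM security line, or None if absent."""
    for line in lines:
        m = TOTEM_SECURITY_RE.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def harden_totem(conf):
    """Copy of the parsed config with encryption and authentication enabled
    explicitly instead of relying on the secauth defaults."""
    hardened = copy.deepcopy(conf)
    totem = hardened.setdefault("totem", {})
    totem["secauth"] = "on"
    totem["crypto_cipher"] = "aes256"
    totem["crypto_hash"] = "sha256"
    return hardened


if __name__ == "__main__":
    conf = parse_corosync_conf(SAMPLE_CONF)
    print("configured:", effective_totem_crypto(conf), "encrypted:", is_traffic_encrypted(conf))
    print("log says:  ", crypto_from_startup_log(SAMPLE_LOG_PLAINTEXT))
    print("hardened:  ", effective_totem_crypto(harden_totem(conf)))
```

Run it against a real /etc/corosync/corosync.conf and the corosync log on each node: the config-derived answer and the log-derived answer should agree, and "crypto: none hash: none" on any node means the port 5405 traffic Honza describes dumping is neither encrypted nor authenticated, however unreadable the binary framing looks in tcpdump.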