[Linux-ha-dev] Using transis/spread
Guochun Shi
gshi at ncsa.uiuc.edu
Tue Sep 14 15:21:25 MDT 2004
At 11:44 PM 8/23/2004 +0200, you wrote:
>On 2004-08-23T14:57:44,
> Guochun Shi <gshi at ncsa.uiuc.edu> said:
>
>> >> We can also add the authentication to a message before giving it to
>> >> transis and compute the auth string after we get a message from
>> >> transis. I don't see that a problem.
>> >
>> >That's not the same. That's authenticating the message payload, but
>> >not the message itself, and might still allow an intruder to cause
>> >havoc to the message ordering.
>> >
>> >Really, the low-level messages transis sends on the network must be
>> >authenticated and/or encrypted.
>>
>> I admit I am confused :). What authentication is used for the whole
>> message for the current bcast/mcast/ucast besides the payload
>> authentication?
>
>The whole message basically (including all metadata) is currently
>protected by the authentication scheme, and discarded if the
>authentication fails.
>
>If we just hand a signed message to transis for delivery, this still
>would mean that transis itself (the acks, naks, numbering etc) would
>remain unprotected on the network, and an attacker could mess this up.
The transis daemon will definitely need heartbeat's authentication and/or multicast.
For the implementation we need to modify the transis code and let the heartbeat master
process fork the transis daemon process.
(recall: in method (e), you proposed that the transis daemon use heartbeat's multicast)
In this method, an ordered message will have to go through these processes:
client-> heartbeat master process -> transis daemon
->heartbeat master process -> media write process
->media read process -> heartbeat master process
-> transis daemon -> heartbeat client process -> client
If the transis daemons communicate with each other directly then we save a lot of overhead:
client-> heartbeat master process -> transis daemon
-> transis daemon -> heartbeat client process -> client
But a transis daemon will have to compute the authentication itself. It does not fit into the
current architecture -- right now all authentication is computed in the heartbeat master process.
I agree it is an unclean design :(
-Guochun
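The distinction drawn in this thread (a tag over the payload only versus a tag over the whole frame, metadata included) can be shown with a small model. This is an added illustration, not heartbeat or transis code: the wire format, the shared key and the sample frame are constructed here, and the tag is an HMAC-SHA1 standing in for heartbeat's authentication scheme.

```python
import hashlib
import hmac
import struct

# Constructed for this example: a shared cluster key and a toy frame layout.
KEY = b"constructed-shared-secret"
# Header = message type (1 byte), sequence number (4 bytes), ack number (4 bytes).
HDR = struct.Struct("!BII")
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def build(msg_type, seq, ack, payload, protect_header):
    """Return header || payload || tag.

    protect_header=False: the tag covers only the payload (signing the message
    before handing it to transis). protect_header=True: the tag covers the
    header too (how heartbeat protects bcast/mcast/ucast frames today)."""
    header = HDR.pack(msg_type, seq, ack)
    covered = header + payload if protect_header else payload
    tag = hmac.new(KEY, covered, hashlib.sha1).digest()
    return header + payload + tag


def verify(frame, protect_header):
    """Recompute the tag; return (ok, (msg_type, seq, ack), payload)."""
    header, rest = frame[:HDR.size], frame[HDR.size:]
    payload, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
    covered = header + payload if protect_header else payload
    expected = hmac.new(KEY, covered, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected), HDR.unpack(header), payload


def renumber(frame, new_seq):
    """Model a frame whose transis sequence number was altered in transit;
    the payload and tag are left untouched."""
    msg_type, _, ack = HDR.unpack(frame[:HDR.size])
    return HDR.pack(msg_type, new_seq, ack) + frame[HDR.size:]


def altered_sequence_is_rejected(protect_header):
    """True if the receiver discards a frame whose sequence number changed."""
    frame = build(1, 7, 3, b"cluster state update", protect_header)
    ok, _, _ = verify(renumber(frame, 99), protect_header)
    return not ok
```

With payload-only protection the renumbered frame still verifies, so the ordering metadata transis depends on is unprotected; covering the header makes the same frame fail verification and get discarded.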