IceGrid security question

grembo (Michael Gmelin), Member. Organization: Grem Equity GmbH. Project: E-Commerce platform
I'm planning to run all services in our service cloud using one big IceGrid (basically like DNS). Unfortunately, it seems that when registering nodes, no verification/cross-check is done with respect to the node name. That means, in practice, that every node that is part of the IceGrid has to run at the same security/trust level, because any node can pretend to be any other node. Is this observation correct, or is there a way, e.g. by using permission verifiers, to dictate in the master registry what each node is allowed to do, e.g. by the certificate used?

We're using certificates to secure communication between services, as well as limiting access based on DNs (also for outgoing connections), so the risk is reduced, but there is still a good potential to disrupt the service infrastructure. Not sure if there would also be a problem with AdapterIds, or if those are enforced by the registry based on deployment information.

Bringing this down to a yes/no question: Do all participating nodes in an IceGrid form a hippie commune (and therefore might use the same SSL certificate as well, since it won't make a difference anyway)?

Thanks ;)
Michael

Comments

  • benoit (Benoit Foucher), Rennes, France. Administrators, ZeroC Staff. Organization: ZeroC, Inc. Project: Ice
    Hi,

    Yes, once a node is authenticated and connected to the registry, it can claim to be any node; there's no way to restrict a given node (identified by its certificate) to use a given node name. We could certainly improve this and allow specifying a mapping of node names and SSL identities in the IceGrid registry configuration (or perhaps simply use the DN as the node name).

    In any case, you can either use a single certificate for all the nodes or different certificates. The second option provides you a way to prevent some nodes from connecting to IceGrid if you revoke their certificates.

    Cheers,
    Benoit.
  • grembo (Michael Gmelin), Member. Organization: Grem Equity GmbH. Project: E-Commerce platform
    OK, I might write a patch to do that (it doesn't seem too hard: extract the DN from the SSL context, store it and verify). The hardest part is probably making that configurable in a transparent way.

    Would you be interested in integrating such a patch once it's done? Just asking because reviewing it might take some time at your end. It won't happen anytime soon anyway, but I'll keep you posted.
  • grembo (Michael Gmelin), Member. Organization: Grem Equity GmbH. Project: E-Commerce platform
    Haven't heard back from you on this one yet (if you're interested in getting a structured patch) - kind of defines how we're trying to implement this. A solution that will make it to the source tree is preferred for obvious reasons.
  • bernard (Bernard Normier), Jupiter, FL. Administrators, ZeroC Staff. Organization: ZeroC, Inc. Project: Ice
    Hi Michael,

    Thank you for your offer to contribute this enhancement to IceGrid. It sounds like this would be a generally useful feature.

    We will need a signed assignment for this contribution, in order to review it and (if we find it suitable) include it in our source tree. I'll send you our assignment template by email.

    Best regards,
    Bernard
  • grembo (Michael Gmelin), Member. Organization: Grem Equity GmbH. Project: E-Commerce platform
    Hi Bernard,

    I've sent you a mission statement, a description of the patch, the patch itself, and the signed assignment document via email.

    cheers
    Michael
  • grembo (Michael Gmelin), Member. Organization: Grem Equity GmbH. Project: E-Commerce platform
    Patch posted

    I posted a patch that addresses this issue in the Patches section of the Forum. See http://www.zeroc.com/forums/patches/5663-patch-prevent-icegrid-node-registry-replica-name-spoofing.html.
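
The two options raised in the thread (a registry-side mapping of node names to SSL identities, or using the certificate name as the node name) can be sketched as follows. This is an added example, not the posted patch or ZeroC code; it uses no Ice API, and `parse_dn`, `authorize_node` and the `ALLOWED` mapping are hypothetical names with constructed sample DNs.

```python
ESCAPABLE = set('"+,;<>\\ #=')  # characters RFC 4514 allows after a backslash

def parse_dn(dn):
    """Parse an RFC 4514-style DN string into a tuple of (TYPE, value) pairs."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            if ch not in ESCAPABLE:
                raise ValueError("hex escapes are not handled; fail closed")
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch in "+;":
            raise ValueError("multi-valued or ';'-separated RDNs are rejected")
        elif ch == ",":  # only an unescaped comma separates RDNs
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if esc:
        raise ValueError("dangling backslash")
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        typ, sep, val = part.lstrip().partition("=")
        if not (sep and typ.strip() and val):
            raise ValueError("malformed RDN")
        rdns.append((typ.strip().upper(), val))
    return tuple(rdns)

# Constructed sample mapping (assumed format): node name -> certificate DN.
ALLOWED = {
    "node1": "CN=node1,O=Example Corp,C=DE",
    "node2": "CN=node2,O=Example Corp,C=DE",
}

def authorize_node(claimed_name, peer_dn, allowed, cn_is_name=False):
    """Return True only if the authenticated DN is entitled to claimed_name."""
    try:
        dn = parse_dn(peer_dn)
    except ValueError:
        return False  # unparseable identity: refuse the registration
    if cn_is_name:  # variant: the certificate's single CN must be the node name
        cns = [v for t, v in dn if t == "CN"]
        return len(cns) == 1 and cns[0] == claimed_name
    expected = allowed.get(claimed_name)
    return expected is not None and parse_dn(expected) == dn
```

Comparing parsed RDN tuples rather than splitting the string on commas matters: a CN containing an escaped comma stays a single value and cannot be read as the expected `O=` and `C=` components.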