This forum has been archived. Please start a new discussion on GitHub.

IceGrid security question

I'm planning to run all services in our service cloud using one big IceGrid (basically like DNS). Unfortunately it seems like that when registering nodes, no verification/cross check is done in respect to the node name. That means in practice that every node that is part of the IceGrid has to run at the same security/trust level, because any node can pretend to be any other node. Is this observation correct, or is there a way, e.g. by using permission verifiers, to dictate in the master registry what each node is allowed to do, e.g. by the certificate used?

We're using certificates to secure communication between services as well by limiting access based on DNs (also for outgoing connections), so the risk is reduced, but there is still a good potential to disrupt the service infrastructure. Not sure if there would also be a problem with AdapterIds, or if those are enforced by the registry based on deployment information.

Bringing this down to a yes/no question: Do all participating nodes in an IceGrid form a hippie commune (and therefore might use the same SSL certificate as well, since it won't make a difference anyway)?

Thanks ;)
Michael

Comments

  • benoit (Rennes, France)
    Hi,

    Yes, once a node is authenticated and connected to the registry, it can claim to be any node, there's no way to restrict a given node (identified by its certificate) to use a given node name. We could certainly improve this and allow specifying a mapping of node names and SSL identities in the IceGrid registry configuration (or perhaps simply use the DN as the node name).

    In any case, you can either use a single certificate for all the nodes or different certificates. The second option provides you a way to prevent some nodes from connecting to IceGrid if you revoke their certificates.

    Cheers,
    Benoit.
  • Ok, I might write a patch to do that (it doesn't seem too hard, extract the DN from the SSL context, store it and verify). Hardest part is probably to make that configurable in a transparent way.

    Would you be interested in integrating such a patch once it's done - just asking because reviewing it might take some time at your end. Won't happen anytime soon anyway, but I'll keep you posted.
  • Haven't heard back from you on this one yet (if you're interested in getting a structured patch) - kind of defines how we're trying to implement this. A solution that will make it to the source tree is preferred for obvious reasons.
  • bernard (Jupiter, FL)
    Hi Michael,

    Thank you for your offer to contribute this enhancement to IceGrid. It sounds like this would be a generally useful feature.

    We will need a signed assignment for this contribution, in order to review it and (if we find it suitable) include it in our source tree. I'll send you our assignment template by email.

    Best regards,
    Bernard
  • Hi Bernard,

    I've sent you a mission statement, a description of the patch, the patch itself, and the signed assignment document via email.

    Cheers,
    Michael
  • Patch posted

    I posted a patch that addresses this issue in the Patches section of the Forum. See http://www.zeroc.com/forums/patches/5663-patch-prevent-icegrid-node-registry-replica-name-spoofing.html.
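The registry-side check the thread describes (bind the claimed node name to the DN of the certificate that authenticated the connection, with Benoit's two variants: an explicit node-name-to-DN mapping, or using the DN's CN as the node name), as an added illustration in Python. It is not IceGrid code and not the posted patch; the policy class, the revocation set and the sample DNs are constructed for the example.

```python
"""Bind a claimed IceGrid node name to the peer's SSL DN (illustration only).

Hypothetical registry-side verifier; not IceGrid's API. The registry would
call verify() with the node name from the registration request and the DN
taken from the SSL connection info.
"""
from dataclasses import dataclass, field


def parse_dn(dn: str) -> dict:
    """Parse 'CN=node1, O=Example' into {type: value}; handles '\\,' escapes."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch); escaped = False          # keep escaped char literally
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur)); cur = []    # unescaped comma ends an RDN
        else:
            cur.append(ch)
    parts.append("".join(cur))
    attrs = {}
    for p in parts:
        if "=" not in p:
            raise ValueError(f"malformed RDN: {p!r}")
        k, v = p.split("=", 1)
        attrs[k.strip().upper()] = v.strip()
    return attrs


def normalize(dn: str) -> str:
    """Canonical form so attribute order and spacing do not matter."""
    return ",".join(f"{k}={v}" for k, v in sorted(parse_dn(dn).items()))


@dataclass
class NodeIdentityPolicy:
    bindings: dict = field(default_factory=dict)   # node name -> expected DN
    revoked: set = field(default_factory=set)      # constructed revocation list
    cn_is_node_name: bool = False                  # fallback: CN must equal node name

    def verify(self, claimed_node: str, peer_dn: str) -> tuple:
        if normalize(peer_dn) in {normalize(d) for d in self.revoked}:
            return False, "certificate revoked"
        expected = self.bindings.get(claimed_node)
        if expected is not None:                   # explicit mapping wins
            if normalize(expected) == normalize(peer_dn):
                return True, "bound DN matches"
            return False, f"{claimed_node!r} is bound to a different DN"
        if self.cn_is_node_name:                   # DN-as-node-name variant
            cn = parse_dn(peer_dn).get("CN")
            if cn == claimed_node:
                return True, "CN equals node name"
            return False, f"CN {cn!r} != claimed node {claimed_node!r}"
        return False, "no binding for node; registration denied"


def demo() -> dict:
    """Constructed scenarios: honest node, spoof attempt, revoked cert, CN fallback."""
    policy = NodeIdentityPolicy(
        bindings={"node1": "CN=node1, O=Example Corp",
                  "node2": "CN=node2, O=Example Corp"},
        revoked={"CN=node3, O=Example Corp"},
        cn_is_node_name=True)
    return {
        "honest": policy.verify("node1", "CN=node1, O=Example Corp"),
        "spoof": policy.verify("node2", "CN=node1, O=Example Corp"),
        "revoked": policy.verify("node3", "CN=node3, O=Example Corp"),
        "cn_fallback": policy.verify("node9", "O=Example Corp,CN=node9"),
    }
```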