SlideShare a Scribd company logo

Fluentd message forwarding with authentication and encryption

SATOSHI TAGOMORI
SATOSHI TAGOMORI
1 of 15
Download to read offline
Fluentd message forwarding with authentication and encryption @tagomoris (TAGOMORI Satoshi) Fluentd Casual Talks #2 at 2013/02/15 13年2月15日金曜日
TAGOMORI SATOSHI (@TAGOMORIS) NHN JAPAN CORP. 13年2月15日金曜日
13年2月15日金曜日
Fluentd forward has no authentication issues:81 "Authentication between nodes is required" by @saki7 has no encryption pull:56 "Added compression and encryption feature to forward plugin" by @mazgi 13年2月15日金曜日
But how? 'OpenSSL::SSL::SSLSocket' Socket overwrapped by OpenSSL Simple digest authentication over SSL 13年2月15日金曜日
fluent-plugin-secure-forward Forwarding over SSL [required] with auto-generated self-signed certification Shared key authentication [required] to verify receiver identity Username and Password authentication [optional] to verify sender identity 13年2月15日金曜日
Connect: out_secure_forward 1. CONNECT TCP SESSION 2. START SSL SESSION 3. CHECK CERTIFICATE TTL (4. CHECK CERTIFICATE CN) in_secure_forward 13年2月15日金曜日
Handshake (1): out_secure_forward 1. SERVER SEND HELO - SERVER OPTIONS - AUTH_SALT in_secure_forward 13年2月15日金曜日
Handshake (2): out_secure_forward 2. CLIENT SEND PING - CLIENT HOST NAME - SALT FOR SHARED KEY - DIGEST(SALT + HOSTNAME + SHARED KEY) - USERNAME - DIGEST(AUTH_SALT + USERNAME + PASSWORD) in_secure_forward 13年2月15日金曜日
Handshake (3): out_secure_forward 3. SERVER CHECK PING - SOURCE IP/HOST PERMISSION - SHARED KEY DIGEST - USERNAME AND PASSWORD DIGEST in_secure_forward 13年2月15日金曜日
Handshake (4): out_secure_forward 4. SERVER SEND PONG - AUTHENTICATION RESULT - SERVER HOST NAME - DIGEST(SALT + HOSTNAME + SHARED KEY) in_secure_forward 13年2月15日金曜日
Handshake (5): out_secure_forward 5. CLIENT CHECK PONG - AUTHENTICATION RESULT - SHARED KEY DIGEST in_secure_forward 13年2月15日金曜日
Session established: out_secure_forward * SEND MESSAGES OVER SSL in_secure_forward 13年2月15日金曜日
Many many TODOs: Tests for non self-signed certificates ACK mode protocol design & implementation Keepalive disable mode implementation More access control Network ACL & domain wildcard ACL DNS reverse lookup & check Disconnection just after SSL session established Pluggable authentication databases Encryption algorithm options Balancing/failover connections TESTS!!!!!!! (this plugin has no one asserts....) 13年2月15日金曜日
fluent-plugin-secure-forward Version v0.0.1 is HIGHLY EXPERIMENTAL This plugin is TOY PROGRAM PoC We needs other maintainer who uses this plugin or MONEY & TD support! :-) Thanks! 13年2月15日金曜日

More Related Content

Fluentd message forwarding with authentication and encryption

  • 1. Fluentd message forwarding with authentication and encryption @tagomoris (TAGOMORI Satoshi) Fluentd Casual Talks #2 at 2013/02/15 13年2月15日金曜日
  • 2. TAGOMORI SATOSHI (@TAGOMORIS) NHN JAPAN CORP. 13年2月15日金曜日
  • 4. Fluentd forward has no authentication issues:81 "Authentication between nodes is required" by @saki7 has no encryption pull:56 "Added compression and encryption feature to forward plugin" by @mazgi 13年2月15日金曜日
  • 5. But how? 'OpenSSL::SSL::SSLSocket' Socket overwrapped by OpenSSL Simple digest authentication over SSL 13年2月15日金曜日
  • 6. fluent-plugin-secure-forward Forwarding over SSL [required] with auto-generated self-signed certification Shared key authentication [required] to verify receiver identity Username and Password authentication [optional] to verify sender identity 13年2月15日金曜日
  • 7. Connect: out_secure_forward 1. CONNECT TCP SESSION 2. START SSL SESSION 3. CHECK CERTIFICATE TTL (4. CHECK CERTIFICATE CN) in_secure_forward 13年2月15日金曜日
  • 8. Handshake (1): out_secure_forward 1. SERVER SEND HELO - SERVER OPTIONS - AUTH_SALT in_secure_forward 13年2月15日金曜日
  • 9. Handshake (2): out_secure_forward 2. CLIENT SEND PING - CLIENT HOST NAME - SALT FOR SHARED KEY - DIGEST(SALT + HOSTNAME + SHARED KEY) - USERNAME - DIGEST(AUTH_SALT + USERNAME + PASSWORD) in_secure_forward 13年2月15日金曜日
  • 10. Handshake (3): out_secure_forward 3. SERVER CHECK PING - SOURCE IP/HOST PERMISSION - SHARED KEY DIGEST - USERNAME AND PASSWORD DIGEST in_secure_forward 13年2月15日金曜日
  • 11. Handshake (4): out_secure_forward 4. SERVER SEND PONG - AUTHENTICATION RESULT - SERVER HOST NAME - DIGEST(SALT + HOSTNAME + SHARED KEY) in_secure_forward 13年2月15日金曜日
  • 12. Handshake (5): out_secure_forward 5. CLIENT CHECK PONG - AUTHENTICATION RESULT - SHARED KEY DIGEST in_secure_forward 13年2月15日金曜日
  • 13. Session established: out_secure_forward * SEND MESSAGES OVER SSL in_secure_forward 13年2月15日金曜日
  • 14. Many many TODOs: Tests for non self-signed certificates ACK mode protocol design & implementation Keepalive disable mode implementation More access control Network ACL & domain wildcard ACL DNS reverse lookup & check Disconnection just after SSL session established Pluggable authentication databases Encryption algorithm options Balancing/failover connections TESTS!!!!!!! (this plugin has no one asserts....) 13年2月15日金曜日
  • 15. fluent-plugin-secure-forward Version v0.0.1 is HIGHLY EXPERIMENTAL This plugin is TOY PROGRAM PoC We needs other maintainer who uses this plugin or MONEY & TD support! :-) Thanks! 13年2月15日金曜日