On 22/06/2022 07:12, Andrei Borzenkov wrote:
On 22.06.2022 02:27, Antony Stone wrote:
On Friday 17 June 2022 at 11:39:14, Mario Freytag wrote:

I’d like to ask about the security of corosync. We’re using a Proxmox HA
setup in our testing environment and need to confirm its compliance with
PCI guidelines.

We have a few questions:

Is the communication encrypted?
What method of encryption is used?
What method of authentication is used?
What is the recommended way of separation for the corosync network? VLAN?

Your first three questions are probably well-answered by
https://github.com/fghaas/corosync/blob/master/SECURITY


This is a thirteen-year-old file which is not present in the current
corosync sources. I hesitate to use it as the answer to anything
*today*. If it is still relevant, why was it removed?

Yup, the file is no longer relevant. The main reason to remove it was that corosync no longer does encryption itself - it's now knet's problem. Also, the file was pretty much outdated since the removal of tomcrypt and the move to just using nss (so corosync 2 era).

So the really authoritative source is the knet source code (https://github.com/kronosnet/kronosnet/blob/main/libknet/crypto.c and other crypto*.c files).

Honza


For the fourth, I agree with Jan Friesse - a dedicated physical network is
best; a dedicated VLAN is second best.


Antony.


_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

