+1

On 2/28/20, 11:43 AM, "Bill Burcham" <bill.burc...@gmail.com> wrote:

    I propose we deprecate Geode’s proprietary UDP message privacy algorithm
    based on the Diffie-Hellman key exchange protocol. This would deprecate:
    
    ConfigurationProperties.SECURITY_UDP_DHALGO
    
    String DistributionConfig.getSecurityUDPDHAlgo()
    
    void DistributionConfig.setSecurityUDPDHAlgo(String attValue)
    
    DistributionConfig.SECURITY_UDP_DHALGO_NAME
    
    Additionally we’d have to update documentation to reflect deprecation.
    
    From ConfigurationProperties.java:
    
    
    Application can set this property to valid symmetric key algorithm, to
    encrypt udp messages in Geode. Geode will generate symmetric key using
    Diffie-Hellman key exchange algorithm between peers. That key further used
    by specified algorithm to encrypt the udp messages.
    
    The property (and the feature) was added mid-2016. Unfortunately it was not
    added as an “experimental” feature, so it cannot simply be removed.
    
    Incidentally, the corresponding property for client-server communication,
    SECURITY_CLIENT_DHALGO, is already deprecated. It was deprecated in Geode
    1.5 in favor of SSL/TLS.
    
    I am proposing deprecating the feature because:
    
    
       1. The feature has not proven popular with users.
       2. At least one hard-to-reproduce bug exists in the implementation:
          GEODE-6448 <https://issues.apache.org/jira/browse/GEODE-6448>.
          We’ve burned a person-week trying to fix the problem (Bruce
          Schuchardt and me) and it’s not clear how much more time it will
          take. If we decide to deprecate the feature, fixing this problem
          would be de-prioritized accordingly.
       3. If we decide, in the future, that UDP message security is required, it
          would be better to implement a standard algorithm such as DTLS
          <https://tools.ietf.org/html/rfc6347>:
          1. Our algorithm provides only message privacy whereas DTLS provides
             privacy, tamper-resistance, and message forgery protection
          2. DTLS is a standard
          3. There is some support for DTLS in the JDK (JEP-219
             <https://openjdk.java.net/jeps/219> delivered in JDK 9). It’s not a
             complete implementation e.g. guaranteed delivery is a
             do-it-yourself kit.
    
    
    Actually implementing DTLS is out of scope for this proposal. Adding DTLS
    would be a significant undertaking.
    
    So, how do you feel about me making a GEODE ticket to deprecate the
    SECURITY_UDP_DHALGO configuration property?
    
