+1 to deprecating and removing SECURITY_UDP_DHALGO. The current
implementation is a non-thread-safe hack that would require extensive work
to "fix". It fails EVERY time we run a mass test run. I'd prefer to see us
embrace DTLS as a standard.

On Fri, Feb 28, 2020 at 11:43 AM Bill Burcham <bill.burc...@gmail.com>
wrote:

> I propose we deprecate Geode’s proprietary UDP message privacy algorithm
> based on the Diffie-Hellman key exchange protocol. This would deprecate:
>
> ConfigurationProperties.SECURITY_UDP_DHALGO
>
> String DistributionConfig.getSecurityUDPDHAlgo()
>
> void DistributionConfig.setSecurityUDPDHAlgo(String attValue)
> DistributionConfig.SECURITY_UDP_DHALGO_NAME
>
> Additionally we’d have to update documentation to reflect deprecation.
>
> From ConfigurationProperties.java:
>
>
> Application can set this property to valid symmetric key algorithm, to
> encrypt udp messages in Geode. Geode will generate symmetric key using
> Diffie-Hellman key exchange algorithm between peers. That key further used
> by specified algorithm to encrypt the udp messages.
>
> The property (and the feature) was added mid-2016. Unfortunately it was not
> added as an “experimental” feature, so it cannot simply be removed.
>
> Incidentally, the corresponding property for client-server communication,
> SECURITY_CLIENT_DHALGO, is already deprecated. It was deprecated in Geode
> 1.5 in favor of SSL/TLS.
>
> I am proposing deprecating the feature because:
>
>
>    1. The feature has not proven popular with users.
>    2. At least one hard-to-reproduce bug exists in the implementation:
>       GEODE-6448 <https://issues.apache.org/jira/browse/GEODE-6448>. We’ve
>       burned a person-week trying to fix the problem (Bruce Schuchardt and me)
>       and it’s not clear how much more time it will take. If we decide to
>       deprecate the feature, fixing this problem would be de-prioritized
>       accordingly.
>    3. If we decide, in the future, that UDP message security is required, it
>       would be better to implement a standard algorithm such as DTLS
>       <https://tools.ietf.org/html/rfc6347>:
>       1. Our algorithm provides only message privacy whereas DTLS provides
>          privacy, tamper-resistance, and message forgery protection
>       2. DTLS is a standard
>       3. There is some support for DTLS in the JDK (JEP-219
>          <https://openjdk.java.net/jeps/219> delivered in JDK 9). It’s not a
>          complete implementation e.g. guaranteed delivery is a do-it-yourself
>          kit.
>
>
> Actually implementing DTLS is out of scope for this proposal. Adding DTLS
> would be a significant undertaking.
>
> So, how do you feel about me making a GEODE ticket to deprecate the
> SECURITY_UDP_DHALGO configuration property?
>
