Source document: SNIA-SDC23-DeSanti-NVMe -over-Fabrics-Security-Update_0.pdf (39 slides), reconstructed slide by slide below.
Slide 1: NVMe over Fabrics Security Update
Claudio DeSanti, Distinguished Engineer, Dell Technologies CTIO Group
SNIA Virtual Conference, September 28-29, 2021
© 2023 SNIA. © 2023 Dell Technologies. All Rights Reserved.

Slide 2: Agenda
- SAN Security Framework
- NVMe/TCP with TLS
- TP 8018: Updates to NVMe/TCP with TLS
  - PSK Scope Confusion
  - TLS Concatenation use of Opportunistic TLS
- TP 8025: Usage Configuration of NVMe/TCP Security

Slide 3: SAN Security Framework (section title)

Slide 4: Storage Area Network (SAN) Example
(diagram: Hosts connected through the SAN to a Storage Subsystem)

Slide 5: Security Threat 1: Access Control
- 1) Uncontrolled Storage Access
- Countermeasure: Storage Access Control
  - NVMe namespaces mapping
  - NVMe-oF Zoning
  - Does not prevent impersonation

Slide 6: Security Threat 2: Impersonation
- 2) Impersonation (Spoofing)
- Countermeasure: Authentication
  - Proof of identity

Slide 7: Security Threat 3: Communication Access
- 3) Communication Access
  - Eavesdrop
  - Inject/Modify
- Countermeasure: Secure Channel (data in flight)
  - Confidentiality
  - Cryptographic Integrity

Slide 8: SAN Security Mechanisms
Storage Endpoint Authentication
  - iSCSI: CHAP (strong secret); SRP (weak secret, e.g., password), not used in practice
  - Fibre Channel: DH-CHAP (strong secret); FCPAP (weak secret, e.g., password); FCAP (certificates); FC-EAP (strong secret)
  - NVMe over Fabrics/IP: DH-HMAC-CHAP (strong secret), defined in TP 8006, now in Base Spec. rev 2.0
Centralized Authentication Verification
  - iSCSI: RADIUS (CHAP-only, obsolete)
  - Fibre Channel: RADIUS (DH-CHAP-only, obsolete)
  - NVMe over Fabrics/IP: Authentication Verification Entity (AVE), defined in TP 8019
Secure Channel (authenticated encryption & cryptographic integrity)
  - iSCSI: IPsec (e.g., in security gateway)
  - Fibre Channel: FCsec (IPsec-like, usage limited)
  - NVMe over Fabrics/IP: TLS (pre-shared key) for TCP only, defined in TP 8011, now in NVMe/TCP Transport Spec.

Slide 9: NVMe/TCP with TLS (section title)

Slide 10: NVMe/TCP Secure Channel: TLS
- TLS (Transport Layer Security): widely used TCP secure channel protocol
  - Secure channel = authentication, confidentiality, cryptographic integrity (primary properties)
  - Typical (web) usage: server uses certificate with TLS, client authenticates after TLS setup (e.g., TLS-protected HTTP)
- TLS 1.3 for NVMe/TCP: part of NVMe TCP transport specification
  - TLS not specified for other NVMe-oF IP-based protocols (i.e., RDMA, e.g., RoCEv2)
  - TLS not implemented in NIC RDMA hardware data paths, hence not usable in practice
- Older TLS versions:
  - TLS 1.2: strongly discouraged in favor of modernized, more secure TLS 1.3
  - Older versions of TLS (1.0 & 1.1) & all versions of SSL: insecure, hence prohibited

Slide 11: NVMe/TCP-TLS
(diagram: Host and Controller; NVMe/TCP-TLS transport session establishment, Connect Command, Connect Response, then "Secure channel and queue set up")
1. An NVMe/TCP-TLS transport session is established
2. The Connect exchange is performed to set up NVMe Queue and associate host to controller
3. Secure channel and Queue are set up, ready for subsequent operations

Slide 12: TLS Credentials (1): Not X.509 Certificates (for now)
- NVMe X.509 certificate identities: use NVMe-native identities
  - NVMe supports non-IP transports (e.g., Fibre Channel, InfiniBand) that do not use web or IP identities
  - SPDM-based certificate authentication anticipated for all NVMe transports
  - NVMe certificates should use NVMe-native identities (i.e., NQNs, text strings similar to iSCSI IQNs)
  - Reminder: a certificate binds identity to public key; the binding is signed by the private key of the Certificate Authority (CA)
  - Mapping certificate identity to actual identity weakens security because that mapping is not signed
  - Requires an NVMe-specific X.509 certificate format to use NVMe NQNs as certificate identities
- Certificate lifecycle management (e.g., issuance, revocation, replacement)
  - Q: Who operates the CAs (Certificate Authorities) that issue and revoke certificates?
  - A: Vendors, including OEMs (e.g., Dell, HPE) and device vendors (e.g., Samsung, Kioxia, Seagate)
  - Problem: That's not how existing Internet/web CAs are operated
- PCIe is blazing a trail in this area; NVMe chose to wait, watch, and learn

Slide 13: TLS Credentials (2): Pre-shared Keys
- TLS secure channel for NVMe/TCP is based on pre-shared keys (PSKs)
  - In order to communicate over TLS, two NVMe entities need to be configured with the same PSK
  - Each pair of entities requires its own PSK (limits "blast radius" of PSK compromise)
  - O(n²) problem: a fabric with N hosts and M subsystems requires N x M PSKs
- NVMe-oF authentication protocol (DH-HMAC-CHAP) to the rescue
  - Upon successful completion of an authentication exchange, the two involved NVMe entities generate an ephemeral shared session key (e.g., a PSK computed on the fly)
  - The TLS negotiation can then be performed using a PSK derived from that shared key
  - Reduces TLS PSK provisioning to per-entity DH-HMAC-CHAP secret provisioning
  - O(n) problem: a fabric with N hosts and M subsystems requires N+M secrets when AVE is deployed

Slide 14: (Old) TLS Concatenation
(diagram: Host and Controller; NVMe/TCP transport session establishment, Connect Command, Connect Response, Authentication Transaction generating a PSK, TLS secure channel establishment using the PSK, "Secure channel and queue set up")
1. An NVMe/TCP transport session is established
2. The Connect exchange is performed to set up NVMe queue and associate host to controller
3. The host performs an authentication transaction with the controller, a transaction that generates a pre-shared key (PSK) between host and controller
4. The generated PSK is used to perform a TLS negotiation and to establish a secure channel
5. Secure channel and queue are set up, ready for subsequent operations

Slide 15: TP 8018: NVMe/TCP with TLS Updates, PSK Scope Confusion (section title)

Slide 16: TLS PSK Scope
- NVMe/TCP defined two methods for obtaining a PSK
  - Retained PSK: from an administratively provisioned configured PSK
  - Generated PSK: from a DH-HMAC-CHAP authentication transaction
- And two associated PSK identities, because TLS 1.3 requires each PSK to be associated with one and only one PSK Identity: "NVMe0R ..." and "NVMe0G ..."
- The scope of a retained PSK was defined per entity pair
  - All TLS sessions between a host and an NVM subsystem use the (single) retained PSK
- The scope of a generated PSK was not well defined
  - Per Admin Queue or I/O Queue? Per NVMe/TCP controller? Per entity pair?
  - This caused confusion (next slides)

Slide 17: Use Case #1: Per Controller Scope
(diagram: Admin Queue: TCP handshake, ICR/Connect, DH-HMAC-CHAP, TLS handshake; the generated PSK is stored in global state (e.g., keyring) on both host and controller; I/O Queue #1, #2, ..., #n: TCP handshake, TLS handshake using the stored generated PSK, ICR/Connect)

Slide 18: Use Case #2: Per Queue Scope
(diagram: Admin Queue and every I/O Queue #1, #2, ..., #n each perform TCP handshake, ICR/Connect, DH-HMAC-CHAP, TLS handshake, each producing its own generated PSK; global state (e.g., keyring) holds the generated PSKs)

Slide 19: Use Case #3: Mixed Scope
(diagram: some queues (Admin Queue and some I/O Queues) perform their own DH-HMAC-CHAP transaction generating a PSK; other I/O Queues, up to I/O Queue #n, only perform TCP handshake, TLS handshake and ICR/Connect, reusing a generated PSK from global state (e.g., keyring))

Slide 20: Scope Confusion and Solution
- Having a single PSK Identity for all generated PSKs between two entities is problematic
  - Use case #2 can leverage the TCP connection for disambiguation; can manage generated PSK as ephemeral-only
  - Use case #1 is the one desired, where a PSK is reused across all connections to the same controller
    - Cannot manage generated PSK as ephemeral-only because reused
    - Cannot disambiguate associations to different controllers
- Solution Approach (TP 8018): Two Parts
  - A. New per-PSK unique identities: support unambiguously multiple scopes of a PSK
  - B. Restrict TLS PSK generation to Admin Queue (Use Case #1): I/O Queues reuse PSK generated on Admin Queue
(diagram: host H connected to controllers C1 and C2 of one Subsystem)

Slide 21: Part A. New Per-PSK Identities: PSK Digest
- Compute a PSK digest: a secure HMAC associated with the PSK
  - Digest computed from PSK, Host NQN, and NVM Subsystem NQN (as HMAC inputs)
  - And represented in ASCII via a Base64 conversion
- PSK Identity uniqueness: add the digest to the PSK Identity
  - "NVMe01R NQNh NQNc ..." and "NVMe01G NQNh NQNc ..."
  - Resulting PSK Identity uniquely identifies the actual PSK
- Uniqueness: hash (HMAC) output size is at least 256 bits
  - Cryptographically binds PSK to its PSK Identity
  - A different PSK produces a different digest, hence a different PSK Identity
- New functionality enabled by per-PSK Identities
  - Use different generated PSK on different controllers (PSK Identity uniquely identifies PSK)
  - Bonus: PSK rollover support; PSK identities distinguish old and new PSKs

Slide 22: Per Entity Pair Scope
(diagram: host NQNh and subsystem NQNc; a single PSK1 with PSK-ID1 from DH-HMAC-CHAP is used for all TLS sessions between the pair)
Slide 23: Per Association Scope
(diagram: host NQNh and subsystem NQNc; each association has its own PSK and identity, PSK1/PSK-ID1 through PSK4/PSK-ID4, generated by DH-HMAC-CHAP and used for that association's TLS sessions)

Slide 24: Part B: Support Only Use Case #1
- New capability: Generated PSK can be shared among controllers
(diagram, as in Use Case #1: Admin Queue: TCP handshake, ICR/Connect, DH-HMAC-CHAP, TLS handshake; the generated PSK is stored in global state (e.g., keyring); I/O Queue #1, #2, ..., #n: TCP handshake, TLS handshake using the generated PSK, ICR/Connect)
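The per-PSK identity of Part A, as an added worked example (this is not code from the slides, the NVMe specifications, or any vendor implementation): it builds an identity from the slide's prefixes, the two NQNs and a Base64 HMAC digest, checks the binding between a PSK and its identity, and contrasts a keyring keyed by the old single identity with one keyed by per-PSK identities for two controllers of the same subsystem. The HMAC algorithm (SHA-256), the HMAC input layout ("<host NQN> <subsystem NQN>"), the space-separated identity fields and the sample NQNs and PSKs are assumptions of this example, not the spec's exact encoding.

```python
import base64
import hashlib
import hmac

# Identity prefixes as written on the Part A slide ("NVMe01R" retained, "NVMe01G"
# generated); the pre-TP 8018 identities were just "NVMe0R" / "NVMe0G".
NEW_PREFIX = {"R": "NVMe01R", "G": "NVMe01G"}
OLD_PREFIX = {"R": "NVMe0R", "G": "NVMe0G"}


def psk_digest(psk: bytes, host_nqn: str, subsys_nqn: str) -> str:
    """PSK digest: HMAC keyed with the PSK over the host and subsystem NQNs, Base64 encoded.

    ASSUMPTION: HMAC-SHA256 and the input layout "<hostNQN> <subsysNQN>". The slide names
    the inputs but not their byte layout, so this layout is illustrative only.
    """
    mac = hmac.new(psk, f"{host_nqn} {subsys_nqn}".encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")  # 256-bit digest -> 44 ASCII characters


def psk_identity(psk: bytes, host_nqn: str, subsys_nqn: str, kind: str = "G") -> str:
    """TP 8018-style identity: prefix, host NQN, subsystem NQN and the PSK digest."""
    return f"{NEW_PREFIX[kind]} {host_nqn} {subsys_nqn} {psk_digest(psk, host_nqn, subsys_nqn)}"


def old_psk_identity(host_nqn: str, subsys_nqn: str, kind: str = "G") -> str:
    """Pre-TP 8018 identity: no digest, so every PSK between a pair shares one identity."""
    return f"{OLD_PREFIX[kind]} {host_nqn} {subsys_nqn}"


def identity_matches_psk(identity: str, psk: bytes) -> bool:
    """Check the cryptographic binding: recompute the digest from the NQNs in the identity."""
    parts = identity.split(" ")
    if len(parts) != 4 or parts[0] not in NEW_PREFIX.values():
        return False
    _, host_nqn, subsys_nqn, digest = parts
    return hmac.compare_digest(digest, psk_digest(psk, host_nqn, subsys_nqn))


def store_in_keyring(keyring: dict, identity: str, psk: bytes) -> bool:
    """Insert into a keyring keyed by PSK identity. Returns False when the identity is
    already bound to a different PSK, which is the collision the old identity produces."""
    if identity in keyring and keyring[identity] != psk:
        return False
    keyring[identity] = psk
    return True


def scope_demo():
    """Two controllers of one subsystem, each with its own generated PSK (per-controller scope).
    Returns the per-insert results for the old and the new keyring."""
    host = "nqn.2014-08.org.nvmexpress:uuid:host-0001"       # constructed sample NQN
    subsys = "nqn.2014-08.org.nvmexpress:uuid:subsys-0001"   # constructed sample NQN
    psk_c1 = hashlib.sha256(b"constructed PSK generated with controller 1").digest()
    psk_c2 = hashlib.sha256(b"constructed PSK generated with controller 2").digest()

    old_keyring, new_keyring = {}, {}
    old_ok = [store_in_keyring(old_keyring, old_psk_identity(host, subsys), p) for p in (psk_c1, psk_c2)]
    new_ok = [store_in_keyring(new_keyring, psk_identity(p, host, subsys), p) for p in (psk_c1, psk_c2)]
    return old_ok, new_ok


if __name__ == "__main__":
    print(scope_demo())
```

With the old identity the second controller's PSK cannot be stored without overwriting the first, so a TLS handshake naming that identity cannot tell which controller's key is meant; with the digest in the identity both keys coexist, and the same property lets an old and a rolled-over PSK coexist during rollover.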
38、2023 Dell Technologies.All Rights Reserved.TP 8018:NVMe/TCP with TLS UpdatesTLS Concatenation use of Opportunistic TLS26|2023 SNIA.2023 Dell Technologies.All Rights Reserved.A Funny Thing Happenedin an early NVMe/TCP TLS implementation Reminder:TLS concatenation switched to TLS in the middle of a TC
39、P stream DH-HMAC-CHAP authentication performed in the clear,generates a TLS PSK Generated TLS PSK used to authenticate TLS handshake TLS handshake enables TLS,TCP traffic continues under TLS encryption This is called“Opportunistic TLS”Interesting theory what about practice?Implementer:What do I do w
40、ith the NVMe commands that arrived during the TLS handshake?Protocol designers:Ehmm?That wasnt supposed to happen!Implementer:But the code did that now what am I supposed to do?20/20 Hindsight:example of a known problem with opportunistic TLS Unexpected non-TLS traffic bypasses TLS handshake in prog
41、ress Has been seen in SMTP implementations of TLS Multi-layer protocol stack automatically directs incoming traffic to the right protocol layer27|2023 SNIA.2023 Dell Technologies.All Rights Reserved.Solution Approach Part A:Change to a second TCP connection Disconnect:Remove first TCP connection aft
42、er generating TLS PSK Reconnect:Start second TCP connection,use TLS PSK to start TLS handshake What happens to unexpected non-TLS traffic?Stranded on first TCP connection(socket)because second TCP connection uses a different TCP source port Bit-bucketed by teardown/cleanup of first TCP connection(so
43、cket)robust assurance of discard Part B:Unexpected non-TLS traffic closes second connection Simpler check because second TCP connection starts with TLS handshake TLS alert sent(if appropriate)before closing TCP connection28|2023 SNIA.2023 Dell Technologies.All Rights Reserved.TLS Concatenation with
44、Explicit DisconnectAdmin QueueGlobal State(e.g.,keyring)Generated PSK TCP handshake ICReq/ICResp Connect DH-HMAC-CHAP TCP disconnect TCP handshake ICReq/ICResp Connect DH-HMAC-CHAP TCP disconnectGlobal State(e.g.,keyring)Generated PSKTCPTCPNVMe/TCPNVMe/TCPNVMe-oFNVMe-oF29|2023 SNIA.2023 Dell Technol
45、ogies.All Rights Reserved.TLS Concatenation with Explicit DisconnectGlobal State(e.g.,keyring)Generated PSKGlobal State(e.g.,keyring)I/O Queue#1 TCP handshake TLS handshake ICR/Connect TCP handshake TLS handshake ICR/ConnectI/O Queue#2 TCP handshake TLS handshake ICR/Connect TCP handshake TLS handsh
46、ake ICR/ConnectI/O Queue#n TCP handshake TLS handshake ICR/Connect TCP handshake TLS handshake ICR/ConnectGenerated PSKAdmin Queue TCP handshake TLS handshake ICReq/ICResp Connect TCP handshake TLS handshake ICReq/ICResp ConnectTLSTLSNVMe/TCPNVMe/TCPNVMe-oFNVMe-oFTCPTCP30|2023 SNIA.2023 Dell Technol
47、ogies.All Rights Reserved.1.An NVMe/TCP transport session is established2.The Connect exchange is performed to set up an Admin Queue and associate host to controller3.An authentication transaction generating a PSK between host and controller is performed4.The NVMe/TCP transport session is disconnect
48、ed5.An NVMe/TCP-TLS transport session is established using the generated PSK6.The Connect exchange is performed to set up an Admin Queue and associate host to controller7.Secure channel and queue are set up8.An NVMe/TCP-TLS transport session is established using the generated PSK9.The Connect exchan
49、ge is performed to set up the first I/O Queue of the established association10.Secure channel and queue are set up11.An NVMe/TCP-TLS transport session is established using the generated PSK12.The Connect exchange is performed to set up the Nth I/O Queue of the established association13.Secure channe
50、l and queue are set upHostControllerConnect CommandConnect ResponseAuthentication Transaction generating a PSKNVMe/TCP transport session establishmentPSKPSKNVMe/TCP transport session disconnectSecure channel and Admin Queue set upNVMe/TCP-TLS transport session establishment with PSKConnect CommandCo
51、nnect ResponseSecure channel and 1st I/O Queue set upNVMe/TCP-TLS transport session establishment with PSKConnect CommandConnect ResponseSecure channel and Nth I/O Queue set upNVMe/TCP-TLS transport session establishment with PSKConnect CommandConnect ResponseUpdated TLS Concatenation31|2023 SNIA.20
52、23 Dell Technologies.All Rights Reserved.TP 8025:Usage Configuration of NVMe/TCP SecurityWhen to Use a Security Mechanism?32|2023 SNIA.2023 Dell Technologies.All Rights Reserved.Terminology Security mechanism not provisioned:The parameters(e.g.,DH-HMAC-CHAP secret or TLS Configured PSK)needed by tha
53、t security mechanism have not been provisioned and hence the NVMe entity is not able to use that security mechanism Security mechanism provisioned:The parameters(e.g.,DH-HMAC-CHAP secret or TLS Configured PSK)needed by that security mechanism have been provisioned and hence the NVMe entity is able t
54、o use that security mechanism Once a security mechanism is provisioned,usage of that mechanism can be:Disabled:do not use it Permitted:negotiate with the other party Required:do use it Defined in TP 802533|2023 SNIA.2023 Dell Technologies.All Rights Reserved.Usage Behavior:General Logic If a securit
55、y mechanism is disabled,then it is not used No matter what the other entity configuration is If a security mechanism is required,then it is used No matter what the other entity configuration is If a security mechanism is permitted,then:The host decides about using the mechanism from the discovery lo
56、g entry about the NVM subsystem The NVM subsystem let the host decide 34|2023 SNIA.2023 Dell Technologies.All Rights Reserved.Security ProcessingAt TCP connection time:if(TLS provisioned)follow TLS usage behaviorelse continueAfter successful completion of the Connect command:if(Authentication provis
57、ioned)if(TLS not provisioned or connection already in TLS)follow Authentication only usage behavior else follow Authentication with TLS concatenation usage behavior else continue35|2023 SNIA.2023 Dell Technologies.All Rights Reserved.Example:TLS Usage ConfigurationConfigurationDescriptionTLS disable
58、dOnly TCP connections without TLS with a remote entity are allowedTLS permittedTCP connections with and without TLS with a remote entity are allowedTLS requiredOnly TCP connections with TLS with a remote entity are allowed36|2023 SNIA.2023 Dell Technologies.All Rights Reserved.Host TLS BehaviorHost
59、Usage ConfigurationActionTLS disabledDo not initiate TCP connections with TLS.TLS permittedIf the SECTYPE field in the TSAS field in the discovery log entry for the remote entity is not cleared to zero,then initiate TCP connections with TLS,irrespective of the value of the TSC field in that discover
60、y log entry.If establishing any TCP connection with TLS fails and the TSC field in that discovery log entry is not set to 01b(i.e.,Required),the host may fall back to initiate TCP connections without TLS.If the SECTYPE field in the TSAS field in the discovery log entry for the remote entity is clear
61、ed to zero and the TSC field is not set to 01b(i.e.,Required),then initiate TCP connections without TLS.If the SECTYPE field in the TSAS field in the discovery log entry for the remote entity is cleared to zero and the TSC field is set to 01b(i.e.,Required),then that discovery log entry is inconsist
62、ent and TCP connections without TLS may or may not be initiated.If no discovery log entry has been retrieved for the remote entity,then TCP connections with or without TLS may be initiated.TLS requiredInitiate TCP connections with TLS.37|2023 SNIA.2023 Dell Technologies.All Rights Reserved.NVN Subsy
63、stem TLS BehaviorSubsystem Usage ConfigurationActionTLS disabledClose the TCP connection if a TLS handshake is initiated upon completion of the TCP handshakeTLS permittedContinue all TCP connections whether or not a TLS handshake is initiated upon completion of the TCP handshakeTLS requiredClose the
64、 TCP connection if a TLS handshake is not initiated upon completion of the TCP handshake38|2023 SNIA.2023 Dell Technologies.All Rights Reserved.ConclusionTP 8018:Updates to NVMe/TCP with TLSYes,NVMe/TCP-TLS can now be used!TP 8025:Usage Configuration of NVMe/TCP SecurityYes,NVMe over IP security usage can now be consistently configured!39|2023 SNIA.2023 Dell Technologies.All Rights Reserved.Please take a moment to rate this session Your feedback is important to us