[Linux-ha-dev] Heartbeat authentication [was Re: Heartbeat 0.45 experiences]
Alan Robertson
alanr@bell-labs.com
Tue, 19 Oct 1999 16:37:05 -0600
Crispin Cowan wrote:
>
> Alan Robertson wrote:
>
> > Steve Beattie wrote:
> > > Which begs me to ask: what is the security model
> > > behind the authentication scheme? What sort of threats are you
> > > attempting to prevent by using it?
> >
> > Members of the cluster are given significant privileges with respect to each
> > other. In the current implementation, one cluster member can say to another
> > "give up this resource" and they will. This is immediate denial of service, and
> > opens the door wide for the hacker to masquerade as a cluster member.
> >
> > The authentication is used for two reasons:
> >
> > 1) To prevent joe-hacker from telling our cluster to do
> > something we don't want it to do through the wire.
> >
> > 2) To detect packets corrupted by "normal" network problems,
> > so that we don't try and act on them.
> >
> > We run on IP media, and on raw serial ports. The raw serial ports have no
> > protection against dropped/mangled characters except for the authentication.
> >
> > Basically, we've raised the bar for an intruder to gain control of the cluster
> > through the software we've written. And, we believe we've raised it a good bit
> > above the highly-vulnerable "I trust everything" level it started with. Not
> > only that, but the serial ports needed it for checksums :-)
>
> I'm still a little vague on the threat model that you're considering. Is the
> authentication to prevent an outsider from attacking one of the nodes in the
> cluster? To prevent someone from masquerading as one of the nodes in the cluster?
> Or to prevent the attacker from leveraging a crack into one of the cluster nodes
> into total control of the cluster? They're all important, but crypto applies to
> each case in different ways ...
The authentication was added to prevent an outside computer from being
accepted as a cluster member by the cluster itself, and thereby obtaining the
rights and privileges that go with that. It is believed that it will also
make it somewhat more difficult for an outside computer to disrupt
intracluster communications.
This should help avoid opening new holes that an attacker can use to leverage
into total control of the cluster.
It will not help keep an outside computer from masquerading as a cluster
member to clients, since they don't speak the heartbeat protocol, and aren't
privy to the secret used to authenticate packets. It's all about
intracluster protocols, and keeping outsiders from joining the cluster from
the point of view of the cluster itself.
I haven't been worried about things I didn't create (like old holes).
I'm not a security expert. I was aware of some significant holes, so I asked
Neal McBurnett (a friend who is much more knowledgeable about security
matters) to help us keep from opening large new holes. I've CCed him on this
mail.
As a result, I still may not be answering your question.
Thanks for your patience,
-- Alan Robertson
alanr@bell-labs.com
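The two jobs Alan describes for the authentication, rejecting packets from a host that does not hold the cluster secret and rejecting packets mangled on a raw serial line, can be served by one keyed MAC over each packet. The following is an added illustration, not Heartbeat's own code or wire format: the packet layout, the HMAC-SHA256 choice and the constructed secret are assumptions made for the example.

```python
import hmac
import hashlib
from typing import Tuple

# Shared cluster secret (constructed for this example; a real deployment
# would distribute it out of band to cluster members only).
CLUSTER_SECRET = b"constructed-example-secret"

def tag_packet(secret: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so receivers can check origin and integrity."""
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + mac

def check_packet(secret: bytes, wire: bytes) -> Tuple[bool, bytes]:
    """Return (accepted, payload). Rejects forged and corrupted packets."""
    payload, sep, tag_hex = wire.rpartition(b"|")
    if not sep:
        return False, b""
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    # constant-time comparison avoids leaking the tag byte by byte
    if not hmac.compare_digest(tag_hex, expected):
        return False, b""
    return True, payload

def demo() -> dict:
    """Run the three cases the thread discusses and report which are accepted."""
    msg = b"t=1234 st=up node=node1"  # constructed heartbeat-like payload
    good = tag_packet(CLUSTER_SECRET, msg)
    # Case 1: genuine packet from a cluster member
    member_ok, _ = check_packet(CLUSTER_SECRET, good)
    # Case 2: one byte mangled on a raw serial line
    corrupted = bytearray(good)
    corrupted[3] ^= 0x40
    corrupt_ok, _ = check_packet(CLUSTER_SECRET, bytes(corrupted))
    # Case 3: a packet from an outside host that does not know the secret
    outsider = tag_packet(b"wrong-secret", msg)
    outsider_ok, _ = check_packet(CLUSTER_SECRET, outsider)
    return {"member": member_ok, "corrupted": corrupt_ok, "outsider": outsider_ok}
```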