Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support authorization of nodes #364

Open
engelmi opened this issue Jun 21, 2023 · 0 comments
Open

Support authorization of nodes #364

engelmi opened this issue Jun 21, 2023 · 0 comments
Labels
backlog This is next up in priority enhancement New feature or request

Comments

@engelmi
Copy link
Member

engelmi commented Jun 21, 2023

This is a continuation of #88 and copied from #88 (comment):

TLDR

The answer is as always complicated. The double proxy solution (in my demo HAProxy, but can be other implementation) covers authentication but not authorization. Therefore, it blocks any party without a certificate, but once you have one, nothing stops you from impersonating to any other agent.

What's the problem

When using mutual TLS (mTLS), both the server and the client present their certificate to allow the other party to authenticate them. For simplicity, let's say they share the same CA to both sign their certificate and authenticate the other party's. With this in place, only parties that have access to a certificate signed by this CA can connect to the server.

However, this also means that when different cars share the same CA, if they can connect somehow, nothing in this mechanism stops an agent from car A from connecting to the manager in car B. For this purpose, Hirte has the AllowedNodeNames. So, assuming that nodes in different cars will have names unique to the car, this covers the innocent cases.

But, what about malicious cases? What stops this node from car A from impersonating to a node from car B? Currently, even with the double proxy, nothing. The reason is that the node name is part of the payload. So, nothing stops that malicious node from setting the node name in the payload to that of the node from car B. Please note that the same goes for a rouge node in car B.

Solutions

Partial Solution

I can think of two solutions that can be used reduce the risk and limit it into the nodes inside the car

  1. Use a different CAs in each car.
  2. Use the AllowedNodeNames mechanism also in the server's proxy to allow access based on the subject.

In both of this solutions, nodes from other cars will not be able to connect to the server, either because their certificate has a different CA (1) of because the subject of their certificate is not in the allowed list (2). But, nothing is blocking the rouge node in the same car.

Golden but difficult to implement

The best solution is to get the node name from the certificate's subject and not from the payload. This way you block impersonation altogether since the node's name comes from its certificate. You can see this example on how details from the SSL certificate may be passed to the backend server in HTTP headers. Having said that, while this example is useful for learning how to extract the information, injecting it into the payload (and in our case the D-Bus message) is more complicated.
@engelmi engelmi mentioned this issue Jun 21, 2023
Closed
@engelmi engelmi added the jira Issues that are synced to Jira label Jun 21, 2023
@engelmi engelmi added the enhancement New feature or request label Jul 26, 2023
@mkemel mkemel added backlog This is next up in priority and removed jira Issues that are synced to Jira labels Nov 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backlog This is next up in priority enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@engelmi @mkemel