Use PSK between region and rack controllers to encrypt RPC

standalonesa · 12 May 2021 20:53

Hello. I’m a new MaaS user, and while investigating the security stance of the product, I was surprised to see that the data in transit over RPC was plaintext:

20:39:45.724030 IP 10.100.1.10.42446 > maas-poc1.mydomain.com.5252: Flags [P.], seq 827:1280, ack 95, win 501, options [nop,nop,TS val 4204001166 ecr 3529692185], length 453
    0x0000:  4500 01f9 c6a4 4000 3b06 3d17 0a3c 00c0  E.....@.;.=..<..
    0x0010:  0ac4 2484 a5ce 1484 4733 98c3 016b a57e  ..$.....G3...k.~
    0x0020:  8018 01f5 9e22 0000 0101 080a fa93 f78e  ....."..........
    0x0030:  d262 d419 0004 5f61 736b 0002 3365 0008  .b...._ask..3e..
    0x0040:  5f63 6f6d 6d61 6e64 000e 5570 6461 7465  _command..Update
    0x0050:  5365 7276 6963 6573 0008 7365 7276 6963  Services..servic
    0x0060:  6573 0180 0004 6e61 6d65 0004 7466 7470  es....name..tftp
    0x0070:  0006 7374 6174 7573 0007 7275 6e6e 696e  ..status..runnin
    0x0080:  6700 0b73 7461 7475 735f 696e 666f 0000  g..status_info..
    0x0090:  0000 0004 6e61 6d65 0004 6874 7470 0006  ....name..http..
    0x00a0:  7374 6174 7573 0007 7275 6e6e 696e 6700  status..running.
    0x00b0:  0b73 7461 7475 735f 696e 666f 0000 0000  .status_info....
    0x00c0:  0004 6e61 6d65 0005 6468 6370 6400 0673  ..name..dhcpd..s
    0x00d0:  7461 7475 7300 036f 6666 000b 7374 6174  tatus..off..stat
    0x00e0:  7573 5f69 6e66 6f00 0000 0000 046e 616d  us_info......nam
    0x00f0:  6500 0664 6863 7064 3600 0673 7461 7475  e..dhcpd6..statu
    0x0100:  7300 036f 6666 000b 7374 6174 7573 5f69  s..off..status_i
    0x0110:  6e66 6f00 0000 0000 046e 616d 6500 086e  nfo......name..n
    0x0120:  7470 5f72 6163 6b00 0673 7461 7475 7300  tp_rack..status.
    0x0130:  0772 756e 6e69 6e67 000b 7374 6174 7573  .running..status
    0x0140:  5f69 6e66 6f00 0000 0000 046e 616d 6500  _info......name.
    0x0150:  0864 6e73 5f72 6163 6b00 0673 7461 7475  .dns_rack..statu
    0x0160:  7300 0772 756e 6e69 6e67 000b 7374 6174  s..running..stat
    0x0170:  7573 5f69 6e66 6f00 0000 0000 046e 616d  us_info......nam
    0x0180:  6500 0a70 726f 7879 5f72 6163 6b00 0673  e..proxy_rack..s
    0x0190:  7461 7475 7300 0772 756e 6e69 6e67 000b  tatus..running..
    0x01a0:  7374 6174 7573 5f69 6e66 6f00 0000 0000  status_info.....
    0x01b0:  046e 616d 6500 0b73 7973 6c6f 675f 7261  .name..syslog_ra
    0x01c0:  636b 0006 7374 6174 7573 0007 7275 6e6e  ck..status..runn
    0x01d0:  696e 6700 0b73 7461 7475 735f 696e 666f  ing..status_info
    0x01e0:  0000 0000 0009 7379 7374 656d 5f69 6400  ......system_id.
    0x01f0:  0672 7774 7265 6100 00                   .rwtrea..

The rack and the region controllers already share the secret that was used to initially join them. Is there a reason MaaS doesn’t use this to encrypt the communications?

I looked in both the Hardening guide (https://maas.io/docs/snap/2.9/ui/hardening-your-maas-installation) and the TLS guide (https://maas.io/docs/snap/2.9/ui/configuring-tls-encryption) and neither one mention securing the RPC link.

Thoughts?

evan.sikorski · 17 May 2021 04:23

I did this manually using transport-mode (ie. non-tunneling) IPSEC between the rackmounts and region.