[ https://issues.jboss.org/browse/JGRP-2021?page=com.atlassian.jira.plugin.... ] Bela Ban updated JGRP-2021: --------------------------- Description: Although JGroups provides message encryption ({{ENCRYPT}}) and cluster admission control ({{AUTH}}), it _does not_ prevent malicious attacks. For example, if a rogue node creates a minimal stack without encryption or authentication, then it is possible for that member to * Send messages to the cluster * Capture an existing message from a cluster member P, change it (e.g. the seqno) and resend it spooking P's address * Install a new view including itself * Possibly install a new shared key in {{ENCRYPT}}, thereby being able to _receive_ cluster messages The goals are therefore: 1. Prevent cluster members from delivering messages from a non-member (exceptions are join requests from new members and merge requests) 2. Prevent a non-member from receiving any cluster messages The first goal also prevents rogue views from getting installed, or new shared secrets from being installed into {{ENCRYPT}}. h3. Proposed solution * Use ENCRYPT for encryption of the payload *and the headers* * Now _every message_ carries an enrypt header * (Let's assume for the moment that {{ENCRYPT}} is configured to use a shared key) * Sent messages encrypt not just the payload but also the headers h3. Scenarios h4. Installing a rogue view h4. Catching a message from some member P, modifying it and re-sending it on behalf of P * thus was: Although JGroups provides message encryption ({{ENCRYPT}}) and cluster admission control ({{AUTH}}), it _does not_ prevent malicious attacks. For example, if a rogue node creates a minimal stack without encryption or authentication, then it is possible for that member to * Send messages to the cluster * Capture an existing message from a cluster member P, change it (e.g. the seqno) and resend it spooking P's address * Install a new view including itself * Possibly install a new shared key in {{ENCRYPT}}, thereby being able to _receive_ cluster messages The goals are therefore: 1. Prevent cluster members from delivering messages from a non-member (exceptions are join requests from new members and merge requests) 2. Prevent a non-member from receiving any cluster messages The first goal also prevents rogue views from getting installed, or new shared secrets from being installed into {{ENCRYPT}}. h3. Proposed solution * Use ENCRYPT for encryption of the payload *and the headers* * Now _every message_ carries an enrypt header h4. -- This message was sent by Atlassian JIRA (v6.4.11#64026)