aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDimitri Staessens <[email protected]>2024-11-10 10:38:13 +0100
committerDimitri Staessens <[email protected]>2024-11-10 10:38:13 +0100
commit2f8ca12e6ce4e8492761151b519e9c58b40deb67 (patch)
tree92d3ce8d3136fb738a835076288ce0f93aca813c
parent4face8993b1768fa0951edb5608993cb89b97e0c (diff)
downloadwebsite-2f8ca12e6ce4e8492761151b519e9c58b40deb67.tar.gz
website-2f8ca12e6ce4e8492761151b519e9c58b40deb67.zip
blog: add authentication blog
-rw-r--r--content/en/blog/20241110-auth.md134
1 files changed, 134 insertions, 0 deletions
diff --git a/content/en/blog/20241110-auth.md b/content/en/blog/20241110-auth.md
new file mode 100644
index 0000000..e96356c
--- /dev/null
+++ b/content/en/blog/20241110-auth.md
@@ -0,0 +1,134 @@
+---
+date: 2024-11-10
+title: "The other end of the authentication rabbit hole"
+linkTitle: "Authentication"
+author: Dimitri Staessens
+---
+
+'''
+I know the pieces fit
+'Cause I watched them tumble down
+ -- Tool, Schism (2001)
+'''
+
+Mariah Carey signals it almost Christmas, so it sounds like as good a
+time for a blog post. Been a long time since my last one.
+
+My plan for this year for Ouroboros was to clean up the flow allocator
+code, then add implement authentication and clean up and fix packet
+loss handling (EFCP) and congestion avoidance, and then leave the
+elephant - the naming system - for later.
+
+As they say, plans never survive contact with the enemy. At least I
+got the clean-up of the flow allocator code done.
+
+So how did the authentication implementation go, you ask? Or maybe
+not, but I'm going to tell you anyway. Despite not having an
+implementation, the journey has been quite interesting.
+
+The idea was quite simple, actually. I've been been told ad nauseam
+not to "reinvent the wheel", so my approach to authentication was
+going to be as boring as one could expect: establish a flow between
+the client and server, and then do some well-known public key
+cryptography magic to authenticate. It's how SSL does it, nothing
+wrong with that, is there?
+
+After an initial check, I validated I could easily use OpenSSL and
+X509 certificates. This authentication implementation was going to be
+a walk in the park.
+
+But here I am, at least 5 months later, and I don't have this
+implemented.
+
+There was one thing I absolutely wanted to avoid: having to configure
+the certificates for each application. The library could of course add
+some configuration/command line options to each linked application
+(e.g. --certificate), but even that is not to my liking: I know this
+is roughly how it is with OpenSSL certificates today, but it's a drag,
+and the O7s code was very emphatically hinting that it could be
+done.
+
+But how? One way was to map programs to certificates in the IRM
+configuration, and when an application starts, the IRMd will pass it
+the certificate. As an example, the configuration has an entry
+/usr/bin/apache -> apache.crt and when /usr/bin/apache starts, it
+would get that certificate loaded). Meh, that would kind of have
+worked, but it left another problem open: what if I wanted the same
+application to start twice, but with different certificates? In other
+words, I'd need to map the certificate to a process, not to a program.
+That kept my mind busy for a while, as there seemingly was no obvious
+solution to this. I say seemingly, because the solution is as obvious
+as it is simple. But it's far off the current state of affairs.
+
+So, how could I get a process to load a certificate at runtime, but
+configure it in a central location before the process is running?
+That seems like aa catch 22. Mapping the program, instantiating the
+program, then set a new mapping, starting another process, that would
+be an error-prone mess riddled with race conditions.
+
+The answer is simple don't map the process, map the service name. O7s
+already has the primitives to map programs and processes to names. And
+this method is actually not that far off the current Internet. X509
+certficates are usually tied to Domain Names. One part of the puzzle
+solved, and I can still use standard X509 certificates.
+
+So, why don't I have this yet? Glad you asked.
+
+Mapping certificates to names and as such indirectly tying them to
+processes allows for a significantly different approach for
+authentication. Why would we trust the peer with sending us his
+certificate? We can get it from the name system, before establishing
+any communications with the peer. So, instead of allocating a flow,
+and then authenticating and deriving symmetric keys for end-to-end
+in-flight encryption - as is done with TLS - we can do something a lot
+more secure: encrypt absolutely everything - including the initial
+(flow allocation) handshake.
+
+But this has another impact on my implementation plan: I need the
+naming system, as the public certificate needs to be there for this to
+work.
+
+The naming system is a component that has not been written yet. It is
+a distributed application/database and it needs IPC with the IRMd.
+
+And so this has opened another debate in my head: should I start over
+with the implementation?
+
+O7s started in 2016 with the intention to be a RINA implentation, but
+as we went on we changed it quite a bit. Some core parts are a thorn
+in my eye, most notably the synchronous RPC implementation. I don't
+want to build the new component (name system) using that approach, and
+ripping it out of the current implementation is going to be messy.
+
+Starting over would allow using a more "modern" language than C. I've
+been looking at rust and golang, but from my initial survey, they
+don't seem like a good fit due to the lack of shared memory/robust
+mutex support. If C is the only viable language for this thing,
+ripping the guts out of the current implementation might be the best
+option after all.
+
+I've not reached a conclusion yet.
+
+Anyway, as always: Stay Curious. And have a nice end of year.
+
+Dimitri
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+