Opened 16 years ago
Last modified 10 years ago
#67 closed task
remove UnauthenticatedTub — at Version 9
| Reported by: | Brian Warner | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 0.8.0 |
| Component: | usability | Version: | 0.2.5 |
| Keywords: | security | Cc: | Zooko |
Description (last modified by )
As recommended in #66, there may be good reasons to have Foolscap simply require pyOpenSSL unconditionally, and remove the option of using UnauthenticatedTub. It needs some more thought, though.
Change History (9)
comment:1 Changed 16 years ago by
comment:2 follow-up: 4 Changed 16 years ago by
This is an opportunity to learn about the costs of securing foolscap.
Why is it important to bgranger to avoid the requirement on pyOpenSSL?
Possible reasons:
- Key management makes things harder. The foolscap design should make this not be the case. If it is still the case I would love to know why. (This is a unique feature of foolscap over alternative secure RPC mechanisms -- that the object-capability paradigm makes the key management problem go away.)
- CPU cost of SSL/AES/HMAC/SHA. I would be surprised if this were actually an issue for bgranger's deployments, but maybe it is. Is there evidence that this is a problem? (If it is, then this is useful information for the future, in the future foolscap could use a more CPU-efficient encryption and authentication scheme. I was just describing to Brian a few minutes ago how there are new improved stream ciphers out now which seem to be both faster and safer than AES, for example.)
- Time and network utilization costs of SSL startup. Again, our measurements have shown that this is negligible. What was it -- something like 10,000 connections per second? However, bgranger's network performance characteristics might be different, and if so I would like to learn about it. (A future version of foolscap could use a crypto protocol with faster startup than SSL.)
- Availability of OpenSSL on deployment target. This one I totally believe is an issue for bgranger. I myself have had problems configuring and installing OpenSSL on Windows, Cygwin, and Mac OS X. I wouldn't be surprised if it either doesn't port to the supercomputer at all, or if it does so only with extensive configuration tweaks. Also, even if the source code can be easily built on a deployment target, that isn't the same as it being sufficiently convenient to depend on it being there. I wouldn't be surprised if the worst problem with requiring pyOpenSSL was that there is no simple, cross-platform way to express the fact that pyOpenSSL requires OpenSSL, and have that requirement automatically resolved.
- Other? Is there any problem with using pyOpenSSL in your environment, bgranger, other than the problems mentioned above?
Thank you very much!
comment:3 Changed 16 years ago by
Correction: Brian showed me the spot on the whiteboard where we had scribbled our notes about OpenSSL benchmarking. It was 100 connections per second, which caused a 30% CPU load. Presumably therefore it could handle 300 connections per second if it didn't need to do anything else with its CPU. This was on a typical server from a year or two ago -- 1 CPU, 1 core, about 2 or 3 GHz, Athlon64 or x86 architecture.
Also note that this isn't measuring latency incurred by the SSL connection negotiation, it is only measuring the "connection establishment throughput" -- connections established over some long time period (tens of seconds) divided by that time period.
comment:4 Changed 16 years ago by
Replying to zooko:
This is an opportunity to learn about the costs of securing foolscap.
Why is it important to bgranger to avoid the requirement on pyOpenSSL?
Possible reasons:
- Key management makes things harder. The foolscap design should make this not be the case. If it is still the case I would love to know why. (This is a unique feature of foolscap over alternative secure RPC mechanisms -- that the object-capability paradigm makes the key management problem go away.)
This is a not an issue for us for the reason you mention.
- CPU cost of SSL/AES/HMAC/SHA. I would be surprised if this were actually an issue for bgranger's deployments, but maybe it is. Is there evidence that this is a problem? (If it is, then this is useful information for the future, in the future foolscap could use a more CPU-efficient encryption and authentication scheme. I was just describing to Brian a few minutes ago how there are new improved stream ciphers out now which seem to be both faster and safer than AES, for example.)
This _could_ be a huge issue for us. Our bottleneck process maintains a large number of persistent (hundreds) connections to workers. We need extremely low latency in all of these connections and if this single process has to do a lot of CPU bound work for encryption related things, we could have a problem. I would be very interested in learning about how to use the newer ciphers.
The other performance related thing is that much of the time, we are running over loopback in a single user workstation - in this context, most users will not need security. It seems crazy to force it on them.
- Time and network utilization costs of SSL startup. Again, our measurements have shown that this is negligible. What was it -- something like 10,000 connections per second? However, bgranger's network performance characteristics might be different, and if so I would like to learn about it. (A future version of foolscap could use a crypto protocol with faster startup than SSL.)
All of our connections are persistent, so this is not a big issue.
- Availability of OpenSSL on deployment target. This one I totally believe is an issue for bgranger. I myself have had problems configuring and installing OpenSSL on Windows, Cygwin, and Mac OS X. I wouldn't be surprised if it either doesn't port to the supercomputer at all, or if it does so only with extensive configuration tweaks. Also, even if the source code can be easily built on a deployment target, that isn't the same as it being sufficiently convenient to depend on it being there. I wouldn't be surprised if the worst problem with requiring pyOpenSSL was that there is no simple, cross-platform way to express the fact that pyOpenSSL requires OpenSSL, and have that requirement automatically resolved.
This is a huge one for us. We _have_ to be able to run anywhere that Python+twisted runs. The more exotic platforms for us include AIX and hacked up linux versions on supercomputers. If we can't run foolscap without SSL, we will have to consider dropping foolscap and instead go with plain PB for these contexts. But I _really_ don't want to have to maintain a PB version of all of our stuff.
- Other? Is there any problem with using pyOpenSSL in your environment, bgranger, other than the problems mentioned above?
Thank you very much!
comment:5 Changed 12 years ago by
The IPython project has long since dropped using foolscap and switched to "ZeroMQ". Their primary reason for that switch appers to be Python 3 support:
http://ipython.org/ipython-doc/stable/development/ipythonzmq.html
(Aside: the work-arounds for the lack of access control/confidentiality/integrity in ZeroMQ appear to amount to a bit of hassle and/or vulnerability: http://ipython.org/ipython-doc/dev/parallel/parallel_security.html )
This probably means there are no users of foolscap who require insecure mode.
By the way, I'm reminded of Ian Grigg's immortal rules for secure protocol design:
"H3: There Is Only One Mode And It Is Secure"
http://iang.org/ssl/h3_there_is_only_one_mode_and_it_is_secure.html
comment:6 Changed 11 years ago by
| Milestone: | undecided → 0.6.5 |
|---|
comment:7 Changed 11 years ago by
| Summary: | consider unconditionally requiring pyOpenSSL (and remove UnauthenticatedTub) → remove UnauthenticatedTub |
|---|
comment:8 Changed 11 years ago by
Here's the first patch for this ticket: https://github.com/warner/foolscap/pull/16
comment:9 Changed 11 years ago by
| Description: | modified (diff) |
|---|---|
| Milestone: | 0.6.5 → 0.7.0 |
moving this to 0.7.0 . We'll put the minor stuff in the next minor release (0.6.5), and this more significant (API-breaking) change in the more-major release (0.7.0).
Replying to warner:
Please don't do this. The IPython project is now using foolscap in its parallel computing infrastructure. In some cases:
1) Connecting processes on loopback only
2) In heavily secured contexts where the system is secured through other means
We really need to be able to use foolscap in its insecure mode. Also, we are not confident that openssl is available on some of the more exotic systems (supercomputers) we will be running on. Finally, in these contexts, we need to be able to use foolscap without SSL for performance reasons.
Summary: we are loving foolscap, but definitely prefer to have pyOpenSSL optional. I should mention though that in IPython the default mode is secure!