monotone-devel

Re: [Monotone-devel] netsync status


From: graydon hoare
Subject: Re: [Monotone-devel] netsync status
Date: Tue, 24 Feb 2004 10:42:24 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4


[CC'ing back to the list, they're good questions]

Will wrote:

> Graydon,
> By 'throw out the old network code' do you mean the NNTP/SMTP/Depot code?

that is what I meant, yeah.

> If so, I have to admit this is one of the things I found particularly cool about Monotone: I can wget (or even sneaker-net) a file of Monotone packets instead of requiring a fully-capable network connection. This made it very convenient because our firewall makes it difficult to connect to anything outside HTTP/FTP. Even direct SMTP is not allowed.

ok. this is something I am not completely clear on the facts of. many people (myself included) have "marketed" HTTP-based transports as "firewall friendly". I don't know how much that's true. in particular I don't know whether:

  - most firewalls people work on really do block outbound-initiated
    connections on non-HTTP ports

  - most admins aren't willing to listen to reason on extra cases, eg
    can you convince your admin to let you use cvs pserver?

  - the filtering of non-HTTP traffic (assuming it exists) is mostly
    done by port filtering or application protocol proxying / monitoring

I'll admit to being somewhat pleased with the old "any source of packets will do" approach, too. it's just that, well, it had too many ways of going wrong. if it still gets use I guess I'll maintain it for a while, I just think it would be .. tidier .. to have 1 networking system rather than 2.

I'd appreciate if other people who feel the older system had desirable properties -- concretely, in real world use, not just on paper -- could speak up so I can get a feel for it. I don't want to be rude and remove stuff people have come to like.

> Also, how much protection does the 'netsync' server give itself, e.g. authentication, perhaps encryption (if it's appropriate), DOS... or is this going to be based on the packet-signing such that when it's discovered that someone was sending Trojan packets, they can easily be removed from the repository or 'tagged' as dodgy.

it tries to resist DoS attacks by limiting the number of active connections, the input buffer allocated to each, and the idle time on each. it won't do any database access until it authenticates, and the authentication is based on the existing RSA keys signing nonces. in theory you could DoS it by generating a stream of bogus authentication requests, keeping it in a permanent connect-RSA-verification-fail loop, but this could also be rate-limited without much work. once you get past the RSA authentication you can definitely DoS it, but that's sort of the point.

there is no encryption at the moment, and after authentication a remote party can only gain authorization to (at worst) add objects to your database or read objects back from it (not delete any). specific read/write authorization is controlled on a per-key and per-collection basis in a lua hook you have to provide. after that, like always, monotone makes its security decisions based on evaluating certificates it has on-hand, not based on "where they came from" or any such thing.

there are possibly errors in the decoder functions. that's true of most code that reads from the network, though (ASN.1 anyone?). the question of finding them -- or proving them to not exist -- weighs heavily on my mind.

-graydon
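[Editor's note, not part of the thread.] The design graydon sketches above (a nonce signed with the peer's existing RSA key, a cap on active connections, rate limiting of the connect/verify/fail loop, and a read/write decision made per key and per collection by a hook) is compact enough to show end to end. The following is an added example written for this page, not monotone's netsync code: the NetsyncServer class, the permit() hook signature, the peer addresses, the collection name "com.example.project" and the key ids are all hypothetical. The RSA is textbook (unpadded, hash reduced mod n) and built from hardcoded Mersenne primes so it needs no prime generation; it is for illustration only.

```python
"""Added illustration of the netsync design described above: a nonce signed with
the peer's existing RSA key, a cap on active connections, per-peer rate limiting
of failed authentications, and a per-key/per-collection permission hook. This is
not monotone's code; the RSA is textbook, unpadded and tiny, for demonstration only."""
import hashlib
import os
from collections import defaultdict, deque


def rsa_keygen(k1, k2, e=65537):
    """Toy key from the Mersenne primes 2^k1-1 and 2^k2-1 (k1, k2 distinct values from
    17, 19, 31, 61, 89, 107, 127). Returns ((n, e), d). Real keys are far larger."""
    p, q = 2**k1 - 1, 2**k2 - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(d, pub, msg):
    return pow(_digest(msg, pub[0]), d, pub[0])


def rsa_verify(pub, msg, sig):
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _digest(msg, n)


class NetsyncServer:
    """known_keys: key id -> public key already in the local database. permit(key_id,
    collection, mode) stands in for the lua authorization hook (hypothetical signature)."""

    def __init__(self, known_keys, permit, max_conns=4, max_failures=3, window=60.0):
        self.known_keys, self.permit = known_keys, permit
        self.max_conns, self.max_failures, self.window = max_conns, max_failures, window
        self.active = {}                    # conn_id -> (peer, nonce)
        self.failures = defaultdict(deque)  # peer -> times of failed auths
        self._next_id = 0

    def _throttled(self, peer, now):
        q = self.failures[peer]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def connect(self, peer, now):
        """Accept a connection and issue a fresh nonce, or refuse with None."""
        if len(self.active) >= self.max_conns or self._throttled(peer, now):
            return None
        self._next_id += 1
        self.active[self._next_id] = (peer, os.urandom(16))
        return self._next_id, self.active[self._next_id][1]

    def authenticate(self, conn_id, key_id, sig, now):
        """Verify the signed nonce; the database is not touched before this passes.
        A failure drops the connection and counts against the peer."""
        peer, nonce = self.active[conn_id]
        pub = self.known_keys.get(key_id)
        if pub is None or not rsa_verify(pub, nonce, sig):
            del self.active[conn_id]
            self.failures[peer].append(now)
            return False
        return True

    def close(self, conn_id):
        self.active.pop(conn_id, None)

    def authorize(self, key_id, collection, mode):
        return bool(self.permit(key_id, collection, mode))


def demo():
    """Constructed scenario: alice and bob are known keys, mallory is not."""
    pub_a, d_a = rsa_keygen(61, 89)
    pub_b, _ = rsa_keygen(107, 127)
    pub_m, d_m = rsa_keygen(19, 31)
    coll = "com.example.project"  # hypothetical collection name

    def permit(key_id, collection, mode):  # known keys may read; only alice writes
        return collection == coll and (mode == "read" or key_id == "alice")

    srv = NetsyncServer({"alice": pub_a, "bob": pub_b}, permit)
    out = {}
    cid, nonce = srv.connect("10.0.0.1", now=0.0)
    sig = rsa_sign(d_a, pub_a, nonce)
    out["alice_auth"] = srv.authenticate(cid, "alice", sig, 0.0)
    out["alice_write"] = srv.authorize("alice", coll, "write")
    out["bob_write"] = srv.authorize("bob", coll, "write")
    out["bob_read"] = srv.authorize("bob", coll, "read")
    srv.close(cid)
    cid2, _ = srv.connect("10.0.0.1", now=1.0)  # fresh nonce: the old signature is useless
    out["replay"] = srv.authenticate(cid2, "alice", sig, 1.0)
    for t in range(3):  # mallory's key is unknown, so every attempt fails...
        cid_m, n_m = srv.connect("10.0.0.9", now=2.0 + t)
        srv.authenticate(cid_m, "mallory", rsa_sign(d_m, pub_m, n_m), 2.0 + t)
    out["mallory_throttled"] = srv.connect("10.0.0.9", now=5.0) is None  # ...until rate-limited
    out["mallory_after_window"] = srv.connect("10.0.0.9", now=70.0) is not None
    return out
```

The point worth noticing is the ordering: the per-peer failure counter and the connection cap are checked in connect(), before a nonce is even issued, so a peer stuck in the connect/verify/fail loop graydon mentions is turned away without costing the server an RSA verification. Authentication only establishes which key is speaking; what that key may do to which collection is a separate decision in the hook, and nothing in the exchange depends on where the packets came from.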