[erlang-questions] Controlled interaction of two erlang distributed networks

Kenji Rikitake kenji.rikitake@REDACTED
Thu Aug 27 02:56:11 CEST 2009 

Dear Kenneth, Witold and all:

It is not just about the importance, but the encryption should be
mandated on all protocols between BEAMs and epmds (or anything related
to distributed operation of Erlang systems), if Ericsson and current
Erlang users want to earn financial support of Erlang from the
security-aware (i.e. ordinary) users.

Port-mapping based RPCs in general, not only Erlang's but that of Sun
RPC (or ONC RPC), have been a long-time source of security problems.
You can learn this from the various security advisories regarding Sun
RPC in 1990s, also known as "portmap" problems.

Port-mapping based RPC is extremely unfriendly against firewalls, or
proxies and packet filters.  For example, allowing arbitrary ports for
BEAM communication is almost infeasible in the modern end-user
environment, due to entirely disabling incoming TCP connections, or at
least minimizing it to those absolutely necessary (e.g., ports 80 and
443.)  And under such circumstances IPsec is not a practical solution
either, since UDP exchange other than DNS and NTP is usually prohibited.

As Witold explains, information exchanged between epmds is an easy
target for killing BEAMs.  It includes P2P port mappings between the
BEAMs, so you can easily locate the targets to attack.  Communication
between epmds must be encrypted to prevent this kind of attack.

Of course epmd itself could be a target of DoS attack, but that's
another issue.

I am not denying the usefulness of current rpc module in Erlang.  It's
well-written, transparent, low programming overhead for parallelization,
and is OK so long as being used in a network where arbitrary use of
TCP ports are allowed.  This style of RPC, however, does not scale in
the hostile real-world Internet, unfortunately.

Erlang has SSL and SSH built-in (with the help of crypto linked-in
drivers), and I think the CPUs nowadays are fast enough to run something
equivalent to epmd purely under Erlang without using a dedicated C
program.  So Erlang has a lot of possibilities in implementing secure
protocols on top of it.  

I think making a new RPC protocol from scratch, such as: 

* with restricting the usage of TCP connection between two BEAMs to only
one well-known destination port;

* preferably being able to forwarded through proxies (i.e. the
addressing mechanism of BEAMs does not depend on DNS, IP addresses, or
port numbers); and

* running everything within a BEAM (and linked-in drivers) without
anything like epmd
 
will open a new opportunity for Erlang to become a practical system for
monitoring/controlling distant systems over Internet.  This is a
challenging but an interesting project.

Regards,
Kenji Rikitake

In the message <1251304615.18875.39.camel@REDACTED>
dated Wed, Aug 26, 2009 at 06:36:31PM +0200,
Witold Baryluk <baryluk@REDACTED> writes:
> Dnia 2009-08-26, śro o godzinie 18:28 +0200, Kenneth Lundin pisze:
> > >
> > > (And using inet_ssl_dist is actually *incomplete* for encrypting all
> > > necessary traffics, because it does not encrypt empd traffic at all.)
> > >
> > Why do you think it is important to encrypt the epmd traffic?
> > Is there really any sensitive information exchanged there?
> > It is really very little data with low frequency exchanged between epmd
> > and the nodes. It is actually in practice only used during
> > establishment of a new connection to an Erlang node.
> > 
> > I am not saying that the Erlang distribution is perfect for the use
> > over global internet but
> > is really epmd a problem?
> > 
> > /Kenneth Erlang/OTP Ericsson
> > 
> 
> I think it allows spoofing registration of nodes. This can cause denial
> of service.
> 
> -- 
> Witold Baryluk

More information about the erlang-questions mailing list