[erlang-questions] Controlled interaction of two erlang distributed networks
Dave Smith
dizzyd@REDACTED
Thu Aug 27 05:38:00 CEST 2009
I'm not sure it's worth anything, but I designed and implemented
something along these lines for a class I took last year. You can read
about it here:
http://dizzyd.com/sdist.pdf
I could also make the code available if it's interesting. However, it
does have most of the security properties Kenji was describing.
It would be very nice to have something which permits better port
control than the current EPMD approach. Security guidelines in trusted
environments have grown more stringent over the years and the
"everyone grab a port and register it!" approach doesn't fit well with
semi-trusted environments.
Anyways, I hope this paper will at least stimulate some further discussion. :)
D.
2009/8/26 Kenji Rikitake <kenji.rikitake@REDACTED>:
> Dear Kenneth, Witold and all:
>
> It is not just about the importance, but the encryption should be
> mandated on all protocols between BEAMs and epmds (or anything related
> to distributed operation of Erlang systems), if Ericsson and current
> Erlang users want to earn financial support of Erlang from the
> security-aware (i.e. ordinary) users.
>
> Port-mapping based RPCs in general, not only Erlang's but that of Sun
> RPC (or ONC RPC), have been a long-time source of security problems.
> You can learn this from the various security advisories regarding Sun
> RPC in 1990s, also known as "portmap" problems.
>
> Port-mapping based RPC is extremely unfriendly to firewalls, or
> proxies and packet filters. For example, allowing arbitrary ports for
> BEAM communication is almost infeasible in the modern end-user
> environment, due to entirely disabling incoming TCP connections, or at
> least minimizing it to those absolutely necessary (e.g., ports 80 and
> 443.) And under such circumstances IPsec is not a practical solution
> either, since UDP exchange other than DNS and NTP is usually prohibited.
>
> As Witold explains, information exchanged between epmds is an easy
> target for killing BEAMs. It includes P2P port mappings between the
> BEAMs, so you can easily locate the targets to attack. Communication
> between epmds must be encrypted to prevent this kind of attack.
>
> Of course epmd itself could be a target of DoS attack, but that's
> another issue.
>
> I am not denying the usefulness of the current rpc module in Erlang. It's
> well-written, transparent, low programming overhead for parallelization,
> and is OK so long as being used in a network where arbitrary use of
> TCP ports is allowed. This style of RPC, however, does not scale in
> the hostile real-world Internet, unfortunately.
>
> Erlang has SSL and SSH built-in (with the help of crypto linked-in
> drivers), and I think the CPUs nowadays are fast enough to run something
> equivalent to epmd purely under Erlang without using a dedicated C
> program. So Erlang has a lot of possibilities in implementing secure
> protocols on top of it.
>
> I think making a new RPC protocol from scratch, such as:
>
> * with restricting the usage of TCP connection between two BEAMs to only
> one well-known destination port;
>
> * preferably being able to be forwarded through proxies (i.e. the
> addressing mechanism of BEAMs does not depend on DNS, IP addresses, or
> port numbers); and
>
> * running everything within a BEAM (and linked-in drivers) without
> anything like epmd
>
> will open a new opportunity for Erlang to become a practical system for
> monitoring/controlling distant systems over the Internet. This is a
> challenging but interesting project.
>
> Regards,
> Kenji Rikitake
>
> In the message <1251304615.18875.39.camel@REDACTED>
> dated Wed, Aug 26, 2009 at 06:36:31PM +0200,
> Witold Baryluk <baryluk@REDACTED> writes:
>> On Wed, 2009-08-26 at 18:28 +0200, Kenneth Lundin wrote:
>> > >
>> > > (And using inet_ssl_dist is actually *incomplete* for encrypting all
>> > > necessary traffic, because it does not encrypt epmd traffic at all.)
>> > >
>> > Why do you think it is important to encrypt the epmd traffic?
>> > Is there really any sensitive information exchanged there?
>> > It is really very little data with low frequency exchanged between epmd
>> > and the nodes. It is actually in practice only used during
>> > establishment of a new connection to an Erlang node.
>> >
>> > I am not saying that the Erlang distribution is perfect for the use
>> > over global internet but is really epmd a problem?
>> >
>> > /Kenneth Erlang/OTP Ericsson
>> >
>>
>> I think it allows spoofing registration of nodes. This can cause denial
>> of service.
>>
>> --
>> Witold Baryluk
>
> ________________________________________________________________
> erlang-questions mailing list. See http://www.erlang.org/faq.html
> erlang-questions (at) erlang.org
>
>
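
Added example, not part of the original thread or of the paper linked above: a decoder for two cleartext epmd replies, showing the node-to-port map that the thread says is exchanged unencrypted, plus a check of those ports against a fixed firewall range. The message layouts follow the EPMD protocol as documented with Erlang/OTP; the sample bytes, the node names and the 9100-9105 range are constructed assumptions.

```python
import re
import struct

PORT2_RESP = 119  # tag byte of epmd's reply to a PORT_PLEASE2_REQ lookup

def decode_names_resp(data: bytes):
    """Decode epmd's reply to NAMES_REQ: 4-byte epmd port, then text lines."""
    if len(data) < 4:
        raise ValueError("truncated NAMES_RESP")
    (epmd_port,) = struct.unpack_from(">I", data)
    nodes = {}
    for line in data[4:].decode("latin-1").splitlines():
        m = re.fullmatch(r"name (\S+) at port (\d+)", line)
        if m:
            nodes[m.group(1)] = int(m.group(2))
    return epmd_port, nodes

def decode_port2_resp(data: bytes) -> dict:
    """Decode PORT2_RESP: the listening port of one named node."""
    if len(data) < 2 or data[0] != PORT2_RESP:
        raise ValueError("not a PORT2_RESP")
    if data[1] != 0:  # non-zero result: no such node registered
        return {"found": False, "result": data[1]}
    fixed = struct.Struct(">HBBHHH")  # port, type, proto, high, low, name len
    if len(data) < 2 + fixed.size:
        raise ValueError("truncated PORT2_RESP")
    port, ntype, _proto, high, low, nlen = fixed.unpack_from(data, 2)
    name = data[2 + fixed.size:2 + fixed.size + nlen]
    if len(name) != nlen:
        raise ValueError("truncated node name")
    return {"found": True, "node": name.decode("latin-1"), "port": port,
            "hidden": ntype == 72, "versions": (low, high)}

def outside_range(nodes: dict, lo: int, hi: int) -> list:
    """Nodes whose distribution port a lo..hi firewall rule would not cover."""
    return sorted(n for n, p in nodes.items() if not lo <= p <= hi)

# Constructed sample replies (not captured from any real system).
SAMPLE_NAMES = struct.pack(">I", 4369) + (
    b"name app1 at port 51234\nname db1 at port 9100\n")
SAMPLE_PORT2 = (bytes([PORT2_RESP, 0])
                + struct.pack(">HBBHHH", 9100, 77, 0, 5, 5, 3) + b"db1"
                + struct.pack(">H", 0))  # trailing 2-byte extra-field length

if __name__ == "__main__":
    _, nodes = decode_names_resp(SAMPLE_NAMES)
    print(nodes, outside_range(nodes, 9100, 9105))
    print(decode_port2_resp(SAMPLE_PORT2))
```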