[erlang-questions] A sender() BIF?

Richard O'Keefe ok@REDACTED
Tue Feb 23 02:54:38 CET 2010

On Feb 23, 2010, at 3:24 AM, Keis, Andrei wrote:

> I think the focus here should be on remote node authentication (and  
> network identity of the sender process) rather than reply pid, which  
> is part of the message data.

Remote node authentication is the responsibility of the Erlang
distribution protocol, though.  If two nodes are connected, they
trust each other.  One of the recurring topics in this mailing
list is that if you don't physically control the nodes in the
network that are connecting to each other, you shouldn't be using
the standard Erlang distribution protocol but should be rolling
your own.  And authentication is part of that.

Given the existence of the 'rpc' module, if node N (aughty) wants
to send something to node V (ictim), and the process on node V
that N wants to attack is suspicious of foreign messages, all
N has to do is create an agent on V and have _it_ send the message.
What good will it do to know the "network identity of the sender
process" in that case?

In fact we have at least three ways that nodes might communicate:

(little or no security)
    The built-in Erlang distribution protocol.
    Appropriate when you have physical control of the machines and
    the network linking them.
(moderate security)
    Erlang distribution running over some other substrate such as
(more security)
    Specific IP connections to specific ports using custom protocols
    with appropriate authentication.

I don't think it is appropriate to hack on the fundamental machinery
used within a node or trusted cluster (plain Erlang message passing)
to satisfy the needs of less trusting applications.  Not because
there is anything wrong with security, but because once you are "in"
with the Erlang distribution protocol, you are _totally_ in, and
that's not how to get good security.


More information about the erlang-questions mailing list