Re: First look
On 07/04/11 14:51, Trevor Blackwell wrote:
> I'm setting up spiped to replace my current mesh of ssh -L between cloud
> servers.
Does this mean I can tell people that spiped is going to be running on
robots now? Please please please? ;-)
> So far:
>
> - I wish it had a don't-fork option so I could run it from
> daemontools supervise.
Hmm, ok. I guess that's easy enough to do... personally I'd want spiped
to not respawn if it died, since "daemon died" usually implies "someone is
trying to exploit a security vulnerability" and I don't believe in giving
people second chances.
Any preference for what letter I should use for the option?
> - It should set SO_REUSEADDR on its source socket. Currently it exits
> with EADDRINUSE if you start it within 30 seconds of killing an old one.
>
> I expect to have to start new ones / kill old ones whenever I add /
> remove a backend server. So restart time matters.
Good point. I had intended to do that but I forgot before getting around
to finding the relevant line of code.
> - I don't understand the performance / security tradeoff of the -f
> option.
The -f disables the Diffie-Hellman handshake.
By default:
* spiped can do about 400 handshakes per second on a modern x86 CPU
* if the shared keyfile is compromised, existing connections remain secure
With -f:
* spiped can do over 10000 handshakes per second on a modern x86 CPU
* if the shared keyfile is compromised, anyone who logged the initial
handshake will be able to decrypt and tamper with existing connections.
Either way, connections established *after* the shared keyfile is compromised
will not be secure, of course.
--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
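As an added illustration of the -f trade-off described in the reply above (this is a constructed model, not code from spiped or from either author, and it does not reproduce spiped's actual wire protocol), the following Python contrasts a keyfile-authenticated Diffie-Hellman handshake with a "fast" handshake that derives the session key directly from the shared keyfile and two public nonces. The 2048-bit modulus is assumed to match RFC 3526 group 14; the keyfile, nonces and labels are constructed values. The point it demonstrates is the one Colin makes: a passive observer who logged a DH handshake gains nothing from a later keyfile leak, while the same observer can recompute a -f session key, and in either mode a holder of the keyfile passes handshake authentication, so post-leak connections are unsafe regardless.

```python
"""Model of the spiped -f trade-off: keyfile-authenticated DH (default) versus
a keyfile-only session key (-f). Constructed illustration, not spiped's protocol."""
import hashlib
import hmac
import secrets

# 2048-bit MODP modulus, assumed to match RFC 3526 group 14; generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
SHARE_LEN = 256  # bytes in a serialized group element


def kdf(*parts: bytes) -> bytes:
    """Session key derivation: SHA-256 over length-prefixed inputs."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def mac(keyfile: bytes, label: bytes, data: bytes) -> bytes:
    """Authenticate a handshake message under the shared keyfile."""
    return hmac.new(keyfile, label + data, hashlib.sha256).digest()


def verify_share(keyfile: bytes, label: bytes, share: bytes, tag: bytes) -> bool:
    """Constant-time check that a received share carries a valid keyfile MAC."""
    return hmac.compare_digest(mac(keyfile, label, share), tag)


def dh_handshake(keyfile: bytes):
    """Default mode. Each side sends an ephemeral share g^x with a keyfile MAC;
    the session key mixes g^xy (never on the wire) with the keyfile.
    Returns (wire_transcript, key_client, key_server)."""
    x, y = secrets.randbits(256), secrets.randbits(256)      # ephemeral exponents
    ga = pow(G, x, P).to_bytes(SHARE_LEN, "big")
    gb = pow(G, y, P).to_bytes(SHARE_LEN, "big")
    transcript = {"ga": ga, "mac_a": mac(keyfile, b"A", ga),
                  "gb": gb, "mac_b": mac(keyfile, b"B", gb)}
    # Each peer rejects the other's share unless its MAC verifies.
    if not (verify_share(keyfile, b"B", gb, transcript["mac_b"])
            and verify_share(keyfile, b"A", ga, transcript["mac_a"])):
        raise ValueError("handshake authentication failed")
    shared_c = pow(int.from_bytes(gb, "big"), x, P).to_bytes(SHARE_LEN, "big")
    shared_s = pow(int.from_bytes(ga, "big"), y, P).to_bytes(SHARE_LEN, "big")
    return transcript, kdf(keyfile, ga, gb, shared_c), kdf(keyfile, ga, gb, shared_s)


def fast_handshake(keyfile: bytes):
    """-f mode. No DH: the session key is a function of the keyfile and two
    nonces that both travel in the clear."""
    na, nb = secrets.token_bytes(32), secrets.token_bytes(32)
    key = kdf(keyfile, na, nb)
    return {"na": na, "nb": nb}, key, key


def passive_recovery(transcript: dict, leaked_keyfile: bytes):
    """What an observer who logged the handshake can compute once the keyfile
    leaks later. Returns the session key, or None if the log does not determine it."""
    if "na" in transcript:  # -f: nonces are public, keyfile is now known
        return kdf(leaked_keyfile, transcript["na"], transcript["nb"])
    # DH: g^x and g^y were logged, but x and y never left their hosts, so the
    # keyfile alone does not yield g^xy; the observer faces the DH problem.
    return None


def compare_modes(keyfile: bytes) -> dict:
    """Run both handshakes and report what a later keyfile leak exposes."""
    dh_tr, dh_kc, dh_ks = dh_handshake(keyfile)
    f_tr, f_kc, f_ks = fast_handshake(keyfile)
    wrong_keyfile = bytes(b ^ 0xFF for b in keyfile)  # constructed attacker key
    return {
        "dh_keys_agree": dh_kc == dh_ks,
        "dh_exposed_by_leak": passive_recovery(dh_tr, keyfile) == dh_kc,
        "fast_keys_agree": f_kc == f_ks,
        "fast_exposed_by_leak": passive_recovery(f_tr, keyfile) == f_kc,
        # Without the keyfile a substituted share is rejected; with it, the
        # MAC verifies, which is why post-leak connections are unsafe either way.
        "wrong_keyfile_share_rejected": not verify_share(
            keyfile, b"A", dh_tr["ga"], mac(wrong_keyfile, b"A", dh_tr["ga"])),
        "leaked_keyfile_share_accepted": verify_share(
            keyfile, b"A", dh_tr["ga"], mac(keyfile, b"A", dh_tr["ga"])),
    }


if __name__ == "__main__":
    KEYFILE = secrets.token_bytes(32)  # constructed stand-in for the shared keyfile
    for name, value in compare_modes(KEYFILE).items():
        print(f"{name}: {value}")
```

The model keeps the shared keyfile in the key derivation for both modes, so an observer who never obtains it learns nothing in either; the difference only appears once the keyfile leaks, which is exactly the case the reply separates into "existing connections" and "connections established after".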