[Planetlab-devel] Best-effort port sharing
Justin Cappos
justincappos at gmail.com
Sat Mar 15 22:10:56 EST 2008
> Yes, we can give out the slice id as well.
Okay, the slice ID is fine. If I recall correctly, we can ask the NM for
the slice name (which is what we really need because the slice name is what
we need to pass to Proper / vsys).
> Could you briefly describe
> how authentication in Stork works currently, and how it relies on the
> old port-binding semantics, so that we can understand your
> requirements better?
>
Sure. Stork has "client slices" (i.e. every slice that uses Stork) and a
"nest slice" that shares files with the client slices to improve network
bandwidth, disk utilization, and memory use. The client slices communicate
with the nest to perform actions on their behalf. For security reasons,
we'd like each end of the connection to know who they are talking to.
Currently, the client slices authenticate the nest by opening a connection
to a low numbered port (that only the nest can bind to). The nest
authenticates the client by asking the client to give it permission to share
a directory created with a name generated with a secure random number
generator.
I've thought about it some more and we could change our authentication
protocol to use the protections in the sharing mechanism to similarly
authenticate the nest to the client. It's non-desirable for several
reasons, mostly because the obvious way to do this within Stork presents us
with a choice to make between security and developer flexibility.
Ideally, we'd like to have a way to do authentication without this issue.
I'm a bit time crunched right now but would be happy to expand on any of
this explanation later if something is unclear...
Thanks,
Justin
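
An added illustration, not part of the original message and not Stork's code: a local model of the nest-authenticates-client step described above, where a random directory name acts as a one-time challenge. It assumes the nest picks the name and that the sharing mechanism reliably ties a directory to the slice that owns it; `Nest`, `client_respond`, `slice_roots` and the slice names are hypothetical.

```python
import os
import secrets
import tempfile

class Nest:
    """Nest side: issues one-time directory-name challenges and checks them."""
    def __init__(self, slice_roots):
        # slice_roots stands in for the trusted sharing mechanism (assumption):
        # slice name -> the only filesystem tree that slice can write to.
        self.slice_roots = slice_roots
        self.pending = {}  # claimed slice name -> outstanding challenge name

    def challenge(self, claimed_slice):
        # Assumption: the nest chooses the name. 128 bits from the OS CSPRNG.
        name = secrets.token_hex(16)
        self.pending[claimed_slice] = name
        return name

    def verify(self, claimed_slice):
        # pop() makes each challenge single-use, so a replayed answer fails.
        name = self.pending.pop(claimed_slice, None)
        root = self.slice_roots.get(claimed_slice)
        if name is None or root is None:
            return False
        path = os.path.join(root, name)
        # Refuse symlinks: the entry must be a real directory in that tree.
        return os.path.isdir(path) and not os.path.islink(path)

def client_respond(own_root, name):
    """Client side: create the challenge directory inside its own tree."""
    os.mkdir(os.path.join(own_root, name), 0o700)

def demo():
    with tempfile.TemporaryDirectory() as base:
        roots = {}
        for s in ("slice_a", "slice_b"):  # constructed slice names
            roots[s] = os.path.join(base, s)
            os.mkdir(roots[s])
        nest = Nest(roots)
        # Honest client: slice_a answers its own challenge.
        client_respond(roots["slice_a"], nest.challenge("slice_a"))
        honest = nest.verify("slice_a")
        # Impersonation: slice_b claims to be slice_a but can only write
        # inside its own tree, so the nest never sees the directory.
        client_respond(roots["slice_b"], nest.challenge("slice_a"))
        spoofed = nest.verify("slice_a")
        replay = nest.verify("slice_a")  # no outstanding challenge left
        return honest, spoofed, replay
```

The check is only as strong as the mapping from directory to owning slice, which is why the model treats that mapping as trusted input rather than something the client supplies.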