[Twisted-Python] SSL + AMP
Brian Warner
warner at lothar.com
Thu Mar 20 16:59:17 MDT 2008
> > Does foolscap already support such fall-back behavior for coping with
> > firewalls? Or does that break the security model?
Not yet, and yes.
> "server A can introduce a client B to C by passing B the FURL to some
> object hosted in C's tub"
A motivating use case would be a chat system, in which the central server was
used to introduce clients to each other, and all messages were sent directly
from one client to another. B and C might be two separate clients, and the
point of introduction is when B wants to connect to C.
The server can stash a reference to an object in C's tub, or a FURL to that
object that was generated by C. It can then send one of these to B (perhaps
as an argument to publish message, or a response to a "get all connected
clients" request message). The gift/introduction code in Foolscap lets you
send live references (i.e. RemoteReference instances) to third parties, and
in the current release this causes the FURL of the target to be delivered and
automatically connected to.
But of course this requires that the recipient of the gift be able to connect
to the target, and if that target is behind a firewall then the introduction
will fail.
We don't have any sort of relay or hole-punching code in place yet. As a
result, in Tahoe (http://allmydata.org), the few places that use Introduction
are careful to arrange for the target of the introduction (the "gift") to be
on the publically-visible server, rather than on the probably-behind-NAT
client.
Possible solutions:
1: non-Membrane plaintext Forwarder
It is pretty easy to build a server-side proxy (called a Forwarder) that
has a doRemoteCall() method that just echoes the request on to another
object. Each time B sends a message to that-which-they-think-is-C, really
they're sending it to a Forwarder on A, and the Forwarder sends the
request on to C, gets the response, and forwards the response back to B.
This takes about 5 lines of code:
class Forwarder(Referenceable):
def __init__(self, target):
self.target = target
def doRemoteCall(self, methname, args, kwargs):
return self.target.callRemote(methname, *args, **kwargs)
The first disadvantage is that the Forwarder gets to see (and control) all
messages, so you're vulnerable to it for confidentiality and integrity.
The second disadvantage is that if there are other object references in
the arguments or the responses, those need to be wrapped in Forwarders
too. This is a job for the "Membrane" pattern.
2: yes-Membrane plaintext Forwarder
Eventually Foolscap will have utility functions for building easy
membranes, but not yet. (foolscap ticket #44). Having this would remove
the prohibitions on putting object references in your arguments and return
values, but doesn't remove the vulnerability to the forwarder.
3: per-message ciphertext proxy
Like the Forwarder, but you change the client to encrypt all its messages
first, and the server to decrypt them. This keeps the proxy from seeing
the contents of the messages. Encrypt the responses too. Add more crypto
goo to make sure the proxy can't corrupt either.
Foolscap has some support for serializing arbitrary object graphs, which
would help. The "Sealer/Unsealer" code (foolscap ticket #20) that is under
development will handle both the serialization and the encryption. You'd
need some extra layer to figure out what keys to use.
4: server-side per-Tub ciphertext proxy
The Foolscap negotiation protocol is specifically designed to provide for
multiple Tubs listening on the same port. We build a Relay process to
which the NAT-bound Tubs can attach, registering themselves with a (tubid,
listener_rref) tuple. This listener_rref object has a single accept()
method, which returns a handler_rref object. When B wants to connect to C,
the FURL it uses will contain C's tubid but will have connection hints
that point to the relay's listening socket. When B connects to the relay
and says it wants to talk to tubidC, the relay (during the negotiation
process) tells the listener_rref that it wants a new connection, gets the
handler_rref, then switches into a simple proxy mode where it copies data
from the B-side connection into remote_write() messages sent to the
handler_rref. On C, the contents of these messages are written into a
loopback TCP socket that mimics the data being exchanged between B and the
relay. Responses generated by C get proxied backwards to the relay over
the same connection.
This requires more code, but it's the "right way to do it" for relay. The
intermediate relay doesn't get to see or corrupt the traffic that it is
carrying, and the remote objects on B and C don't need to be aware that
anything unusual is going on. C needs to register with the relay, and the
FURL needs to be created with the right connection hints, but that can be
done once at startup (instead of requiring that every single message be
specially encrypted).
This one is tracked with foolscap ticket #46, copied directly from this
note.
cheers,
-Brian
More information about the Twisted-Python
mailing list