Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

hiding the real backend server address(#107) #109

Closed
wants to merge 1 commit into from
Closed

hiding the real backend server address(#107) #109

wants to merge 1 commit into from

Conversation

onestraw
Copy link
Contributor

refer #107 for details

@onestraw
Copy link
Contributor Author

Could you review the PR for #107 @juliens @emilevauge

@onestraw
Copy link
Contributor Author

@klizhentas @archisgore any suggestions?

@archisgore
Copy link

If security is your goal, hashing is a bad idea. First of all no matter how strong the hash (and MD5 has been broken a lot), the cardinality of an IP address is only 4 bytes (32 bits) that means only about 4 billion combinations. MD5 generates an output that's 128-bits wide. Meaning nearly every IP will map to one and only one hashed value, making dictionaries even more trivial.

This problem gets much worse because MOST server IPs behind vulcan will be Private addresses, totaling about 17,891,328 (https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces)

Since vulcan is open source, this will be broken trivially.

You need an irreversible transform (or a computationally difficult one to reverse.)

I don't mean to propose a solution here, but here are some thoughts:
My first pick would be a cryptographically secure random number. It would be arbitrary. This is difficult to do in a distributed system like vulcan (without writing back to etcd.) If this could be done, it would be completely unguessable and irreversible.

The other is to salt the hash with some shared random number. Only instances connected to that etcd cluster will have access to the salt value. An attacker would not.

An easy way to salt+hash is to use shared symmetric key. Then encrypt each server's name using this key. Even if the attacker has 17 million or so addresses, they would need to guess one of a bunch of key possibilities (depending on key length).

@archisgore
Copy link

Oh wait, I forgot, this isn't vulcan, but Oxy. Why not externalize the hash function? When instantiating NewStickySession() it can be passed an interface "Obfuscator"

type Obfuscator interface {
    Obfuscate(string) string
    Normalize(string) string
}

Implementors who know how to share data across instances can use random numbers. Other implementors might use salting. While others might be okay with hashing. At least at instantiation, it forces the implementor to make a decision and they know what they're getting into.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants