[Spread-users] Spread authentication module and SASL

Joshua Goodall joshua at roughtrade.net
Wed Mar 5 20:24:46 EST 2003


On Tue, Mar 04, 2003 at 05:29:11PM -0800, Michael Fair wrote:
> I'm new to Spread so please forgive my ignorance.
> 
> I'm interested in using Spread as the backbone of
> an IRC server network (perhaps even extending it
> to clients).

The open-licensed version of Spread won't perform too well in this
scenario, because it doesn't include the wide-area communication
protocol AFAIK; I doubt that the broadcast protocol will be adequate
over multicast tunnels, unless your IRC network is very closely
coupled and using untunneled multicast.

The IRC server protocol itself tries to form a nondirected acyclic
graph over a mesh of possible connections, and the message transport
is then a pruned flood-fill over this graph.  This will not sit
well with Spread; I have in the past considered writing an adapter
daemon that speaks both IRC and some reliable, multipath meshed
multicast protocol, to act as a proxy for the IRC server.

Ordering is not an issue in IRC, which reduces actual need to that
of a meshable, reliable multicast transport that can cope with
ad-hoc changes in wide-area architecture without restart.

Spread (at least, the open-source Spread) seems to me a poor fit
for those requirements, or I'd have already done this.  In fact
these requirements are closer to the problem of reliable multicast
in a wireless environment.  There are many such experimental
protocols: CAMP, AMRis, AMRoute, ODMRP, GAMER, MAODV come to mind;
they are time-consuming to evaluate.

I suspect that the military have an interest in ad-hoc battlefield
group communication that will keep research in this direction
well-funded.


> Has SASL been considered for use as the authentication
> and security communication layer between Spread clients
> and Servers?

One could embed it in the protocol.  I have a rough decode
of the binary client-server protocol at
http://www.roughtrade.net/spread/spread-client-proto.txt

> I also thought that if SASL could be incorporated
> into the server, then a more dynamic configuration
> could be made possible by having Spread daemons
> authenticate themselves to each other and request
> inclusion into the network (this would of course be
> bi-directional to ensure no one is taking advantage
> of the opportunity to present a "man in the middle"
> attack during a net partition).

The Spread interdaemon protocol is not connection-based,
which would make SASL a hard call.  Have you looked at
Secure/Flush Spread, which could give you relatively
strong levels of encryption and membership?

Joshua.

-- 
Joshua Goodall
joshua at roughtrade.net             "Your object hit ratio is weak, old man"
"If you cache me now, I will dump more core than you can possibly imagine"
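The "pruned flood-fill over a nondirected acyclic graph" that the post attributes to IRC server-to-server transport, as an added Python model (not code from the post, from Spread or from any IRC daemon). Each server relays a message on every link except the one it arrived on; on a tree every server receives exactly one copy, and the same relay rule duplicates messages once a cycle exists, which is why an IRC network must stay acyclic. Server names, the topology and the hop bound are constructed for illustration.

```python
# Added example, not code from Joshua Goodall's post or from Spread/IRC:
# a toy model of IRC-style server-to-server propagation as a pruned flood
# over an undirected link graph. Server names and links are constructed.
from collections import deque


def build_links(pairs):
    """Build an undirected adjacency map (server -> set of linked servers)."""
    links = {}
    for a, b in pairs:
        links.setdefault(a, set()).add(b)
        links.setdefault(b, set()).add(a)
    return links


def propagate(links, origin, max_hops=16):
    """Flood a message from `origin`: each server relays it on all links
    except the one it arrived on (the pruning). Returns server -> number of
    copies delivered. `max_hops` only bounds the walk so the simulation
    terminates on a cyclic graph; real IRC has no such limit."""
    copies = {server: 0 for server in links}
    copies[origin] = 1  # the locally injected copy
    queue = deque([(origin, None, 0)])  # (server, link it arrived on, hops)
    while queue:
        server, came_from, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for neighbour in links[server]:
            if neighbour == came_from:
                continue  # prune: never echo back along the arrival link
            copies[neighbour] += 1
            queue.append((neighbour, server, hops + 1))
    return copies


def is_acyclic(links):
    """An undirected graph is a forest iff |E| == |V| - (number of components)."""
    edges = sum(len(n) for n in links.values()) // 2
    seen, components = set(), 0
    for start in links:
        if start in seen:
            continue
        components += 1
        stack = [start]
        while stack:
            s = stack.pop()
            if s in seen:
                continue
            seen.add(s)
            stack.extend(links[s])
    return edges == len(links) - components


# Constructed topologies: a five-server tree, and the same servers with one
# extra link (hub3-leaf1) that closes the cycle hub1-hub2-leaf1-hub3.
TREE_LINKS = build_links([("hub1", "hub2"), ("hub1", "hub3"),
                          ("hub2", "leaf1"), ("hub3", "leaf2")])
CYCLE_LINKS = build_links([("hub1", "hub2"), ("hub1", "hub3"),
                           ("hub2", "leaf1"), ("hub3", "leaf2"),
                           ("hub3", "leaf1")])

if __name__ == "__main__":
    print("tree acyclic:", is_acyclic(TREE_LINKS), propagate(TREE_LINKS, "leaf1"))
    print("cycle acyclic:", is_acyclic(CYCLE_LINKS), propagate(CYCLE_LINKS, "leaf1"))
```

On the tree every server ends with exactly one copy regardless of where the message is injected; on the cyclic graph the relay rule alone cannot stop duplicates, and only the artificial hop bound ends the simulation.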