OSCON 2019 | Time to Think Different

•

1 gostou•168 visualizações

Decoupling Distributed Systems from IP Networks Take a trip with Derek Collison into the history of distributed systems, the good and the bad, and now how to move forward.

Tecnologia

Time to Think Different:
Decoupling distributed systems from
IP networks
oscon.com
#OSCON

oscon.com
#OSCON
Derek Collison / @derekcollison
Founder and CEO at Synadia
๏ Creator of NATS
๏ Founder and Former CEO at Apcera
๏ CTO, Chief Architect at VMware
๏ Architected CloudFoundry
๏ Technical Director at Google
๏ SVP and Chief Architect at TIBCO

“A distributed system is one that prevents you
from working because of the failure of a machine
that you had never heard of.”
Leslie Lamport

Distributed Systems History
1. We created this problem
2. There used to be just one computer
3. Security was a guard that was posted, sometimes
4. Want to do more, buy a faster machine

IP Networks
1. Based on network addressing and routing
2. Network elements can route packets
3. Used to be NO network elements but NICs
4. Now, lots of network elements - try traceroute!

IP Networks
1. Mostly 1:1 (src -> dst)
2. But could do broadcast, kindof
3. Could do select broadcast, e.g. multicast, kindof
4. Management and admin nightmare
5. So mostly 1:1 via TCP/IP, clouds don’t support 1:N

IP Ports
1. 2 bytes - max 65k per src addr
2. Allows multiple “apps” on a single “machine”
3. Deﬁned scale problems with Web Scale 🤔
4. Deﬁned the Firewall era (punch a hole!)
5. Ports == app, e.g. 22, 80, 443, 4222
6. Why is everything HTTP(S)? 😏

DNS
1. Generally does not include the port
2. Generally is not secured
3. Can be compromised easily, e.g. hotels, GoGo
4. Can be hard to register new hostname

Modern Software Systems
1. Decomposable software
2. Services and Streams to Connect
3. Platform technology is maturing
4. Compute and Storage are ubiquitous, but can $$
5. Machine -> VM -> Container -> Serverless -> ????
6. Systems Arch still important, but being forgot

Cryptography
1. Symmetric
2. Asymmetric or PKI
3. Both - Difﬁe Hellman
4. Prime Based -> Elliptic Curve
5. Encrypted Communications, Authenticated, a bit.
6. X509 certiﬁcates - TLS, SSL, HTTPS

x509
1. Public Key Certiﬁcates - PKI
2. Chains of trust (or self signed)
3. A way to trust who you are speaking to
4. Mostly one way
5. Cumbersome, painful, surprising!

Summary
1. Communications over IP networks
2. DNS converts name to IP, but not a port
3. Apps bind to a port, but mostly HTTPS
4. Moderns software systems lots of moving parts
5. They use TLS for encryption and some identity
6. Based off a name, returned as IP from DNS
7. And everything is moving and changing

Think different
1. Do not use IP for addressing/discovery and comms
2. Do not depend on DNS to get the right IP
3. PKI is good, passwords bad. Lose them!
4. Don’t restrict to 1:1 communications
5. Don’t force everything through HTTP(S)
6. Allow scalable Services and Streams, same tech
7. Secure by default, decentralized by design

NATS
1. Based on routing of subjects (topics) not IP
2. Message based, not packet
3. Can do Services and Streams
4. Can do N:M, and queue delivery, not just 1:1
5. Secure and isolated, decentralized by design
6. A Simple, Lightweight, Self Healing System
7. Simple things are Simple, Hard is Possible

NATS Slack
1. Decentralized, no central control or SPOF
2. Secure by default
3. Can run anywhere, on any cloud, platform, or geo
4. Verify messages and users
5. Channels and DMs, DMs private
6. Lightweight
7. Extensible - Your homework

Please Rate this Session
https://conferences.oreilly.com/oscon/oscon-or/public/schedule/detail/75998

Mais conteúdo relacionado

Mais procurados

IPv6 SecuritySkeeve Stevens

Reinventing anon emailantitree

Nsa and vpnantitree

ifwt remote (sydney ruxmon edition)Tim N

2016 TTL Security Gap Analysis with Kali LinuxJason Murray

2600 av evasion_deuceDb Cooper

Device inspection to remote rootTim N

Git MoneyTim N

Practically DROWNingTim N

How Smart Thermostats Have Made Us VulnerableRay Potter

Migrate from windows to linuxMarJose Darang

Kali linux summarisedSanchit Srivastava

The Security layerSwetha S

Kali LinuxChanchal Dabriya

Web Application Security Testing: Kali Linux Is the Way to GoGene Gotimer

nessusMuhammad Yasin

Introduction to ethereum_publicantitree

Best Practice TLS for IBM DominoJared Roberts

Kali LinuxSumit Singh

Kali linuxHarsh Gor

Mais procurados (20)

IPv6 Security

Reinventing anon email

Nsa and vpn

ifwt remote (sydney ruxmon edition)

2016 TTL Security Gap Analysis with Kali Linux

2600 av evasion_deuce

Device inspection to remote root

Git Money

Practically DROWNing

How Smart Thermostats Have Made Us Vulnerable

Migrate from windows to linux

Kali linux summarised

The Security layer

Kali Linux

Web Application Security Testing: Kali Linux Is the Way to Go

nessus

Introduction to ethereum_public

Best Practice TLS for IBM Domino

Kali Linux

Kali linux

Semelhante a OSCON 2019 | Time to Think Different

How Secure is TCP/IP - A review of Network Protocolssuserc49ec4

1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis

Wo defensive trickery_13mar2017Dan Kaminsky

SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite

Hacking Robotics(English Version)Kensei Demura

Setting Up .Onion Addresses for your Enterprise, v3.5Alec Muffett

Black ops of tcp2005 japanDan Kaminsky

Introduction to Computer NetworkingAmit Saha

Bh eu 05-kaminskyDan Kaminsky

Phifer 3 30_04Ayano Midakso

Rapid IPv6 Deployment for ISP NetworksSkeeve Stevens

VPNKetan Paithankar

Java & IoTLeonardo De Moura Rocha Lima

Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay

Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge

Tcp Anonymous Authenticated IDJim MacLeod

Why Many Websites are still Insecure (and How to Fix Them)Cloudflare

Bh fed-03-kaminskyDan Kaminsky

Why and How to use Onion Networking - #EMFCamp2018Alec Muffett

Semelhante a OSCON 2019 | Time to Think Different (20)

How Secure is TCP/IP - A review of Network Protocol

1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)

Wo defensive trickery_13mar2017

SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite

Hacking Robotics(English Version)

Setting Up .Onion Addresses for your Enterprise, v3.5

Black ops of tcp2005 japan

Introduction to Computer Networking

Bh eu 05-kaminsky

Phifer 3 30_04

Rapid IPv6 Deployment for ISP Networks

VPN

Java & IoT

Trick or XFLTReaT a.k.a. Tunnel All The Things

Henrik Strøm - IPv6 from the attacker's perspective

Tcp Anonymous Authenticated ID

Why Many Websites are still Insecure (and How to Fix Them)

Bh fed-03-kaminsky

Why and How to use Onion Networking - #EMFCamp2018

Mais de NATS

RethinkConn 2022!NATS

KubeCon + CloudNative Con NA 2021 | A New Generation of NATSNATS

Easy, Secure, and Fast: Using NATS.io for Streams and ServicesNATS

Deep Dive into Building a Secure & Multi-tenant SaaS Solution with NATSNATS

NATS Connect Live | Serverless on Kubernetes with OpenFaaS & NATSNATS

NATS Connect Live!NATS

NATS Connect Live | SwimOS & NATSNATS

NATS Connect Live | Pub/Sub on the Power GridNATS

NATS Connect Live | Distributed Identity & AuthorizationNATS

NATS Connect Live | NATS as a Service MeshNATS

NATS Connect Live | ResgateNATS

NATS Connect Live | NATS & Augmented RealityNATS

Deploy Secure and Scalable Services Across Kubernetes Clusters with NATSNATS

KubeCon NA 2019 Keynote | NATS - Past, Present, and the FutureNATS

A New Way of Thinking | NATS 2.0 & ConnectivityNATS

Serverless for the Cloud Native Era with FissionNATS

Simple, Secure, Scalable Messaging for the Cloud Native Era - AllThingsOpen 2...NATS

Microservices Meetup San Francisco - August 2017 Talk on NATSNATS

Writing Networking Clients in Go - GopherCon 2017 talkNATS

NATS vs HTTP for Interservice CommunicationNATS

Mais de NATS (20)

RethinkConn 2022!

KubeCon + CloudNative Con NA 2021 | A New Generation of NATS

Easy, Secure, and Fast: Using NATS.io for Streams and Services

Deep Dive into Building a Secure & Multi-tenant SaaS Solution with NATS

NATS Connect Live | Serverless on Kubernetes with OpenFaaS & NATS

NATS Connect Live!

NATS Connect Live | SwimOS & NATS

NATS Connect Live | Pub/Sub on the Power Grid

NATS Connect Live | Distributed Identity & Authorization

NATS Connect Live | NATS as a Service Mesh

NATS Connect Live | Resgate

NATS Connect Live | NATS & Augmented Reality

Deploy Secure and Scalable Services Across Kubernetes Clusters with NATS

KubeCon NA 2019 Keynote | NATS - Past, Present, and the Future

A New Way of Thinking | NATS 2.0 & Connectivity

Serverless for the Cloud Native Era with Fission

Simple, Secure, Scalable Messaging for the Cloud Native Era - AllThingsOpen 2...

Microservices Meetup San Francisco - August 2017 Talk on NATS

Writing Networking Clients in Go - GopherCon 2017 talk

NATS vs HTTP for Interservice Communication

Último

Connecting the Dots for Information Discovery.pdfNeo4j

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal

2024 April Patch TuesdayIvanti

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3

TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3

Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda

Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada

Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll

Scale your database traffic with Read & Write split using MySQL RouterMydbops

Data governance with Unity Catalog PresentationKnoldus Inc.

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein

Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes

How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe

Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq

Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica

MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar

Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple

OSCON 2019 | Time to Think Different

1. Time to Think Different: Decoupling distributed systems from IP networks oscon.com #OSCON

2. oscon.com #OSCON Derek Collison / @derekcollison Founder and CEO at Synadia ๏ Creator of NATS ๏ Founder and Former CEO at Apcera ๏ CTO, Chief Architect at VMware ๏ Architected CloudFoundry ๏ Technical Director at Google ๏ SVP and Chief Architect at TIBCO

3. Think Different

4. Distributed Systems

5. “A distributed system is one that prevents you from working because of the failure of a machine that you had never heard of.” Leslie Lamport

6. How did we get here?

7. Distributed Systems History 1. We created this problem 2. There used to be just one computer 3. Security was a guard that was posted, sometimes 4. Want to do more, buy a faster machine

8. Networks

9. Network Protocols

10. IP Won

11. TCP/IP Won

12. IP Networks 1. Based on network addressing and routing 2. Network elements can route packets 3. Used to be NO network elements but NICs 4. Now, lots of network elements - try traceroute!

13. IP Networks 1. Mostly 1:1 (src -> dst) 2. But could do broadcast, kindof 3. Could do select broadcast, e.g. multicast, kindof 4. Management and admin nightmare 5. So mostly 1:1 via TCP/IP, clouds don’t support 1:N

14. Ports?

15. Oh yea, Ports..

16. IP Ports 1. 2 bytes - max 65k per src addr 2. Allows multiple “apps” on a single “machine” 3. Deﬁned scale problems with Web Scale 🤔 4. Deﬁned the Firewall era (punch a hole!) 5. Ports == app, e.g. 22, 80, 443, 4222 6. Why is everything HTTP(S)? 😏

17. Numbers Suck!

18. Thought too small too!

19. IPv4 vs IPv6

20. You know your BF’s Phone number?

21. DNS

22. ��

23. When in Doubt...

24. Always Blame DNS

25. ��

26. DNS 1. Generally does not include the port 2. Generally is not secured 3. Can be compromised easily, e.g. hotels, GoGo 4. Can be hard to register new hostname

27. Detour

28. Modern Software Systems 1. Decomposable software 2. Services and Streams to Connect 3. Platform technology is maturing 4. Compute and Storage are ubiquitous, but can $$ 5. Machine -> VM -> Container -> Serverless -> ???? 6. Systems Arch still important, but being forgot

29. What About?

30. Security?

31. Trust?

32. Cryptography

33. Cryptography 1. Symmetric 2. Asymmetric or PKI 3. Both - Difﬁe Hellman 4. Prime Based -> Elliptic Curve 5. Encrypted Communications, Authenticated, a bit. 6. X509 certiﬁcates - TLS, SSL, HTTPS

34. x509 1. Public Key Certiﬁcates - PKI 2. Chains of trust (or self signed) 3. A way to trust who you are speaking to 4. Mostly one way 5. Cumbersome, painful, surprising!

35. Thank You! Let’s Encrypt

36. Summary

37. Summary 1. Communications over IP networks 2. DNS converts name to IP, but not a port 3. Apps bind to a port, but mostly HTTPS 4. Moderns software systems lots of moving parts 5. They use TLS for encryption and some identity 6. Based off a name, returned as IP from DNS 7. And everything is moving and changing

38. Houston..

39. We need our own Tesla Moment

40. Stop making things more complicated

41. Think Different

42. Think different 1. Do not use IP for addressing/discovery and comms 2. Do not depend on DNS to get the right IP 3. PKI is good, passwords bad. Lose them! 4. Don’t restrict to 1:1 communications 5. Don’t force everything through HTTP(S) 6. Allow scalable Services and Streams, same tech 7. Secure by default, decentralized by design

43.

44. NATS 1. Based on routing of subjects (topics) not IP 2. Message based, not packet 3. Can do Services and Streams 4. Can do N:M, and queue delivery, not just 1:1 5. Secure and isolated, decentralized by design 6. A Simple, Lightweight, Self Healing System 7. Simple things are Simple, Hard is Possible

45. Example

46. NATS Slack 1. Decentralized, no central control or SPOF 2. Secure by default 3. Can run anywhere, on any cloud, platform, or geo 4. Verify messages and users 5. Channels and DMs, DMs private 6. Lightweight 7. Extensible - Your homework

47. We built a demo

48. And its OpenSource!

49. docker run -ti --rm synadia/oscon

50. github.com ConnectEverything/oscon2019

51. DEMO

52. Thank You!

53. Please Rate this Session https://conferences.oreilly.com/oscon/oscon-or/public/schedule/detail/75998