Coda File System

Re: Coda development (rpc2 handshake / instance authentication)

From: <u-myfx_at_aetey.se>
Date: Fri, 6 May 2016 16:31:25 +0200
On Fri, May 06, 2016 at 09:18:55AM -0400, Jan Harkes wrote:
> We are talking about RPC2, which is a messaging protocol between clients
> and servers that relies on shared secrets to get a common session key.
> 
> If client A wants to connect to server B and somehow finds out that it
> is supposed to connect to address X port Y, and whoever 'picks up the
> phone' at that address uses the correct shared secret to complete the
> handshake, then there is no use for the instance id.

Exactly, I would like a small change in rpc2 to be able to make use of it.

An alternative would be for protocols on top of rpc2 to begin the
conversation with the server party presenting itself.

> Because if A somehow got connected to something that isn't B, then there
> is no reliable way to resolve the issue of 'how do I connect to B'.

This is not the issue I am worried about, but rather "prevent
A from talking to B's brother C when A intended to talk to B".

(The issue of an unavailable service is the one Coda is meant to deal
with gracefully)

> > I would not dare to analyze _all_ cases including possibly unknown future
> > ones and be sure that talking to a wrong instance never ever can lead
> > to a problem.
> 
> There is no such thing as a wrong instance, and if you think the client
> application could have a better idea than the server instances I've got
> some bad news for you.

:)

For me, if the instance is not the one the rpc2 client meant to contact,
it is wrong. There is nothing in the code which prevents this.

You insist that when this happens, it is guaranteed to be harmless.

I do not see any guarantee for being harmless and I doubt you
have analyzed the system exhaustively, to be able to say _never_.

Note, I do not say that there _will_ be any harm, but I want to be sure
there will not be.

You are right that a peer instance check is not included in the rpc2
functionality. This does not seem to be hard to add.

Do you feel this would be expensive or risky? What would be the downsides,
besides the corresponding API extension (adding a "server instance id"
argument)?

Regards,
Rune
Received on 2016-05-06 10:32:07
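The instance-id check discussed in this thread, modelled as an added example (not RPC2's actual handshake or any Coda code; the secret, instance ids and nonces are constructed). The server binds the instance id it announces into a MAC keyed with the shared secret, so a client that meant B can reject a reply from an honest-but-wrong instance C, while a peer that holds the secret is still free to announce whatever id it likes.

```python
import hashlib
import hmac
import os


def server_response(secret, instance_id, client_nonce, server_nonce=None):
    """Server side: answer the client's nonce with a MAC keyed by the shared
    secret.  The announced instance id is part of the MACed transcript, so
    it cannot be changed in transit by anyone without the secret."""
    if server_nonce is None:
        server_nonce = os.urandom(16)
    transcript = b"|".join([b"srv", instance_id, client_nonce, server_nonce])
    tag = hmac.new(secret, transcript, hashlib.sha256).digest()
    return instance_id, server_nonce, tag


def client_accepts(secret, expected_instance, client_nonce, response,
                   check_instance=True):
    """Client side.  check_instance=False models a handshake that verifies
    only the shared secret: any holder of the secret is accepted."""
    instance_id, server_nonce, tag = response
    transcript = b"|".join([b"srv", instance_id, client_nonce, server_nonce])
    expected = hmac.new(secret, transcript, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # wrong secret, or transcript tampered with
    return (not check_instance) or instance_id == expected_instance


def demo():
    """Client meant to reach instance B but its packet arrived at C, which
    holds the same realm secret (constructed values throughout)."""
    secret = b"realm-shared-secret"
    client_nonce = bytes(16)
    srv_nonce = bytes([1] * 16)
    honest_c = server_response(secret, b"instance-C", client_nonce, srv_nonce)
    # A peer holding the secret is not prevented from announcing B's id:
    c_claiming_b = server_response(secret, b"instance-B", client_nonce, srv_nonce)
    return {
        "secret_only": client_accepts(secret, b"instance-B", client_nonce,
                                      honest_c, check_instance=False),
        "with_id_check": client_accepts(secret, b"instance-B", client_nonce,
                                        honest_c),
        "same_secret_claiming_b": client_accepts(secret, b"instance-B",
                                                 client_nonce, c_claiming_b),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The third result is the caveat to keep in mind when weighing the API extension: the id check catches misdirected traffic to a cooperating instance, not a holder of the secret that deliberately presents another instance's id.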