From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp89.iad3a.emailsrvr.com (smtp89.iad3a.emailsrvr.com [173.203.187.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id 23AB03CB35 for ; Thu, 4 Jan 2018 17:12:39 -0500 (EST) Received: from smtp4.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp4.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id D79D45713; Thu, 4 Jan 2018 17:12:38 -0500 (EST) X-SMTPDoctor-Processed: csmtpprox beta Received: from smtp4.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp4.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id D12D15772; Thu, 4 Jan 2018 17:12:38 -0500 (EST) Received: from app9.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp4.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id B64835713; Thu, 4 Jan 2018 17:12:38 -0500 (EST) X-Sender-Id: dpreed@deepplum.com Received: from app9.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by 0.0.0.0:25 (trex/5.7.12); Thu, 04 Jan 2018 17:12:38 -0500 Received: from deepplum.com (localhost.localdomain [127.0.0.1]) by app9.wa-webapps.iad3a (Postfix) with ESMTP id A4883C0046; Thu, 4 Jan 2018 17:12:38 -0500 (EST) Received: by apps.rackspace.com (Authenticated sender: dpreed@deepplum.com, from: dpreed@deepplum.com) with HTTP; Thu, 4 Jan 2018 17:12:38 -0500 (EST) X-Auth-ID: dpreed@deepplum.com Date: Thu, 4 Jan 2018 17:12:38 -0500 (EST) From: "dpreed@deepplum.com" To: "Dave Taht" Cc: "=?utf-8?Q?Joel_Wir=C4=81mu_Pauling?=" , "Jonathan Morton" , cerowrt-devel@lists.bufferbloat.net MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_20180104171238000000_25199" Importance: Normal X-Priority: 3 (Normal) X-Type: html In-Reply-To: References: <1515103376.00366530@apps.rackspace.com> Message-ID: <1515103958.671820801@apps.rackspace.com> X-Mailer: webmail/12.9.10-RC Subject: Re: [Cerowrt-devel] =?utf-8?q?KASLR=3A_Do_we_have_to_worry_about_othe?= =?utf-8?q?r_arches_than_x86=3F?= X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Jan 2018 22:12:39 -0000 ------=_20180104171238000000_25199 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable =0AI don't disagree about using containers being useful as one of many secu= rity mechanisms. They are useful against certain attack vectors, but depend= on two things: 1) kernel correctness, and 2) putting all functionality in = separate userspace processes to satisfy the "principle of least privilege".= =0A =0A-----Original Message-----=0AFrom: "Dave Taht" = =0ASent: Thursday, January 4, 2018 5:04pm=0ATo: "dpreed@deepplum.com" =0ACc: "Joel Wir=C4=81mu Pauling" , "Jon= athan Morton" , cerowrt-devel@lists.bufferbloat.net= =0ASubject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arch= es than x86?=0A=0A=0A=0AOn Thu, Jan 4, 2018 at 2:02 PM, dpreed@deepplum.com= wrote:=0A> Containers and kernel namespaces, and so = forth are MEANINGLESS against the=0A> Meltdown and Sceptre problems. It's a= hardware bug that lets any userspace=0A> process access anything the kerne= l can address.=0A=0AJust to be clear, I was merely agreeing with joel that = containers had=0Amatured enough to be potentially usuable for some level of= process=0Aisolation and firewalling, not that it applied to coping with Me= ltRe.=0A>=0A>=0A>=0A> -----Original Message-----=0A> From: "Joel Wir=C4=81m= u Pauling" =0A> Sent: Thursday, January 4, 2018 4:52pm= =0A> To: "Dave Taht" =0A> Cc: "Jonathan Morton" ,=0A> cerowrt-devel@lists.bufferbloat.net=0A> Subject: Re:= [Cerowrt-devel] KASLR: Do we have to worry about other arches=0A> than x86= ?=0A>=0A> Well as I've argued before Lede ideally should be using to Kernel= Namespaces=0A> (poor mans containers) for at a minimum the firewall and pe= r-interface=0A> routing instances.=0A>=0A> The stuff I am running at home i= s mostly on cheap Atom board, so it's a=0A> matter of squeezing out unneede= d cruft on the platform. Also I don't want to=0A> be admining centos/rhel s= ervers at home.=0A>=0A> On 5 January 2018 at 10:47, Dave Taht wrote:=0A>>=0A>> On Thu, Jan 4, 2018 at 1:44 PM, Joel Wir=C4=81mu = Pauling =0A>> wrote:=0A>> >=0A>> >=0A>> > On 5 January 2= 018 at 01:09, Jonathan Morton =0A>> > wrote:=0A>> >>= =0A>> >>=0A>> >>=0A>> >> I don't think we need to worry about it too much i= n a router context.=0A>> >> Virtual server folks, OTOH...=0A>> >>=0A>> >> -= Jonathan Morton=0A>> >>=0A>> > Disagree - The Router is pretty much synony= mous with NFV=0A>> >=0A>> > ; I run my lede instances at home on hypervisor= s - and this is=0A>> > definitely=0A>> > the norm in Datacentres now. We ne= ed to work through this quite=0A>> > carefully.=0A>>=0A>> Yes, the NFV case= is serious and what I concluded we had most to worry=0A>> about - before s= tarting to worry about the lower end router chips=0A>> themselves. But I wa= sn't aware that people were actually trying to run=0A>> lede in that, I'd k= ind of expected=0A>> a more server-like distro to be used there. Why lede i= n a NFV? Ease of=0A>> configuration? Reduced attack surface? (hah)=0A>>=0A>= > The only x86 chip I use (aside from simulations) is the AMD one in the=0A= >> apu2, which I don't know enough about as per speculation...=0A>>=0A>> --= =0A>>=0A>> Dave T=C3=A4ht=0A>> CEO, TekLibre, LLC=0A>> http://www.teklibre.= com=0A>> Tel: 1-669-226-2619=0A=0A=0A=0A-- =0A=0ADave T=C3=A4ht=0ACEO, TekL= ibre, LLC=0Ahttp://www.teklibre.com=0ATel: 1-669-226-2619 ------=_20180104171238000000_25199 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

I don't disagree about= using containers being useful as one of many security mechanisms. They are= useful against certain attack vectors, but depend on two things: 1) kernel= correctness, and 2) putting all functionality in separate userspace proces= ses to satisfy the "principle of least privilege".

=0A

 

=0A

-----Original Message-----
From: = "Dave Taht" <dave.taht@gmail.com>
Sent: Thursday, January 4, 201= 8 5:04pm
To: "dpreed@deepplum.com" <dpreed@deepplum.com>
Cc= : "Joel Wir=C4=81mu Pauling" <joel@aenertia.net>, "Jonathan Morton" &= lt;chromatix99@gmail.com>, cerowrt-devel@lists.bufferbloat.net
Subj= ect: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than= x86?

=0A
=0A

On Thu, Jan 4, 2018 at 2:02 PM, dpreed@deepplum.com <dpreed@deeppl= um.com> wrote:
> Containers and kernel namespaces, and so forth = are MEANINGLESS against the
> Meltdown and Sceptre problems. It's a= hardware bug that lets any userspace
> process access anything the= kernel can address.

Just to be clear, I was merely agreeing wit= h joel that containers had
matured enough to be potentially usuable fo= r some level of process
isolation and firewalling, not that it applied= to coping with MeltRe.
>
>
>
> -----Origin= al Message-----
> From: "Joel Wir=C4=81mu Pauling" <joel@aenerti= a.net>
> Sent: Thursday, January 4, 2018 4:52pm
> To: "D= ave Taht" <dave.taht@gmail.com>
> Cc: "Jonathan Morton" <c= hromatix99@gmail.com>,
> cerowrt-devel@lists.bufferbloat.net
> Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other = arches
> than x86?
>
> Well as I've argued before L= ede ideally should be using to Kernel Namespaces
> (poor mans conta= iners) for at a minimum the firewall and per-interface
> routing in= stances.
>
> The stuff I am running at home is mostly on ch= eap Atom board, so it's a
> matter of squeezing out unneeded cruft = on the platform. Also I don't want to
> be admining centos/rhel ser= vers at home.
>
> On 5 January 2018 at 10:47, Dave Taht <= ;dave.taht@gmail.com> wrote:
>>
>> On Thu, Jan 4, = 2018 at 1:44 PM, Joel Wir=C4=81mu Pauling <joel@aenertia.net>
&g= t;> wrote:
>> >
>> >
>> > On 5= January 2018 at 01:09, Jonathan Morton <chromatix99@gmail.com>
= >> > wrote:
>> >>
>> >>
>= ;> >>
>> >> I don't think we need to worry about = it too much in a router context.
>> >> Virtual server folk= s, OTOH...
>> >>
>> >> - Jonathan Morton<= br />>> >>
>> > Disagree - The Router is pretty m= uch synonymous with NFV
>> >
>> > ; I run my le= de instances at home on hypervisors - and this is
>> > defini= tely
>> > the norm in Datacentres now. We need to work throug= h this quite
>> > carefully.
>>
>> Yes,= the NFV case is serious and what I concluded we had most to worry
>= ;> about - before starting to worry about the lower end router chips
>> themselves. But I wasn't aware that people were actually trying = to run
>> lede in that, I'd kind of expected
>> a mor= e server-like distro to be used there. Why lede in a NFV? Ease of
>= > configuration? Reduced attack surface? (hah)
>>
>&g= t; The only x86 chip I use (aside from simulations) is the AMD one in the>> apu2, which I don't know enough about as per speculation...>>
>> --
>>
>> Dave T=C3=A4ht
>> CEO, TekLibre, LLC
>> http://www.teklibre.com
&g= t;> Tel: 1-669-226-2619



--

Dave T=C3= =A4ht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-= 226-2619

=0A
 ------=_20180104171238000000_25199--