|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] MirageOS and my recent involvement
Dear all,it is pretty quite on this list. I'm not sure whether this is a good sign or not. I unfortunately had to cancel the retreat in November due to lack of signups (3 people managed to sign up within the deadline) :/ While late signups are possible, it is always a burden. But I have some exciting MirageOS related news that I find worth sharing, and hope to engage discussions by doing so. Maybe it is also worth to restart weekly / biweekly MirageOS meetings (as in the old days) -- what do you think? Some repositories in the mirage organization are suffering from bitrot, and/or lack of cleanups or reviews (such as the ocaml-solo5 PR waiting since a long time for proper reviews that would enable to use OCaml 5) -- my personal experience with OCaml 5 from a resource perspective is not very good, that's why I don't really care about that too much (and am happy that 4.14 is under long-term support). ## MirageVPN / OpenVPNWe at robur managed to receive EU (NGI Assure) funding to work on MirageVPN (an OpenVPN implementation), which we started back in 2019 - to add more mdoern crypto and more recent features (tls-crypt, ..), a server implementation, a QubesOS client unikernel, ... -- https://nlnet.nl/project/MirageVPN/ \o/ The source is developed at https://github.com/robur-coop/miragevpn (also see our blog entries at https://blog.robur.coop) In case you are using OpenVPN and are looking for a replacement, please have a try (and/or open issues if you're stuck / missing features). ## DNSvizor / DNSmasqWe at robur also managed to receive EU (NGI0 Entrust) funding to work on DNSvizor (a DNS resolver and DHCP server - basically a DNSmasq replacement) https://nlnet.nl/project/DNSvizor/ (earlier funding for this project didn't pan out due to how to direct the money -- https://nlnet.nl/project/Robur/) -- but we already have a basic repository up and running https://github.com/robur-coop/dnsvizor At the earlier retreats previous versions of such a unikernel were actively being used - and we also discovered some issues that were then fixed on site. But now, finally putting several months of effort into it (in 2024) will hopefully result in a useful unikernel. Again, if you wish for some features, or have a DNSmasq in production that you're keen on having replaced, don't hesitate to open an issue (and provide us with your configuration). ## uTCPSince August I've motivated myself to work a bit more on uTCP, a TCP/IP stack that originated from Netsem, a formal model in HOL4. Apart from minor bugfixes to get it compiling again, I pushed it into production (first for retreat.mirage.io, then once the resource leakage was sorted, also on a.ns.robur.coop, and now finally as tls reverse proxy on *.robur.coop). Some highlights from the last months: making it usable: - properly set initial window - segment reassembly performance: - improve performance of checksum computation by a factor of 5 - avoid lots of allocations (improved performance by factor of 3) correctness - drop connection in LAST ACK if FIN was received- fix exceptions (Cstruct.shift exceeding send queue, Cstruct.shiftv with negative amount) - no longer being stuck in various states (CLOSE WAIT, FIN WAIT 2) [which turned out to be an issue in the model] - avoid usage of multiple maps convenience: - add metrics and monitoring- since mirage 4.4.1, using uTCP is possible without too much headache (still some, see https://github.com/mirage/retreat.mirage.io/blob/748f29e20499a8b508b11a302e8890202202e854/config.ml#L36-L69 for an example) It is now in a nice shape - while working on it, I also discovered that mirage-tcpip has some issues (apart from resource leaks, it also doesn't validate any checksum). There are still some open issues to work on before releasing an initial version (such as path MTU discovery, selective acknowledgement, congestion control, increase initial window size, accurate byte counting). But the upside is that even the reverse TLS tunnel that carries quite some load doesn't seem to leak memory anymore. repository: https://github.com/robur-coop/utcp blog article:https://hannes.robur.coop/Posts/TCP-ns network semantics: https://www.cl.cam.ac.uk/~pes20/Netsem/ JACM journal paper (2019): http://www.cl.cam.ac.uk/~pes20/Netsem/paper3.pdf ## NetHSMThe first (to my knowledge) commercial product using MirageOS (and Muen) is now for sale; it is a "Hardware Security Module", so something you can store your private keys which hopefully never get extracted. With the robur team (namely Steffi and Martin) I was involved in the early days (doing system design and implementation) [though I've not followed changes in later years]. See their announcement at https://www.nitrokey.com/news/2023/after-8-years-development-nethsm-10-available-first-open-source-hardware-security-module NB: I don't agree with everything they say. I'm especially sad how they did a code dump on GitHub instead of preserving the commit history. Best, Hannes
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |