Re: IP Clusters and security
- From: Stephen Hoffman <Hoff@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 16 May 2007 11:19:01 -0400
JF Mezei wrote:
Doc wrote:The sooner you have that the better. Hobbyists can start having competitions over who can form the largest geographical cluster. :)
One could conceivably operate a cluster within the passenger cabin of an aircraft, for instance, assuming an IR connection was available. (I haven't looked to see if IR is permissible under FAA regulations, though I'd tend to expect most regulations in this area would target emissions in the radio-frequency portion of the spectrum.)
Perhaps what is needed is a cluster of clusters, where each cluster defines what resources the supercluster has access to.
The analog here being some sort of Kerberos or LDAP distributed authentication.
Right now, clusters are protected by physical boundary of an ethernet and physical cables to disk drives.
All unencrypted traffic. Not just that of the cluster.
But once you open it up to IP, it will open a whole can of worms in terms of hackers trying to join a cluster. If hackers get hodl of cluster_authorize.dat, they can then join the cluster and have access to all the data on any disk.
If a cracker gains access to the wire and the traffic is unencrypted, the cracker has all necessary access. Having the full contents of CLUSTER_AUTHORIZE in your possession is not centrally relevant; if an attacker has wire-level (unencrypted) or WiFi-level (unencrypted or WEP) access to the data links, then the configuration is already pwned.
This concern isn't specific to IP, in other words.
As for clustering and its (current) use of IP, various SANs already operate over IP. FCIP is in use at a number of OpenVMS sites. The host-to-host communications do not traverse IP, but the FC storage does.
Services for OpenVMS