Python's `str.__repr__()`
-Sometimes software is written using whatever built-ins you find in your programming language of choice. +
Sometimes software is written using whatever built-ins you find in your programming language of choice. This is usually great! However, it can happen that you depend on the precise semantics of those built-ins. This can be a problem if those semantics become important to your software and you need to port it to another programming language. diff --git a/articles/2024-08-21-OpenVPN-and-MirageVPN.html b/articles/2024-08-21-OpenVPN-and-MirageVPN.html index 0683731..b80adca 100644 --- a/articles/2024-08-21-OpenVPN-and-MirageVPN.html +++ b/articles/2024-08-21-OpenVPN-and-MirageVPN.html @@ -5,13 +5,13 @@
MirageVPN and OpenVPN
-At Robur we have been busy at work implementing our OpenVPN™-compatible MirageVPN software. -Recently we have implemented the server side. +
At Robur we have been busy at work implementing our OpenVPN™-compatible MirageVPN software. +Recently we have implemented the server side. In order to implement this side of the protocol I studied parts of the OpenVPN™ source code and performed experiments to understand what the implementation does at the protocol level. Studying the OpenVPN™ implementation has lead me to discover two security issues: CVE-2024-28882 and CVE-2024-5594. In this article I will talk about the relevant parts of the protocol, and describe the security issues in detail.
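Review bot: the rewritten intro of 2024-08-21-OpenVPN-and-MirageVPN.html re-lands the spelling slip "Studying the OpenVPN™ implementation has lead me to discover two security issues"; since the paragraph is being touched in this hunk anyway, change it to "has led me to discover". The CVE identifiers and the rest of the text are carried over unchanged from the removed line, so nothing else in the hunk needs attention.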
diff --git a/articles/arguments.html b/articles/arguments.html index b1ed2f9..e7a9023 100644 --- a/articles/arguments.html +++ b/articles/arguments.html @@ -5,13 +5,13 @@Runtime arguments in MirageOS
-TL;DR: Passing runtime arguments around is tricky, and prone to change every other month.
+TL;DR: Passing runtime arguments around is tricky, and prone to change every other month.
Motivation
Sometimes, as an unikernel developer and also as operator, it's nice to have some runtime arguments passed to an unikernel. Now, if you're into OCaml, diff --git a/articles/dnsvizor01.html b/articles/dnsvizor01.html index a5cdafe..fbc488f 100644 --- a/articles/dnsvizor01.html +++ b/articles/dnsvizor01.html @@ -5,13 +5,13 @@
Meet DNSvizor: run your own DHCP and DNS MirageOS unikernel
-TL;DR: We got NGI0 Entrust (via NLnet) funding for developing +
TL;DR: We got NGI0 Entrust (via NLnet) funding for developing DNSvizor - a DNS resolver and DHCP server. Please help us by sharing with us your dnsmasq configuration, so we can diff --git a/articles/finances.html b/articles/finances.html index 6f75ade..6fd86aa 100644 --- a/articles/finances.html +++ b/articles/finances.html @@ -5,13 +5,13 @@
How has robur financially been doing since 2018?
-Since the beginning, robur has been working on MirageOS unikernels and getting +
Since the beginning, robur has been working on MirageOS unikernels and getting them deployed. Due to our experience in hierarchical companies, we wanted to create something different - a workplace without bosses and management. Instead, we are a collective where everybody has a say on what we do, and who gets how diff --git a/articles/gptar.html b/articles/gptar.html index aeba524..e7cad44 100644 --- a/articles/gptar.html +++ b/articles/gptar.html @@ -5,13 +5,13 @@
GPTar
-At Robur we developed a piece of software for mirroring or exposing an opam repository. +
At Robur we developed a piece of software for mirroring or exposing an opam repository. We have it deployed at opam.robur.coop, and you can use it as an alternative to opam.ocaml.org. It is usually more up-to-date with the git opam-repository than opam.ocaml.org although in the past it suffered from occasional availability issues. I can recommend reading Hannes' post about opam-mirror. diff --git a/articles/lwt_pause.html b/articles/lwt_pause.html index f9fe6b3..0306e51 100644 --- a/articles/lwt_pause.html +++ b/articles/lwt_pause.html @@ -5,13 +5,13 @@
Cooperation and Lwt.pause
-Here's a concrete example of the notion of availability and the scheduler used +
Here's a concrete example of the notion of availability and the scheduler used
(in this case Lwt). As you may know, at Robur we have developed a unikernel:
opam-mirror. It launches an HTTP service that can be used as an
OPAM overlay available from a Git repository (with opam repository add <name> <url>
).
MirageVPN updated (AEAD, NCP)
-Updating MirageVPN
-As announced earlier this month, we've been working hard over the last months on MirageVPN (initially developed in 2019, targeting OpenVPN™ 2.4.7, now 2.6.6). We managed to receive funding from NGI Assure call (via NLnet). We've made over 250 commits with more than 10k lines added, and 18k lines removed. We closed nearly all old issues, and opened 100 fresh ones, of which we already closed more than half of them. :D
+Updating MirageVPN
+As announced earlier this month, we've been working hard over the last months on MirageVPN (initially developed in 2019, targeting OpenVPN™ 2.4.7, now 2.6.6). We managed to receive funding from NGI Assure call (via NLnet). We've made over 250 commits with more than 10k lines added, and 18k lines removed. We closed nearly all old issues, and opened 100 fresh ones, of which we already closed more than half of them. :D
Actual bugs fixed (that were leading to non-working MirageVPN applications)
In more detail, we had a specific configuration running over all the years, namely UDP mode with static keys (no TLS handshake, etc.). There were several issues (bitrot) that we encountered and solved along the path, amongst others:
-
@@ -35,7 +35,7 @@
To avoid any future breakage while revising the code (cleaning it up, extending it), we are now building several unikernels as part of our CI system. We also have setup OpenVPN™ servers with various configurations that we periodically test with our new code (we'll also work on further automation thereof).
New features: AEAD ciphers, supporting more configuration primitives
-We added various configuration primitives, amongst them configuratble tls ciphersuites, minimal and maximal tls version to use, tls-crypt-v2, verify-x509-name, cipher, remote-random, ...
+We added various configuration primitives, amongst them configuratble tls ciphersuites, minimal and maximal tls version to use, tls-crypt-v2, verify-x509-name, cipher, remote-random, ...
From a cryptographic point of view, we are now supporting more authentication hashes via the configuration directive auth
, namely the SHA2 family - previously, only SHA1 was supported, AEAD ciphers (AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305) - previously only AES-256-CBC was supported.
NCP - Negotiation of cryptographic parameters
OpenVPN™ has a way to negotiate cryptographic parameters, instead of hardcoding them in the configuration. The client can propose its supported ciphers, and other features (MTU, directly request a push message for IP configuration, use TLS exporter secret instead of the hand-crafted (TLS 1.0 based PRF), ...) once the TLS handshake has been completed.
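Review bot: the added line "+We added various configuration primitives, amongst them configuratble tls ciphersuites, ..." in the second miragevpn-ncp.html hunk keeps the typo "configuratble" from the removed line; as the line is rewritten here, fix it to "configurable" rather than re-landing the typo. The remaining lines of this hunk are unchanged context and look fine.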
diff --git a/articles/miragevpn-performance.html b/articles/miragevpn-performance.html index 591b8f9..b6160f8 100644 --- a/articles/miragevpn-performance.html +++ b/articles/miragevpn-performance.html @@ -5,13 +5,13 @@Speeding up MirageVPN and use it in the wild
-As we were busy continuing to work on MirageVPN, we got in touch with eduVPN, who are interested about deploying MirageVPN. We got example configuration from their side, and fixed some issues, and also implemented tls-crypt - which was straightforward since we earlier spend time to implement tls-crypt-v2.
+As we were busy continuing to work on MirageVPN, we got in touch with eduVPN, who are interested about deploying MirageVPN. We got example configuration from their side, and fixed some issues, and also implemented tls-crypt - which was straightforward since we earlier spend time to implement tls-crypt-v2.
In January, they gave MirageVPN another try, and measured the performance -- which was very poor -- MirageVPN (run as a Unix binary) provided a bandwith of 9.3Mb/s, while OpenVPN provided a bandwidth of 360Mb/s (using a VPN tunnel over TCP).
We aim at spending less resources for computing, thus the result was not satisfying for us. We re-read a lot of code, refactored a lot, and are now at ~250Mb/s.
Tooling for performance engineering of OCaml
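Review bot: the added intro paragraph of miragevpn-performance.html repeats two slips from the removed line: "who are interested about deploying MirageVPN" should be "interested in deploying", and "since we earlier spend time to implement tls-crypt-v2" should be "earlier spent time". If a follow-up touches the unchanged context below it, "provided a bandwith of 9.3Mb/s" is also missing the "d" in "bandwidth".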
@@ -40,7 +40,7 @@ To better guide the performance engineering, we also developed discussing it in the OCaml community, and are eager to find a solution to avoid unneeded computations.Conclusion
-To conclude: we already achieved a factor of 25 in performance by adapting the code in various ways. We have ideas to improve the performance even more in the future - we also work on using OCaml string and bytes, instead of off-the-OCaml-heap-allocated bigarrays (see our previous article, which provided some speedups).
+To conclude: we already achieved a factor of 25 in performance by adapting the code in various ways. We have ideas to improve the performance even more in the future - we also work on using OCaml string and bytes, instead of off-the-OCaml-heap-allocated bigarrays (see our previous article, which provided some speedups).
Don't hesitate to reach out to us on GitHub, or by mail if you're stuck.
We want to thank NLnet for their funding (via NGI assure), and eduVPN for their interest.
-
diff --git a/articles/miragevpn-server.html b/articles/miragevpn-server.html
index 2e1250a..4a96fd1 100644
--- a/articles/miragevpn-server.html
+++ b/articles/miragevpn-server.html
@@ -5,13 +5,13 @@
-
Meet DNSvizor: run your own DHCP and DNS MirageOS unikernel - https://blog.robur.coop//articles/dnsvizor01.html + https://blog.robur.coop/articles/dnsvizor01.htmlhttps://blog.robur.coop//articles/dnsvizor01.html +https://blog.robur.coop/articles/dnsvizor01.html Fri, 25 Oct 2024 00:00:00 GMT -
Runtime arguments in MirageOS - https://blog.robur.coop//articles/arguments.html + https://blog.robur.coop/articles/arguments.html- https://blog.robur.coop//articles/arguments.html +https://blog.robur.coop/articles/arguments.html Tue, 22 Oct 2024 00:00:00 GMT -
How has robur financially been doing since 2018? - https://blog.robur.coop//articles/finances.html + https://blog.robur.coop/articles/finances.html- https://blog.robur.coop//articles/finances.html +https://blog.robur.coop/articles/finances.html Mon, 21 Oct 2024 00:00:00 GMT -
MirageVPN and OpenVPN - https://blog.robur.coop//articles/2024-08-21-OpenVPN-and-MirageVPN.html + https://blog.robur.coop/articles/2024-08-21-OpenVPN-and-MirageVPN.htmlhttps://blog.robur.coop//articles/2024-08-21-OpenVPN-and-MirageVPN.html +https://blog.robur.coop/articles/2024-08-21-OpenVPN-and-MirageVPN.html Wed, 21 Aug 2024 00:00:00 GMT -
The new Tar release, a retrospective - https://blog.robur.coop//articles/tar-release.html + https://blog.robur.coop/articles/tar-release.html- https://blog.robur.coop//articles/tar-release.html +https://blog.robur.coop/articles/tar-release.html Thu, 15 Aug 2024 00:00:00 GMT
+ -
+
Testing MirageVPN against OpenVPN™ + https://blog.robur.coop/articles/miragevpn-testing.html ++ https://blog.robur.coop/articles/miragevpn-testing.html +Wed, 26 Jun 2024 00:00:00 GMT + -
qubes-miragevpn, a MirageVPN client for QubesOS - https://blog.robur.coop//articles/qubes-miragevpn.html + https://blog.robur.coop/articles/qubes-miragevpn.html- https://blog.robur.coop//articles/qubes-miragevpn.html +https://blog.robur.coop/articles/qubes-miragevpn.html Mon, 24 Jun 2024 00:00:00 GMT -
MirageVPN server - https://blog.robur.coop//articles/miragevpn-server.html + https://blog.robur.coop/articles/miragevpn-server.html- https://blog.robur.coop//articles/miragevpn-server.html +https://blog.robur.coop/articles/miragevpn-server.html Mon, 17 Jun 2024 00:00:00 GMT -
Speeding up MirageVPN and use it in the wild - https://blog.robur.coop//articles/miragevpn-performance.html + https://blog.robur.coop/articles/miragevpn-performance.htmlhttps://blog.robur.coop//articles/miragevpn-performance.html +https://blog.robur.coop/articles/miragevpn-performance.html Tue, 16 Apr 2024 00:00:00 GMT -
GPTar - https://blog.robur.coop//articles/gptar.html + https://blog.robur.coop/articles/gptar.html- https://blog.robur.coop//articles/gptar.html +https://blog.robur.coop/articles/gptar.html Wed, 21 Feb 2024 00:00:00 GMT -
Speeding elliptic curve cryptography - https://blog.robur.coop//articles/speeding-ec-string.html + https://blog.robur.coop/articles/speeding-ec-string.htmlhttps://blog.robur.coop//articles/speeding-ec-string.html +https://blog.robur.coop/articles/speeding-ec-string.html Tue, 13 Feb 2024 00:00:00 GMT -
Cooperation and Lwt.pause - https://blog.robur.coop//articles/lwt_pause.html + https://blog.robur.coop/articles/lwt_pause.html- https://blog.robur.coop//articles/lwt_pause.html +https://blog.robur.coop/articles/lwt_pause.html Sun, 11 Feb 2024 00:00:00 GMT -
Python's `str.__repr__()` - https://blog.robur.coop//articles/2024-02-03-python-str-repr.html + https://blog.robur.coop/articles/2024-02-03-python-str-repr.html- https://blog.robur.coop//articles/2024-02-03-python-str-repr.html +https://blog.robur.coop/articles/2024-02-03-python-str-repr.html Sat, 03 Feb 2024 00:00:00 GMT -
MirageVPN updated (AEAD, NCP) - https://blog.robur.coop//articles/miragevpn-ncp.html + https://blog.robur.coop/articles/miragevpn-ncp.html- https://blog.robur.coop//articles/miragevpn-ncp.html +https://blog.robur.coop/articles/miragevpn-ncp.html Mon, 20 Nov 2023 00:00:00 GMT -
MirageVPN & tls-crypt-v2 - https://blog.robur.coop//articles/miragevpn.html + https://blog.robur.coop/articles/miragevpn.html- https://blog.robur.coop//articles/miragevpn.html +https://blog.robur.coop/articles/miragevpn.html Tue, 14 Nov 2023 00:00:00 GMT -
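Review bot: the feed hunk rewrites each item's link from "https://blog.robur.coop//articles/..." to "https://blog.robur.coop/articles/...", and the URL is replaced twice per item, which suggests both the display link and the item guid change. Removing the doubled slash is right, but a changed guid makes every subscriber's reader re-deliver the whole back catalogue as new items once; either keep the old guid values while fixing the link, or accept the one-off duplication and say so in the commit message. The newly added item "Testing MirageVPN against OpenVPN™" (Wed, 26 Jun 2024) is inserted between the Aug 15 and Jun 24 entries, so the feed stays in reverse-chronological order.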
@@ -44,10 +44,10 @@
2024-10-22 - Runtime arguments in MirageOS
+ Runtime arguments in MirageOS
The history of runtime arguments to a MirageOS unikernel
-+ -
@@ -57,10 +57,10 @@
2024-10-21 - How has robur financially been doing since 2018?
+ How has robur financially been doing since 2018?
How we organise as a collective, and why we're doing that.
-+ -
@@ -70,10 +70,10 @@
2024-08-21 - MirageVPN and OpenVPN
+ MirageVPN and OpenVPN
Discoveries made implementing MirageVPN, a OpenVPN-compatible VPN library
-+ -
@@ -83,10 +83,23 @@
2024-08-15 - The new Tar release, a retrospective+
+ The new Tar release, a retrospective
A little retrospective to the new Tar release and changes
-+ + + -
+ + + +++ 2024-06-26 + Testing MirageVPN against OpenVPN™
+Some notes about how we test MirageVPN against OpenVPN™
++ -
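Review bot: the new index card for "2024-06-26 Testing MirageVPN against OpenVPN™" (the "@@ -83,10 +83,23 @@" hunk) lands between the 2024-08-15 and 2024-06-24 cards, which matches the ordering of the surrounding list; the remaining "+"/"-" pairs in this hunk only swap the card markup around unchanged titles and summaries, so nothing else to flag here.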
@@ -96,10 +109,10 @@
2024-06-24 - qubes-miragevpn, a MirageVPN client for QubesOS
+ qubes-miragevpn, a MirageVPN client for QubesOS
A new OpenVPN client for QubesOS
-+ - @@ -109,10 +122,10 @@
-
@@ -122,10 +135,10 @@
2024-04-16 - Speeding up MirageVPN and use it in the wild
+ Speeding up MirageVPN and use it in the wild
Performance engineering of MirageVPN, speeding it up by a factor of 25.
-+ - @@ -135,10 +148,10 @@
-
@@ -148,10 +161,10 @@
2024-02-13 - Speeding elliptic curve cryptography
+ Speeding elliptic curve cryptography
How we improved the performance of elliptic curves by only modifying the underlying byte array
-+ -
@@ -161,10 +174,10 @@
2024-02-11 - Cooperation and Lwt.pause
+ Cooperation and Lwt.pause
A disgression about Lwt and Miou
-+ -
@@ -174,10 +187,10 @@
2024-02-03 - Python's `str.__repr__()`
+ Python's `str.__repr__()`
Reimplementing Python string escaping in OCaml
-+ -
@@ -187,10 +200,10 @@
2023-11-20 - MirageVPN updated (AEAD, NCP)
+ MirageVPN updated (AEAD, NCP)
How we resurrected MirageVPN from its bitrot state
-+ -
@@ -200,10 +213,10 @@
2023-11-14 - MirageVPN & tls-crypt-v2
+ MirageVPN & tls-crypt-v2
How we implementated tls-crypt-v2 for miragevpn
-+
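Review bot: the index hunks rewrite the card markup but leave several summary lines in the unchanged context with typos that this pass would be a good moment to fix: "How we implementated tls-crypt-v2 for miragevpn" (implemented), "A disgression about Lwt and Miou" (digression), and "Discoveries made implementing MirageVPN, a OpenVPN-compatible VPN library" (an OpenVPN-compatible).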
MirageVPN server
-It is a great pleasure to finally announce that we have finished a server implementation for MirageVPN (OpenVPN™-compatible). This allows to setup a very robust VPN network on both the client and the server side.
-As announced last year, MirageVPN is a reimplemtation of OpenVPN™ in OCaml, with MirageOS unikernels.
+It is a great pleasure to finally announce that we have finished a server implementation for MirageVPN (OpenVPN™-compatible). This allows to setup a very robust VPN network on both the client and the server side.
+As announced last year, MirageVPN is a reimplemtation of OpenVPN™ in OCaml, with MirageOS unikernels.
Why a MirageVPN server?
Providing Internet services with programming languages that have not much safety requires a lot of discipline by the developers to avoid issues which may lead to exploitable services that are attacked (and thus will circumvent any security goals). Especially services that are critical for security and privacy, it is crucial to avoid common memory safety pitfalls.
Some years back, when we worked on the client implementation, we also drafted a server implementation. The reasoning was that a lot of the code was already there, and just a few things needed to be developed to allow clients to connect there.
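Review bot: the two added lines at the top of miragevpn-server.html carry over "MirageVPN is a reimplemtation of OpenVPN™" (reimplementation) and "This allows to setup a very robust VPN network" (allows you to set up); fix both while the lines are being rewritten. In the unchanged context that follows, "Especially services that are critical for security and privacy, it is crucial to avoid common memory safety pitfalls" is a dangling clause; "Especially for services that are critical for security and privacy, it is crucial ..." reads correctly.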
diff --git a/articles/miragevpn-testing.html b/articles/miragevpn-testing.html index 04514a5..a63961a 100644 --- a/articles/miragevpn-testing.html +++ b/articles/miragevpn-testing.html @@ -1,4 +1,3 @@ - @@ -9,10 +8,10 @@ Robur's blog - Testing MirageVPN against OpenVPN™ - - - - + + + +Testing MirageVPN against OpenVPN™
-As our last milestone for the EU NGI Assure funded MirageVPN project (for now) we have been working on testing MirageVPN, our OpenVPN™-compatible VPN implementation against the upstream OpenVPN™. +
As our last milestone for the EU NGI Assure funded MirageVPN project (for now) we have been working on testing MirageVPN, our OpenVPN™-compatible VPN implementation against the upstream OpenVPN™. During the development we have conducted many manual tests. However, this scales poorly and it is easy to forget testing certain cases. Therefore, we designed and implemented interoperability testing, driving the C implementation on the one side, and our OCaml implementation on the other side. The input for such a test is a configuration file that both implementations can use. @@ -36,7 +35,7 @@ This means we can use an off-the-shelf OpenVPN binary from the package repositor Testing against a future version of OpenVPN becomes trivial. We do not just test a single part of our implementation but achieve an end-to-end test. The same configuration files are used for both our implementation and the C implementation, and each configuration is used twice, once our implementation acts as the client, once as the server.
-We added a flag to our client and our recently finished server applications, --test
, which make them to exit once a tunnel is established and an ICMP echo request from the client has been replied to by the server.
+
We added a flag to our client and our recently finished server applications, --test
, which make them to exit once a tunnel is established and an ICMP echo request from the client has been replied to by the server.
Our client and server can be run without a tun device which otherwise would require elevated privileges.
Unfortunately, OpenVPN requires privileges to at least configure a tun device.
Our MirageVPN implementation does IP packet parsing in userspace.
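Review bot: the added "--test" sentence in miragevpn-testing.html, "which make them to exit once a tunnel is established and an ICMP echo request from the client has been replied to by the server", has a subject/verb mismatch and a stray "to"; since it is being rewritten, make it "which makes them exit once a tunnel is established and an ICMP echo request from the client has been answered by the server". The first hunk of this file ("@@ -1,4 +1,3 @@") removes one apparently blank line at the top of the file; a short mention in the commit message would make that intentional change easier to verify.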
diff --git a/articles/miragevpn.html b/articles/miragevpn.html
index bb531fc..7486adb 100644
--- a/articles/miragevpn.html
+++ b/articles/miragevpn.html
@@ -5,13 +5,13 @@
MirageVPN & tls-crypt-v2
-In 2019 Robur started working on a OpenVPN™-compatible implementation in OCaml. +
In 2019 Robur started working on a OpenVPN™-compatible implementation in OCaml.
The project was funded for 6 months in 2019 by prototypefund.
In late 2022 we applied again for funding this time to the NGI Assure open call, and our application was eventually accepted.
In this blog post I will explain why reimplementing the OpenVPN™ protocol in OCaml is a worthwhile effort, and describe the Miragevpn implementation and in particular the tls-crypt-v2
mechanism.
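Review bot: the added intro line "In 2019 Robur started working on a OpenVPN™-compatible implementation in OCaml" should read "an OpenVPN™-compatible"; the same slip appears in the index summary "a OpenVPN-compatible VPN library" earlier in this patch, so both can be corrected together.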
qubes-miragevpn, a MirageVPN client for QubesOS
-We are pleased to announce the arrival of a new unikernel: +
We are pleased to announce the arrival of a new unikernel: qubes-miragevpn. The latter is the result of work begun several months ago on miragevpn.
Indeed, with the ambition of completing our unikernel suite and the success of diff --git a/articles/speeding-ec-string.html b/articles/speeding-ec-string.html index ae8552b..aadfb42 100644 --- a/articles/speeding-ec-string.html +++ b/articles/speeding-ec-string.html @@ -5,13 +5,13 @@
Speeding elliptic curve cryptography
-TL;DR: replacing cstruct with string, we gain a factor of 2.5 in performance.
+TL;DR: replacing cstruct with string, we gain a factor of 2.5 in performance.
Mirage-crypto-ec
In April 2021 We published our implementation of elliptic curve cryptography (as mirage-crypto-ec
opam package) - this is DSA and DH for NIST curves P224, P256, P384, and P521, and also Ed25519 (EdDSA) and X25519 (ECDH). We use fiat-crypto for the cryptographic primitives, which emits C code that by construction is correct (note: earlier we stated "free of timing side-channels", but this is a huge challenge, and as reported by Edwin Török likely impossible on current x86 hardware). More C code (such as point_add
, point_double
, and further 25519 computations including tables) have been taken from the BoringSSL code base. A lot of OCaml code originates from our TLS 1.3 work in 2018, where Etienne Millon, Nathan Rebours, and Clément Pascutto interfaced elliptic curves for OCaml (with the goal of being usable with MirageOS).
The goal of mirage-crypto-ec was: develop elliptic curve support for OCaml & MirageOS quickly - which didn't leave much time to focus on performance. As time goes by, our mileage varies, and we're keen to use fewer resources - and thus fewer CPU time and a smaller memory footprint is preferable.
diff --git a/articles/tar-release.html b/articles/tar-release.html index faf10bf..511fe66 100644 --- a/articles/tar-release.html +++ b/articles/tar-release.html @@ -5,13 +5,13 @@The new Tar release, a retrospective
-We are delighted to announce the new release of ocaml-tar
. A small library for
+
We are delighted to announce the new release of ocaml-tar
. A small library for
reading and writing tar archives in OCaml. Since this is a major release, we'll
take the time in this article to explain the work that's been done by the
cooperative on this project.
The Robur blog.
+The Robur blog.
Essays and ramblings
@@ -31,10 +31,10 @@+ Meet DNSvizor: run your own DHCP and DNS MirageOS unikernel
The NGI-funded DNSvizor provides core network services on your network; DNS resolution and DHCP.