Send in your ideas. Deadline December 1, 2024
logo
hex
Vendor stores
Nix Flake
Grant
Theme fund: Internet Hardening Fund
Period: 2017-02 — 2019-05

ARPA2 Steamworks

ARPA2 Steamworks

Computer systems nowadays are entangled with networks, and a simple server may in fact depend on other systems to be online to be able to fulfill its services. This constitutes a degree of fragility that is not always desirable; for instance, where security policies or system access is concerned. To make things worse, there is a growing tendency to combine information sources from various parties, and crossing the technical and political boundaries of organisations can introduce many new issues that complicate normal system management.

So what we need is a system that can share (configuration) information across such parties, and reduce their cross-dependency. This is where SteamWorks steps in; it enables a central site to configure settings for a large conglomeration or a distributed enterprise, and each of the sites can clone this information and spread it internally. Updates are automatically spread out as soon as possible, but in case of network failure the old information is retained and used until the downtime is resolved.

Why does this actually matter to end users?

ARPA2 SteamWorks is a set of tools that co-operate to transmit more-or-less centrally controlled configuration settings over any network, and make these settings available to individual programs. Updates are passed around instantaneously when network connections are good, but the last version of the information can be used when the network temporarily degrades. The project is part of the ARPA2 project, which is engineering towards an overall architecture scalable to run a future internet that is secure by design.

Configuring and provisioning TLS — trusted (root) certificates, intermediates, end-user certificates, and public keys — can be a complicated business. The ARPA2 TLS Pool project makes it simpler for third-party applications (e.g. a web browser, or a web server) to use TLS and identity information. Configuration of TLS Pool itself however is still somewhat complicated: it provides a number of databases for configuring its behavior -- that is, the way it provides TLS and identity support to applications and the parameters of its outgoing TLS connections -- but filling those databases needs an API and a user interface.

ARPA2 SteamWorks is about creating machinery for distributing configuration information through LDAP and using that for local provisioning through the Pulley (a local daemon) and Pulley Plug-ins (used to configure specific applications, e.g. TLS Pool). The configuration of the Pulley is done through a Pulley Script (which can, in turn, be distributed through LDAP).

The Pulley Plug-in mechanism is generic and in the longer term will evolve more plug-ins for configuring other (sub)systems, e.g. writing ISC DHCPd configuration or Local Unbound configuration files. The project will make it possible to connect the complete configuration of TLS Pool to the SteamWorks machinery by building a SteamWorks Pulley Plug-In and Pulley Scripts that can fully configure TLS Pool. This includes defining all of the configuration elements for TLS Pool in LDAP schemata. SteamWorks also provides a framework for writing web-based front-ends to the LDAP configuration though the Crank component of SteamWorks. In order to provide the user interface for TLS Pool provisioning, we will construct that front-end (web application). This gives us a mechanism for filling the TLS Pool configuration in LDAP, distributing it to the Pulley through LDAP, and then locally turning it into configuration for provisioning TLS for applications. (An extension of this mechanism would involve generically associating Some parts of this system are already built as proofs-of-concept: there is a stub Pulley Plug-in for configuring the trusted root certificates in TLS Pool, as well as a rudimentary web-interface for filling those in in LDAP. This project aims to turn those proofs-of-concept into fully functional configuration tools.

Earlier work on ARPA2 Steamworks was funded with a joint subsidy from NLnet and the programme "[veilig] door innovatie" from the Netherlands government.

Run by ARPA2

Logo NLnet: abstract logo of four people seen from above Logo Netherlands Ministry of Economic Affairs and Climate Policy

This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy.