
Iris Decentralized Cloud Messaging - norswap
http://www.bravenewgeek.com/iris-decentralized-cloud-messaging/
======
bascule
The section on security is just... bonkers.

First it starts by talking about how ZeroMQ security is an "afterthought",
linking to an article that should hopefully convince even people with casual
security backgrounds this isn't the case:
[http://hintjens.com/blog:48](http://hintjens.com/blog:48)

For what it's worth: ZeroMQ implements the closest thing to a real-world
implementation of Dan Bernstein's CurveCP protocol, with a few design flaws
fixed, and also a certificate form that allows a limited hierarchical PKI.
Normally I'd say using anything other than TLS is a huge warning sign, but as
far as non-TLS protocols go, ZeroMQ's "CurveZMQ" protocol actually ends up
looking fairly good in my book.

Iris does none of this, advocating the use of global PSKs. Global PSKs are the
bane of security professionals everywhere, as they make any system that shares
the PSK the weakest link, greatly increasing the chance that the most
overlooked system will become a vector for total system compromise. This is
why we've generally seen a move away from such systems to running internal
PKIs with unique keys per host.

Instead, they claim:

"This is achieved through the observation that if a node of a service is
compromised, the whole system is considered undermined."

This is pretty much the opposite trend of modern crypto practitioners.

It's been a while since I actually looked at their crypto, but at a cursory
glance-over again it's hand-rolled and uses bignums without random blinding,
greatly increasing the chances of timing side-channels.

If you care about security, you probably shouldn't be using this.
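
The random blinding bascule refers to, as an added illustration that is not part of this thread or of Iris's code: RSA decryption with and without blinding, on a constructed toy key (the primes below are assumed sample values, not a deployment key). Blinding makes the private-key exponentiation operate on a value the caller cannot predict, which is what removes the ciphertext-dependent timing signal.

```python
import secrets
from math import gcd

# Constructed toy RSA key: sample primes, assumed for illustration only.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def unblinded_decrypt(c: int, d: int = D, n: int = N) -> int:
    """Plain c^d mod n: the exponentiation works directly on the
    caller-supplied ciphertext, so its running time depends on c and d."""
    return pow(c, d, n)


def blinded_decrypt(c: int, d: int = D, e: int = E, n: int = N) -> int:
    """RSA blinding: multiply the ciphertext by r^e for a fresh random r,
    exponentiate, then strip r. (c * r^e)^d = m * r (mod n), so dividing by
    r recovers m. The private-key operation never sees a value the caller
    chose. Blinding does not by itself make the exponentiation constant-time;
    it removes the input-dependent component an observer could correlate."""
    while True:
        r = secrets.randbelow(n - 2) + 2      # 2 <= r < n
        if gcd(r, n) == 1:                    # r must be invertible mod n
            break
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)              # equals m * r (mod n)
    return (m_blind * pow(r, -1, n)) % n


def roundtrip(m: int):
    """Encrypt m with the public key, then decrypt it both ways."""
    c = pow(m, E, N)
    return unblinded_decrypt(c), blinded_decrypt(c)
```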

------
polskibus
Iris reminds me of Tibco Rendezvous, which as far as I remember was capable of
multicast messaging with distributed task queueing. It was efficient last time
I used it (ca 6 yrs ago). I wonder how Iris compares to Tibco, which is
still used by many financial behemoths.

~~~
zok3102
Disclaimer: I work at TIBCO

Yes, Rendezvous is still going strong. Tonnes of deployments in FSI, Telco,
Fabs, etc. That said, it's showing its age in the cloud among a couple of other
areas. We typically point users who need low latency data distribution to RV's
successor called FTL. Similar peer-to-peer architecture like RV, but new
capabilities like multi-transport (tcp/mcast/rdma/shared mem), content
selectors, pub-sub/req-reply semantics. And wicked fast on commodity hardware.

I haven't looked at Iris but the problem of abstracting physical from logical
topology in distributed systems has been a major influence on RV and FTL
architecture. Real world problem once you move beyond speeds and feeds and
"looks ma, sockets!" semantics.

------
vegabook
It looks like development has slowed down dramatically. In my view, a project
which has a large community behind it is far preferable to something which is
theoretically superior but new and small, because in the long run, long-lived
projects tend to address new use cases (i.e. they evolve), so they don't paint
you into a corner, unlike a wonderful-sounding idea whose author seemingly
gets bored of it after 12 months.

Personally it is for this reason that I'm going with zeromq, even though I
know it has tight-coupling downsides. I was tempted by nanomsg but even this
seems to be losing momentum somewhat (please feel free to correct me if the
last statement is incorrect).

------
dochtman
Would be interesting to also look at Mangos, a Go reimplementation of the
nanomsg protocol.

[https://github.com/gdamore/mangos](https://github.com/gdamore/mangos)

------
dozzie
Don't forget to add "scalable" buzzword.

Oh, there it is in the article. Never mind.

~~~
vruiz
Which word would you use instead in that context?

~~~
dozzie
First, I would try to express what it means, not just throw random
buzzwords around. Look at today's landscape: everything is scalable, cloud
based, as a service, for devops.

