
Joining Tailscale: Simplifying Networking, Authentication, and Authorization - typical182
https://bradfitz.com/2020/01/30/joining-tailscale
======
chishaku
> I used to tolerate and expect complexity. Working on Go the past 10 years
> has changed my perspective, though.

Reminds me of the Redis manifesto that has provided helpful perspective over
the years.

 _We're against complexity. We believe designing systems is a fight against
complexity._

[http://download.redis.io/redis-stable/MANIFESTO](http://download.redis.io/redis-stable/MANIFESTO)

~~~
veeralpatel979
I think it's fine for tools to be complex internally if they make things
easier for people externally.

Go is generally simple to work with, but it intentionally doesn't provide
syntax sugar for many things, like error handling. I suspect this is because
the creators of Go also want to keep their codebase simple as well.

At first this explicitness is great, but then it turns into boilerplate,
obscures the purpose of your code, and increases the code you need to
maintain. But having worked a lot with Rails, I do still value the
explicitness of Go. So it's a tradeoff.

~~~
harryh
_I think it's fine for tools to be complex internally if they make things
easier for people externally._

Is it though? [https://www.jwz.org/doc/worse-is-better.html](https://www.jwz.org/doc/worse-is-better.html)

------
typical182
For context, this is a post from bradfitz, the creator of LiveJournal,
memcached, and OpenID, who has been on the core Go team for the last 10 years or so.

There was a recent thread on him leaving Google:
[https://news.ycombinator.com/item?id=22161383](https://news.ycombinator.com/item?id=22161383)

------
crmrc114
So I get that things were easier before all networks needed to be treated as
zero trust. But should we really return to that? Just adding another layer of
network abstraction with another malted milk-ball network security
configuration? (gooey and unprotected on the inside)

Part of me thinks this is like when cars were super simple to work on and you
had plenty of "shadetree" mechanics. As vehicle safety systems and emissions
controls increased we built safer and cleaner vehicles. They are harder to
work on at first because you have to learn the concepts of more systems. Brake
systems evolved to ABS controllers then further on to Traction/Stability
Controllers. Understanding one system makes it easier to understand the
others.

I guess I am saying improvement does make things more complex. The most basic
engine is loud and pollutes but works just fine. That does not mean it is better; it
was fun to toy with, but a tuned, well-engineered machine is just as much fun if
you can learn to tinker with it and play.

There will always be someone who will tell you your fuel injected, closed
loop, oxygen and maf sensor controlled combustion cycle is less fun than an
ol' fashion v8 with a carb.

I actually enjoy the paranoid world where we are building inherent security
into every layer of computing. I learn something new every day and get to make
something better.

~~~
gowld
> I learn something new every day and get to make something better.

Best wishes to you. But what about the masses who want to get things done with
their tools, not build tools? Who can't afford even a $20K car, who aren't being
served by the Googles and Amazons who only want to build datacenter-hosted
systems?

------
anderspitman
Interesting. Authentication via IP could definitely simplify a lot of things.
But how do you handle authorization/delegation for 3rd party access?

~~~
crawshaw
Tailscale networks are private. The only way to access an IP is through a
WireGuard tunnel. The only way to be in the WireGuard configuration file is to
have linked your public key against your identity. Every packet has an
identity attached.

~~~
justinsaccount
> Every packet has an identity attached.

So, this part is super interesting to me, but I'm curious on how you envision
that working inside applications.

For example, I have a tcp server that does

    ln, err := net.Listen("tcp", ":8080")
    conn, err := ln.Accept()

How do I get the identity for the connection? conn.RemoteAddr() will give me
the ip address, but how do I know what the metadata associated with the
identity is?

Same sort of idea for inbound HTTP requests. What if I wanted to identify whether a
connection was from a user or an admin?

As I understand it, much of BeyondCorp-type implementations rely on client
certs or Identity Aware Proxies that include the user metadata along with the
request.
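
One way the question above could be answered in that Go server, as an added example that is not from the post, from Tailscale, or from its authors: the server maps `conn.RemoteAddr()` to an identity record and then applies its own user/admin policy. It assumes that the overlay prefix is 100.64.0.0/10, that the peer table (addresses, names, roles) is constructed for this example, and that the server is reachable only through the tunnel, since the lookup is only as trustworthy as that guarantee.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Identity is the metadata bound to a peer's WireGuard key (constructed model).
type Identity struct {
	User, Role string // Role is "user" or "admin"
}

// Assumed overlay prefix: only packets from inside it came through a tunnel.
var tailnet = netip.MustParsePrefix("100.64.0.0/10")

// Constructed peer table (overlay IP -> identity), the kind of data a node would keep in sync.
var peers = map[netip.Addr]Identity{
	netip.MustParseAddr("100.101.102.103"): {User: "alice@example.com", Role: "admin"},
	netip.MustParseAddr("100.101.102.104"): {User: "bob@example.com", Role: "user"},
}

var errUntrusted = errors.New("connection did not arrive over the overlay")
var errUnknownPeer = errors.New("no identity bound to this address")

// identityFor maps a conn.RemoteAddr().String() ("host:port") to an identity.
func identityFor(remoteAddr string) (Identity, error) {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return Identity{}, err
	}
	addr := ap.Addr().Unmap() // dual-stack listeners report "[::ffff:100.x.y.z]:port"
	if !tailnet.Contains(addr) {
		return Identity{}, errUntrusted // e.g. a LAN client that never went through WireGuard
	}
	if id, ok := peers[addr]; ok {
		return id, nil
	}
	return Identity{}, errUnknownPeer
}

// authorize is the application's own policy: admins do anything, users only "read".
func authorize(id Identity, action string) bool {
	return id.Role == "admin" || action == "read"
}

func main() {
	id, err := identityFor("[::ffff:100.101.102.104]:51234") // what RemoteAddr() might yield
	fmt.Println(id, err, authorize(id, "read"), authorize(id, "write"))
}
```

The untrusted-prefix branch is the important one: if the listener is also reachable from the LAN or the public internet, an address lookup proves nothing, so bind to the overlay address or firewall the port to it.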

~~~
gowld
Aside, why would you write 'err' instead of '_' if you aren't using the
result?

~~~
justinsaccount
Because hacker news is not a go compiler.

------
Tomte
That's the company of the guy blogging at apenwarr.ca (I always forget his
name, although I really like his blog).

~~~
harryh
Avery Pennarun is his name.

~~~
bradfitz
... Tailscale is his game.

~~~
harryh
At first I had written "His name is Avery Pennarun" but that was way too Fight
Club.

------
j88439h84
This seems like identity based authn all over again, with all the problems
that go with it. Confused deputy, etc.

------
msh
I like the idea but unfortunately there is not much documentation.

I got it up and running on my home “server” (an ARM SBC) and on my iPhone and
iPad, but none of them can contact the server on the provided IP. Probably
something I am doing wrong, but there is not really much on how to debug it.

~~~
dfcarney
(co-founder here)

Please email support@tailscale.com and we’ll help you out!

------
heisenbit
Enterprise networks are becoming less LANish and now our home networks are
supposed to move towards a VPN based architecture? Should we not drive
security in the direction e2e and application level?

~~~
ignoramous
My opinion is that, in its current form, tailscale essentially provides a
cross-platform, super-configurable discovery and key-management layer to a P2P
network overlay on top of the public internet, secured by WireGuard.

It's like stunnel or ghostunnel but for L3, and that lets you replace the
gargantuan IPsec with something that's way simpler and nimbler like WireGuard.

As for LAN vs BeyondCorp... tailscale _has_ BeyondCorp influences. It uses
federated identity (OpenID for instance) _and_ device credentials (see:
WireGuard crypto-routing) to let you in on any mesh network that you have
access to. It is not something novel, but it is super complicated to do it as
_simply_ as possible. And WireGuard is a key enabler for just that.

BeyondCorp is obviously much more than just SSO. You might also be interested
in: [https://www.beyondcorp.com/](https://www.beyondcorp.com/)

------
BillSaysThis
For a company that wants to be open, Tailscale.com is conspicuously missing
any pricing info at all.

~~~
bradfitz
In progress. Super early days. Most importantly, things need to be
finished/polished.

~~~
ignoramous
Are you joining as a founder?

The team at tailscale is stellar. I love the mission statement as well: with
B Cantrill's [https://oxide.computer](https://oxide.computer) taking on the
hardware and OS side of things and tailscale starting off with the network,
things are really shaping up for a post-cloud future already. I'm sure you'll
find a use for perkeep to reduce _the long tail of the software development_
[0].

Good luck (not that you need it), Brad Fitz. Your work on PubSubHubbub has
inspired me since I was a school-going kid.

[0] I guess the name is a nod to one of the most fascinating tech papers I've
ever read: [https://blog.acolyer.org/2015/01/15/the-tail-at-scale/](https://blog.acolyer.org/2015/01/15/the-tail-at-scale/)

------
sansnomme
It looks like competition is heating up for ZeroTier, Gravitational, and
Cloudflare Access.

------
nif2ee
It's obvious that Tailscale's founders are well connected and have very powerful
friends: nobody can even tell what the product is, yet they're already popular on
HN and Twitter. This Heptio-tier strategy has already proved to be very profitable
and successful. Probably the company will be sold to Google within 3 years for
a huge number, then merged and burned within a year without anybody
noticing what the hell that was all about.

