Hi, hello everybody. I'm Dave Cridland and I work for a company called Surevine, and they pay for me to come here, so I might as well put their logo on things. Surevine do secure collaboration with people who really, really care about security, which is what draws me into this kind of area. But this is mostly just a hobby project that I've developed and we've taken on as a bit of a product.

So XMPP looks a bit like this on a sort of network diagram. You have clients which talk to servers, and servers talk to other servers. If we add in another client, it looks much the same, but you see that clients don't talk to clients; it's only that servers talk to servers. If you add in another domain, then you get... incidentally, please admire these lines. They took me ages. The blinky lines are CSS animation. It's really impressive, I thought so. And these you get: domains talking to domains talking to domains. They all do full mesh, and the clients just hang off particular servers.

But the problem with this is it's not a really sensible view of the world, because these two domains are both Montague. They're both probably on the same physical server.
So in fact they're probably in the same process, let alone the same organisation. So the way that I tend to think about XMPP is like this: you have a set of, if we're going to use partial language, autonomous security domains. Within them they operate their own security policy; they set the rules. The clients live within those, the servers live within those, everything. And then they have borders, and then they send traffic past those borders, in this case Capulet sending to House Verona and House Montague. It took ages of Shakespearean research to figure out a third one there.

So what's Metre? Well, I like to call it a borderline server, but marketing told me that I can't. So it's maybe an S2S proxy, a server-to-server proxy, is one way of looking at it. A border gateway, although that's possibly a bit misleading. Yeah, and that's an SBC in SIP terms, but XMPP doesn't have those. And a perimeter filter is another way of looking at it. There is another way of looking at it, but we don't mention that.

So where does it fit in this diagram? Because I've got to put it in the diagram somewhere, and the answer is, well, it kind of doesn't, because this diagram doesn't change. What we're doing is Metre lives in these lines here, in these boxes. It acts as the border; it acts as the perimeter. So Capulet's servers connect to their Metre as if it's Montague. They don't really care; they're just connecting out. So Openfire and Prosody both have overrides to let you do this very nicely and simply, and Metre then pretends to be Capulet as it connects to Montague servers. So it is fronting Capulet. I don't like that word "pretends", though, because it implies that it's doing something wrong, and there's lots of words that sound really wrong here: spoofs, fakes, masquerades. All of these have to go. What it's doing is it authenticates as Capulet to Montague.
It's legitimately acting that way. So, a quick reminder of how authentication works in server-to-server in XMPP, because not everyone will remember this straight off and it's a bit complicated. Originally we had dialback. That was our first attempt at security in server-to-server, and it looks roughly like this: you've got two connections. One connection comes in and says "hello, hey Bob, it's Alice." The receiving server then connects back to the originating server and just checks that it's the right connection, and if it is, then we're all good. And dialback is reliant on DNS, and here's an alternative-fact quote from Trump explaining how good DNS is. And DNS can be spoofed, so there are problems there. We've never had a problem in the XMPP network as far as I'm aware, but it's not good to rely on it, so you wouldn't know.

So maybe we should do DNSSEC. And so DNSSEC, secure DNS, I mean basically it's the TLS for DNS, I don't know, call it what you like. It means that you can rely on the DNS data at a cryptographic level, and this gives us something called securely derived reference identifiers, which are to do with... it's not TLS, it's signing of records, hush now.

So for TLS, in XMPP terms, we always have to check the certificate for the domain and not the host, unless you've got DNSSEC, at which point it's the host as well. You know, unless there's DANE, at which point it might be neither, or we might be doing something else with fingerprinting entirely. So there's a lot of variations there. TLS with XMPP is opportunistic. We use the STARTTLS model, which was sort of pioneered by ACAP, as I'm sure you're all familiar with ACAP.
I like to slip ACAP into every talk. Except that we've actually developed a quite recent spec, XEP-0368, where it acts more like HTTPS, where it operates on a separate port. So there are, again, a lot of variations. Sorry, I did these last night when I was drunk.

So Metre supports a selection of standards beyond the basic XMPP, and I'm sure you all know what all of these are. So XEP-0220 is dialback, yes. XEP-0344, that's dialback with TLS. Then there's XEP-0361, that's SATCOM, XMPP over SATCOM; Metre supports that as well, for low-bandwidth situations. XEP-0368 we've mentioned, immediate-mode TLS. RFC 6125, the TLS PKIX stuff, and a rather obscure one, because nobody seems to reference it, but it's quite useful. RFC 4033 to 4035 is DNSSEC. RFC 5280 is PKIX and CRLs; we have to do CRL checking. What's that? And then we've got DANE and DANE-SRV. So there's quite a lot there.

And the other features it can do: lots and lots of per-domain controls, so that you can tweak the cipher lists for particular domains, you can tweak the DH parameter length for particular domains if you want, as well as whether you're enforcing TLS or not. It also handles DNS overrides. Oh, I should have really logged out, you know. Say hello to Chris. So DNS overrides allow you to override what server it's connecting to, and everyone's coming online. I really should have thought of that before. It allows you to inject SRV records, and it allows you to, thank you Edwin, and it allows you to inject TLSA records, so that you can do certificate pinning via injected DANE records if you want. Which is, again, yeah, useful. Quick trip around the internals. Am I doing OK for time? OK. Quick trip around the internals.
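As an added example, not Metre's code and not code from the talk, here is the decision described in the last few slides written out in Python: which names in a peer's certificate an XMPP server may accept (the domain; the SRV target host only when the SRV answer was DNSSEC-validated, which is what makes it a securely derived reference identifier in RFC 6125 terms), and how a DNSSEC-validated or locally injected DANE-EE TLSA record replaces that name check entirely. The domain names, the SRV target and the byte strings standing in for DER-encoded certificates are all constructed; PKIX chain validation and CRL checking are assumed to happen elsewhere, and XMPP-specific SAN forms (SRV-ID, XmppAddr) are not covered.

```python
"""Reference-identifier and DANE pin checks for an XMPP S2S peer (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass
class SrvResult:
    target: str   # SRV target host, e.g. "xmpp1.montague.example" (constructed)
    secure: bool  # True only if the SRV lookup was DNSSEC-validated


@dataclass
class TlsaRecord:
    usage: int      # 3 = DANE-EE (the only usage this example handles)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes
    secure: bool    # DNSSEC-validated, or injected by local configuration


def reference_identifiers(domain: str, srv: Optional[SrvResult] = None) -> Set[str]:
    """The domain is always a valid reference; the SRV host only with DNSSEC."""
    refs = {domain.lower().rstrip(".")}
    if srv is not None and srv.secure:
        refs.add(srv.target.lower().rstrip("."))
    return refs


def dns_name_matches(presented: str, reference: str) -> bool:
    """RFC 6125 6.4.3 comparison: exact match, or a wildcard as the whole left-most label."""
    presented = presented.lower().rstrip(".")
    if presented == reference:
        return True
    if presented.startswith("*."):
        suffix = presented[1:]                     # ".montague.example"
        if not reference.endswith(suffix):
            return False
        head = reference[: -len(suffix)]
        return bool(head) and "." not in head      # "*.x" must not match "a.b.x"
    return False


def names_acceptable(san_dns_names: Iterable[str], domain: str,
                     srv: Optional[SrvResult] = None) -> bool:
    refs = reference_identifiers(domain, srv)
    return any(dns_name_matches(p, r) for p in san_dns_names for r in refs)


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    if record.usage != 3 or not record.secure:
        return False
    subject = cert_der if record.selector == 0 else spki_der
    if record.matching == 0:
        return record.data == subject
    if record.matching == 1:
        return record.data == hashlib.sha256(subject).digest()
    if record.matching == 2:
        return record.data == hashlib.sha512(subject).digest()
    return False


def pin_for(spki_der: bytes, secure: bool = True) -> TlsaRecord:
    """Build a DANE-EE / SPKI / SHA-256 record, as one would inject for pinning."""
    return TlsaRecord(3, 1, 1, hashlib.sha256(spki_der).digest(), secure)


def peer_acceptable(domain: str, san_dns_names: Iterable[str], cert_der: bytes,
                    spki_der: bytes, srv: Optional[SrvResult] = None,
                    tlsa_records: Iterable[TlsaRecord] = ()) -> bool:
    """DANE decides outright when usable records exist; otherwise fall back to names."""
    usable = [r for r in tlsa_records if r.secure and r.usage == 3]
    if usable:
        return any(tlsa_matches(r, cert_der, spki_der) for r in usable)
    return names_acceptable(san_dns_names, domain, srv)


if __name__ == "__main__":
    cert, spki = b"constructed-cert-der", b"constructed-spki-der"   # stand-ins for DER
    host = SrvResult("xmpp1.montague.example", secure=False)
    print(peer_acceptable("montague.example", ["xmpp1.montague.example"], cert, spki, host))
    print(peer_acceptable("montague.example", [], cert, spki, tlsa_records=[pin_for(spki)]))
```

The two branches worth noting are the ones the talk calls out: a certificate naming only the SRV host is rejected when the SRV answer was not DNSSEC-validated, and once a usable TLSA record is present a mismatch is a rejection rather than a fall-through to the PKIX name check.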
It's written in C++11, with bits of C++14 as I gradually got familiar with them. So that might give you some idea of how long I've been working on this now. And all of the code and all of its operations are assumed to be security sensitive, which has certain implications on the design. Yes, it's assumed that it is internet-facing; it's assumed that it is right on the perimeter. It is assumed that every configuration option has a security impact. It's designed to be sysadmin friendly. It doesn't have users; users don't connect to it. It's designed to be support friendly, so that we, Surevine, can build support contracts. And once all of those are dealt with, it is designed to be very, very fast at switching stanzas, XMPP's sort-of packet equivalent.

To go through a bit more detail. I think this was actually Edwin. It was, there you go. That's why I picked C++11, because it's really nice. No other reason, really.

Security: there is no web interface. It's just a straightforward flat config file; you edit it with operating-system security. And there isn't even any SIGHUP support, because when I looked at it I decided that working out exactly which connections had to be restarted for a given config change was simply too high a risk. So that's gone. It does have pretty terrible testing, I will admit that. If any of you are Google Summer of Code students, I would love to see some approaches to a test framework for this. On the other hand, the code is very carefully statically analysed, and it's exploratory tested fairly well.

As far as sysadmin friendly goes, well, XML config file. Do we like XML? I don't know, I like it. And it has smart cascading defaults.
So changing a global will have an effect on other dependent settings, to make them the sensible default given the global, this sort of thing. It also has a runtime config dump, which I'll come on to in a bit; at the moment, that really comes into its own when you're dealing with support. So by a runtime config dump I mean: the config file that it reads in, it will then write out the entire configuration into a file. This is actually an example of part of the config file. The screen's not wide enough. But you'll see that not only does it write out all the settings, including any defaults, any derived settings, so it includes, like, the fact that we're checking PKIX status and this sort of thing, it also includes comments about the configuration. So in order to figure out exactly what your running configuration really is, you have a complete snapshot of it, including any referenced certificates, keys, the whole lot, put in the data directory so that you can find it and examine it, and potentially examine it for changes.

So fast switching means very few buffer copies, very fast parsing. I use a fork of RapidXML, which I've enhanced a bit, and one of the things that RapidXML allows us to do is skip XML reserialization. Reserialization is at least as slow as parsing, so if we can skip it, we skip half the time. And what I mean by this is: here's a stanza, and we've got what we tend to refer to as a stanza header, sort of the message tags themselves, and what we can do is we can extract this string here and simply copy it from one buffer to another. RapidXML allows us to do this; it makes it very, very fast to move stanzas from one interface to another, which keeps the latency very nice and low.

So, as I say, I wrote these while I was drunk. So what can we do now, because we are
sitting in this diagram, on these edges, now that we're there and we've established the security between these at a basic communications level. What else can we do with this?

So Metre has a concept of filters, which allow you to read in the stanzas as they're going through, perhaps choose to discard them, perhaps choose to create new ones so that we can respond to traffic before it hits the real server, and potentially alter them. I haven't actually written the API for that, but you can always just discard and create new ones, so it's not a huge deal.

The examples that I've got: the XMPP world has a problem with Russian spam at the moment. So, just as a proof of concept, I knocked out something that will take Unicode code blocks and go, yeah, it contains this one, and I don't speak any Russian, despite having Russian friends, and so I can drop those packets on the floor and my spam goes away. That's very, very nice, although quite brutal. But it's an interesting proof of concept.

A slightly more interesting one is this: disco is the capability discovery mechanism in XMPP, and what we can do is, as disco requests come in, for the discovery we can hand back a previous discovery response, so that again that never passes through. Now this, in combination with use of Metre in, for example, SATCOM, when you've got very slow links, can save quite a large amount of traffic. Those XMPP servers already have the ability to cache client discos; at least one does, because I've put it in there before. And so what's on the roadmap?
And on the roadmap: we've got the functionality, so what else can we do? We could actually suppress, maybe inject, client capabilities, which seems like a useful trick to be able to do. So instead of merely blocking, say, file transfer traffic, if you don't want to allow that across your perimeter, we might start saying, well actually, this client can't even do file transfer; don't offer it. Which improves the user experience instead of simply blocking traffic. Other things we can do, speaking of file transfer: we can intercept, maybe bridge between, so that we can inject file transfer proxies, things like this, and strip out internal network addresses on those sessions. Maybe even check files, maybe dump them in and virus scan them on the way through. So we've got, again, a large number of options, things that you want to do on your perimeter.

And finally, security labelling. Like I say, Surevine works in some high security environments, although we mostly use security labelling in cyber threat intelligence in the enterprise world. We've already got a complete security labelling implementation called Spiffing; I did a lightning talk on that last year. And so we can actually build in a policy enforcement point, check labels against clearances, exciting things like that. And we can do more than that. I'm really keen, if anybody is a potential Google Summer of Code student, I'm really keen to see what people can do with this. You would be working within the XMPP Standards Foundation as an umbrella group for Google Summer of Code, and if you're able to pitch in an idea, I'm all ears.

So with that, I make it three minutes twenty seconds. Are there any questions?

Audience: Have you done interop tests between Metre and other servers, or other border servers, edge servers?

Dave Cridland: Well, there is only one of them.

Audience: I know, and you develop it.
Dave Cridland: I know, so you can answer that question yourself, which would be "not yet". But I have discussed this with your CEO, in fact, and he said yes. So yeah, that's very much on the cards, because much as we'd like to have the entire pie, obviously, if we don't, we should at least interoperate.

Audience: Indeed, yeah, because there have been too many problems with interop.

Dave Cridland: Very much so. I mean, I run Metre in production protecting my own server, so I'm confident that it works with a wide range of servers. But yeah, formal interop testing, particularly on common labelling, yeah, absolutely.

Audience: OK. Is it open source, and if so...?

Dave Cridland: It is open source, and I really should have put the GitHub repository on here, shouldn't I? It is open source; otherwise that would be really embarrassing, coming here and talking about something that wasn't. Yeah, so it's MIT licensed and it is on GitHub, within my GitHub. You can look for Metre; my GitHub handle is dwd, Delta Whiskey Delta.

Audience: Do you see that the issue that you don't see the remote IP is an issue, or something you would like to solve? I mean, in the perimeter, you don't see the remote IP of the other entity.

Dave Cridland: No, you don't. That's because you will see Metre's IP address from the inside. It's only a problem if you're trying to do perimeter security on the inside, but I'm assuming that you do the perimeter security within Metre, so I'm thinking not. Go on. I've got one minute thirteen seconds, I guess.

Audience: I think you've made some time.
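The filter concept from the talk (drop messages whose body contains Cyrillic, and answer disco#info requests from a cached response so the request never crosses to the real server), as an added Python example that is not Metre's code and is not taken from the talk. The sample stanzas, the JIDs and the jabber:server namespace on them are constructed; it uses the standard-library XML parser where Metre uses its RapidXML fork, and a real perimeter parser would additionally need limits on entity expansion and document size.

```python
"""A small stanza filter chain in the spirit of Metre's filters (added example)."""
import copy
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

NS_SERVER = "jabber:server"                               # assumed S2S stream namespace
NS_DISCO_INFO = "http://jabber.org/protocol/disco#info"

# Unicode blocks refused by the spam filter: Cyrillic and Cyrillic Supplement.
BLOCKED_RANGES = [(0x0400, 0x04FF), (0x0500, 0x052F)]

# A filter returns ("pass", stanza), ("drop", None) or ("reply", new_stanza).
Verdict = Tuple[str, Optional[ET.Element]]
Filter = Callable[[ET.Element], Verdict]


def contains_blocked_script(text: str) -> bool:
    return any(lo <= ord(ch) <= hi for ch in text for lo, hi in BLOCKED_RANGES)


def drop_cyrillic_messages(stanza: ET.Element) -> Verdict:
    """Discard a <message/> if any <body/> contains characters from a blocked block."""
    if stanza.tag == f"{{{NS_SERVER}}}message":
        for body in stanza.iter(f"{{{NS_SERVER}}}body"):
            if contains_blocked_script(body.text or ""):
                return ("drop", None)
    return ("pass", stanza)


class DiscoInfoCache:
    """Remember disco#info results that pass through; answer later requests locally."""

    def __init__(self) -> None:
        self.responses: Dict[str, ET.Element] = {}

    def __call__(self, stanza: ET.Element) -> Verdict:
        if stanza.tag != f"{{{NS_SERVER}}}iq":
            return ("pass", stanza)
        query = stanza.find(f"{{{NS_DISCO_INFO}}}query")
        if query is None:
            return ("pass", stanza)
        if stanza.get("type") == "result":
            self.responses[stanza.get("from", "")] = query   # cache what the server answered
            return ("pass", stanza)
        if stanza.get("type") == "get":
            cached = self.responses.get(stanza.get("to", ""))
            if cached is not None:
                reply = ET.Element(f"{{{NS_SERVER}}}iq", {
                    "type": "result", "id": stanza.get("id", ""),
                    "from": stanza.get("to", ""), "to": stanza.get("from", "")})
                reply.append(copy.deepcopy(cached))
                return ("reply", reply)                      # never reaches the real server
        return ("pass", stanza)


def run_filters(filters: List[Filter], xml_text: str) -> Verdict:
    """Parse one stanza and run it through the chain; the first non-pass verdict wins."""
    stanza = ET.fromstring(xml_text)
    for f in filters:
        verdict, out = f(stanza)
        if verdict != "pass":
            return (verdict, out)
    return ("pass", stanza)


# Constructed sample traffic, as seen on the S2S link.
SPAM_MESSAGE = ('<message xmlns="jabber:server" from="spam@elsewhere.example" '
                'to="romeo@montague.example"><body>Привет</body></message>')
PLAIN_MESSAGE = ('<message xmlns="jabber:server" from="juliet@capulet.example" '
                 'to="romeo@montague.example"><body>Hello</body></message>')
DISCO_REQUEST = ('<iq xmlns="jabber:server" type="get" id="d1" from="capulet.example" '
                 'to="montague.example"><query xmlns="http://jabber.org/protocol/disco#info"/></iq>')
DISCO_RESULT = ('<iq xmlns="jabber:server" type="result" id="d1" from="montague.example" '
                'to="capulet.example"><query xmlns="http://jabber.org/protocol/disco#info">'
                '<feature var="urn:xmpp:ping"/></query></iq>')


def demo() -> List[Verdict]:
    """Run the chain over the samples; the second disco request is answered from cache."""
    chain: List[Filter] = [drop_cyrillic_messages, DiscoInfoCache()]
    return [run_filters(chain, s) for s in
            (SPAM_MESSAGE, PLAIN_MESSAGE, DISCO_REQUEST, DISCO_RESULT, DISCO_REQUEST)]


if __name__ == "__main__":
    for verdict, out in demo():
        print(verdict, "" if out is None else ET.tostring(out, encoding="unicode"))
```

The cache keys on the bare domain in the `from` of a result, so a cached answer is only ever replayed for the same remote entity; a deployment doing this for real would also expire entries and decide whether cached answers may be served across different originating domains.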