Slack released Nebula—an open source “global overlay network” developed to address cross-region networking needs for deployments of the company’s core workplace communication product—on Tuesday at GitHub.
Nebula has been used across every server at Slack for over two years, though this release represents the first public acknowledgement of the project.
Though Slack evaluated other existing software, a lack of a workable solution that met its requirements necessitated the creation of Nebula, according to a Medium post accompanying the release Foremost among the problems Slack sought to solve was limitations around security groups—allowing for traffic filtering based on group membership, rather than manual IP address or range. While convenient for single-region deployments, security groups do not scale between regions on public cloud providers, requiring a pipe for connecting these instances.
SEE: Slack: A cheat sheet (free PDF) (TechRepublic)
Previously, the company used IPSec to connect multiple cloud regions, though this was proving difficult to scale as more users subscribed to the service, the post stated. IPSec, as a VPN protocol, requires an extra hop in network routes—and the volume of traffic requires dedicated instances to shuttle bits between cloud regions.
“You get this problem where—as you expand this—if you lose any one node, it can cause temporary issues with hosts communicating,” said Ryan Huber, security architect at Slack. “What we really wanted to get away from was having a conduit that everything goes across—this sort of big pipe between regions.”
Connecting systems, and connecting systems securely, are two discretely different tasks—and Slack’s focus is on the latter. Rather than develop a whole-cloth implementation with their own crypto, Nebula utilizes the Noise Protocol Framework, created by Trevor Perrin, co-author of the Signal Protocol, which is the underpinning of the security-focused Signal Messenger.
“It’s very prescriptive about using best of breed current encryption,” said Huber. “There’s no such thing as a downgrade attack in a noise communication session. You have to decide up front which cryptography protocols you’re going to use. If you migrate to a new one, you change it for the entire network at once,” in contrast to attacks targeting TLS, forcing the use of older, weaker, exploitable protocols.
Why Nebula could be the security solution for IoT woes
Though Nebula was created to address Slack’s business needs, Huber is quick to note how scalable Nebula is—the model is node-to-node, and can be used in as simple of a configuration as installing on a computer that connects to a compute instance on DigitalOcean, or some other cloud provider. This scalability offers flexibility for internet of things (IoT) devices, providing public internet access but without explicitly allowing traffic in or out on predefined ports as a firewall rule.
“We wrote [Nebula] for ourselves, as well. This is the kind of tool I have wanted at various jobs in my career, and we finally had the resources to create it. My friend Joe… is a mechanical engineer. He’s technical enough, he deals with computers, but he’s not a network person. He uses Linux, but he’s not a Linux person. Joe has the use case of wanting to network his 3D printers, his CNC router, and these have little controllers—Raspberry Pis, etc. We were able to stand up a Nebula mesh where Joe can—no matter where his laptop is—connect to everything and not have to open his home network, his firewall, anything. That’s because we do certain things to facilitate direct node-to-node communication,” said Huber.
That node-to-node communication works behind firewalls or NAT, through a system called Lighthouse. As a quick overview, only the Lighthouse, serving as the discovery mechanism, needs a routable IP. “It’s kind of like DNS. You ask the Lighthouse, how do I reach this Nebula node? It gives you an answer, then you make a direct handshake with that node and complete that connection,” said Huber.
What Nebula runs on today, and what can use it in the future
Presently, Nebula is available on Linux, MacOS, and Windows, with prototypes running on iOS. Android support is roadmapped, with the Android version anticipated to be serviceable on Chromebooks.
While there is Linux on Chromebooks, “you can’t really use that as your system-wide VPN. You can run a VPN inside the Linux container, but it’s confined to that container, not the browser on the main system. Android apps [can do that], so once there is an Android version, then Chromebooks will be supported,” said Huber.
Slack is releasing Nebula as an open source solution. “We built a lot of Slack on open source tools, I think giving back to the community is really important,” said Huber. “I love when companies source software, because it gives you insight into the good engineering happening within organizations, I think this is an example of that engineering.”
Though Nebula is not a commercial product, Slack is covering it as part of HackerOne, to provide bounties for discovering vulnerabilities. Slack has paid over $512,000 in bounties since joining HackerOne.