Amazon EC2 推出 I3 系列機器

Amazon EC2 推出使用 NVMe SSD 的機器,I3 系列:「Now Available – I3 Instances for Demanding, I/O Intensive Applications」。

以東京區的價錢來看,r4.16xlarge 與 i3.16xlarge 都是 64 vCPU 與 488GB RAM。不一樣的地方只有兩個:

  • 第一個是 r4 只有 195 vCPU,而 i3 有 200 vCPU,快了一些。
  • 第二個是 i3 多了 8 個 1900 NVMe SSD。

但價錢卻只差一些 ($5.12/hr 與 $5.856/hr),如果速度可以善用 SSD 的話,跟 r4.* 比起來其實頗超值的...

Etsy 如何用 Let's Encrypt 的 SSL certificate 做生意...

Etsy 的「How Etsy Manages HTTPS and SSL Certificates for Custom Domains on Pattern」這篇文章講了如何用 Let's Encrypt 實作 Custom Domain。

主要是因為 Let's Encrypt 在設計時就考慮到的 auto-renew 機制,可以全自動處理後續的動作。這使得接 Let's Encrypt 比起接其他家來得容易 (而且省掉許多費用與合約上要處理的問題)。

文章後半段則是討論另外一個問題:當你有上千把 private key (& certificate) 時要怎麼管理,以確保這些 private key 都夠安全。其中有提到未來打算要引入 HSM

One of our stretch goals is to look into deploying HSMs. If there are bugs in the underlying software, the integrity of the entire system could be compromised thus voiding any guarantees we try to keep. While bugs are inevitable, moving critical cryptographic functions into secure hardware will mitigate their impact.

由於不太可能是把所有的 private key 塞到 HSM 裡面,應該是用 HSM 管理加密後的 private key,可以想像一下整個系統又會多了好幾個元件將責任拆開...

Amazon EC2 的大量新資訊

這次 re:InventAmazon EC2 的更新真是有夠多的,總集篇被整理在這邊:「EC2 Instance Type Update – T2, R4, F1, Elastic GPUs, I3, C5」。

先是 F1 系列提供 FPGA 能力:「Developer Preview – EC2 Instances (F1) with Programmable Hardware」。

再來是 T2 系列提供更大台的機器,不過往上提供的 CPU 級距還是 1.5 倍 (費用是 2 倍),主要還是給量還不夠大的使用者使用,如果夠大的就應該換去 C 系列,加上 auto scaling 的方式降低成本:「New T2.Xlarge and T2.2Xlarge Instances」。

另外一個大賣點是 GPU 變成可以掛在各種機器上,雖然還沒推出:「In the Works – Amazon EC2 Elastic GPUs」:

Today, you have the ability to set up freshly created EBS volumes when you launch new instances. You’ll be able to do something similar with Elastic GPUs, specifying the desired size during the launch process, with the option to stop, modify, and then start a running instance in order to make a change.

最後是推出了 R4、I3 與 C5 系列,主要是在於硬體升級而更新。

Netflix 對 sendfile() 在 TLS 情況下的加速

Netflix 對於寫了一篇關於隱私保護的技術細節:「Protecting Netflix Viewing Privacy at Scale」。

其中講到 2012 年的 Netflix Open Connect 中的 Open Connect Appliance (OCA,放伺服器到 ISP 機房的計畫) 只有單台伺服器 8Gbps,到現在 2016 可以達到 90Gbps:

As we mentioned in a recent company blog post, since the beginning of the Open Connect program we have significantly increased the efficiency of our OCAs - from delivering 8 Gbps of throughput from a single server in 2012 to over 90 Gbps from a single server in 2016.

早期的 Netflix 走 sendfile() 將影片丟出去,這在 kernel space 處理,所以很有效率:

當影片本身改走 HTTPS (TLS) 時,其中一個遇到的效能問題是導致 sendfile() 無法使用,而必須在 userland space 加密後改走回傳統的 write() 架構,這對於效能影響很大:

所以他們就讓 kernel 支援 AES 系列加密 (包括 AES-GCM 與 AES-CBC),效能的提昇大約是 30%:

Our changes in both the BoringSSL and ISA-L test situations significantly increased both CPU utilization and bandwidth over baseline - increasing performance by up to 30%, depending on the OCA hardware version.

文章開頭也有提到選 AES-GCM 與 AES-CBC 的一些來龍去脈,主要是 AES-GCM 的安全強度比較好,另外考慮到舊的 client 不支援 AES-GCM 時會使用 AES-CBC:

We evaluated available and applicable ciphers and decided to primarily use the Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM), available starting in TLS 1.2. We chose AES-CGM over the Cipher Block Chaining (CBC) method, which comes at a higher computational cost. The AES-GCM cipher algorithm encrypts and authenticates the message simultaneously - as opposed to AES-CBC, which requires an additional pass over the data to generate keyed-hash message authentication code (HMAC). CBC can still be used as a fallback for clients that cannot support the preferred method.

另外 OCA 機器本身也都夠新,支援 AES-NI 指令集,效能上不是太大的問題:

All revisions of Open Connect Appliances also have Intel CPUs that support AES-NI, the extension to the x86 instruction set designed to improve encryption and decryption performance. We needed to determine the best implementation of AES-GCM with the AES-NI instruction set, so we investigated alternatives to OpenSSL, including BoringSSL and the Intel Intelligent Storage Acceleration Library (ISA-L).

不過在「Netflix Open Connect Appliance Deployment Guide」(26 July 2016 版) 這份文件裡看起來還是用多條 10Gbps 透過 LACP 接上去:

You must be able to provision 2-4 x 10 Gbps ethernet ports in a LACP LAG per OCA. The exact quantity depends on the OCA type.

可能是下一版準備要上 40Gbps 或 100Gbps 的準備...?

Apple 打算把 iCloud 加密用的 Key 放到用戶端

在經過最近 FBIApple 的戰鬥中 (FBI–Apple encryption dispute),Apple 正規劃把 iCloud 加密所使用的 key 放到用戶端裝置上,而非放在伺服器端:「Apple to Hand iCloud Encryption Key Management to Account Holders」:

In effect, Apple is following the lead of secure cloud services such as SpiderOak which has been offering what it calls “Zero Knowledge” cloud storage. By that, SpiderOak retains no information about whatever is stored in its cloud service, nor the means of gaining access to it.

也就是加解密都放在 client 端處理,server 端只是 storage。

這類型最大的問題是 server 端沒辦法運用資料,但 iCloud 的確可以放掉這些功能 (搜尋之類的),純粹當 storage 使用,藉以讓使用者自己裝置保護。

而蘋果在使用者的裝置上把類似於 HSM 的系統做的頗強大... 不知道 Android 有沒有機會也跟進。(雖然我自己是用 Apple 家的東西...)

AWS 推出備份用的硬體設備:Snowball

AWS Import/Export 服務推出硬體:「AWS Import/Export Snowball – Transfer 1 Petabyte Per Week Using Amazon-Owned Storage Appliances」。

原先 AWS Import/Export 需要自己買硬碟寄到 AWS 指定的地方,對於一次性的用途來說不太合理 (硬碟只用一次?),而現在 AWS Import/Export 推出整台 appliance 來解決這個問題,長這樣:

本身就是可郵寄的包裝,包括了 E-ink 電子墨水面板 (很明顯是從 Kindle 那邊弄來的技術),所以連寄回的地址都不用填寫。而本身就有防水防震設計保護寄送過程稍微摔到或是淋到水也不會有事情,另外透過 AES 256bits 安全加密確保資料不會被盜用,NIST Special Publication 800-88 確認加密的資料沒有被盜取。

整個規劃看起來很有種軍規的設計感...

而每個 appliance 可以傳輸 50TB 的資料:

From there you simply copy up to 50 terabytes of data to the Snowball and disconnect it (a shipping label will automatically appear on the E Ink display), and ship it back to us for ingestion.

目前支援美東 (us-east-1) 與美西二區 (us-west-2):

You can import data to the US Standard and US West (Oregon) regions, with more on the way.

怎麼說呢,很科幻感的東西?

AWS 推出的 Device Farm

AWS Device Farm 正式啟用了,可以測 AndroidAmazonFire OS 手機:「AWS Device Farm – Test Mobile Apps on Real Devices」。

有支援各種測試框架:

也可以設定手機的狀態:

然後各種 screenshot:

以及測試時的資源使用狀態:

價錢就如同之前提到的,USD$0.17/min 或是單隻包月 USD$250 (大約是測一整天的價錢):

Pricing is in units of device minutes, basically the duration of a single test run on a particular device. You get 250 minutes at no charge as part of a Free Trial; after that you pay $0.17 per device minute. You can also opt in to our unmetered testing plan; you can perform unlimited testing on any supported Android or FireOS device for a flat monthly fee of $250.

為 Open Source Hardware 發放 USB Product ID 的 pid.codes

pid.codes 的說明就很清楚了:「Welcome to pid.codes」。

由於 USB-IF 對每個 vendor 收 USD$5000,而且不可以跟其他單位共用:

If you’re a maker, hobbyist, or startup company producing your own USB device, you’ve probably discovered that you need a USB Vendor ID and Product ID to uniquely identify your device to computers. The USB-IF’s position is that the only way to do this is for each organisation to pay $5000 for a unique Vendor ID, which they may not share with other individuals or organisations.

所以就造成很多人惡搞 Vendor ID 與 Product ID:

For many makers and small companies, this is a prohibitive amount of money, and forces them to resort to workarounds, such as using other organisations' VIDs without permission, or simply making up a VID and PID. These solutions make things worse for everyone, by damaging the assumption that a VID/PID combination is unique to a given device.

而他們尋求解決方案,取得了一份在 USB-IF 禁止共用前的 Vendor ID,從而解決這個問題:

pid.codes seeks to solve this issue for anyone producing open-source hardware. We have been gifted a Vendor ID by a company that was issued one by USB-IF and has since ceased trading; they obtained the Vendor ID before the USB-IF changed their licensing terms to prohibit transfers or subassignments.

用 Intel 網卡上的 Flow Director 過濾封包

在「Traffic filtration using NIC capabilities on wire speed (10GE, 14Mpps)」這邊看到的技巧。

作者建議另外安裝 driver,因為 Linux kernel 內的 driver 功能有限:「Intel Ethernet Drivers and Utilities」。

重點在 ethtool 這個工具,可以看到條件設定:

ethtool --help:
        ethtool -N|-U|--config-nfc|--config-ntuple DEVNAME    Configure Rx network flow classification options or rules
        rx-flow-hash tcp4|udp4|ah4|esp4|sctp4|tcp6|udp6|ah6|esp6|sctp6 m|v|t|s|d|f|n|r... |
        flow-type ether|ip4|tcp4|udp4|sctp4|ah4|esp4
            [ src %x:%x:%x:%x:%x:%x [m %x:%x:%x:%x:%x:%x] ]
            [ dst %x:%x:%x:%x:%x:%x [m %x:%x:%x:%x:%x:%x] ]
            [ proto %d [m %x] ]
            [ src-ip %d.%d.%d.%d [m %d.%d.%d.%d] ]
            [ dst-ip %d.%d.%d.%d [m %d.%d.%d.%d] ]
            [ tos %d [m %x] ]
            [ l4proto %d [m %x] ]
            [ src-port %d [m %x] ]
            [ dst-port %d [m %x] ]
            [ spi %d [m %x] ]
            [ vlan-etype %x [m %x] ]
            [ vlan %x [m %x] ]
            [ user-def %x [m %x] ]
            [ action %d ]
            [ loc %d]] |
        delete %d

看起來 stateless 的過濾可以在上面做...

對 Tor 的攻擊開始了...

先前幾天 Tor 官方才猜測會被攻擊 (Tor 官方預測將會被攻擊),在今天的 Hacker News Daily 就看到有機器被扣:「[tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation」。

Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.

偵測到機器被打開,並且插入 USB device,接下來失去對機器的控制權。