undefined | Better HN

0 pointsvlovich1231y ago0 comments

It’s answered in the opening paragraph although I’ll admit I’m still unclear.

> We are committed to keeping your data safe through end-to-end encryption and to making Coder easy to run across a wide variety of systems from client laptops and desktops to VMs, containers, and bare metal. If we used the TCP implementation in the OS, we’d need a way for the TCP packets to get from the operating system back into Coder for encryption. This is called a TUN device in unix-style operating systems and creating one requires elevated permissions, limiting who can run Coder and where. Asking for elevated permissions inside secure clusters at regulated financial enterprises or top secret government networks is at best a big delay and at worst a nonstarter.

The specific part that’s unclear is why encryption needs to be applied at the TCP layer and at that point if they need it at the transport layer why they’re not using something like QUIC which has a much more mature user-space implementation.

0 comments

dpeckett1y ago

I think the key insight behind this approach (and I'm biased here having written something similar) is that the difference between QUIC and (wireguard + network stack) is A LOT less than you might think.

Xelynega1y ago

I'm confused on why they would need a TUN device for a client or server application, so why they would need this solution in the first place(even with their explanation).

As I understand the only reason you'd use a TUN interface is if you want to send/receive raw IP packets. Their marketing doesn't make it very clear what their product does, but I can't see a reason it would need to send/receive raw IP packets rather than TCP/UDP packets over a specific port...

cricketlover1y ago

Agree. Very unclear why they won't simply use a secure socket or why a user space tunnel will be needed.

I surmise that the reason might be that a user space tunnel might be faster (like maybe they can do UDP over TCP or something to gain speed improvements).

Good post nevertheless.

immibis1y ago

Or TLS. It seems to be a remote cloud desktop type of product, so why not use TLS like every other one?

neonsunset1y ago

The quote - is this yet another issue caused by abysmal FFI overhead in Go?

zer00eyz1y ago

https://www.reddit.com/r/golang/comments/12nt2le/when_dealin...

If your C doesn't fight the scheduler it isn't that bad.

kbolino1y ago

Great find! Specifically:

On a goroutine not locked to an OS thread (the default), don't take more than 1 microsecond in a single C call. If you need to take longer in C, lock the goroutine to an OS thread (runtime.LockOSThread), but then don't do things in Go that would park that goroutine (time.Sleep, blocking channel read/write, etc).

tazjin1y ago

There's nothing related to FFI calls in this quote.

j / k navigate · click thread line to collapse