Dustin,

Thanks for the response,

On Fri, Apr 8, 2011 at 10:40 PM, Dustin <[email protected]> wrote:

>
> On Apr 8, 2:16 pm, hoos <[email protected]> wrote:
> > same machine as memcached. While the SASL authentication meets the
> > security requirement we believe it would cause a significant
> > degradation in performance (although I haven't load tested a SASL
> > enabled memcached and cannot quantify the loss in performance).
>
>   Why do you believe that?  It'll increase the cost of the initial
> connection, but if you're initially connecting a lot, you'll gain more
> by just... not doing that than you will by trying to make it a bit
> cheaper.
>

At this stage I don't know enough about the client's behaviour, i.e. if it
opens and closes connections rapidly or if it attempts to reuse a single
connection to memcached across multiple client requests (multiplexing
connections would seem to be a good option for a client to implement in this
instance). I plan to test both the SASL and IPTABLES approach to see what the
difference in response times is against our expected workload and I'll be
happy to share the results once I have them. To date I have been accepting
the arguments of my colleagues on this issue but I think carrying out an
objective test is probably the best way to settle the matter.


>
> > Furthermore not all clients support SASL authentication, most notably
> > the nginx modules don't support it and that really torpedoes the SASL
> > option.
>
>   That's probably not too hard to fix.  :)
>

Well, probably, but I'm under a difficult time constraint and we consider
any solutions that require code alterations to be less preferential than
those that don't (coding and testing the changes will take longer than
configuring infrastructure and testing the stack).


> > Instead we are considering the use of IPTABLES using the owner module
> > to enable filtering of packets based on UID, for example the
> > following iptables command rejects any packets bound for the memcached
> > daemon which have not been created by the memclient user:
> >
> > iptables -A OUTPUT -p tcp --dport 11111 -d 127.0.0.1 -m owner ! --uid-owner memclient -j REJECT
> >
> > This approach is simple to implement and provides the minimum level of
> > security we need.
> >
> > Another approach is to use UNIX domain sockets instead of TCP and
> > secure the domain socket however this method also suffers from a lack
> > of client support.
>
>   If you're absolutely sure that you'll only need memcached on
> localhost forever, then this should be OK.  You could use this as an
> opportunity to improve the clients you're using, though.  :)
>

Let's see what the performance impact of SASL is. If it happens to be
acceptable I'll post my results and an RFC to the nginx Memcached module
maintainers. :)
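The thread's third option, "secure the domain socket", can be checked in process rather than with a packet filter: on Linux a Unix domain socket server can ask the kernel for the peer's UID with SO_PEERCRED, which is the socket-level counterpart of the iptables owner match quoted above. The following is an added example written for this page, not code from the thread or from memcached; the socket path, the `memclient`-style allow-list and the one-shot server are assumptions, and it is Linux-only because of SO_PEERCRED.

```python
"""Added example: a Unix domain socket server that admits clients by UID,
the in-process equivalent of `-m owner --uid-owner` on a loopback TCP port.
Linux only (SO_PEERCRED). Not part of memcached or the original thread."""
import os
import socket
import struct
import tempfile
import threading


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket.
    The kernel fills struct ucred {pid_t, uid_t, gid_t}: three 32-bit ints."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def serve_once(path, allowed_uids, ready):
    """Accept exactly one client on `path`; answer b"OK" only if its UID is on
    the allow-list, otherwise close without a reply. Returns the decision."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    # First line of defence: filesystem permissions on the socket node itself.
    os.chmod(path, 0o660)
    srv.listen(1)
    ready.set()                      # let the client know connect() will succeed
    conn, _ = srv.accept()
    try:
        _pid, uid, _gid = peer_credentials(conn)
        if uid in allowed_uids:
            conn.sendall(b"OK")
            return "accepted"
        return "rejected"            # unauthorised peer: silently dropped
    finally:
        conn.close()
        srv.close()
        os.unlink(path)


def connect_and_read(path):
    """Connect as the current process and return whatever the server sends
    (b"" if it closed the connection without replying)."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    try:
        return cli.recv(16)
    finally:
        cli.close()


def run_scenario(allow_current_user):
    """Run server and client in one process. The allow-list is constructed:
    either {our own UID} or a UID that cannot be ours. Returns (decision, reply)."""
    me = os.getuid()
    allowed = {me} if allow_current_user else {me + 100000}
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "memcached.sock")   # assumed path
    ready = threading.Event()
    result = {}
    t = threading.Thread(
        target=lambda: result.update(decision=serve_once(path, allowed, ready)))
    t.start()
    ready.wait(5)
    reply = connect_and_read(path)
    t.join(5)
    os.rmdir(tmpdir)
    return result["decision"], reply


if __name__ == "__main__":
    print(run_scenario(True))    # ('accepted', b'OK')
    print(run_scenario(False))   # ('rejected', b'')
```

The check happens after `accept()`, so an unauthorised local process can still open the socket node if the directory and mode permit it; keep the 0o660 mode and a dedicated group as the outer layer and treat the SO_PEERCRED test as the inner one. As with the iptables rule, this only protects a service that is reachable from localhost alone.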
