Hello, I'd like to request multiple configurable channel support for memcached. To clarify, I want to be able to configure a single instance of memcached to listen on multiple network interfaces (or IP address/port combinations) and to enable/disable SASL authentication on the different channels (and potentially other connection options in future).

If this functionality already exists and I missed it, I apologise and would appreciate it if someone could direct me w.r.t. configuring it. Enabling this enhancement would greatly improve the security configuration options that are available and also allow different clients with different capabilities to connect to memcached. I hope the following use case describes the benefits.

I have a range of potential clients to my memcached instance; they include clients that:
• Support SASL authentication
• Don't support SASL authentication
• Are deployed to trusted networks
• Are deployed to untrusted networks

In order to securely allow access to all these client types I currently have to disable SASL on my memcached instance (as some of my clients don't support it) and employ a firewall (e.g. IPTABLES) and encrypted transports (e.g. STUNNEL) to enable authentication and protect against a range of threats from client connections from untrusted networks (man in the middle being the main threat). While all this is doable, it greatly increases the complexity of my solution and introduces an administrative burden, which, while acceptable, is not optimal.

If I could configure memcached to listen for connections on a range of IP addresses bound to different interfaces, some of which could be configured to support SASL and others not, this would allow the broadest range of client connectivity while also maintaining fine-grained access control to memcached and limit the performance loss associated with security to only those clients that require it. The complexity is centralised in memcached and the number of moving parts is potentially reduced.

The enhancement essentially increases my operational agility, and there are other use cases that will benefit from this enhancement, for example if I need to bridge connections from different VLANs (which may well be a constraint I'll face in the near future). Any thoughts or comments are welcome.
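For readers who want to see what the workaround described in the post actually looks like on a host, here is the arrangement written out as deployable configuration. This is an added example, not code from the original post or from the memcached project: memcached runs with SASL off (no -S) and is bound only to loopback and a trusted interface; untrusted clients reach it through stunnel, which terminates TLS and requires a client certificate signed by a local CA, so stunnel supplies both the encryption and the authentication that memcached is not providing on that path; iptables keeps the plaintext port off the untrusted network even if a bind address is later misconfigured. The addresses 10.0.0.0/24, 10.0.0.5 and 203.0.113.10, the ports, and the file paths under /etc/stunnel are all assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from memcached): the SASL-off,
# firewall-plus-stunnel workaround the post describes, generated as files.
# Assumptions (placeholders): trusted subnet 10.0.0.0/24, this host's trusted
# address 10.0.0.5, its untrusted address 203.0.113.10, certs under /etc/stunnel.
set -eu

TRUSTED_NET="10.0.0.0/24"        # clients here speak plain memcached
TRUSTED_ADDR="10.0.0.5"          # this host's address on the trusted network
UNTRUSTED_ADDR="203.0.113.10"    # this host's address on the untrusted network
PLAIN_PORT=11211
TLS_PORT=11212

# memcached itself: no -S (SASL off for everyone, which is the limitation the
# post is about), UDP off, bound to loopback and the trusted address only.
# The comma-separated -l list requires a memcached build whose -l accepts it.
memcached_cmd() {
  printf 'memcached -U 0 -l 127.0.0.1,%s -p %s\n' "$TRUSTED_ADDR" "$PLAIN_PORT"
}

# stunnel server config written to $1. verify = 2 makes stunnel reject any
# client that does not present a certificate chaining to client-ca.pem; that
# certificate check is what stands in for SASL on the untrusted side.
write_stunnel_conf() {
  cat > "$1" <<EOF
; TLS front end for untrusted clients; forwards cleartext over loopback only
pid = /var/run/stunnel-memcached.pid
[memcached]
accept  = ${UNTRUSTED_ADDR}:${TLS_PORT}
connect = 127.0.0.1:${PLAIN_PORT}
cert    = /etc/stunnel/memcached-server.pem
CAfile  = /etc/stunnel/client-ca.pem
verify  = 2
EOF
}

# iptables rules in iptables-restore format written to $1. Order matters:
# loopback is accepted first, otherwise stunnel's own hop to 127.0.0.1:11211
# would hit the DROP. Only the two memcached ports are covered here; the rest
# of the INPUT chain is assumed to be managed elsewhere.
write_iptables_rules() {
  cat > "$1" <<EOF
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -d ${TRUSTED_ADDR} -s ${TRUSTED_NET} --dport ${PLAIN_PORT} -j ACCEPT
-A INPUT -p tcp --dport ${PLAIN_PORT} -j DROP
-A INPUT -p tcp -d ${UNTRUSTED_ADDR} --dport ${TLS_PORT} -j ACCEPT
COMMIT
EOF
}

# Generate everything into a scratch directory and print it. On a real host you
# would run the memcached command, 'stunnel stunnel.conf' and
# 'iptables-restore < memcached.rules'.
out=$(mktemp -d)
write_stunnel_conf "$out/stunnel.conf"
write_iptables_rules "$out/memcached.rules"
memcached_cmd
cat "$out/stunnel.conf" "$out/memcached.rules"
```

Two caveats worth keeping in mind with this arrangement: the client-certificate check in stunnel authenticates a certificate, not a memcached user, so per-client policy has to be expressed by which certificates the CA issues rather than by anything memcached knows about; and because memcached's -S switch is global, turning SASL on for the trusted interface would immediately break the clients that cannot speak it, which is exactly the per-listener choice the post is asking for.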
