Home / Companies / Tailscale / Blog / August 2021

August 2021 Summaries

3 posts from Tailscale

Filter
Month: Year:
Post Summaries Back to Blog
Role-based access control (RBAC) and its successor, attribute-based access control (ABAC), are powerful security models that have been underutilized in modern implementations, as they often strip down the original concepts to weaker forms. The article traces the evolution of access control from Discretionary Access Control (DAC) to Mandatory Access Control (MAC), highlighting the strengths and limitations of each. While DAC allows users to grant permissions on their owned objects, MAC imposes stricter rules set by administrators, making it challenging to implement effectively. RBAC, a subset of MAC, simplifies access management by assigning users to roles that determine access levels, whereas ABAC refines this by considering additional user attributes. The discussion expands to cover the inadequacies of filesystem ACLs in implementing true RBAC due to their complexity and maintenance challenges. By introducing object tags and a more centralized management approach, the article outlines a more robust framework for managing permissions, emphasizing the separation of responsibilities among various system roles such as HR, security teams, and object owners. This refined model, as implemented by Tailscale, offers a clean and efficient design that facilitates the management of access permissions across network systems, demonstrating that a well-structured RBAC/ABAC model is both feasible and advantageous when implemented from the core of a system.
Aug 27, 2021 3,690 words in the original blog post.
The August Tailscale newsletter highlights the release of version 1.14 of the Tailscale client, which enhances peer-to-peer connection capabilities, particularly through improved NAT traversal. This update includes support for the Port Control Protocol and expanded UPnP support, resulting in faster traffic for home and small-business networks. The newsletter features community contributions, including tutorials on installing Tailscale on various devices and detailed walkthroughs of its functionalities. It also introduces new guides for using Tailscale in different contexts, such as running private Minecraft servers and integrating with the hosting platform fly.io. Additionally, the newsletter announces the availability of the Taildrop feature on Android, allowing encrypted file transfers across major platforms. The team invites feedback to further improve their product, emphasizing their commitment to continuous enhancement and community engagement.
Aug 26, 2021 648 words in the original blog post.
Tailscale, a zero-configuration networking solution, requires interaction with the Windows firewall to function correctly, particularly for allowing incoming WireGuard tunnels. The core of Windows firewalling is the Windows Filtering Platform (WFP), which manages packet filtering rules through in-kernel and userspace facilities. While most users interact with Windows Defender Firewall for basic configuration, more advanced users can directly access WFP via its API for automated or complex firewall rule management. This process involves creating sessions and rules within WFP layers, which are inspection points in the packet processing flow, to allow or block specific traffic based on detailed connection information. The concept of sublayers enables the coexistence of different sets of filtering rules, with rule priority determined by weights. Tailscale uses the inet.af/wf package in Go for managing Windows firewall rules, aiming to streamline connectivity and enhance centralized Access Control List (ACL) enforcement, with the package still open to contributions for improvements.
Aug 13, 2021 2,804 words in the original blog post.