Joining Tailscale: Simplifying Networking, Authentication, and Authorization (bradfitz.com)
74 points by typical182 on Jan 30, 2020 | 32 comments


> I used to tolerate and expect complexity. Working on Go the past 10 years has changed my perspective, though.

Reminds me of the Redis manifesto that has provided helpful perspective over the years.

> We're against complexity. We believe designing systems is a fight against complexity.

http://download.redis.io/redis-stable/MANIFESTO


You might enjoy Ousterhout's A Philosophy of Software Design - it discusses the many ways a programmer/system designer can fight rising complexity in the code base


I think it's fine for tools to be complex internally if they make things easier for people externally.

Go is generally simple to work with, but it intentionally doesn't provide syntax sugar for many things, like error handling. I suspect this is because the creators of Go also want to keep their own codebase simple.

At first this explicitness is great, but then it turns into boilerplate, obscures the purpose of your code, and increases the code you need to maintain. But having worked a lot with Rails, I do still value the explicitness of Go. So it's a tradeoff.


> I think it's fine for tools to be complex internally if they make things easier for people externally.

Is it though? https://www.jwz.org/doc/worse-is-better.html


For context, this is a post from bradfitz, the creator of LiveJournal, memcached, OpenID, been on the core Go team for last 10 years or so.

There was a recent thread on him leaving Google: https://news.ycombinator.com/item?id=22161383


So I get that things were easier before all networks needed to be treated as zero trust. But should we really return to that? Just adding another layer of network abstraction with another malted milk-ball network security configuration? (gooey and unprotected on the inside)

Part of me thinks this is like when cars were super simple to work on and you had plenty of "shadetree" mechanics. As vehicle safety systems and emissions controls increased we built safer and cleaner vehicles. They are harder to work on at first because you have to learn the concepts of more systems. Brake systems evolved to ABS controllers then further on to Traction/Stability Controllers. Understanding one system makes it easier to understand the others.

I guess I am saying improvement does make things more complex. The most basic engine is loud and pollutes, but it works just fine. That does not mean it is better; it was fun to toy with, but a tuned, well-engineered machine is just as much fun if you can learn to tinker with it and play.

There will always be someone who will tell you your fuel-injected, closed-loop, oxygen- and MAF-sensor-controlled combustion cycle is less fun than an ol' fashioned V8 with a carb.

I actually enjoy the paranoid world where we are building inherent security into every layer of computing. I learn something new every day and get to make something better.


> I learn something new every day and get to make something better.

Best wishes to you. But what about the masses who want to get things done with their tools, not build tools? Who can't afford even a $20K car, who aren't being served by the Googles and Amazons who only want to build datacenter-hosted systems?


Interesting. Authentication via IP could definitely simplify a lot of things. But how do you handle authorization/delegation for 3rd party access?


Tailscale networks are private. The only way to access an IP is through a WireGuard tunnel. The only way to be in the WireGuard configuration file is to have linked your public key against your identity. Every packet has an identity attached.


> Every packet has an identity attached.

So, this part is super interesting to me, but I'm curious on how you envision that working inside applications.

For example, I have a tcp server that does

  ln, err := net.Listen("tcp", ":8080")
  conn, err := ln.Accept()
How do I get the identity for the connection? conn.RemoteAddr() will give me the IP address, but how do I know what the metadata associated with the identity is?

Same sort of idea for inbound HTTP requests. If I wanted to identify whether a connection was from a user or an admin?

As I understand it, much of BeyondCorp-type implementations rely on client certs or Identity Aware Proxies that include the user metadata along with the request.
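As an added example (not code from any commenter and not Tailscale's own API, which the thread does not describe), here is one way an application could answer that question: a hypothetical lookup table, assumed to be populated from whatever bound the peer's key to a login, keyed by the tunnel address that conn.RemoteAddr() or r.RemoteAddr reports, with HTTP middleware that enforces a role on top of it. The peer addresses and users are constructed sample data.

```go
package main
import (
	"errors"
	"net"
	"net/http"
	"net/http/httptest"
)

// Identity is the metadata assumed to be bound to a peer's tunnel address (hypothetical shape).
type Identity struct{ User, Role string }
// peers is a constructed sample table standing in for whatever the control plane
// exposes once it has linked a key to a login; addresses and users are made up.
var peers = map[string]Identity{
	"100.64.0.10": {User: "alice@example.com", Role: "admin"},
	"100.64.0.11": {User: "bob@example.com", Role: "user"},
}
// identityForAddr resolves "host:port" (conn.RemoteAddr().String() or r.RemoteAddr) to the
// identity bound to that host; trust it only when the listener is bound to the tunnel interface.
func identityForAddr(remoteAddr string) (Identity, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return Identity{}, err
	}
	id, ok := peers[host]
	if !ok {
		return Identity{}, errors.New("remote address is not a known peer")
	}
	return id, nil
}
// requireRole is HTTP middleware that admits only peers holding the given role.
func requireRole(role string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := identityForAddr(r.RemoteAddr)
		if err != nil || id.Role != role {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// adminStatus sends one request to an admin-only handler as the given peer address.
func adminStatus(remoteAddr string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest("GET", "/admin", nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	requireRole("admin", ok).ServeHTTP(rec, req)
	return rec.Code
}
```

The same identityForAddr call works for the raw TCP case by passing conn.RemoteAddr().String(); an address that is not in the table, or a listener reachable from outside the tunnel, gives no identity at all.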


Aside, why would you write 'err' instead of '_' if you aren't using the result?


Because Hacker News is not a Go compiler.


Probably a dumb question, but how do you envision connecting something like a networked printer? Front it with a cheap device?


I think that's the way to do it. Possibly a smart switch could do it.


So it sounds like Tailscale is designed for different use cases, i.e. providing access to 3rd party apps is outside the scope?


That's the company of the guy blogging at apenwarr.ca (I always forget his name, although I really like his blog).


Avery Pennarun is his name.


... Tailscale is his game.


At first I had written "His name is Avery Pennarun" but that was way too Fight Club.


This seems like identity based authn all over again, with all the problems that go with it. Confused deputy, etc.


I like the idea but unfortunately there is not much documentation.

I got it up and running on my home “server” (an ARM SBC) and on my iPhone and iPad, but none of them can contact the server on the provided IP. Probably something I am doing wrong, but there is not really much on how to debug it.


(co-founder here)

Please email support@tailscale.com and we’ll help you out!


Enterprise networks are becoming less LANish and now our home networks are supposed to move towards a VPN based architecture? Should we not drive security in the direction e2e and application level?


My opinion is that, in its current form, tailscale essentially provides a cross-platform, super-configurable discovery and key-management layer to a P2P network overlay on top of the public internet, secured by WireGuard.

It's like stunnel or ghosttunnel but for L3, and that lets you replace the gargantuan IPSec with something that's way simpler and nimbler like WireGuard.

As for LAN vs BeyondCorp... tailscale has BeyondCorp influences. It uses federated identity (OpenID for instance) and device credentials (see: WireGuard crypto-routing) to let you in on any mesh network that you have access to. It is not something novel, but it is super complicated to do it as simply as possible. And WireGuard is a key enabler for just that.

BeyondCorp is obviously much more than just SSO. You might also be interested in: https://www.beyondcorp.com/


For a company that wants to be open, Tailscale.com is conspicuously missing any pricing info at all.


In progress. Super early days. Most importantly, things need to be finished/polished.


Are you joining as a founder?

The team at tailscale is stellar. I love the mission statement, as well: With B Cantrill's https://oxide.computer taking on the hardware and OS side of things and tailscale starting off with the network, things are really shaping up for a post-cloud future, already. I'm sure you'll find a use for perkeep to reduce the long tail of the software development [0].

Good luck (not that you need it), Brad Fitz. Your work on pubsubhubbub has inspired me since I was a school-going kid.

[0] I guess the name is a nod to one of the most fascinating tech papers I've ever read: https://blog.acolyer.org/2015/01/15/the-tail-at-scale/


Fair enough but then post that to avoid prospect frustration.


The company itself is still pretty young (< 6 months). I’d suspect pricing isn’t listed because they’re still figuring it out.


That...and we haven’t made time to integrate a payment processor yet. Details, details...


It looks like competition is heating up for ZeroTier, Gravitational, and Cloudflare Access.


It's obvious that Tailscale founders are well connected and have very powerful friends; nobody can even tell what the product is, yet they are already popular on HN and Twitter. This Heptio-tier strategy has already proved to be very profitable and successful. Probably the company will be sold to Google within 3 years at a huge number, then merged and burned within a year later without anybody noticing what the hell that was all about.



