Last month, Slack open-sourced its network overlay tool, Nebula. Nebula allows you to connect computers anywhere in the world in a performant, simple, and secure way.
According to Slack, Nebula incorporates several existing concepts, such as encryption, security groups, certificates, and tunneling. The company believes that what sets Nebula apart from other solutions is that it brings those separate ideas together, “resulting in a sum that is greater than its individual parts,” Ryan Huber, security architect at Slack, wrote in a post.
Slack set out to create Nebula because, as its network stack grew more complex, network segmentation became harder to do. A core segmentation-related issue arose when crossing network boundaries. According to Slack, most cloud providers offer user-defined network host grouping, which allows you to filter network traffic based on group membership rather than individually by IP address or range. However, these groups are siloed to individual regions, and there is no interoperable version of groups between different hosts. As a result, as you expand to multiple regions and providers, the only way to do network segmentation is by IP address or IP network range, which can be complex to manage.
As the company worked on creating Nebula to alleviate these challenges, it had a few goals in mind for what the tool should accomplish:
- Enable encrypted connections between hosts
- Be service provider agnostic
- Allow for high-level traffic filtering
- Provide strong identity
- Be fast
- Enable testing
“We are ready to share Nebula publicly, so others can kick the tires and let us know what they think, and future posts will dig into the nuts and bolts,” said Huber. “At Slack, we appreciate that we could not have built our service without open source software, and we hope this small contribution to open source can help others by providing software they need so they can focus on building software they want.”
In addition to open-sourcing Nebula, Slack is including the project in its bug-bounty program. Nebula has also gone through a paid vulnerability assessment and several internal security reviews.