What if the network was the sandbox? — Remy Guercio, Tailscale
By AI Engineer
Summary
Topics Covered
- The network itself is the sandbox
- API keys are an attack surface for agents
- Identity travels with every connection
- Saying no actually means no
- Bash dominates, yet we see everything
Full Transcript
[music] Yeah, hi everybody.
[laughter] Thanks for joining. I know we're a little late starting. So, um yeah, I appreciate it. Uh yeah, I'm happy to um
appreciate it. Uh yeah, I'm happy to um excited to talk about uh kind of a both a question that I kind of want to pose and kind of want to, you know, think about. Uh and then I'll just do a
think about. Uh and then I'll just do a demo of something that uh basically what you can do. Uh a project that we're working on and building uh that you can do if you start to think about the network uh as more of a sandbox
environment rather than, you know, just necessarily the network. So,
um yeah, I mean just kind of starting by asking the question, what are the components of a sandbox, right? You know, so I know I
sandbox, right? You know, so I know I say that. You've probably all thought of
say that. You've probably all thought of different things. You probably all
different things. You probably all thought of probably a VM or a container and the debate between whether that's the case or whether or not the agent should go in the box or outside of the box or, you know, around the box or both
or things like that. Um so, uh you know, I'm just going to break it down to something, you know, very simple uh and then kind of ask, you know, a little bit of an bound, you know, about uh what it might look like at the
network layer. So, uh you know, what are
network layer. So, uh you know, what are the components like at the very, you know, very basic level? Like what are the components of a sandbox? So, first
is a boundary, right? So, that's just there's a thing in and there's a thing out.
Right? Uh of the sandbox. And the second is a set of permissions. Right? So, if
you don't have the set of permissions or identity that's a part of that, you uh you don't have a very fun sandbox, right? It's a sandbox without any toys,
right? It's a sandbox without any toys, right? And they it it's a sandbox, but
right? And they it it's a sandbox, but uh it's not there's not really anything anything there. And so, you know, if we
anything there. And so, you know, if we think about that and we think about agents, right? In a particular like what
agents, right? In a particular like what it means to put an agent in a box or something something similar to that. Uh
you know, we can kind of think about how permissions are typically handled today and what that means. And so, it's one of two ways, right? It's typically one of two ways. It's there's the first way,
two ways. It's there's the first way, which I think is what the major model labs uh would really like you to do, which is use API keys, right? So, you
pay the full price. Uh
um uh and uh you know, that's one. Uh and
you know, that doesn't also get at the heart of the true like authN versus authZ, right? It's just like here's an
authZ, right? It's just like here's an API key. It lets you
API key. It lets you you know, it lets you have access, right? To like to to you know, all of
right? To like to to you know, all of the models or some of the models or or things like that. And the other fun part is it's an API key. So, even if it's a synthetic one, the models are very clever at uh doing
things with keys that they maybe shouldn't necessarily do, uh especially if you run them in a loop for a very long time.
Uh and then the other, you know, other way, you know, the maybe the more cost-effective way uh is to use, you know, OAuth or, you know, OIDC in terms of like you know, actually handling the permissions for your agent. So, um but
again, both of these things are actually things that happen like you do them in the sandbox, right? So, like your key goes in the sandbox uh or, you know, you've like logged into your agent and it's running over there somewhere, you know, your open claws
running over there with your uh you know, your account just kind of hanging out over there in the, you know, in the corner. Um and so, um yeah, so that what that means is like the the um
you know, is the agent has access, right? To its kind of own permissions,
right? To its kind of own permissions, right? It's in a box, but it actually
right? It's in a box, but it actually actually has access to the thing uh to give it permissions. And so, my question is, you know, what if we, you know, again, what if we use the network? What
if we thought about the network? And I
don't know who's familiar with WireGuard? Like the WireGuard protocol?
WireGuard? Like the WireGuard protocol?
Okay, almost everyone.
Uh um but yeah, so uh you know, what WireGuard lets us do and that's what Tailscale is built on top of uh is uh WireGuard basically lets us, you know, give a set of keys to all of the,
you know, any node on a given network.
Uh and then at Tailscale we're actually able to put kind of like the the identity component on top of that. Uh
and so, uh you know, here basically we kind of have the question of this is this is effectively what Tailscale is.
And uh we're we're sort of kind of asking the question it's like, what if we took the components of like authN and authZ and we just stuck them at the network level? So, uh
network level? So, uh at least on a, you know, on a tailnet, right? So, we're using WireGuard to
right? So, we're using WireGuard to establish these connections. And these
are direct connections between anything that you might think. So, a container, uh a GPU server, you know, your laptop, a phone, a whatever.
Uh we are able to say um so, in each connection uh we're able to give like the actual identity of what and who might be connecting. So, uh with each
connection that happens over Tailscale uh you get a user if that user is logged into the device. You get all of the groups like in that sense of like if you're skim syncing groups. So, like if you're in the engineering org or or
things along those lines, uh you get all of you can get all of those. You can get uh you know, if this is a like an agent, so like a PR review bot maybe that you have running somewhere, right? In a in a GitHub action. Uh it can be a tag or a
GitHub action. Uh it can be a tag or a set of tags. So, this is the PR review bot for this project or this is the PR review bot for this sort of thing. Um
and you know, we can take that and apply it to every single network connection.
So, not only can we um uh we can basically govern network access based on that. So, you can't even talk to something if you don't have a certain set of permissions. But the
thing on the other side actually also gets all of the information. So, there's
a very I mean, if you're used to doing things with networking, you're probably used to doing things with like IP address or like, you know, here's a thing over here and like we're kind of like, you know, connecting things or, you know, it's IP address plus some key, again like an API
key that your service is providing. Uh
this is all kind of in one.
Uh so, the connections happen, you know, like the connections happen with identity. And so, what that lets you do
identity. And so, what that lets you do is that lets you build some very interesting applications uh on top of that. So, uh I realize this is very dark here on the screen, so I apologize.
Um the uh um let you build some very interesting applications. One of which uh we happen
applications. One of which uh we happen to build is an AI gateway. So, uh what's happening here is um you know, everybody's probably, you know, familiar with kind of your typical LLMs is, you
know, LLM gateway, right? Uh
Aperture works the same from that perspective. So, you take like a single
perspective. So, you take like a single key from a provider. Uh you know, be it, you know, Anthropic or OpenAI or, you know, Gemini or Vertex or Bedrock or whatever. You can take a single key from
whatever. You can take a single key from any given provider. You can put it on Aperture. And then on the other side, so
Aperture. And then on the other side, so Aperture is just a node again on this network. So, it's like a node node that
network. So, it's like a node node that you deployed on this network. So, it is actually able to see all of the identity from everything that's talking to it.
So, in the case of an agent in a sandbox, that sandbox has a tag. That
sandbox is like uh we can think of in this case, let's think of like get a GitHub action runner uh as sort of a sandbox that your agent is running in.
Uh you can use something like the federated OIDC from GitHub. Uh that will basically when that that runner spins up, that runner will suddenly basically gets the access into the tailnet. It
gets a tag on that tailnet. And that tag on the tailnet is what determines uh what it is able to do uh via or through Aperture.
Uh because again, it can see that. Uh
and I'll show you an example in just a second. Um
second. Um So, yeah. So, that's that's kind of like
So, yeah. So, that's that's kind of like where we are. So, we have, you know, single key on Aperture. You can then write all your rules in Aperture. And
then on the other side, there's actually no key. It's just so like that runner
no key. It's just so like that runner connecting from the sandbox has no key to accidentally exfil or share or do something with uh or, you know, kind of go beyond its boundaries. There it's
just no key whatsoever in in that sandbox.
Um So, yeah. So, that's that's that. And
So, yeah. So, that's that's that. And
just to kind of show you like live, I I kind of like to I I actually prefer to just show things. Sorry, just show things live.
Um so, this is Aperture. Just kind of like I had the screenshot before. Let me
change it to be We're going to go in light mode just to make things easier to read.
Uh so, so this is Aperture again. This is
what I was showing you.
Um this is my view into like my Aperture instance. So, I am connected here. I'm
instance. So, I am connected here. I'm
actually on our corporate tailnet. Uh
so, I'm logged in on our corporate tailnet. Uh I have visited Aperture as a
tailnet. Uh I have visited Aperture as a user. It knows who I am. Uh I'm on my
user. It knows who I am. Uh I'm on my laptop, right? So, I I'm just on my
laptop, right? So, I I'm just on my laptop. It knows I'm I'm logged in as
laptop. It knows I'm I'm logged in as me. Uh and so, it's showing me all of my
me. Uh and so, it's showing me all of my uh like usage metrics on our, you know, kind of like demo instance here. Uh and
so, you know, I can see, you know, all the tokens that I've used. I can see the models that I've used. I can see how much money I've spent on the given models uh on any given model.
Uh and then I can even see all of the requests uh that have come through the gateway from my particular identity. So,
that works for me. That also works for everything else. Um I can even drill
everything else. Um I can even drill down and see like uh so, this is me testing it before and I I'll show you live. But I just asked it to say hello.
live. But I just asked it to say hello.
Uh and with all of the context in Claude code, even if you just ask it to say hello, that costs you 20 cents. That's
a, you know, uh uh it actually 20 cents. But the the next one is not as is not as expensive. Uh
but I can actually even go in here and, you know, see all of the request headers, which request response body, you know, everything here. And if I scroll all the way down, uh there should be uh
Oh, yeah. See, this is everything In
Oh, yeah. See, this is everything In case you were wondering, this is everything that Claude code sends at the very beginning. And so, let's see if I
very beginning. And so, let's see if I say Uh let's say hello.
Oh, no. Maybe I didn't do it. Was it?
The uh uh this is literally literally everything that Claude sends right off the like right off the bat as a particular uh request. And then you can see the
uh request. And then you can see the response in the response body. Uh oh,
sorry. I asked it to tell me a 10-word story. So, there we go. Uh um you know,
story. So, there we go. Uh um you know, a cat sat on a mat and then simply vanished. But this is the like this is
vanished. But this is the like this is what's actually going through the the gateway when you make that first like very first request uh from Claude code.
Um so, yeah. So, that's that's that. If
I wanted to look at me, right? See,
that's me here. I can see my my session.
This is my Claude code session with two uh [clears throat] you know, with two requests here. So,
there was the haiku thing to tell me, you know, to give you the summary of what was going on and the 20 cents I spent to to get that 10-word story. And
then I can even also, so you know, I mentioned like GitHub actions runners.
So, this is actually a PR review bot uh that we have, you know, it's just a small like simple check uh that we have run on on every PR like update.
And so you can even see here, right? So
this is it. It has a tag. It's our dog food tag. Uh and you know, you can see
food tag. Uh and you know, you can see everything that the dog food bot has done here over the last 30 days.
And I can open it up. I can take a look.
I can see every single request that it's run and I can even take a look at something like this and we can see, you know, here it spent 4 cents. Uh and it ran three commands at the same time. So
I'm actually able to see all of the like bash commands and everything along those lines. Uh here.
lines. Uh here.
Uh Yeah, so you know, that's the case there.
You know, I you know, I mentioned seeing those bash commands. You can actually extract and it's a fun part about working at the LLM layer and having everything at the network layer. There's
no Uh I have a sort of a guarantee uh that I've seen every tool call that this thing has ever like this thing has ever made uh through the instance. This is not happening like from inside the container. This is not happening from
container. This is not happening from the harness or anything along those lines. If it had to make a tool call, it
lines. If it had to make a tool call, it had to go through aperture and we would, you know, we would extract it here and you would you would see it. So if I like go here and you know, uh you can see all of the uh you know,
all of the tool calls that it made. It,
you know, requested MCP tool call to update the code review, did some bash, did some grep, you know, and then re-updated the comment on the code review and there's no like uh again, we see everything. So right if you wanted
see everything. So right if you wanted to cut it off or you wanted to stop it, uh it's happening at the network network layer. So the moment you say no,
layer. So the moment you say no, it it's not like it has a key and it can be like, "Oh, I see the key no longer works. Let me go to this other endpoint,
works. Let me go to this other endpoint, right? Or let me try this other thing.
right? Or let me try this other thing.
Or let me do this, you know, you know, I would want to be very helpful here, right? It literally is like, "Oh, I key
right? It literally is like, "Oh, I key no longer works." It's just it's just a dash. So
dash. So uh and just to show you that, um we have our like sort of agent uh agent setup script. This is all you actually have to
script. This is all you actually have to do. So in like Claude code, it's just,
do. So in like Claude code, it's just, "Hey, you're going to run an API key mode." There's a dash. Like just so you
mode." There's a dash. Like just so you have something so you don't complain that there is no API key for API key mode. And then here is the endpoint that
mode. And then here is the endpoint that you need to, you know, the base URL that you need to use. And it again, it works across, you know, like Codex or Claude code or Gemini CLI. Uh and here's what you need to use and you know, when you do that, uh you can just again, I can
say, you know, I'm going to say Claude. Uh
this is my actual settings.json. You can
see the same little same things up here at the top. Uh but you know, I can do that and I can say, you know, again, tell me uh 10-word story.
By the way, if I when I asked it to tell me a 10-word story like 3 weeks ago, it was all about robots. And then it became about dogs. And then now it's about
about dogs. And then now it's about cats. So if there's a sort of uh I don't
cats. So if there's a sort of uh I don't know, model eval suite or something like that. I don't know. You can tell uh
that. I don't know. You can tell uh something's happening on the back end.
[laughter] Uh um so you know, in terms of what they do, we got cat you know, cat sat on a mat and then found a home. But
Yeah, actually wow. So still can't count.
Uh that's fun.
Opus 4.6 1 million context.
You know, um [laughter] [laughter] There we go, right?
[laughter] Uh and then finally found home. So there
we go, right? You know, it just forgot the extra bit. Um but again, you know, if we wanted to see that, right? You
know, hey, you've got a pipeline that, you know, actually depends on that being 10 words or something, you know, or having a certain structure.
Things can easily break like in a PR review bot and you know, that can happen and when it happens in like something like a PR review bot, it's hard to actually know what's going on or you know, what happened or when.
You know, I can go back to my logs, right? Here here's my session, right?
right? Here here's my session, right?
With three requests instead.
And you know, here they all are, right?
Here's the summary thing and then here's the first request with the all, you know, all of the input tokens.
Uh you know, that was the 20 cents and then here's the, you know, are you sure about that?
Uh and you know, here's the you're right that was nine.
Uh so you know, again, if you're trying to go back and and look at certain things, you can do that here as well. Uh
and again, there's no hiding it from you cuz it's not like, you know, I'm going to be super helpful and go do this thing and all that sort of stuff and go around. Uh it's, you know, it's it just
around. Uh it's, you know, it's it just has to has to be here. Uh one other fun thing that you can do here in the middle is um well, you know, first we can also do like costs and cost controls and you know, all those sorts of things that
actually work across providers. So if
you want to set a budget or like a like a some sort of budget in in the aperture, you can actually have it work across every provider. It's not like here's a thousand dollars for everybody.
It's here's just a thousand dollars and you can decide to use it how you wish.
Um and then the other thing is you can actually do integrations. So we offer webhooks uh on top of this uh where for each of those tool calls or for each of those things, you can actually send a
request out to a third party uh to um uh you know, with all of the information about the tool call. Uh and again, there's no hiding it. It just it has to go through here. Uh so you can, you know, these hooks are basically
guaranteed to sort of exist, right? And
run uh no matter no matter what. Um so
yeah, so so yeah, that's that's uh that's mostly it. If you want to, you know, like again, if you want to set up things like quotas, you can actually, you know, go in say, "Hey, here's, you know, you get $5 a day, you know, all
those sorts of things." And um kind of, you know, have as sort of much safe fun, I guess you could say, as you as you as you want to uh in the, you know, through the gateway. And again, it works with pretty much any provider that
you can imagine across the board um that supports the major major context. And so
you know, I kind of talked about this at the beginning, but um this is aperture, right? This that, you know, that we have
right? This that, you know, that we have built uh and that you can use. Uh it's
available on our free plan. However, it
is built using the Tailscale identity primitives and those are and that is all available via like a an open source library we have called TS net where you can write your own go program, right?
That actually puts itself on the tailnet and can read all of the same identity information, can read everything else.
Uh and so you can do things like if you want to build an MCP server, but it's internal to your org or something along those lines or an API endpoint or something that's internal to your org, you don't have to think about OAuth or
just think about opening it up to everybody. You can actually do the exact
everybody. You can actually do the exact same thing and be like, "Hey, who made this request? You know, I'm going to, you know, force that into, you know, whatever uh you know, whatever thing I'm proxying on the, you know, on
the MCP side or or things along those lines. So you can actually take all of
lines. So you can actually take all of that same uh you know, all that same information and do it yourself. Hilariously, you can actually
yourself. Hilariously, you can actually build aperture yourself if you really wanted to uh using the same things. We
had a whole charge here which was uh it had to be built on top of Tailscale. It
couldn't be built like inside like using private API endpoints or anything along those lines. Uh so this is actually
those lines. Uh so this is actually built entirely in a way that in theory, you could go build too uh to yourself. So um yeah, I'm, you know, if any ideas have come from this, if you think about, you know, things
that you would like to build internally, I would love to, you know, would love to hear and would love to chat. Chat
afterwards. So
yeah, I think I'm like a minute under here and uh yeah, so I, you know, if there is a question, I'm happy to happy to answer it. Uh yeah, yeah.
How do you configure the permissions?
How do you configure the permissions for like who can ac- So the question is how can you configure the permissions? And
are you saying is it like for who can access what or who gets to see sort Yeah, so all of the um so we actually can let you configure them in two places. So there's another fun little
places. So there's another fun little feature of like uh how Tailscale identity and how like that sort of stuff gets pushed through the network. First
is uh you actually can set them up here in grants. Uh so you know, you can ask
in grants. Uh so you know, you can ask say who this applies to. We're going to be adding like the groups and everything soon here as well.
Uh but then you can say like uh we actually also have an MCP server in like MCP proxy in here as well. So you can say model access and quotas, MCP access, hooks, roles, like you know, kind of everything along those lines. Uh you do
the grants. You can even also define
the grants. You can even also define those. So Tailscale as a whole has a
those. So Tailscale as a whole has a policy file that you can uh that you can use. Um it's how you define who can
use. Um it's how you define who can access what on the network. Uh you can actually put this sort of these are called application This right here is called like an application capability.
Uh you can actually stick that in your main ACL file or your main access control file to send along with the identity. So you not only can you send
identity. So you not only can you send like the user or the tags or everything else, you can actually send any arbitrary metadata that you want uh guaranteed by the [snorts] Tailscale control [clears throat] plane as well. Um so yeah, so we we try to,
as well. Um so yeah, so we we try to, you know, we have the visual editor, but we also have everything is like a possible to do in JSON. Just, you know, most folks a lot of folks using this at scale are
they want to put it in some sort of GitOps workflow. So uh you know, we have
GitOps workflow. So uh you know, we have that. We have the API as well to if you
that. We have the API as well to if you actually want to like just, you know, put this as part of some sort of GitOps workflow that you have um to do that.
Any other any other questions? I think
that was Yeah. I think I saw you when you were setting up in Claude code, you set the base URL to your aperture node rather than like the default Yes.
Is it possible to catch that just like at the network layer and just swap it out? Yeah. Everything that goes to
out? Yeah. Everything that goes to Claude code instead goes to your node.
Yeah, so the question is do you have to put the base URL in or is it possible to kind of like capture that at the network layer and just kind of transparent there. Um that is something we could do.
there. Um that is something we could do.
That was kind of a big point of discussion when we were first, you know, thinking about this.
And um in reality, it kind of it's not well, we could, it's not really something that we uh um it's not really in the I wouldn't call it the Tailscale way necessarily. The
whole point here is we want to make things like really, really easy like like for you to, you know, you want to be able to get, you know, LLM access and or you know, into a sandbox. You want to be able to do, you know, on somebody's computer. We want to make that like
computer. We want to make that like super, super easy uh from the outset. I
realize, you know, there's some transparency stuff, but you know, when you do that, things can kind of start to break and shift and kind of move. Yeah,
and it gets very confusing and moves out from under you. You know, we just want to make it the easiest way for you to actually, you know, offer this sort of LLM access and not uh necessarily you know, kind of do it hidden under the
surface where you're you're kind of doing everything else. So, um it's it's definitely meant for folks who want to build, you know, with AI. And then on the other side, right, is like a security or an IT admin, it's like, "Great, you get easy-to-use controls.
You get easy to, you know, like easy to, kind of you get to see all of the tool calls. You get to see, you know, all of
calls. You get to see, you know, all of those sorts of things." So, we're really trying to do the best of best of both worlds uh for, you know, both devs and the kind of, you know, IT / security like manager.
Yeah.
all based like can you say like these users are allowed to use these tools or is it just the model and the provider? Uh so, it's today it's uh we're yes, we we want to uh
work working on that. It's today is model provider. Uh you can think of
model provider. Uh you can think of basically anything that we would put through aperture, you should be able to say, "Hey, this group or this, you know, as defined by my skim provider, as
defined by, you know, whatever, gets access to model uh it's not just model and provider, it's also all of the quota stuff, you know, that I kind of that all also has the same sort of uh
permissioning system. So, you can say,
permissioning system. So, you can say, "This team gets this big budget, you know, each individual gets this, you know, smaller budget." And then, you know, we kind of do the, you know, the union of the two there or, you know, or
even do it where it's like, you know, you can use as much as you want of the internal GPU, you know, like, you know, kind of like the internal GPU endpoints that we're hosting. But, you know, if it's
we're hosting. But, you know, if it's Opus 4.6, you only get, you know, you know, this amount or something along those lines.
Yeah. How does permissioning work in a world where it doesn't do tool calls?
It's it's just writing code.
How does permissioning work in a world where it doesn't do tool calls? It's
just writing code.
I think well, a lot of agents are they're somewhat moving away from tool calls and executing code which actually makes
So, some network traffic is harder to parse. Yes.
parse. Yes.
Yeah, so uh you know, the question, you know, in a world where people are moving away from MCP and maybe the structured tool calling, what do we, you know, what do we, you know, how does it work? How
does permissioning and things like that work? Uh you're right, that is a little
work? Uh you're right, that is a little bit more complicated. However, it's the whole reason we chose to do this. We had
originally thought about maybe doing this at the MCP like just the MCP layer uh and we realized it was like, "Hey, it's actually way more valuable to, you know, do the LLM the LLM layer here."
And this is where, you know, like if I go to Well, let me just go to the logs.
And I you know, I go again to uh not to the chat, but to the you know, a given here, let's see, the given metric. Um
given metric. Um you know, this is Right? So, even with skills and
Right? So, even with skills and everything else, right, or code, you're still running a like you're typically still running something. Yeah. Uh now,
of course, you could write the thing, maybe obfuscate the thing, and then run the thing. Uh you know,
the thing. Uh you know, one step at a time kind of, you know, kind of thing. Uh um you know, and a lot of folks to be honest, a lot of folks that we talked to were like, "I don't even know what tools people are using.
Like, please just tell me like forget about blocking it for a second. I don't
even like what are people even doing, right? You know, it's like cuz MCP was
right? You know, it's like cuz MCP was all the rage and it's like, are they using MCPs? Are they just using bash
using MCPs? Are they just using bash commands?" I can tell you internally,
commands?" I can tell you internally, like this is Sorry, this is just our demo instance, but internally, if you were to look at our actual instance, bash dominates Yeah. everything else. Um
but again, we get to see the command uh and we typically, you know, we get to see all the commands and, you know, and everything that's actually being run. Uh
and we'll be adding in more guardrails along the lines of like, "Hey, you can you know, this is the bash command.
Let's, you know, if it's rm -rf / Right?
Uh maybe not, you know, or you know, you know, or something along those lines. Uh you know, we'll be we'll be
lines. Uh you know, we'll be we'll be adding that in. But, that's the whole reason why we decided to do it at the LLM layer.
Um so, yeah, we we had that whole discussion of like, "Well, and if you can't see everything, then how valuable is it, right?" You know, if you can't see everything. And so, we
wanted to be able to see uh um you know, at least from particular agents that you want to put there, you know. Uh yeah.
know. Uh yeah.
Any other I mean, I was going to say I don't, you know, I don't know exactly what the time is here, but uh um I know we're we're kind of at the end. Uh I'm
happy to answer any other questions downstairs if you want to come to the booth or in the hall. Um but yeah, thank you.
[applause] [music]
Loading video analysis...