I was not aware librenet6 uses mesh RPs over tinc to enhance security.
That sounds really strange to me.
Doesn't that:
1. Kill performance (due to tinc user-space tunnels and encryption)?
2. Obfuscate routing decisions, which are now done in tinc and again in
the routing protocol on top of it?
3. Did anybody understand the security implications for routing in
tinc? Like A, B, and C do mesh and are all parts of the same tinc VPN
cloud. Does tinc guarantee anything for communication between A and B
if attacked by C? Or can this only be achieved if C is always excluded
from joining the tinc VPN? In the latter case you would essentially have
a closed & private network, not an open one.
/axel
On 23.03.2018 09:14, Gio wrote:
I am aware that wireguard is the latest cool thing in terms of VPN, but I am
very doubtful about its usefulness in our setup. In librenet6 we use tinc in
switch mode; this way we can run any routing protocol on top of it. I already
know that some routing protocols have started working on doing routing on top of
unicast-only devices too, but that is very limiting in terms of RP choice and
still an investigation topic.
In LiMe we always try to be RP agnostic so we can eventually switch to a
better fitting solution without redesigning everything from scratch, like we did
(non RP) from adhoc to 80211s, which became as easy as changing a line in the
config file.
I would rather investigate how the new tinc 1.1 fits our needs and
whether with some configuration we could prevent it from doing L2 routing behind the
scenes, as we already need to run an L3 RP on top of it, and also explore how
latency based metrics behave on such a setup (mixing both physical and tunnel
links).
Cheers
Gio
On Thursday, 22 March 2018 00:36:12 CET Paul Spooren wrote:
Dear all,
as some may know I've been working last year [1] in GSoC and would like to
repeat that. I checked the Freifunk project page [2] and found the
following project of LibreMesh I liked most: LibreNet6 integration [3].
As discussed on GitHub [4] wireguard [5] could be a slim & fast
replacement for Tinc. Problem is the missing auto provisioning of the
clients, as stated on the official website as well [6]. I came up with
a small PoC [7] as a centralized solution for the following tasks:
* Granting administrators/supporters device access to help with network
issues
* Secure connection over an unencrypted mesh network
* Offer public IPv4/6 to routers
A second approach could be to use bmx7-sms plugin to distribute public
keys within the mesh and enable not only the three points above but
also secure connections between all nodes. The second approach may
become obsolete as bmx7 might use `ip xfrm` [8] to encrypt tunnels
directly.
I'm aware that the focus shouldn't be the coolest project but the one most
usable for the (Libre)Mesh community. So please share your thoughts if
you find other (not listed) project ideas I could work on. Please keep
in mind the deadline to apply is within the next weeks.
Best,
Paul
[1] https://github.com/aparcar/attendedsysupgrade-server
[2] https://projects.freifunk.net/#/projects
[3] https://projects.freifunk.net/#/projects?project=libremesh_librenet6_integrations&lang=en
[4] https://github.com/libremesh/lime-packages/issues/99
[5] http://wireguard.com/
[6] https://www.wireguard.com/todo/#dynamic-web-app-for-provisioning
[7] https://github.com/aparcar/wireguard-provisioning
[8] http://man7.org/linux/man-pages/man8/ip-xfrm.8.html#DESCRIPTION
_______________________________________________
lime-dev mailing list
lime-dev(a)lists.libremesh.org
https://lists.libremesh.org/mailman/listinfo/lime-dev