Comments (10)
This is probably possible only by using public key cryptography methods as the fingerprint needs to be signed by some trustworthy instance.
As far as I can see, the only way to avoid public key cryptography here is to make the supernode own a special secret key to sign, i.e. encrypt, some hash of IP/MAC for issuance in the first step and verification later with every register, and letting the other nodes know - which is against the (very well thought) design of a key-free supernode, one of the main advantages of n2n, as a supernode (maybe on a VPS or in the middle of elsewhere) might not be under your full control.
Did I get you correctly? Do you have something else in mind?
from n2n.
There should be no need to rely on the supernode to implement this. The idea is to generate on each edge node a pair of public and private keys. When node A wants to talk to node B it encrypts packets with the B public key. B can publish its key periodically as <mac_B, public_key_B>. A can remember the past mac->key associations and on first connection/when they change could notify the user (this is something to reason on) and/or block all the connections unless the provided key is in a static list stored in a txt file. This also prevents the other nodes from reading the B messages by performing MITM attacks.
from n2n.
What about broadcasts? They would need to be handled separately.
Or forwarded packets? A feature I love to use for vpn replacement :)
from n2n.
Yes, all the edges can use the same key for broadcast messages, derived from the community secret key. For the forwarded messages, the destination mac address of the packet determines the key to use. For example:
Edge A wants to send a message to the ip 10.0.0.2, which is only accessible from Edge B. Edge A encrypts the message with the B public key and sends it to B (destination mac). B decrypts it, and routes it to 10.0.0.2 as plaintext because 10.0.0.2 is outside of the edge network, otherwise if the message was directed to another edge node C, it would be encrypted with the C public key.
from n2n.
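The key-pinning and key-selection policy sketched in the two comments above (remember mac->key on first sight, flag or reject a changed key, optionally accept only a static list, and pick the key from the destination MAC, with one community-derived key for broadcasts), written out as an added example. This is illustration code, not n2n's; the class name, the SHA-256-based broadcast-key derivation and the sample MAC/key values are assumptions.

```python
# Added example, not part of n2n. Policy layer only: real keys would be
# X25519/Ed25519 and the broadcast key would come from a proper KDF.
import hashlib

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class EdgeKeyStore:
    """Remembers mac -> public key announcements (trust on first use)."""

    def __init__(self, community_secret: bytes, static_keys=None, strict=False):
        # static_keys: optional allow-list {mac: key}, e.g. loaded from a text file
        self.static = dict(static_keys or {})
        self.strict = strict        # True: only keys from the static list are accepted
        self.seen = {}              # mac -> key learned from announcements
        self.events = []            # notifications to surface to the user
        # One broadcast key shared by all edges of the community, derived from
        # the community secret (assumed derivation, for illustration only).
        self.broadcast_key = hashlib.sha256(b"n2n-bcast|" + community_secret).digest()

    def announce(self, mac: str, key: bytes) -> bool:
        """Handle a <mac, public_key> announcement. Returns True if accepted."""
        if mac in self.static:
            ok = self.static[mac] == key
            if not ok:
                self.events.append(("mismatch-static", mac))
            return ok
        if self.strict:
            self.events.append(("rejected-unknown", mac))
            return False
        prev = self.seen.get(mac)
        if prev is None:
            self.events.append(("first-seen", mac))
        elif prev != key:
            # Key changed for a known MAC: possible MITM or a reinstalled edge.
            # Keep the pinned key and let the user decide.
            self.events.append(("key-changed", mac))
            return False
        self.seen[mac] = key
        return True

    def key_for(self, dst_mac: str):
        """Pick the encryption key from the packet's destination MAC.
        Forwarded packets use the key of the edge that owns the next hop,
        not anything derived from the inner IP address."""
        if dst_mac == BROADCAST_MAC:
            return self.broadcast_key
        return self.static.get(dst_mac) or self.seen.get(dst_mac)
```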
In this context, shouldn't we also ponder the scenario in which free riders use our supernode for their own (hopefully not darknet) purposes? Even if they do not know our pre-shared key, they just would need to know the address and port of the supernode (can be captured from transmitted packets) and the community name (can also be clearly read in the transmitted packets) and just use their own key. Our edges might receive a few broadcast packets that they are not able to decipher, but other than that, they would not be disturbed.
from n2n.
In such a case the "guest" edges should use a different community to communicate freely without interfering, in order to properly segment the broadcast domain.
from n2n.
Actually, I am more concerned about malevolent guests who intentionally want to free ride on the same community name... as other community names might not be allowed by the supernode.
from n2n.
For hostile environments I think we need to implement an additional layer where the whole packet between supernode and edge nodes is encrypted. This would make n2n stealth and also prevent unauthorized clients from joining. Maybe this github issue can be solved with such an approach without the need for public key crypto, thus assuming that once an edge can join the supernode then it is authorized and friendly.
from n2n.
> For hostile environments I think we need to implement an additional layer where the whole packet between supernode and edge nodes is encrypted. This would make n2n stealth and also prevent unauthorized clients from joining. Maybe this github issue can be solved with such an approach without the need for public key crypto, thus assuming that once an edge can join the supernode then it is authorized and friendly.

Do you think that -H solved this issue?
from n2n.
Considered solved by -H (and later -J), please re-open if required.
from n2n.