Comments (6)
gsliepen
commented on September 6, 2024
On Wed, Nov 22, 2017 at 03:20:48AM +0000, JD wrote:
When data is encrypted to be sent to a node, are the session keys unique between each node or is the same session key shared across the entire subnet?
Session keys are always unique between nodes. However: with tinc 1.0.*,
data is encrypted in a hop-by-hop fashion. That means that if tinc
cannot route packets between two nodes directly, it will route it via
one or more intermediate nodes, each of which will decrypt and
re-encrypt the traffic. This allows the intermediate nodes to read the
data. It might also possible for a malicious node to send false
information to other nodes and possibly get traffic rerouted via it.
In tinc 1.1, data is encrypted end-to-end. That means that even if data
is routed via an intermediate node, those intermediate nodes cannot read
the data. But, there are still ways for malicious nodes to interfere. By
default, tinc is trusting all peers, and so a peer can announce it has
any Subnet it wants, and can thus cause traffic to be redirected to it.
The StrictSubnets option can be used to prevent this from happening.
However, it is only useful in router mode.
In short, if you want to separate nodes so they cannot read each other's
traffic, don't put them in the same VPN.
…--
Met vriendelijke groet / with kind regards,
Guus Sliepen <[email protected]>
from tinc.
conn
commented on September 6, 2024
This is informative! Thanks for such a well-written response.
By default, tinc is trusting all peers, and so a peer can announce it has
any Subnet it wants, and can thus cause traffic to be redirected to it.
The StrictSubnets option can be used to prevent this from happening.
However, it is only useful in router mode.
This setup would work very well in a LAN so it's more or less the use case I was looking for (the alternative being to use IPSec in transport mode).
Are there any (planned?) equivalents to StrictSubnets for switch/hub? It might be marginally useful to allow for MAC address pinning in a similar fashion.
from tinc.
gsliepen
commented on September 6, 2024
On Wed, Nov 22, 2017 at 05:30:44PM +0000, JD wrote:
> By default, tinc is trusting all peers, and so a peer can announce it has
> any Subnet it wants, and can thus cause traffic to be redirected to it.
> The StrictSubnets option can be used to prevent this from happening.
> However, it is only useful in router mode.
This setup would work very well in a LAN so it's more or less the use case I was looking for (the alternative being to use IPSec in transport mode).
Are there any (planned?) equivalents to `StrictSubnets` for switch/hub? It might be marginally useful to allow for MAC address pinning in a similar fashion.
Well, it already works for switch and hub modes. And you can have MAC
address Subnets, so if you know which nodes use which MAC addresses, you
can indeed use it!
…--
Met vriendelijke groet / with kind regards,
Guus Sliepen <[email protected]>
from tinc.
conn
commented on September 6, 2024
...wait really?? Since what version? You can use Subnet = 00:16:3e:12:34:56 ?
from tinc.
gsliepen
commented on September 6, 2024
On Wed, Nov 22, 2017 at 05:42:20PM +0000, JD wrote:
...wait really?? Since what version? You can use `Subnet = 00:16:3e:12:34:56` ?
Yes, since 1.0.11 (maybe even earlier). Indeed, you just write Subnet =
01:23:45:67:89:ab.
…--
Met vriendelijke groet / with kind regards,
Guus Sliepen <[email protected]>
from tinc.
conn
commented on September 6, 2024
That's perfect. Thanks for the information.
from tinc.
Related Issues (20)
- Got bad ID from <unknown> HOT 2
- Error joining to Linux node from Windows
- this page is broken. https://www.tinc-vpn.org/examples/ipv6-network/ HOT 1
- Relaying doesn't work when TCPOnly is enabled
- Performance improvements via TSO/GRO and UDP_SEGMENT HOT 4
- Please add time when you output the log. There are too many retry link logs but do not know the time. HOT 1
- Peer has an invalid key! on tinc join
- DNS failure and delays break connections HOT 1
- Is the project still being maintained? HOT 20
- Which routing protocol does Tinc use in router mode? HOT 5
- [Bug] Adding a simple failing test case for sssp_bfs() HOT 3
- zip build HOT 3
- Invitation-generated tinc-up tries to set address/route before bringing up interface
- Handling 100+ groups? (+1 master) HOT 1
- server can not exchange the server‘s host HOT 1
- Peer tries to roll back protocol version to 17.0, Error while processing ID
- have the ability to compile with mbed-tls
- Question: Is there a limit/impact of huge amount of Subnet announcement?
- Compile with miniupnpc 2.2.8 fails
- systemd tinc.service gone after installing deb from Release section.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tinc.