Conflicting Default Values. A trusts B. B trusts EvilNode. Does that mean A trusts EvilNode?
Rob Townley
rob.townley at gmail.com
Thu Jan 24 04:58:50 CET 2013
*You should repeat this for all nodes you ConnectTo, or which ConnectTo
you. However, remember that you do not need to ConnectTo all nodes in the
VPN; it is only necessary to create one or a few meta-connections, after
the connections are made tinc will learn about all the other nodes in the
VPN, and will automatically make other connections as necessary. *
The above is from the docs. Assuming all nodes in router mode. How does
this not mean that "A trusts B. B trusts EvilNode. Does that mean A
trusts EvilNode? by default?"
If A and EvilNode, have not exchanged public keys directly, they can still
establish sockets with one another over their TINC IP addresses.
I know if both node A and EvilNode ConnectTo B, then EvilNode can establish
internet connections with node A's tinc IP.
"Forwarding=OFF" or "TunnelServer=YES" or "IndirectData=NO" are supposed
to prevent this.
EvilNode can connect and establish a tinc IP connection to A. I have to
assume this happens because of Forwarding=internal by default.
"config get IndirectData" and "config get Forwarding" and "config get
TunnelServer" all return "No matching configuration variables found." So
we have to rely on documentation or source code to determine what the
default values are. Default configuration parameters are in conflict but
we have no way with tincctl to know what the actual parameters are for
verification.
The default value "Forwarding=internal" contradicts both default values
"IndirectData=NO" AND "TunnelServer=no", however "Forwarding=internal"
WINS allowing EvilNode to connect to A.
Is there an option to not allow any other node to connect to your node? It
could still ConnectTo Server1, but not allow any incoming connections.
Without somewhat centralized control, it is hard to know who is connecting
to who, which would be a good reason to have the option to put network keys
into a DNSSEC server.
http://www.tinc-vpn.org/documentation-1.1/tinc_4.html#How-to-configure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20130123/583db4e5/attachment.html>
More information about the tinc
mailing list