Conflicting Default Values. A trusts B. B trusts EvilNode. Does that mean A trusts EvilNode?

Guus Sliepen guus at tinc-vpn.org
Thu Jan 24 11:14:05 CET 2013


On Thu, Jan 24, 2013 at 10:53:18AM +0100, Guus Sliepen wrote:

> There are two kinds of connections. If node A does not have the public key of
> EvilNode, then EvilNode cannot make a meta-connection to A (it cannot ConnectTo
> A). However, UDP packets to/from EvilNode will be allowed, unless you use
> either StrictSubnets or the combination of Forwarding, DirectOnly and
> IndirectData mentioned above.
[...]
> In the case of EvilNode, the proper way to deny it access to the VPN would be
> for B to remove hosts/EvilNode. [...]

What I forgot to mention is that EvilNode can only exchange packets with A,
either directly or forwarded via B, if and only if EvilNode has a working
meta-connection to B. So once B removes hosts/EvilNode and reloads its
configuration, it will kill the meta-connection between B and EvilNode, and A
will then immediately stop accepting packets from EvilNode.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
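
The rule described in this message, as an added example that is not part of the original post and not tinc's own code: a simplified Python model of the A, B, EvilNode network. It assumes a meta-connection is up only when both ends hold the other's host file, and it reduces StrictSubnets to "ignore nodes with no local host file". The class and function names are hypothetical.

```python
"""Toy model (constructed, not tinc's code) of the trust rule in the message above."""
from collections import deque


class Node:
    def __init__(self, name, hosts, strict_subnets=False):
        self.name = name
        self.hosts = set(hosts)          # names with a file in this node's hosts/ directory
        self.strict_subnets = strict_subnets


def live_links(nodes, wanted_links):
    """Keep only meta-connections where both ends hold the other's host file."""
    return {frozenset((a, b)) for a, b in wanted_links
            if b in nodes[a].hosts and a in nodes[b].hosts}


def reachable(start, links):
    """Names reachable from `start` over live meta-connections (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for link in links:
            if cur in link:
                (other,) = link - {cur}
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return seen


def accepts_packets(nodes, wanted_links, receiver, sender):
    """Does `receiver` exchange VPN packets with `sender` in this model?"""
    r = nodes[receiver]
    if r.strict_subnets and sender not in r.hosts:
        return False                      # StrictSubnets: only locally known hosts count
    return sender in reachable(receiver, live_links(nodes, wanted_links))


def build(strict_a=False, b_trusts_evil=True):
    """Constructed three-node network from the thread: A - B - EvilNode."""
    b_hosts = {"A", "EvilNode"} if b_trusts_evil else {"A"}
    nodes = {
        "A": Node("A", {"B"}, strict_subnets=strict_a),
        "B": Node("B", b_hosts),
        "EvilNode": Node("EvilNode", {"B"}),
    }
    return nodes, [("A", "B"), ("B", "EvilNode")]
```

Calling `accepts_packets(*build(), "A", "EvilNode")` gives the default transitive behaviour; `build(strict_a=True)` and `build(b_trusts_evil=False)` model the two ways of cutting EvilNode off.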