Conflicting Default Values. A trusts B. B trusts EvilNode. Does that mean A trusts EvilNode?
Rob Townley
rob.townley at gmail.com
Wed Jan 30 02:12:09 CET 2013
On Thu, Jan 24, 2013 at 4:14 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Thu, Jan 24, 2013 at 10:53:18AM +0100, Guus Sliepen wrote:
>
>> There are two kinds of connections. If node A does not have the public key of
>> EvilNode, then EvilNode cannot make a meta-connection to A (it cannot ConnectTo
>> A). However, UDP packets to/from EvilNode will be allowed, unless you use
>> either StrictSubnets or the combination of Forwarding, DirectOnly and
>> IndirectData mentioned above.
> [...]
>> In the case of EvilNode, the proper way to deny it access to the VPN would be
>> for B to remove hosts/EvilNode. [...]
>
> What I forgot to mention is that EvilNode can only exchange packets with A,
> either directly or forwarded via B, if and only if EvilNode has a working
> meta-connection to B. So once B removes hosts/EvilNode and reloads its
> configuration, it will kill the meta-connection between B and EvilNode, and A
> will then immediately stop accepting packets from EvilNode.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>
In a large network with large number of /hosts/ files on a large
number of not always connected machines, centralized management
provides a way to curtail the effects of a compromised machine
immediately.
More information about the tinc
mailing list