Authenticating VPN addresses: a proposal
Sven-Haegar Koch
haegar at sdinet.de
Tue Nov 24 17:00:45 CET 2015
On Mon, 23 Nov 2015, Guus Sliepen wrote:
> It also works in a situation where a group of people trust a central
> authority which provides them with the configuration for their tinc
> nodes, if StrictSubnets is used. The drawback is that an external tool
> needs to be used (ChaosVPN is one such example, but there are others)
> and it is not very flexible, but I would disagree that it is
> unmanageable.
In ChaosVPN we use StrictSubnets, and additionally the following patch
on the core-nodes where (nearly) everyone connects to:
(cut&paste whitespace damaged)
diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c
index 06dafbc..e2d4bfc 100644
--- a/src/protocol_subnet.c
+++ b/src/protocol_subnet.c
@@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char *request) {
if(strictsubnets) {
logger(DEBUG_ALWAYS, LOG_WARNING, "Ignoring unauthorized %s from %s (%s): %s",
"ADD_SUBNET", c->name, c->hostname, subnetstr);
+ /* Disabled forwarding of unauthorized subnets!
forward_request(c, request);
+ */
return true;
}
This was added because after a few years of operation of the network we
had so many no-longer-existing subnet definitions flowing around that
each connect created lots of error messages and a ton of useless
metadata-traffic bouncing around, even when the nodes/subnets have been
deleted from the hosts files for ages - as there was never a time that
all nodes were down whenever one was restarted it learned the bogus
routes again from something else, and spread it later (and tinc purge
never worked for this).
Since the bogus subnets are not forwarded anymore from the central nodes
they only stay known to the edges until the next restart, so after a
while they are really gone.
c'ya
sven-haegar
--
Three may keep a secret, if two of them are dead.
- Ben F.
More information about the tinc
mailing list