Automatic hosts files update protocol extension for Tinc
Рысь
lynx at lynxlynx.tk
Fri Oct 16 05:02:16 CEST 2015
Hello dear Tincers!
I recently developed an extension to tinc 1.0.x protocol which
introduces automatic and decentralized hosts update subsystem.
The idea is to provide stable protocol extension to tinc which will do
all the dirty work of spreading information about new hosts in network
across all nodes by powers of tinc itself.
If you're interested, you can take a look at the diff made for tinc
1.0.16 here:
https://github.com/siblynx/tinc-1.0.16_hostupd/commit/6a6cc34d6d80696ea525956375de59c7f752fa42
The code introduces two request types, and uses RSA signatures to
prevent tampering. It also introduces some sort of privileges: who can
and who cannot spread updates. Each node which has child connections
forwards update requests.
Users can decide to whom to trust, and can turn off updates for their
own node. They also can setup completely trustful network in which
everyone will be permitted to update the whole network.
Please see source file src/protocol_hostsupdate.c, it contains more
information about the extension implementation and how to configure
each node for it. In future I probably will move it to a README.hostupd
file.
This is a motivation from the lesson I learned recently when my central
update service crashed inside my network with huge disk failures, and
that node's key became unrecoverable (yeah, I lost it, no backups, it
was a cheap "PC" router), resulting in unmanaged network for a few
weeks. It served updates centrally via http, and it's URL was the only
one which was recorded in update scripts and binaries for windows
everywhere.
Even when I started using tinc, I seen that it misses something
important when I was forced to update hosts by hand for some time.
This work is still experimental, I even test it now, and if you will
want to merge it into current or future versions of Tinc, you will
probably need to trim it of my extensions for my network. It probably
_contains_ bugs I still did not found, and I am not a pro in
cryptography (albeit having some experience with in past).
This work is currently (my own code) is licensed under GPLv2 only. I
will happily unlicense it (making it public domain) if it will go into
any versions of Tinc, just with mentioning my contribution in THANKS
file. If not, it will stay as is.
With best wishes!
P.S. I found Tinc a great code inside when I developed extension for
it. I was able to quickly understand configuration and requests
subsystem, and the rest was no a problem. It's a shame that Tinc still
gets little attention in VPN area!
--
http://lynxlynx.tk/
Power electronics made simple
Unix and simple KISS C code
More information about the tinc
mailing list