git:// links no longer work, refer to the https:// one.

[wiki] / goals.mdwn

## Design goals

This is a list of the design goals for tinc, sorted on importance.
Although we already achieved a lot of what is below, not all goals
are covered yet.

**Be as secure as possible**

This should of course be the primary goal of any VPN
implementation. Security is not only achieved by applying strong
cryptography, we are also trying to make tinc free of buffer
overflows and other design faults that could allow root exploits,
trying to prevent private data from lying around (in memory, swap
or regular files), trying to prevent errors from human carelessness
(wrong permissions on files containing the configuration and
private keys), trying to avoid security problems arising from the
interaction between different (security) mechanisms. We also hope
we can get a lot of people and possibly security experts to audit
our code.

**Allow for scalability**

After our first real stable implementation of tinc (around version
0.2.19), we noticed that setting up a large VPN with many sites
required a lot of tunnels. Even worse, because we used a star
network, the node in the middle was passing through a lot of
network traffic for other nodes. From then on we tried to make the
tinc daemon accept more than one connection, and let the tinc
daemons contact each other directly in the most direct way, without
requiring the VPN sites to configure all those direct routes
themselves. We hope to let tinc scale to VPNs with over 1000
sites.

**Stability and reliability**

We are trying to make sure the tinc daemons stay up and running no
matter what happens. Network errors should not be a reason for
requiring an administrator to restart the daemons. We try to make
sure tinc runs as long as your UPS does.

**Easy configuration**

The configuration of tinc should be as easy as possible. Any error
made in the configuration files can be a compromise to security.
However, we do require the administrator to have a good knowledge
of network administration.

**Flexibility**

Of course, we want tinc to be able to run in any kind of setup or
environment. We try to make tinc run on as many operating systems
and architectures as possible, and make it provide a solution for
any network topology.

## Plans for tinc 1.0.x

The stable branch of tinc, with version numbers 1.0.x, will not see
any significant development. Only bugs will be fixed, and perhaps
non-invasive features that do not conflict with existing features
and do not depend on new libraries might be added.

## Plans for tinc 1.1

The 1.1 branch of tinc has been created as a stepping stone towards
2.0. Only gradual changes to the source code are allowed, ensuring
that the code is always in a mostly usable state. The protocol will
stay compatible with that of the 1.0 branch. The following features
are planned or are already implemented in this branch:

**Replaceble cryptography backend**

The 1.0 branch uses OpenSSL exclusively. Although this library is
well known and widely available, it has two drawbacks: it is quite
large and its license is not completely compatible with the GPL. In
1.1 there will be an abstraction layer that allows tinc to be
linked with different cryptography libraries. At least OpenSSL and
libgcrypt will be supported.

**Control socket**

The 1.0 branch has limitted support to control a running tinc
daemon. In 1.1 the tinc daemon will have a control socket that
allows a tinc control program to connect to it and issue commands
to or retrieve information from the running daemon. This will also
allow for a GUI or dock applet to control tinc or show its status.

**Automatic connection management**

The 1.0 branch can exchange packets directly with other peers via
UDP, creating a full mesh. However, the TCP control connections are
only made according to the manually specified ConnectTo statements
in the tinc.conf files. It is desirable to have tinc manage the
creation of control connections as well, so that the administrator
does not have to do this manually anymore.

**Automate setting up nodes**

The tincctl utility should have a wizard-like interface that asks a few
necessary questions and then creates all the configuration files.  Another
useful feature would be to allow it to export a GPG signed email to selected
recipients, which would be able to import them with a simple command.  Another
option would be to allow a user to connect via SSH to a remote node (if he has
an account there), and do a two-way exchange of configuration files.

## Plans for tinc 2.0

The 2.0 branch will be a complete rewrite of tinc. Expectations
have changed in the past 10 years. Applications should just work,
and should do as much as possible automatically. For example,
setting up a VPN with 1.0 requires the administrator to create a
number of configuration files (tinc.conf, tinc-up, a host config
file), generate keys, and exchange host config files with peers
somehow. This should be reduced to a simple `tinc setup`
command, which asks the user a few relevant details (name, subnet),
and perhaps asks if the credentials (the host config file in 1.0)
should be sent to another person, via email or other means. The
recipient of these credentials should just pipe them through
`tinc import` which would show a fingerprint and ask the
user if he was sure, and would then automatically update the
running tinc daemon's configuration with the new information. Of
course, there should also be a GUI to manage one's setup,
preferably well integrated into the OS and desktop environment of
the user's choice. Features from the 1.0 and 1.1 branches will be
included in the 2.0 branch if possible. Other features planned for
2.0 are:

**Certificate based authorisation**

In tinc 1.x authentication and authorisation is based on exchange
of public RSA keys and full trust principles. For finer control
over the VPN, and to limit the damage a rogue peer can do, a web of
trust should be formed using certificates. This can be in the style
of X.509, i.e. with a single authority who can sign certificates
for peers and the subnets they are allocated, or in the style of
PGP, where peers can sign each other, and if there are enough
signatures, they can allow communication. Trust management should
be simple, for example using a command like

    tinc trust foo

which should let the local tinc
daemon trust information from the peer named *foo*. To authorise
the use of addresses on the VPN, a command like the following could
be used:

    tinc allow bar 192.168.3.0/24

This should generate a small certificate that proves that the node that
issued this command trusts node *bar* with the 192.168.3.0/24 range
of addresses. This certificate should then be added to the local
tinc daemon's configuration, but also spread immediately amongst
the other peers in the VPN. It is also important to allow trust and
authorisation to be revoked in the same way:

    tinc distrust foo

This should make the local tinc daemon stop trusting any information from *foo*.

    tinc deny bar

This should generate a certificate (with a newer timestamp than the previous one) denying
*bar* any access, and spread this amongst the other peers as well.
The other peers should replace the previous certificates for *bar*
from this peer with the new one, and recalculate their trust of
*bar* based on other certificates they might have.

**Replacable tunnel backend**

Tinc 1.x uses its own protocols to set up tunnels to other tinc
daemons. Once a tunnel has been set up, it synchronises the other
end with the rest of the VPN. Whereas most other VPN daemons
concentrate on the workings of a single tunnel, this is of less
importance to tinc, which is more about managing lots of tunnels
between peers to create a seamless network. It also is better to
use a well-established protocol such as SSH or TLS instead of our
own. Also, it is not necessary at all to use the same protocol for
all the connections in a single VPN. Tinc should therefore allow
tunnel backends as plugins, and allow other peers to be reached via
URLs such as `ssh://some.server.org` or
`https://another.server.net:4443`.