Isolating a subnet on demand
Anne-Gwenn Kettunen
anwen at asphodelium.eu
Mon May 4 21:53:25 CEST 2015
We started to take a look at that, and apparently, it seems that the
IP in the public key is taken into account when a client connects to a
gateway. Spoofing at that level doesn't seem easy, because the IP
address seems to be part of the authentication process.
Dealing with inside threats seems however a good feature for future
versions ;)
On 04/05/2015 21:50, Etienne Dechamps wrote:
> Whatever you do, keep in mind that tinc will always trust all nodes as
> long as they are part of the graph. It is not currently designed to
> deal with insider threats. Most importantly, that means anyone can
> impersonate any Subnet on a tinc network, just by changing the Subnet
> declaration in their node file.
>
> The only way around that is to use StrictSubnets, but that requires
> every node to be statically configured with the subnet of every other
> node.
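
An added example, not part of the thread or of tinc itself: with StrictSubnets each node accepts only the Subnet statements found in its local hosts/ files, so those files are worth auditing for two nodes claiming overlapping ranges. The node names, addresses and the helpers `parse_subnets` and `find_overlaps` are constructed for illustration; MAC-address subnets (switch mode) are skipped.

```python
import ipaddress
import re

# Constructed sample host files (node name -> file contents); not from the thread.
HOSTS = {
    "gateway": "Address = gw.example.org\nSubnet = 10.0.0.0/24\n",
    "office": "Subnet = 10.0.1.0/24\nSubnet = fd00:1::/64\n",
    "laptop": "# roaming client\nSubnet = 10.0.2.7\n",
    "branch": "Subnet = 10.0.1.128/25#5\n",  # falls inside office's range
}

# tinc accepts "Subnet = value" and "Subnet value".
SUBNET_RE = re.compile(r"^\s*Subnet(?:\s*=\s*|\s+)(\S+)", re.IGNORECASE)


def parse_subnets(text):
    """Return the IP networks declared by Subnet lines in one host file."""
    nets = []
    for line in text.splitlines():
        m = SUBNET_RE.match(line)
        if not m:
            continue
        value = m.group(1).split("#", 1)[0]  # drop the optional "#weight" suffix
        try:
            # strict=False so a declaration with host bits set is still compared
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            continue  # MAC subnet or unparsable value: out of scope here
    return nets


def find_overlaps(hosts):
    """List (node_a, net_a, node_b, net_b) where two nodes claim overlapping ranges."""
    claims = [(name, net)
              for name, text in sorted(hosts.items())
              for net in parse_subnets(text)]
    found = []
    for i, (name_a, a) in enumerate(claims):
        for name_b, b in claims[i + 1:]:
            if name_a != name_b and a.version == b.version and a.overlaps(b):
                found.append((name_a, str(a), name_b, str(b)))
    return found


if __name__ == "__main__":
    for conflict in find_overlaps(HOSTS):
        print("overlap: %s claims %s, %s claims %s" % conflict)
```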