Isolating a subnet on demand

err404 err404 at free.fr
Mon May 4 22:13:28 CEST 2015


On 05/04/2015 10:01 PM, Etienne Dechamps wrote:
> On 4 May 2015 at 20:53, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote:
>> We started to take a look about that, and apparently, it seems that the IP
>> in the public key is taken into account when a client connects to a gateway.
>> Spoofing at that level doesn't seem easy, because the IP address seems to be
>> part of the authentication process.
> 
> I'm having trouble understanding what you mean by "gateway",
> "authentication process" and "IP address" especially when you say it's
> part of the "public key" (it's not).
> 
> Can you clarify? I am pretty sure tinc doesn't use IP addresses in any
> of its security mechanisms, except when StrictSubnets is enabled.
> 

I tested with two nodes, "miou" and "apeliote";
they have a ConnectTo and the public key from "Neptune".

The "Neptune" node has their public keys too (and all nodes can play together).

/etc/tinc/tinclan/host/miou contains a subnet with the IP and the public key from "miou"
/etc/tinc/tinclan/host/apeliote contains a subnet with the IP and the public key from "apeliote"

If the IP from miou is replaced with the IP from apeliote, "miou" cannot connect to "Neptune",
even though miou has apeliote's IP.

OK, this is not the best spoofing attempt :p

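As an added illustration of the point raised in the reply above (not configuration posted by any participant in this thread): in tinc, the Subnet line in a host file is routing information, and it only becomes a trust boundary when StrictSubnets is enabled in tinc.conf, which makes the daemon use only the Subnet statements found in its own local hosts/ directory and ignore subnets announced by other nodes. The node names miou, apeliote and Neptune and the netname tinclan are taken from the message; the addresses 10.10.0.0/24, the host-file contents and the standard hosts/ directory layout are assumptions for this example.

```ini
# /etc/tinc/tinclan/tinc.conf on Neptune (added example; assumed values)
Name = Neptune
Mode = router
# Without this line Neptune also honours Subnet announcements received
# from peers, so a node could advertise an address it does not own.
# With it, only the Subnet lines below, in Neptune's own hosts/ files,
# are used; announcements from miou or apeliote are ignored.
StrictSubnets = yes

# /etc/tinc/tinclan/hosts/miou on Neptune (assumed address)
Subnet = 10.10.0.11/32
# public key of miou follows (RSA PUBLIC KEY block omitted here)

# /etc/tinc/tinclan/hosts/apeliote on Neptune (assumed address)
Subnet = 10.10.0.12/32
# public key of apeliote follows (RSA PUBLIC KEY block omitted here)
```

With StrictSubnets = yes, editing the Subnet line in miou's own copy of its host file changes nothing on Neptune, because Neptune routes 10.10.0.11/32 to whichever node authenticated with miou's public key. The public key, not the address, is what the handshake verifies; the Subnet line only decides where packets for that address are sent.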