Possible improvements to LocalDiscovery
Guus Sliepen
guus at tinc-vpn.org
Mon Jul 22 17:19:59 CEST 2013
On Sun, Jul 21, 2013 at 05:41:06PM +0100, Etienne Dechamps wrote:
> - In case the two nodes are behind the same NAT and can reach other
> *but* are not on the same broadcast domain, LocalDiscovery won't
> work. This is a typical situation in entreprise/university
> environments where there are often multiple routed private subnets
> behind the NAT.
>
> - Contrary to popular belief, sending packets to 255.255.255.255
> doesn't send them on all network interfaces. This is true for Linux
> and Windows[1]. It is hard to predict which interface will be used
> unless one manually looks at the routing table. This can lead to
> ironic situations where tinc tries to send MTU probes on its own
> VPN. Fixing this requires iterating over all interfaces to manually
> send the probes on each one, which is complicated and AFAIK hard to
> do in a portable way.
As suggested by Folkert van Heusden, I added the LocalDiscoveryAddress option
to change the broadcast address. That is still not perfect of course.
> To fix these issues, I am suggesting adding functionality to the
> tinc protocol that allows nodes to advertise their own local socket
> addresses (IP and port) to the rest of the graph. Then, instead of
> sending probes to the broadcast address, they would be sent directly
> to the node's local socket address.
>
> IMHO this is an elegant solution that solves both issues above and
> as an added bonus is more friendly to the underlying local network
> since it doesn't use broadcasts. The only situation where it would
> break is if there is a local private NAT between the two local
> nodes, but this is probably an unsolvable problem anyway since we
> just don't have the necessary information to make them reach each
> other in this case, and broadcasts obviously won't get through a
> NAT.
>
> I guess the local socket information could be added to ADD_EDGE
> messages and stored in edge_t.
That is indeed a better way, and the ADD_EDGE messages can be extended while
preserving backwards compatibility.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://www.tinc-vpn.org/pipermail/tinc-devel/attachments/20130722/14a85888/attachment.sig>
More information about the tinc-devel
mailing list