Automatic exchange of dynamic node-IPs between nodes

Rene Bartsch renne.bartsch at gmail.com
Thu Mar 28 12:13:40 CET 2013


2013/3/26 Guus Sliepen <guus at tinc-vpn.org>:
> On Tue, Mar 26, 2013 at 11:45:48AM +0000, Bartsch, Rene wrote:
>
>> In my setup one master node has a static public IP. All other nodes have dynamic public IPs changing every 24 hours (and yes, in Germany even Global IPv6 Unicast Prefixes are dynamic on DSL/Cable sockets :-( ).
>
> I hope they are not all changing at the same instant...

Luckily, no. In Germany we have a traditional 24 hours timeout on the
DSL connections which causes a new IP via PPPoE. By pulling the plug
on the routers at different times you can manipulate the time of day
they get disconnected. Because of VoIP some ISPs are going for a
180-day-timeout, now. But no fixed IPs or reverse DNS for Consumers.
The business model of our ISPs is simple. Consumers pay 25-40 €/month
for an internet socket with a flatrate but get only dynamic IPs and
can't set up their own server services (like NAS, P2P social network,
...). So they have to pay extra for "Cloud"-services and entrust their
private data to cloud-service providers. Companies can get internet
sockets with a flatrate and fixed IP(s) for 100 - 500 €/month.

I personally like the idea of a static global IPv6 unicast prefix for
incoming connections and dynamic global IPv6 unicast prefix for
outgoing connections. That way you can be reached and still have a
little anonymity on the internet. For an ISP the
router-advertisement-configuration is simple:

static global IPv6 unicast prefix:  Preferred lifetime 1 (Privacy Extensions are disabled because of zero value after a second)
                                    Valid lifetime infinity (you can receive connections forever)

dynamic global IPv6 unicast prefix: Preferred lifetime 12 hours (used for twelve hours)
                                    Valid lifetime 48 hours (existing connections can last 48 hours)

As the preferred lifetime is zero, new connections will never be set
up over the static prefix (unless you overwrite the preferred lifetime
for a subnet/host).


>> To distribute the dynamic node-IPs to all other nodes, the following "host-up" script is used:
>>
>> ------------------------------------------------------------- snip --------------------------------------------------------------
>>
>> #!/bin/bash
>>
>> # NETNAME, NODE, REMOTEADDRESS and REMOTEPORT are exported by tinc to host-up
>> FILE="/etc/tinc/$NETNAME/hosts/$NODE"
>> ADDRESS="Address = $REMOTEADDRESS $REMOTEPORT"
>>
>> # Replace an existing Address line, otherwise append one.
>> # '|' is the sed delimiter because IPv6 addresses contain ':'.
>> if grep -q '^Address' "$FILE"; then
>>     /bin/sed -i "s|^Address.*=.*$|$ADDRESS|" "$FILE"
>> else
>>     echo "$ADDRESS" >> "$FILE"
>> fi
>>
>> ------------------------------------------------------------- snap --------------------------------------------------------------
>>
>> Please implement such a function directly into the Tinc code! Maybe even with distributed tables without the need of a master with a static IP.
>
> Yes, that is indeed one of the things I will implement at some point (although
> the host-up script you use is doing the job quite well). In tinc version
> 1.1pre4 and later, you can complement this with the AutoConnect option and by
> automatically distributing the public keys of nodes, if you use the
> ExperimentalProtocol option.

I'm still at 1.0.x because of Ubuntu/OpenWrt releases. But I've seen
you're planning CA-support for 2.0, which simplifies larger
installations like mesh communities.
I also have a proposal:

To assign a subnet to a specific tinc-node, the CA could assign an
X.509 certificate which has the network address and CIDR as common
name and tinc automatically configures the subnet.
That way mesh communities would be able to easily deploy subnets to nodes.

Best regards,

Renne
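Added example (not from the thread above and not tinc's own code): a hardened variant of the host-up idea Rene posted, written as a POSIX sh function. It assumes the tinc 1.0 script environment variables NETNAME, NODE, REMOTEADDRESS and REMOTEPORT; the function name update_host_address and the validation rules are this example's own. Beyond the posted script it refuses node names or addresses that could write outside the hosts directory or inject extra config lines, only updates host files that already exist (host-up fires after the peer authenticated with the key in that file), copes with IPv6 literals (which contain ':'), and replaces the file atomically.

```shell
#!/bin/sh
# Hypothetical hardened host-up script for tinc 1.0 (added example).
# tinc exports NETNAME, NODE, REMOTEADDRESS and REMOTEPORT to host-up; the
# function takes them as arguments so it can also be run against a scratch
# hosts directory.

# update_host_address HOSTSDIR NODE ADDRESS PORT
# Rewrites the Address line of HOSTSDIR/NODE to "Address = ADDRESS PORT".
update_host_address() {
    hostsdir=$1
    node=$2
    addr=$3
    port=$4

    # tinc node names consist of [A-Za-z0-9_]; anything else ("../x", "a/b")
    # could point the write outside the hosts directory.
    case "$node" in
        ''|*[!A-Za-z0-9_]*) echo "refusing node name: $node" >&2; return 1 ;;
    esac
    # An address is an IPv4/IPv6 literal or a hostname: letters, digits,
    # ':', '.' and '-' only. Whitespace would let a caller smuggle extra
    # configuration lines (e.g. a second Subnet) into the host file.
    case "$addr" in
        ''|*[!A-Za-z0-9:.-]*) echo "refusing address: $addr" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "refusing port: $port" >&2; return 1 ;;
    esac

    file="$hostsdir/$node"
    # Only update nodes we already know: host-up runs after the peer has
    # authenticated with the public key stored in this file.
    [ -f "$file" ] || { echo "no host file for $node" >&2; return 1; }

    # Build the new file next to the old one and rename it into place, so a
    # reader (or a concurrent host-up) never sees a half-written file.
    # No sed delimiter is involved, so IPv6 colons are harmless.
    tmp="$file.tmp.$$"
    {
        grep -v '^[[:space:]]*Address[[:space:]]*=' "$file"
        echo "Address = $addr $port"
    } > "$tmp" && mv "$tmp" "$file"
}

# When invoked by tinc as host-up, apply the change to the live configuration.
if [ -n "${NETNAME:-}" ] && [ -n "${NODE:-}" ]; then
    update_host_address "/etc/tinc/$NETNAME/hosts" "$NODE" "$REMOTEADDRESS" "$REMOTEPORT"
fi
```

Install it as /etc/tinc/NETNAME/host-up (executable) just like the original script; the validation costs nothing in the normal case and turns a malformed value from the environment into a logged refusal instead of a corrupted host file.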


More information about the tinc-devel mailing list