Status of Experimental Protocol

Guus Sliepen guus at tinc-vpn.org
Sun Apr 6 17:50:31 CEST 2014 

On Sun, Apr 06, 2014 at 11:24:42PM +0800, shikkc wrote:

> Is there any indication of when we might see the protocol stabilize in the
> 1.1pre branch? It seems to be quite an improvement already.

What has to happen is this:

- Authentication should be done using Ed25519 keys, and the ECDH part should
  use Curve25519. There are two reasons for this: 1) there is currently much
  more trust in these curves than in the NIST curves, and 2) I am not very happy
  wih OpenSSL's support for EC curves, and some distributors (notably RedHat)
  seem to disable support for EC operations in OpenSSL, so I want to include a
  stand-alone EC library anyway.

- Forwarding of SPTPS packets via intermediate nodes is not efficient (it
  always uses TCP), it should use UDP where possible. The problem is that this
  requires adding some header to the UDP packets, as SPTPS provides end-to-end
  encryption so intermediate nodes can no longer peek at the IP header of the
  encapsulated packet to make routing decisions.

- The authentication phase of datagram SPTPS should be done over UDP. Currently
  it is still done over TCP, because there is no retry mechanism for dropped
  packets during this phase yet.

- Some more testing is required for broadcast packets.

> Perhaps some configuration could be added to allow for specifying a protocol
> version, rather than the 'ExperimentalProtocol=yes' flag?

Well, I want to keep that configuration option until it is stabilised a bit
more.  But eventually it should indeed be just an option for specifying the
protocol version.

> While I'm more of a network administrator than a programmer, I'd be happy to
> help in any way I can.

Test new versions when they come out! Also, if you encounter bugs, trying to
create a minimal setup that reproduces the bug would be very helpful. There is
a directory test/ in the source code, where there are several tests that are
done when you run "make check". The current tests are quite simple. If you
want, you could make some more complicated tests that simulate VPNs with more
than 2 nodes. For example, have a look at the test Julien Muchembled made[1].
It uses Linux's network namespaces feature to isolate the tincd processes from
each other, allowing each to see a different routing table and firewall rules.
Note that it doesn't have to be on Linux, tests for other operating systems
would be nice as well.

[1] http://www.tinc-vpn.org/pipermail/tinc/2014-April/003675.html

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://www.tinc-vpn.org/pipermail/tinc-devel/attachments/20140406/d587e882/attachment.sig>

More information about the tinc-devel mailing list