Conflicting Default Values. A trusts B. B trusts EvilNode. Does that mean A trusts EvilNode?
Guus Sliepen
guus at tinc-vpn.org
Thu Jan 24 11:14:05 CET 2013
On Thu, Jan 24, 2013 at 10:53:18AM +0100, Guus Sliepen wrote:
> There are two kinds of connections. If node A does not have the public key of
> EvilNode, then EvilNode cannot make a meta-connection to A (it cannot ConnectTo
> A). However, UDP packets to/from EvilNode will be allowed, unless you use
> either StrictSubnets or the combination of Forwarding, DirectOnly and
> IndirectData mentioned above.
[...]
> In the case of EvilNode, the proper way to deny it access to the VPN would be
> for B to remove hosts/EvilNode. [...]
What I forgot to mention is that EvilNode can only exchange packets with A,
either directly or forwarded via B, if and only if EvilNode has a working
meta-connection to B. So once B removes hosts/EvilNode and reloads its
configuration, it will kill the meta-connection between B and EvilNode, and A
will then immediately stop accepting packets from EvilNode.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
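
The rule described in this message, modelled as an added example (not part of the original message and not tinc code): given which `hosts/` files each node holds, it computes which nodes a given node will exchange packets with. Assumptions: a meta-connection needs each side to hold the other's host file, every node has reloaded its configuration, and `strict_subnets` is a simplified stand-in for StrictSubnets that keeps only peers with a local host file; all function names and the sample data are constructed for illustration.

```python
from collections import deque

def meta_links(hosts):
    """Pairs that can hold a meta-connection (assumed: each side has the other's host file)."""
    return {frozenset((a, b)) for a, known in hosts.items()
            for b in known if a != b and a in hosts.get(b, set())}

def packet_peers(hosts, node, strict_subnets=False):
    """Nodes that `node` will exchange VPN packets with.

    Default: every node reachable over the meta-connection graph, including
    nodes whose public key `node` never received. With strict_subnets=True
    (simplified model of StrictSubnets) only peers with a local host file remain.
    """
    links = meta_links(hosts)
    seen, queue = {node}, deque([node])
    while queue:
        cur = queue.popleft()
        for link in links:
            if cur in link:
                (other,) = link - {cur}
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    seen.discard(node)
    if strict_subnets:
        seen &= hosts[node]
    return seen

def after_removal(hosts, owner, removed):
    """Copy of `hosts` with hosts/<removed> deleted on `owner` and config reloaded."""
    updated = {n: set(known) for n, known in hosts.items()}
    updated[owner].discard(removed)
    return updated

# Constructed sample: node name -> host files present in its hosts/ directory.
HOSTS = {
    "A": {"B"},
    "B": {"A", "EvilNode"},
    "EvilNode": {"B"},
}

if __name__ == "__main__":
    print("A, default:        ", sorted(packet_peers(HOSTS, "A")))
    print("A, strict subnets: ", sorted(packet_peers(HOSTS, "A", strict_subnets=True)))
    fixed = after_removal(HOSTS, "B", "EvilNode")
    print("A, after B removes:", sorted(packet_peers(fixed, "A")))
```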