Metadata flooding

Hendrik Schumacher hendrik.schumacher at meetrics.com
Tue Jun 21 13:04:31 CEST 2016


Hi,

We use a tinc network of about 400 nodes, all of them Linux servers, partly
in different datacenters (but generally low latency). Usually this is
working very well (for weeks without a problem).

From time to time the whole network goes down though. This happened when we
restarted a larger number of servers or when there was a connectivity issue
between datacenters or some (short) maintenance on the network
infrastructure. The problem was already described in the mailing list (for
example here:
https://www.tinc-vpn.org/pipermail/tinc/2015-December/004325.html , we see
the same messages in our logs as described there). We try to avoid
situations where a large number of servers becomes unavailable but from
time to time it just happens. For us it would be important that tinc
continues working with the hosts that are still reachable and that it
recovers itself and we do not have to stop and start the whole network
manually.

We already tried to tweak the configuration to limit the amount of metadata
by only having 3 ConnectTo hosts (the same ones everywhere) and using

Broadcast = no
DirectOnly = yes
Cipher=aes-128-cbc

(Apart from Name, AddressFamily, BindToAddress, Interface and ConnectTo,
those are the only settings we use in tinc.conf.)

We are also going to increase PingTimeout to 30 and reduce the number of
ConnectTo hosts to 2.

Is there anything else we can do to limit the amount of metadata (as that
seems to be the reason why tinc just stops working and only produces log
messages about failed connection attempts)?

Ideally we would not need any metadata updates at all (apart from key
updates) since each host can connect to every other host and all the host
config files are available everywhere locally.

We also thought about using TunnelServer = yes, would this help? Does it
make sense to somehow group ConnectTo hosts (so use two ConnectTo servers
for one host group, another two for another host group and let the
ConnectTo servers connect to each other)?

Thank you for any help with this!

Hendrik