Routing and keying Questions
Frithjof Hammer
mail at frithjof-hammer.de
Wed Jul 9 19:38:24 CEST 2008
Hi
> > Is there documentation on what is meant by the option value and the weight
> > value?
>
> Node weights are the approximate latency of the node. Higher weight =
> slower node. They're currently used for calculating the minimum spanning
> tree of the network, for tinc metadata broadcast.
>
thanks!
> > * Is there a possibility to resolve the routing path through a tinc mesh?
>
> I'm not entirely sure what you mean.
As I understand it, there is a routing mechanism that sends traffic from A to C
via B, if A and C and reach each other directly. Is that correct? If so, is
there a possibility to resolve this routing path?
> Look into TunnelServer, it might be what you want. You'd probably want to
> set it on B.
I will test it in a few days, thanks.
>
> Oh yes, one thing that might help you out, send a USR1 signal to tinc, to
> output all direct connections.
>
In what way may that help me? USR1 gives me less information than the USR2
signal, no?
>> Then why use different keys for each node and not a shared key for
>> everyone?
>>
>With this you can add or remove other nodes, or just stop the access
>right for one specific node without regenerating all the keys....
I don't think I get this right: If I have a VPN-network fully under my
administration, I had to log on every node and delete the key of a node I
want to exclude. If I want to include a node, I have to copy that key to
every other node. In this case a shared key would have been easier. So there
is no advantage against changing a shared key.
In another scenario, if I have a VPN-network that is not fully under my
administration (like: I connect to a friend, and he connects his friend to
the same tinc-vpn), everybody has to agree to throw one out. I cannot select
a subgroup of friends I trust and only let them communicate to me while my
friend selects a different subgroup.
At the moment I am not convinced that this "key-exchange-feature" is
helpful compared to VPN with shared key on the one side and a VPN only
talking to nodes with known keys on the other side.
But I have to test the TunnelServer parameter and give it a bit more thinking.
Meanwhile, any enlightenment is welcome.
Frithjof