Unauthorized ADD_SUBNET, but known subnet

Guus Sliepen guus at tinc-vpn.org
Mon May 27 11:56:44 CEST 2013


On Mon, May 27, 2013 at 11:05:43AM +0200, Ivan Vilata i Balaguer wrote:

> > The server needs the HUP so it will reread the host config files and
> > update its list of approved Subnets. However, the validity of a Subnet
> > that a node announces is only checked when that node announces its
> > Subnet. So the best way is to make sure the server gets the new host
> > config file and a HUP signal before the new node comes online.
> 
> Thanks for the explanation, Guus.  What I didn't mention (and is indeed
> the reason for my surprise) is that in another setup using nearly the
> same software environment, we checked that tinc doesn't need the HUP to
> accept new nodes!  The main difference is that the first one is an LXC
> container and the second one a physical host.  Go figure.  Anyway I
> guess it's better to play safe and send the HUP.

Well, maybe my explanation was not complete: tinc does not need HUP to accept
new nodes, it only needs HUP to reread the list of approved Subnets when
StrictSubnets is enabled.

> > There are various options that control forwarding of information. You
> > might want to use the TunnelServer option in your case.
> 
> In our setup we want some core nodes to have the host files of all nodes
> in the tinc network and connect among themselves, and other "peripheral"
> nodes to only have the file of the core node they ConnectTo, but still
> be able to exchange data directly with other nodes if the underlying
> network allows it.  Thus we do want to forward all the information in
> core nodes, but only if it matches what the known host file states.  In
> other words, whenever the node would print "Ignoring unauthorized
> ADD_SUBNET from X" it would not forward the info for node X, so core
> nodes would act like some kind of authenticators.  But well, with the
> warning we're at least able to spot rogue nodes. ;)

Ok, in that case StrictSubnets is exactly what you want.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
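As an added illustration of the setup discussed above (not part of the original thread): a core node that enforces the approved Subnet list with StrictSubnets, the host file it keeps for a peripheral node, and the peripheral node's own config. Node names, the network name "vpn", and all addresses are constructed placeholders.

```ini
# /etc/tinc/vpn/tinc.conf on the core node (constructed example)
Name = core1
Mode = router
# Only trust Subnet statements that appear in the local hosts/ files;
# an ADD_SUBNET that does not match is dropped and logged as
# "Ignoring unauthorized ADD_SUBNET from ...", and is not forwarded.
StrictSubnets = yes
# Core nodes connect among themselves.
ConnectTo = core2

# /etc/tinc/vpn/hosts/edge1 on the core node (constructed example)
# This file is what StrictSubnets compares the announced Subnet against.
Address = 198.51.100.10
Subnet = 10.8.1.0/24
-----BEGIN RSA PUBLIC KEY-----
...public key of edge1 (elided)...
-----END RSA PUBLIC KEY-----

# /etc/tinc/vpn/tinc.conf on the peripheral node (constructed example)
# Only needs the host file of the core node it connects to; StrictSubnets
# is not set here, so it accepts whatever the core forwards.
Name = edge1
Mode = router
ConnectTo = core1
```

After dropping a new or changed hosts/ file onto the core node, send the running daemon a HUP so it rereads the approved list before the new node comes online, e.g. with tinc 1.0: `tincd -n vpn -kHUP`.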