Authenticating VPN addresses: a proposal

Etienne Dechamps etienne at edechamps.fr
Mon Nov 23 22:59:57 CET 2015


On 23 November 2015 at 08:48, Рысь <lynx at lynxlynx.tk> wrote:
> I don't think StrictSubnets is flawed. It works nicely, and embedded
> tincs running it have no issues. I think that the network must be
> consistent. Hence every node must know about others.

If by "every node must know about others" you mean "every node should
have host files for every other node", then I strongly disagree. I
don't think that's scalable, and I don't think that's what tinc is
designed for. Otherwise tinc wouldn't have this entire protocol with
messages like ADD_EDGE and ADD_SUBNET that precisely *remove* the need
for static configuration. tinc works perfectly well without static
host configuration and that doesn't mean the network is
inconsistent... as long as you don't try to use StrictSubnets. Hence
my proposal.

> There is also the TunnelServer option if you want to manage network through gateways.

Yeah... no. I want my nodes to do everything they can (probing, UDP
hole punching, UPnP, etc.) to maximize performance by ensuring they
*don't* have to go through relays to talk to each other. In fact, I
wrote quite a lot of code in tinc-1.1 already to improve this logic.
In that regard, TunnelServer is the absolute opposite of what I want
:)

