Authenticating VPN addresses: a proposal

[Sven-Haegar Koch]

On Mon, 23 Nov 2015, Guus Sliepen wrote:

> It also works in a situation where a group of people trust a central
> authority which provides them with the configuration for their tinc
> nodes, if StrictSubnets is used. The drawback is that an external tool
> needs to be used (ChaosVPN is one such example, but there are others)
> and it is not very flexible, but I would disagree that it is
> unmanageable.

In ChaosVPN we use StrictSubnets, and additionally the following patch 
on the core-nodes where (nearly) everyone connects to:

(cut&paste whitespace damaged)

diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c
index 06dafbc..e2d4bfc 100644
--- a/src/protocol_subnet.c
+++ b/src/protocol_subnet.c
@@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char *request) {
        if(strictsubnets) {
                logger(DEBUG_ALWAYS, LOG_WARNING, "Ignoring unauthorized %s from %s (%s): %s",
                                "ADD_SUBNET", c->name, c->hostname, subnetstr);
+               /* Disabled forwarding of unauthorized subnets!
                forward_request(c, request);
+               */
                return true;
        }

This was added because after a few years of operation of the network we 
had so many no-longer-existing subnet definitions flowing around that 
each connect created lots of error messages and a ton of useless 
metadata-traffic bouncing around, even when the nodes/subnets have been 
deleted from the hosts files for ages - as there was never a time that 
all nodes were down whenever one was restarted it learned the bogus 
routes again from something else, and spread it later (and tinc purge 
never worked for this).

Since the bogus subnets are not forwarded anymore from the central nodes 
they only stay known to the edges until the next restart, so after a 
while they are really gone.

c'ya
sven-haegar

-- 
Three may keep a secret, if two of them are dead.
- Ben F.