Subnet authority and trust

Etienne Dechamps etienne at edechamps.fr
Fri May 5 19:26:47 CEST 2017


Hi Parke,

Your assessment is correct. tinc will follow any subnet advertisements that
it receives over the metaconnection graph. Subnet declarations in host
files are only used by the tinc instance running on that specific host to
determine which subnets it should advertise to others. I believe the
rationale is to make it possible to add new nodes (with their own subnets)
to the network (or change existing ones) without having to distribute host
files to every other node, which would not scale well.

If StrictSubnets=yes is used, then it's the opposite: tinc will only follow
its own host files and ignore any dynamic subnet advertisements made over
the network.

In general however, I would advise against trusting other nodes, even with
StrictSubnets=yes. tinc is not currently designed to provide strong
protection against insider attacks - for the most part it assumes that
every node inside the metaconnection graph can be trusted. In my opinion
tinc will do poorly in a scenario where a "compromised node" is part of
your threat model.

On 5 May 2017 at 04:45, Parke <parke.nexus at gmail.com> wrote:

> Hello,
>
> How does tincd determine the subnet(s) of other remote nodes?  Does
> tincd read its copies of the hosts file and parse and follow the
> subnet information contained in the local files?  Or does tincd solely
> trust the subnet information dynamically advertised by each remote
> node?
>
> In my experimentation, it seems that:
>
> a) tincd reads its own subnet(s) from its copy of its own host file, but
>
> b) tincd ignores the subnets specified in the other hosts files.
>
> This would seem to mean that if:
>
> 1) There are three nodes, A, B, and C, and
> 2) Node B is offline, and
> 3) Node C is compromised and advertises itself as serving B's subnet(s),
> and
> 4) Node A sends traffic to an IP address on one of B's subnets, then
> 5) Node C will intercept the traffic that A believes A is sending to B's
> subnet.
>
> Is the above description of how tincd operates correct?
>
> Is this an intentional choice?  If so, what is the reasoning behind it?
>
> It seems to me that this behavior (trusting all advertised subnets) is
> unexpected and possibly undocumented.  The behavior would also seem to
> prioritize convenience over security.
>
> (I am running tinc version 1.0.24 on Debian.)
>
> Thanks!
>
> -Parke
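
An added example, not part of the original thread and not tinc's own code: a check that compares subnet advertisements against the Subnet lines in the local host files and flags the case described in the question (node C claiming B's subnet). The host-file contents, the advertisement list (assumed to have been collected separately) and the function names are constructed for illustration, and only IP subnets in `Subnet = net[#weight]` form are handled.

```python
import ipaddress
import re

# Constructed sample data: node A's local copies of the host files.
HOST_FILES = {
    "A": "Subnet = 10.0.1.0/24\n",
    "B": "Address = b.example.org\nSubnet = 10.0.2.0/24#5\n",
    "C": "Subnet = 10.0.3.0/24\n",
}
# Constructed sample: (subnet, owner) pairs learned over the metaconnections.
ADVERTISED = [
    ("10.0.1.0/24", "A"),
    ("10.0.3.0/24", "C"),
    ("10.0.2.0/24", "C"),    # C claims B's subnet while B is offline
    ("10.0.1.128/25", "C"),  # C claims a more specific slice of A's subnet
]

SUBNET_LINE = re.compile(r"^\s*Subnet\s*=\s*(\S+)", re.IGNORECASE)

def parse_net(text):
    """Parse 'net[#weight]' into an ip_network, dropping the weight."""
    return ipaddress.ip_network(text.split("#", 1)[0], strict=False)

def declared_subnets(host_files):
    """Map node name -> set of networks declared in its local host file."""
    declared = {}
    for node, text in host_files.items():
        matches = (SUBNET_LINE.match(line) for line in text.splitlines())
        declared[node] = {parse_net(m.group(1)) for m in matches if m}
    return declared

def audit(host_files, advertised):
    """Return (subnet, owner, reason) for advertisements the host files do not back."""
    declared = declared_subnets(host_files)
    findings = []
    for subnet, owner in advertised:
        net = parse_net(subnet)
        if net in declared.get(owner, set()):
            continue  # matches what the local host file says for this owner
        clash = sorted(
            node for node, nets in declared.items() if node != owner
            and any(d.version == net.version and net.overlaps(d) for d in nets))
        reason = "overlaps " + ",".join(clash) if clash else "not in local host file"
        findings.append((str(net), owner, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(HOST_FILES, ADVERTISED):
        print(*finding)
```
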