[Novalug] Proposed Novalug topic

Stuart Gathman stuart@gathman.org
Sun Mar 27 23:27:49 EDT 2016


On 03/05/2016 12:24 PM, greg pryzby wrote:
> Excellent. E please share an abstract for the website


	CJDNS - IP6 Mesh VPN

Overview

    Introduction: Purpose and Terminology
    Background: Quick Overview of CGA, DHT, and source routing
    Installation: Installing cjdns and building if needed
    Practices: Be careful who you peer with

Purpose

As a VPN:
Configuring a point to point VPN connection is fairly straightforward, as
is configuring a centralized VPN server and clients.  However, when every
node in the VPN network needs to talk securely with many other nodes,
relaying every packet through the central server becomes a drag
on performance, and a single point of failure.  Mesh VPNs, like tinc and
cjdns, automatically create point to point connections based on a shared
overall configuration.  Each node only needs a connection to one or more
peers (that can be reused) to get things started.  Cjdns, however, goes
much further than tinc.  On a local LAN or mesh with broadcast, it is zero
configuration.  Peers are automatically discovered via the 0xFC00 layer 2
protocol.

As a Darknet:
In a widespread VPN, address assignment must be coordinated by a central
authority.  The internet also uses centralized IP assignment, which
means a government can take away your IP at any time.  Cjdns uses
CryptoGraphic Addressing (CGA).  Your IP6 is the SHA-512 of your public
key truncated to 128 bits.  Your IP is as safe as the private key pair
which produced it, and cannot [insert standard cryptography disclaimer] be
spoofed.  Most mesh VPNs decrypt packets before routing to a new node.
All cjdns packets are end to end encrypted - relay nodes are untrusted.
There is no centralized routing.  If a node is "blackholing" packets
for some reason, a sender simply doesn't route through that node anymore.

Adoption:
Cjdns is very useful as a private VPN with near zero configuration.  There
is also a global cjdns mesh called Hyperboria which acts as a parallel
end to end encrypted decentralized internet.  Implementations are
available for Fedora, Android, Windows, Apple, OpenWRT, and other Linux
systems.

Compatibility:
Cjdns works transparently with any software that supports IP6.  To integrate
with the IANA internet, all cjdns IPs are currently restricted to the
FC00::/8 subnet.  FC00::/7 is reserved by IANA for private IPs.

Extensibility:
Cjdns is source routed.  This means that individual nodes can experiment
with new routing algorithms while remaining compatible with the
protocol.  Cjdns source routing does not enable spoofing, as every
packet is effectively signed by the sender.
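An added example, not part of the post and not cjdns's own code, that works through the Cryptographic Addressing idea from the "Darknet" paragraph: derive a 128-bit address from a public key by truncating SHA-512, keep only addresses that fall in the fc00::/8 range the "Compatibility" paragraph mentions, and check that an address a peer claims really belongs to the key it presents. The function names (`derive_address`, `find_address_key`, `verify_claim`, ...) are mine, the 32-byte "public keys" are random constructed bytes rather than real curve25519 keys, and the `rounds` parameter is my addition: the abstract summarises the derivation as one SHA-512, while to my knowledge the cjdns source hashes twice, so the example lets you pick either.

```python
import hashlib
import hmac
import ipaddress
import os
from typing import Callable, Tuple

CJDNS_PREFIX_BYTE = 0xfc  # addresses must lie in fc00::/8 (from the abstract)


def sha512_chain(data: bytes, rounds: int) -> bytes:
    """Apply SHA-512 `rounds` times, feeding each 64-byte digest back in."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = data
    for _ in range(rounds):
        digest = hashlib.sha512(digest).digest()
    return digest


def derive_address(pubkey: bytes, rounds: int = 2) -> bytes:
    """Cryptographic address = hash of the public key truncated to 128 bits.

    rounds=1 matches the abstract's one-sentence description; rounds=2 is
    the double-hash form I believe the cjdns source uses (assumption).
    """
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte public key")
    return sha512_chain(pubkey, rounds)[:16]


def is_valid_cjdns_address(addr: bytes) -> bool:
    """Only addresses inside fc00::/8 are usable on a cjdns mesh."""
    return len(addr) == 16 and addr[0] == CJDNS_PREFIX_BYTE


def find_address_key(rounds: int = 2,
                     rng: Callable[[int], bytes] = os.urandom) -> Tuple[bytes, bytes]:
    """Key generation is a search: only ~1 in 256 keys hashes into fc00::/8.

    The keys here are constructed random bytes standing in for real public
    keys; a real node would derive each candidate from a fresh keypair.
    """
    while True:
        candidate = rng(32)
        addr = derive_address(candidate, rounds)
        if is_valid_cjdns_address(addr):
            return candidate, addr


def verify_claim(pubkey: bytes, claimed_addr: bytes, rounds: int = 2) -> bool:
    """Defender-side check: does the address a peer announces match its key?

    Because the address is a hash of the key, a node cannot claim another
    node's address without also holding the private key behind that hash.
    Constant-time compare so the check itself leaks nothing about mismatches.
    """
    expected = derive_address(pubkey, rounds)
    return is_valid_cjdns_address(claimed_addr) and hmac.compare_digest(expected, claimed_addr)


def to_ipv6_text(addr: bytes) -> str:
    """Render the 16 raw bytes as the familiar compressed IPv6 form."""
    return ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    key, addr = find_address_key()
    print("public key :", key.hex())
    print("cjdns addr :", to_ipv6_text(addr))
    print("claim ok   :", verify_claim(key, addr))
    # A forged claim (same key, different address) is rejected.
    forged = bytes([CJDNS_PREFIX_BYTE]) + addr[1:][::-1]
    print("forged ok  :", verify_claim(key, forged))
```

The search loop is why generating a cjdns identity takes noticeably longer than generating an ordinary keypair: on average 256 candidates are hashed before one lands in fc00::/8. The `verify_claim` check is the property the abstract relies on when it says an address "cannot be spoofed": a relay or peer can only validate the binding, never mint an address for a key it does not hold.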