[Novalug] Proposed Novalug topic
Stuart Gathman
stuart@gathman.org
Sun Mar 27 23:27:49 EDT 2016
On 03/05/2016 12:24 PM, greg pryzby wrote:
> Excellent. E please share an abstract for the website
CJDNS - IP6 Mesh VPN
Overview
Introduction: Purpose and Terminology
Background: Quick Overview of CGA, DHT, and source routing
Installation: Installing cjdns and building if needed
Practices: Be careful who you peer with
Purpose
As a VPN:
Configuring a point to point VPN connection is fairly straightforward, as
is configuring a centralized VPN server and clients. However, when every
node in the VPN network needs to talk securely with many other nodes,
relaying every packet through the central server becomes a drag
on performance, and a single point of failure. Mesh VPNs, like tinc and
cjdns, automatically create point to point connections based on a shared
overall configuration. Each node only needs a connection to one or more
peers (that can be reused) to get things started. Cjdns, however, goes
much further than tinc. On a local LAN or mesh with broadcast, it is zero
configuration. Peers are automatically discovered via the 0xFC00 layer 2
protocol.
As a Darknet:
In a widespread VPN, address assignment must be coordinated by a central
authority. The internet also uses centralized IP assignment, which
means a government can take away your IP at any time. Cjdns uses
CryptoGraphic Addressing (CGA). Your IP6 is the SHA-512 of your public
key truncated to 128 bits. Your IP is as safe as the private key pair
which produced it, and cannot [insert standard cryptography disclaimer] be
spoofed. Most mesh VPNs decrypt packets before routing to a new node.
All cjdns packets are end to end encrypted - relay nodes are untrusted.
There is no centralized routing. If a node is "blackholing" packets
for some reason - a sender simply doesn't route through that node anymore.
Adoption:
Cjdns is very useful as a private VPN with near zero configuration. There
is also a global cjdns mesh called Hyperboria which acts as a parallel
end to end encrypted decentralized internet. Implementations are
available for Fedora, Android, Windows, Apple, OpenWRT, and other Linux
systems.
Compatibility:
Cjdns works transparently with any software that supports IP6. To integrate
with the IANA internet, all cjdns IPs are currently restricted to the
FC00::/8 subnet. FC00::/7 is reserved by IANA for private IPs.
Extensibility:
Cjdns is source routed. This means that individual nodes can experiment
with new routing algorithms while remaining compatible with the
protocol. Cjdns source routing does not enable spoofing, as every
packet is effectively signed by the sender.
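An added illustration (not part of the original post or of the cjdns project's code) of the two points in the abstract that a peer has to check: the Cryptographic Addressing described under "As a Darknet", where the IP6 is the SHA-512 of the public key truncated to 128 bits, and the FC00::/8 restriction under "Compatibility". It follows the abstract's single-hash description; the real cjdns derivation applies SHA-512 twice, and the random 32-byte keys are a constructed stand-in for Curve25519 key pairs.

```python
import hashlib
import ipaddress
import os

CJDNS_PREFIX = ipaddress.IPv6Network("fc00::/8")  # every cjdns address lives here
ULA_PREFIX = ipaddress.IPv6Network("fc00::/7")    # IANA private range, twice as large


def address_for_key(pubkey: bytes) -> ipaddress.IPv6Address:
    """Derive the IPv6 address bound to a public key as the abstract describes:
    SHA-512 of the key, truncated to 128 bits (16 bytes).
    Note: cjdns itself computes SHA-512(SHA-512(key)); the single hash here
    follows the abstract's wording."""
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte public key")
    digest = hashlib.sha512(pubkey).digest()
    return ipaddress.IPv6Address(digest[:16])


def is_cjdns_address(addr) -> bool:
    """True only for fc00::/8. fd00::/8 is still IANA ULA (fc00::/7) but is
    never a cjdns address, so a mesh firewall rule should not match the /7."""
    return ipaddress.IPv6Address(addr) in CJDNS_PREFIX


def find_valid_key(rng=os.urandom, max_tries=10000) -> bytes:
    """Constructed stand-in for key generation: draw random 32-byte 'public
    keys' until one hashes into fc00::/8 (about 1 in 256 do). A real node
    keeps generating Curve25519 key pairs until the address qualifies."""
    for _ in range(max_tries):
        candidate = rng(32)
        if is_cjdns_address(address_for_key(candidate)):
            return candidate
    raise RuntimeError("no key hashed into fc00::/8 within max_tries")


def verify_claim(claimed_addr: str, pubkey: bytes) -> bool:
    """The anti-spoofing check a relay or peer performs: an address is only
    accepted when it is the hash of the key the sender actually speaks with,
    and when it sits inside the cjdns prefix."""
    derived = address_for_key(pubkey)
    return is_cjdns_address(derived) and derived == ipaddress.IPv6Address(claimed_addr)
```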