Hello, How does tincd determine the subnet(s) of other remote nodes? Does tincd read its copies of the hosts file and parse and follow the subnet information contained in the local files? Or does tincd solely trust the subnet information dynamically advertised by each remote node? In my experimentation, it seems that: a) tincd reads its own subnet(s) from its copy of its own host file, but b) tincd ignores the subnets specified in the other hosts files. This would seem to mean that if: 1) There are three nodes, A, B, and C, and 2) Node B is offline, and 3) Node C is compromised and advertises itself as serving B's subnet(s), and 4) Node A sends traffic to an IP address on one of B's subnets, then 5) Node C will intercept the traffic that A believes A is sending to B's subnet. Is the above description of how tincd operates correct? Is this an intentional choice? If so, what is the reasoning behind it? It seems to me that this behavior (trusting all advertised subnets) is unexpected and possibly undocumented. The behavior would also seem to prioritize convenience over security. (I am running tinc version 1.0.24 on Debian.) Thanks! -Parke
On Thu, 4 May 2017, Parke wrote:> How does tincd determine the subnet(s) of other remote nodes? Does > tincd read its copies of the hosts file and parse and follow the > subnet information contained in the local files? Or does tincd solely > trust the subnet information dynamically advertised by each remote > node? > > In my experimentation, it seems that: > > a) tincd reads its own subnet(s) from its copy of its own host file, but > > b) tincd ignores the subnets specified in the other hosts files. > > This would seem to mean that if: > > 1) There are three nodes, A, B, and C, and > 2) Node B is offline, and > 3) Node C is compromised and advertises itself as serving B's subnet(s), and > 4) Node A sends traffic to an IP address on one of B's subnets, then > 5) Node C will intercept the traffic that A believes A is sending to B's subnet. > > Is the above description of how tincd operates correct? > > Is this an intentional choice? If so, what is the reasoning behind it? > > It seems to me that this behavior (trusting all advertised subnets) is > unexpected and possibly undocumented. The behavior would also seem to > prioritize convenience over security. > > (I am running tinc version 1.0.24 on Debian.)The StrictSubnets = yes looks like what you want. Then a node only routes subnets as defined in locally existing hosts files, not announced from the outside anymore. c'ya sven-haegar -- Three may keep a secret, if two of them are dead. - Ben F.
Hi Parke, Your assessment is correct. tinc will follow any subnet advertisements that it receives over the metaconnection graph. Subnet declarations in host files are only used by the tinc instance running on that specific host to determine which subnets it should advertise to others. I believe the rationale is to make it possible to add new nodes (with their own subnets) to the network (or change existing ones) without having to distribute host files to every other node, which would not scale well. If StrictSubnets=yes is used, then it's the opposite: tinc will only follow its own host files and ignore any dynamic subnet advertisements made over the network. In general however, I would advise against trusting other nodes, even with StrictSubnets=yes. tinc is not currently designed to provide strong protection against insider attacks - for the most part it assumes that every node inside the metaconnection graph can be trusted. In my opinion tinc will do poorly in a scenario where a "compromised node" is part of your threat model. On 5 May 2017 at 04:45, Parke <parke.nexus at gmail.com> wrote:> Hello, > > How does tincd determine the subnet(s) of other remote nodes? Does > tincd read its copies of the hosts file and parse and follow the > subnet information contained in the local files? Or does tincd solely > trust the subnet information dynamically advertised by each remote > node? > > In my experimentation, it seems that: > > a) tincd reads its own subnet(s) from its copy of its own host file, but > > b) tincd ignores the subnets specified in the other hosts files. > > This would seem to mean that if: > > 1) There are three nodes, A, B, and C, and > 2) Node B is offline, and > 3) Node C is compromised and advertises itself as serving B's subnet(s), > and > 4) Node A sends traffic to an IP address on one of B's subnets, then > 5) Node C will intercept the traffic that A believes A is sending to B's > subnet. > > Is the above description of how tincd operates correct? > > Is this an intentional choice? If so, what is the reasoning behind it? > > It seems to me that this behavior (trusting all advertised subnets) is > unexpected and possibly undocumented. The behavior would also seem to > prioritize convenience over security. > > (I am running tinc version 1.0.24 on Debian.) > > Thanks! > > -Parke > _______________________________________________ > tinc mailing list > tinc at tinc-vpn.org > https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20170505/0c9e4af4/attachment.html>
Apparently Analagous Threads
- One host for forwarding only without keys
- Create network of untrusted peers (like SocialVPN, ChaosVPN, etc)
- Tincd fails to resolve domain names before it is started name resolution becomes available.
- What exactly is the meaning of "Subnet" parameter in tinc/$NETNAME/hosts/$SOMEHOSTNAME?
- Tincd fails to resolve domain names before it is started name resolution becomes available.