search for: e2d4bfc

...flexible, but I would disagree that it is > unmanageable. In ChaosVPN we use StrictSubnets, and additionally the following patch on the core-nodes where (nearly) everyone connects to: (cut&paste whitespace damaged) diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c index 06dafbc..e2d4bfc 100644 --- a/src/protocol_subnet.c +++ b/src/protocol_subnet.c @@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char *request) { if(strictsubnets) { logger(DEBUG_ALWAYS, LOG_WARNING, "Ignoring unauthorized %s from %s (%s): %s",...

...> > unmanageable. > > In ChaosVPN we use StrictSubnets, and additionally the following patch > on the core-nodes where (nearly) everyone connects to: > > (cut&paste whitespace damaged) > > diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c > index 06dafbc..e2d4bfc 100644 > --- a/src/protocol_subnet.c > +++ b/src/protocol_subnet.c > @@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char > *request) { > if(strictsubnets) { > logger(DEBUG_ALWAYS, LOG_WARNING, "Ignoring unauthorized > %s from %s (%s):...

...> > unmanageable. > > In ChaosVPN we use StrictSubnets, and additionally the following patch > on the core-nodes where (nearly) everyone connects to: > > (cut&paste whitespace damaged) > > diff --git a/src/protocol_subnet.c b/src/protocol_subnet.c > index 06dafbc..e2d4bfc 100644 > --- a/src/protocol_subnet.c > +++ b/src/protocol_subnet.c > @@ -117,7 +117,9 @@ bool add_subnet_h(connection_t *c, const char > *request) { > if(strictsubnets) { > logger(DEBUG_ALWAYS, LOG_WARNING, "Ignoring unauthorized > %s from %s (%s):...

TL;DR: a proposal for a new tinc feature that allows nodes to filter ADD_SUBNET messages based on the metaconnection on which they are received, so that nodes can't impersonate each other's VPN Subnets. Similar to StrictSubnets in spirit, but way more flexible. BACKGROUND: THE ISSUE OF TRUST IN A TINC NETWORK In terms of metaconnections (I'm not discussing data tunnels here), one of