search for: sptps

Displaying 20 results from an estimated 42 matches for "sptps".

2015 Aug 19
0
Seeing: "Got REQ_KEY from XXX while we already started a SPTPS session!"
...; and I recently started seeing lots of these messages on my VPN and cannot connect to various hosts from other hosts: (I have obscured the hostnames and vpn name, but otherwise this is a direct paste from syslog) Aug 19 14:51:51 AAA tinc.nnn[2217]: Got REQ_KEY from XXX while we already started a SPTPS session! Aug 19 14:51:54 AAA tinc.nnn[2217]: Got REQ_KEY from YYY while we already started a SPTPS session! Aug 19 14:52:04 AAA tinc.nnn[2217]: Got REQ_KEY from ZZZ while we already started a SPTPS session! Aug 19 14:52:06 AAA tinc.nnn[2217]: Got REQ_KEY from YYY while we already started a SPTPS se...
2014 Jul 16
2
Some questions about SPTPS
I've been using SPTPS (a.k.a. ExperimentalProtocol) for a while now, but I've only recently started looking into the details of the protocol itself. I have some questions about the design: - I am not sure what the threat model for SPTPS is when compared with the legacy protocol. SPTPS is vastly more complex than...
2015 May 16
2
"Invalid KEX record length" during SPTPS key regeneration and related issues
Hi, I'm currently trying to troubleshoot what appears to be a very subtle bug (most likely a race condition) in SPTPS that causes state to become corrupted during SPTPS key regeneration. The tinc version currently deployed to my production nodes is git 7ac5263, which is somewhat old (2014-09-06), but I think this is still relevant because the affected code paths haven't really changed since. The only differen...
2015 May 16
0
"Invalid KEX record length" during SPTPS key regeneration and related issues
On Sat, May 16, 2015 at 04:53:33PM +0100, Etienne Dechamps wrote: > I believe there is a design flaw in the way SPTPS key regeneration > works, because upon reception of the KEX message the other nodes will > send both KEX and SIG messages at the same time. However, the node > expects SIG to arrive after KEX. Therefore, there is an implicit > assumption that messages won't arrive out of order. tinc...
2015 May 17
2
"Invalid KEX record length" during SPTPS key regeneration and related issues
...resses the general issue, at least for the short term: https://github.com/gsliepen/tinc/pull/83 On 16 May 2015 at 19:36, Guus Sliepen <guus at tinc-vpn.org> wrote: > On Sat, May 16, 2015 at 04:53:33PM +0100, Etienne Dechamps wrote: > >> I believe there is a design flaw in the way SPTPS key regeneration >> works, because upon reception of the KEX message the other nodes will >> send both KEX and SIG messages at the same time. However, the node >> expects SIG to arrive after KEX. Therefore, there is an implicit >> assumption that messages won't arrive ou...
2018 Mar 16
3
SPTPS in 1.1
Is SPTPS protocol enabled in 1.1 by default? Or do we need to manually enable it?
2013 Dec 17
1
Speed issue in only one direction
.../s. When I run an iperf test from node1 (client) to node2 (server) with default options, I have 300 Mbit/s MAX. The strange thing is that 300 Mbit/s was the limit with Tinc 1.0. I checked twice, both nodes are now running tinc 1.1... Of course, when I do iperf without Tinc, I have 1 Gbit/s... sptps_speed reports correct speeds (node1 is less powerful than node2) : root at node1:~# sptps_speed Generating keys for 10 seconds: 597.41 op/s ECDSA sign for 10 seconds: 549.90 op/s ECDSA verify for 10 seconds: 470.60 op/s ECDH for 10 seconds:...
2015 May 17
0
"Invalid KEX record length" during SPTPS key regeneration and related issues
On Sun, May 17, 2015 at 07:46:45PM +0100, Etienne Dechamps wrote: > I sent you a pull request that addresses the general issue, at least > for the short term: https://github.com/gsliepen/tinc/pull/83 Merged. > > You are right. The main issue with the SPTPS datagram protocol is that > > it actually doesn't handle any packet loss or reordering during > > authentication and key regeneration. I will add this, so it will be able > > to run completely over UDP. > > Well, actually... in the pull request above I "solved"...
2018 Mar 16
0
SPTPS in 1.1
On Fri, 16 Mar 2018 14:37:58 -0700, al so wrote: > Is SPTPS protocol enabled in 1.1 by default? Or we need to manually enable > it. It is enabled by default. You can disable it by setting ExperimentalProtocol = no in tinc.conf. - todd
2018 Mar 21
2
SPTPS in 1.1
Are you sure it is enabled by default? On Fri, Mar 16, 2018 at 4:07 PM, Todd C. Miller <Todd.Miller at sudo.ws> wrote: > On Fri, 16 Mar 2018 14:37:58 -0700, al so wrote: > > > Is SPTPS protocol enabled in 1.1 by default? Or we need to manually > enable > > it. > > It is enabled by default. You can disable it by setting > ExperimentalProtocol = no in tinc.conf. > > - todd
2018 Mar 22
0
SPTPS in 1.1
...:05 -0600, "Todd C. Miller" wrote: > Note that it will only be used if you generate ed25519 keys to use > with it. The new protocol is one of the main reasons to run 1.1. Also, tinc 1.1 can still interoperate with tinc 1.0 nodes using the legacy protocol. You can read more about sptps in the tinc 1.1 manual in the security section. - todd
2018 May 10
0
Tinc 1.1pre15 double-crash
...3 port 655) May 09 09:25:25 node-1 tincd[14195]: Invalid packet seqno: 385 != 0 from node_2 (10.0.0.3 port 655) May 09 09:25:25 node-1 tincd[14195]: Invalid packet seqno: 386 != 0 from node_2 (10.0.0.3 port 655) May 09 09:25:44 node-1 tincd[14195]: Got REQ_KEY from node_3 while we already started a SPTPS session! May 09 09:25:44 node-1 tincd[14195]: Handshake phase not finished yet from node_3 (10.0.0.2 port 655) May 09 09:25:44 node-1 tincd[14195]: Got REQ_KEY from node_2 while we already started a SPTPS session! May 09 09:25:44 node-1 tincd[14195]: Got REQ_KEY from node_2 while we already started...
2014 Apr 15
1
tinc 1.1pre19 slower than tinc 1.0, experimentalProtocol even more
...we've decided to test it. The results are quite surprising: * using the experimental protocol, throughput falls to around 380Mbit/s; both tincd are at or just above 100% CPU (the host has 8 cores) * not specifying ECDSA keys, throughput is around 600Mbit/s; both tincd are at around 90-95% CPU sptps_speed reports: Generating keys for 10 seconds: 5200.94 op/s ECDSA sign for 10 seconds: 3710.72 op/s ECDSA verify for 10 seconds: 1734.05 op/s ECDH for 10 seconds: 1449.40 op/s SPTPS/TCP authenticate for 10 seconds: 641.37 op/s SPTPS/TCP...
2014 Feb 25
3
PMTU = 1518 over local network at 1500 MTU
Hi all, I have two nodes, connected to a switch, using Tinc 1.1 from git. They connect to each other with sptps, and to other nodes on the Internet with the old protocol because they have Tinc 1.0. There is no problem with remote nodes, but between my 2 local nodes, they see 1518 PMTU. But the local network is 1500 MTU!!! So nodes can ping each other but larger data does not go through. test1=sllm1 test2=sllm2 test1:/us...
2018 Mar 21
0
SPTPS in 1.1
On Wed, 21 Mar 2018 14:54:07 -0700, al so wrote: > Are you sure it is enabled by default? Yes. See the description of ExperimentalProtocol in the tinc.conf manual for details. If you don't believe that, check src/protocol.c and you will see that the "experimental" flag is set to true by default. - todd
2018 Mar 21
1
SPTPS in 1.1
I am surprised this experimental protocol is enabled by default. On Wed, Mar 21, 2018 at 3:07 PM, Todd C. Miller <Todd.Miller at sudo.ws> wrote: > On Wed, 21 Mar 2018 14:54:07 -0700, al so wrote: > > > Are you sure it is enabled by default? > > Yes. > > See the description of ExperimentalProtocol in the tinc.conf manual > for details. If you don't believe
2013 Sep 14
4
Elliptic curves in tinc
In the past 24 hours multiple persons have contacted me regarding the use of elliptic curve cryptography in tinc 1.1 in light of the suspicion that the NSA might have weakened algorithms and/or elliptic curves published by NIST. The new protocol in tinc 1.1 (SPTPS) uses ECDH and ECDSA to do session key exchange and authentication, in such a way that it has the perfect forward secrecy (PFS) property. For both the ephemeral keys used in ECDH and the long-lived keys used for ECDSA, tinc uses the "secp521r1" curve, as published by NIST. There are suspi...
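The exchange described in the "Elliptic curves in tinc" post above (ephemeral ECDH for the session key, long-lived ECDSA for authentication, both on secp521r1, giving perfect forward secrecy) and the ordering problem raised in the "Invalid KEX record length" thread (a node expects SIG only after KEX), as one added example in Go. This is not tinc's code and not its wire format: the KEX/SIG record tags, the canonical transcript, the SHA-512 key derivation and the error strings are assumptions made for the example. It derives a matching forward-secret key on both sides, discards the ephemeral private key as soon as the secret is known, and rejects a SIG that arrives before the peer's KEX.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
)

// Record tags standing in for the KEX and SIG messages named in the threads.
// Tag values, record layout and key derivation are assumptions, not tinc's format.
const (
	tagKEX byte = 1
	tagSIG byte = 2
)

var errOutOfOrder = errors.New("SIG record arrived before the peer's KEX record")

// Node is one endpoint: a long-lived ECDSA identity key plus per-session state.
type Node struct {
	identity   *ecdsa.PrivateKey // long-lived signing key on P-521 (secp521r1)
	eph        *ecdh.PrivateKey  // ephemeral ECDH key, fresh for every session
	myKEX      []byte            // KEX record we sent this session
	peerKEX    []byte            // KEX record we received this session
	SessionKey []byte            // derived key, nil until the peer's KEX is handled
}

func NewNode() (*Node, error) {
	id, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Node{identity: id}, nil
}

// PublicKey is the identity key a peer learns out of band (its host config file).
func (n *Node) PublicKey() *ecdsa.PublicKey { return &n.identity.PublicKey }

// StartSession draws a fresh ephemeral ECDH key and returns our KEX record.
func (n *Node) StartSession() ([]byte, error) {
	eph, err := ecdh.P521().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	n.eph, n.peerKEX, n.SessionKey = eph, nil, nil
	n.myKEX = append([]byte{tagKEX}, eph.PublicKey().Bytes()...)
	return n.myKEX, nil
}

// transcript orders both KEX records canonically so both sides sign identical bytes.
func (n *Node) transcript() []byte {
	a, b := n.myKEX, n.peerKEX
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	return append(append([]byte{}, a...), b...)
}

// HandleKEX derives the session key from the ECDH secret and the transcript,
// drops the ephemeral private key (which is what makes the key forward secret),
// and returns our SIG record: an identity-key signature over the transcript.
func (n *Node) HandleKEX(rec []byte) ([]byte, error) {
	if n.eph == nil || len(rec) < 2 || rec[0] != tagKEX {
		return nil, errors.New("invalid KEX record or no session in progress")
	}
	peerPub, err := ecdh.P521().NewPublicKey(rec[1:])
	if err != nil {
		return nil, err
	}
	secret, err := n.eph.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	n.peerKEX, n.eph = rec, nil
	digest := sha512.Sum512(n.transcript())
	key := sha512.Sum512(append(digest[:], secret...))
	n.SessionKey = key[:]
	sig, err := ecdsa.SignASN1(rand.Reader, n.identity, digest[:])
	if err != nil {
		return nil, err
	}
	return append([]byte{tagSIG}, sig...), nil
}

// HandleSIG verifies the peer's signature over the transcript. A SIG that shows
// up before the peer's KEX is rejected: the transcript it covers is not known yet.
func (n *Node) HandleSIG(rec []byte, peerPub *ecdsa.PublicKey) error {
	if n.peerKEX == nil {
		return errOutOfOrder
	}
	digest := sha512.Sum512(n.transcript())
	if len(rec) < 2 || rec[0] != tagSIG || !ecdsa.VerifyASN1(peerPub, digest[:], rec[1:]) {
		return errors.New("SIG record malformed or not valid under the peer's identity key")
	}
	return nil
}
```

Run the exchange as StartSession on both sides, HandleKEX on each peer's KEX, then HandleSIG on each peer's SIG; the two SessionKey values agree and neither side still holds its ephemeral key. Delivering a SIG before the matching KEX returns errOutOfOrder, which is the cheap, strict choice; a datagram transport that can reorder records has to either hold such a SIG until the KEX arrives or have the sender serialise the two, which is the gap the thread above discusses.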
2017 Dec 10
0
Problems with packages being dropped between nodes in the vpn
...kit-daemon[1658]: GLib-CRITICAL: Source ID 190 was not found when attempting to remove it Dec 10 15:44:16 JOTVPN console-kit-daemon[1658]: GLib-CRITICAL: Source ID 190 was not found when attempting to remove it Dec 10 15:47:22 JOTVPN tinc.vpn[1021]: Got REQ_KEY from Node4 while we already started a SPTPS session! Dec 10 15:47:22 JOTVPN tinc.vpn[1021]: Got REQ_KEY from Node1 while we already started a SPTPS session! Dec 10 15:47:22 JOTVPN tinc.vpn[1021]: Got REQ_KEY from Node3 while we already started a SPTPS session! Dec 10 15:48:13 JOTVPN mpt-statusd: detected non-optimal RAID status Dec 10 15:55:...
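The syslog excerpts quoted in the "Seeing: Got REQ_KEY from XXX ...", "Tinc 1.1pre15 double-crash" and "Problems with packages being dropped" posts are the kind one ends up grepping by hand. As an added example (not part of any post above and not tinc's own tooling), this Go program aggregates those three tincd messages per remote node over a constructed syslog excerpt and lists the peers that keep requesting a key while the local daemon believes an SPTPS session with them is already under way. The message patterns come from the quoted lines; the sample lines, node names, PIDs and addresses are made up to mirror that format.

```go
package main

import (
	"bufio"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample modelled on the syslog excerpts quoted in the threads above;
// hostnames, PIDs and addresses are invented. The console-kit line is there only to
// show that unrelated daemons are skipped.
const sampleLog = `May 09 09:25:25 node-1 tincd[14195]: Invalid packet seqno: 385 != 0 from node_2 (10.0.0.3 port 655)
May 09 09:25:25 node-1 tincd[14195]: Invalid packet seqno: 386 != 0 from node_2 (10.0.0.3 port 655)
May 09 09:25:30 node-1 console-kit-daemon[1658]: GLib-CRITICAL: Source ID 190 was not found when attempting to remove it
May 09 09:25:44 node-1 tincd[14195]: Got REQ_KEY from node_3 while we already started a SPTPS session!
May 09 09:25:44 node-1 tincd[14195]: Handshake phase not finished yet from node_3 (10.0.0.2 port 655)
May 09 09:25:44 node-1 tincd[14195]: Got REQ_KEY from node_2 while we already started a SPTPS session!
May 09 09:25:44 node-1 tincd[14195]: Got REQ_KEY from node_2 while we already started a SPTPS session!`

// PeerStats counts the three SPTPS symptoms per remote node name.
type PeerStats struct {
	ReqKeyWhileStarted  int // peer asked for a key while we think a session is already in progress
	InvalidSeqno        int // packet from the peer carried a sequence number we did not expect
	HandshakeUnfinished int // something from the peer arrived while its handshake was still in progress
}

// symptoms pairs each message pattern (capture group 1 is the peer name) with its counter.
var symptoms = []struct {
	re    *regexp.Regexp
	count func(*PeerStats)
}{
	{regexp.MustCompile(`Got REQ_KEY from (\S+) while we already started a SPTPS session!`), func(s *PeerStats) { s.ReqKeyWhileStarted++ }},
	{regexp.MustCompile(`Invalid packet seqno: \d+ != \d+ from (\S+) \(`), func(s *PeerStats) { s.InvalidSeqno++ }},
	{regexp.MustCompile(`Handshake phase not finished yet from (\S+) \(`), func(s *PeerStats) { s.HandshakeUnfinished++ }},
}

// Triage scans syslog text line by line and aggregates matching tinc messages by peer.
func Triage(log string) map[string]*PeerStats {
	stats := make(map[string]*PeerStats)
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if !strings.Contains(line, "tinc") { // cheap filter: only tincd / tinc.<net> lines
			continue
		}
		for _, s := range symptoms {
			if m := s.re.FindStringSubmatch(line); m != nil {
				peer := m[1]
				if stats[peer] == nil {
					stats[peer] = &PeerStats{}
				}
				s.count(stats[peer])
				break
			}
		}
	}
	return stats
}

// StuckPeers returns, sorted for stable output, the peers whose REQ_KEY-while-started
// count reached threshold: these are the nodes whose view of the session state keeps
// disagreeing with ours, so they are the ones to look at first.
func StuckPeers(stats map[string]*PeerStats, threshold int) []string {
	var peers []string
	for name, s := range stats {
		if s.ReqKeyWhileStarted >= threshold {
			peers = append(peers, name)
		}
	}
	sort.Strings(peers)
	return peers
}
```

Feed it the output of journalctl or the syslog file for the tinc unit; on the constructed sample, node_2 is flagged at a threshold of 2 (two REQ_KEY messages plus two seqno mismatches from the same address), while node_3 shows a single REQ_KEY followed by an unfinished handshake.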
2015 Dec 02
5
[PATCH] Receive multiple packets at a time
...up_node_udp(&addr); - - if(!n) { - // It might be from a 1.1 node, which might have a source ID in the packet. - pkt.offset = 2 * sizeof(node_id_t); - from = lookup_node_id(SRCID(&pkt)); - if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) { - if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t))) - n = from; - else - goto skip_harder; +#ifndef HAVE_RECVMMSG + pkt[0].len = len; +#endif + + for (i = 0; i < num; i++) + { +#ifdef HAVE_RECVMMSG + pkt[i].len = msg[i].msg_len; + if(p...
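Review bot: the removed `if(!n)` fallback is what looked up a 1.1 sender by the source ID in the packet and ran `sptps_verify_datagram(&from->sptps, DATA(&pkt), ...)` before accepting `n = from`; the visible `+` lines only set `pkt[i].len` from `msg[i].msg_len` inside the new `for (i = 0; i < num; i++)` loop, and the hunk is cut off there, so please confirm that the per-packet source-ID lookup and `sptps_verify_datagram` check reappear inside that loop, otherwise packets that `lookup_node_udp(&addr)` cannot match are attributed to a node without being verified. The `#ifndef HAVE_RECVMMSG` branch sets only `pkt[0].len = len`, which is correct only if `num` is guaranteed to be 1 on that path; a comment or an assertion would make that visible. Style: the surrounding code writes `if(!n) {` with the brace on the same line, while the new loop puts `{` on its own line after `for (i = 0; i < num; i++)`.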