From 229de91a3ae35cf0b088fc6064494cb8a9ab3a4b Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Tue, 12 Mar 2019 15:01:27 +0000 Subject: [PATCH 01/18] Fix AllowedEncryptionPublicKeys so that it works in incoming connections and not outgoing ones --- src/yggdrasil/link.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yggdrasil/link.go b/src/yggdrasil/link.go index 9c9223b..10c7e0b 100644 --- a/src/yggdrasil/link.go +++ b/src/yggdrasil/link.go @@ -175,7 +175,7 @@ func (intf *linkInterface) handler() error { return errors.New("failed to connect: wrong version") } // Check if we're authorized to connect to this key / IP - if !intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) { + if intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) { intf.link.core.log.Warnf("%s connection to %s forbidden: AllowedEncryptionPublicKeys does not contain key %s", strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.box[:])) intf.msgIO.close() From c388885a922cea4f0e5e8a6f46c314c6c0cc0e9e Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Tue, 12 Mar 2019 15:29:42 +0000 Subject: [PATCH 02/18] Update config comments for AllowedEncryptionPublicKeys --- src/config/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/config/config.go b/src/config/config.go index 270ce96..eed6bb7 100644 --- a/src/config/config.go +++ b/src/config/config.go 
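Review bot: The comment kept above the new condition, `// Check if we're authorized to connect to this key / IP`, now describes the opposite direction: with `intf.incoming &&` the check gates whether the remote key is allowed to peer with us, and it is skipped entirely when `intf.force` is set. Suggest `// Incoming links only: reject the remote unless its box key is in AllowedEncryptionPublicKeys (skipped when intf.force is set)` so the next reader does not have to re-derive which side is being authorised. The body of `handler()` begins and ends outside the hunk.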
@@ -16,7 +16,7 @@ type NodeConfig struct { AdminListen string `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."` Peers []string `comment:"List of connection strings for static peers in URI format, e.g.\ntcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j."` InterfacePeers map[string][]string `comment:"List of connection strings for static peers in URI format, arranged\nby source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }. Note that\nSOCKS peerings will NOT be affected by this option and should go in\nthe \"Peers\" section instead."` - AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow or incoming TCP\nconnections from. If left empty/undefined then all connections\nwill be allowed by default."` + AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings."` EncryptionPublicKey string `comment:"Your public encryption key. Your peers may ask you for this to put\ninto their AllowedEncryptionPublicKeys configuration."` EncryptionPrivateKey string `comment:"Your private encryption key. DO NOT share this with anyone!"` SigningPublicKey string `comment:"Your public signing key. You should not ordinarily need to share\nthis with anyone."` From dc3a05f13ab2ea084a6453b0b11915a5458e2ec5 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Tue, 12 Mar 2019 16:03:02 +0000 Subject: [PATCH 03/18] Correctly classify link-local addresses in the TCP handler, fix AllowedPublicEncryptionKeys warning --- src/yggdrasil/link.go | 2 +- src/yggdrasil/tcp.go | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) 
diff --git a/src/yggdrasil/link.go b/src/yggdrasil/link.go index 10c7e0b..bfec714 100644 --- a/src/yggdrasil/link.go +++ b/src/yggdrasil/link.go @@ -176,7 +176,7 @@ func (intf *linkInterface) handler() error { } // Check if we're authorized to connect to this key / IP if intf.incoming && !intf.force && !intf.link.core.peers.isAllowedEncryptionPublicKey(&meta.box) { - intf.link.core.log.Warnf("%s connection to %s forbidden: AllowedEncryptionPublicKeys does not contain key %s", + intf.link.core.log.Warnf("%s connection from %s forbidden: AllowedEncryptionPublicKeys does not contain key %s", strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.box[:])) intf.msgIO.close() return nil diff --git a/src/yggdrasil/tcp.go b/src/yggdrasil/tcp.go index 8b91457..8acf9c1 100644 --- a/src/yggdrasil/tcp.go +++ b/src/yggdrasil/tcp.go @@ -19,6 +19,7 @@ import ( "fmt" "math/rand" "net" + "strings" "sync" "time" @@ -332,7 +333,7 @@ func (t *tcp) handler(sock net.Conn, incoming bool, options interface{}) { stream.init(sock) local, _, _ := net.SplitHostPort(sock.LocalAddr().String()) remote, _, _ := net.SplitHostPort(sock.RemoteAddr().String()) - remotelinklocal := net.ParseIP(remote).IsLinkLocalUnicast() + force := net.ParseIP(strings.Split(remote, "%")[0]).IsLinkLocalUnicast() var name string var proto string if socksaddr, issocks := options.(string); issocks { @@ -342,7 +343,7 @@ func (t *tcp) handler(sock net.Conn, incoming bool, options interface{}) { name = "tcp://" + sock.RemoteAddr().String() proto = "tcp" } - link, err := t.link.core.link.create(&stream, name, proto, local, remote, incoming, remotelinklocal) + link, err := t.link.core.link.create(&stream, name, proto, local, remote, incoming, force) if err != nil { t.link.core.log.Println(err) panic(err) From 830be7f4db5de9836dbd2a49fdefae5aa0cec7ff Mon Sep 17 00:00:00 2001 
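Review bot: `force := net.ParseIP(strings.Split(remote, "%")[0]).IsLinkLocalUnicast()` makes the AllowedEncryptionPublicKeys check in link.go (where `intf.force` short-circuits it) depend only on the peer's source address, so any host on the same link that reaches a listener over a link-local address is exempt from the allowlist, not just peers discovered via multicast as the config comment added in patch 04 states. If the exemption is intended for multicast-discovered peers, deriving it from which listener accepted the socket (for example passed through `options`) would be a narrower and more auditable rule than inferring it from an address every on-link host possesses. The name `force` also hides what it decides; `linkLocal := ...` with `// link-local remotes bypass AllowedEncryptionPublicKeys in linkInterface.handler` would make the security consequence visible at the point it is computed. The body of `tcp.handler` continues outside the hunk.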
From: Neil Alexander Date: Tue, 12 Mar 2019 16:06:12 +0000 Subject: [PATCH 04/18] Update comments again --- src/config/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/config/config.go b/src/config/config.go index eed6bb7..4f97a2b 100644 --- a/src/config/config.go +++ b/src/config/config.go 
@@ -16,7 +16,7 @@ type NodeConfig struct { AdminListen string `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."` Peers []string `comment:"List of connection strings for static peers in URI format, e.g.\ntcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j."` InterfacePeers map[string][]string `comment:"List of connection strings for static peers in URI format, arranged\nby source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }. Note that\nSOCKS peerings will NOT be affected by this option and should go in\nthe \"Peers\" section instead."` - AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings."` + AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings, nor\ndoes it affect link-local peers discovered via multicast."` EncryptionPublicKey string `comment:"Your public encryption key. Your peers may ask you for this to put\ninto their AllowedEncryptionPublicKeys configuration."` EncryptionPrivateKey string `comment:"Your private encryption key. DO NOT share this with anyone!"` SigningPublicKey string `comment:"Your public signing key. You should not ordinarily need to share\nthis with anyone."` From 4062c93e18129b8f51ea86602b7d90c4b86e509c Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Tue, 12 Mar 2019 19:04:30 +0000 Subject: [PATCH 05/18] Re-order config, update default Listen --- src/config/config.go | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) 
diff --git a/src/config/config.go b/src/config/config.go index 4f97a2b..6ee1013 100644 --- a/src/config/config.go +++ b/src/config/config.go @@ -2,9 +2,6 @@ package config import ( "encoding/hex" - "fmt" - "math/rand" - "time" "github.com/yggdrasil-network/yggdrasil-go/src/crypto" "github.com/yggdrasil-network/yggdrasil-go/src/defaults" 
@@ -12,16 +9,16 @@ import ( // NodeConfig defines all configuration values needed to run a signle yggdrasil node type NodeConfig struct { - Listen []string `comment:"Listen addresses for peer connections. Default is to listen for all\nTCP connections over IPv4 and IPv6 with a random port."` + Peers []string `comment:"List of connection strings for outbound peer connections in URI format,\ne.g. tcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j. These connections\nwill obey the operating system routing table, therefore you should\nuse this section when you may connect via different interfaces."` + InterfacePeers map[string][]string `comment:"List of connection strings for outbound peer connections in URI format,\narranged by source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }.\nNote that SOCKS peerings will NOT be affected by this option and should\ngo in the \"Peers\" section instead."` + Listen []string `comment:"Listen addresses for incoming connections. You will need to add\nlisteners in order to accept incoming peerings from non-local nodes.\nMulticast peer discovery will work regardless of any listeners set\nhere. Each listener should be specified in URI format as above, e.g.\ntcp://0.0.0.0:0 or tcp://[::]:0 to listen on all interfaces."` AdminListen string `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."` - Peers []string `comment:"List of connection strings for static peers in URI format, e.g.\ntcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j."` - InterfacePeers map[string][]string `comment:"List of connection strings for static peers in URI format, arranged\nby source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }. 
Note that\nSOCKS peerings will NOT be affected by this option and should go in\nthe \"Peers\" section instead."` + MulticastInterfaces []string `comment:"Regular expressions for which interfaces multicast peer discovery\nshould be enabled on. If none specified, multicast peer discovery is\ndisabled. The default value is .* which uses all interfaces."` AllowedEncryptionPublicKeys []string `comment:"List of peer encryption public keys to allow incoming TCP peering\nconnections from. If left empty/undefined then all connections will\nbe allowed by default. This does not affect outgoing peerings, nor\ndoes it affect link-local peers discovered via multicast."` EncryptionPublicKey string `comment:"Your public encryption key. Your peers may ask you for this to put\ninto their AllowedEncryptionPublicKeys configuration."` EncryptionPrivateKey string `comment:"Your private encryption key. DO NOT share this with anyone!"` SigningPublicKey string `comment:"Your public signing key. You should not ordinarily need to share\nthis with anyone."` SigningPrivateKey string `comment:"Your private signing key. DO NOT share this with anyone!"` - MulticastInterfaces []string `comment:"Regular expressions for which interfaces multicast peer discovery\nshould be enabled on. If none specified, multicast peer discovery is\ndisabled. The default value is .* which uses all interfaces."` LinkLocalTCPPort uint16 `comment:"The port number to be used for the link-local TCP listeners for the\nconfigured MulticastInterfaces. This option does not affect listeners\nspecified in the Listen option. Unless you plan to firewall link-local\ntraffic, it is best to leave this as the default value of 0. 
This\noption cannot currently be changed by reloading config during runtime."` IfName string `comment:"Local network interface name for TUN/TAP adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN/TAP."` IfTAPMode bool `comment:"Set local network interface to TAP mode rather than TUN mode if\nsupported by your platform - option will be ignored if not."` @@ -70,12 +67,7 @@ func GenerateConfig(isAutoconf bool) *NodeConfig { spub, spriv := crypto.NewSigKeys() // Create a node configuration and populate it. cfg := NodeConfig{} - if isAutoconf { - cfg.Listen = []string{"tcp://[::]:0"} - } else { - r1 := rand.New(rand.NewSource(time.Now().UnixNano())) - cfg.Listen = []string{fmt.Sprintf("tcp://[::]:%d", r1.Intn(65534-32768)+32768)} - } + cfg.Listen = []string{} cfg.AdminListen = defaults.GetDefaults().DefaultAdminListen cfg.EncryptionPublicKey = hex.EncodeToString(bpub[:]) cfg.EncryptionPrivateKey = hex.EncodeToString(bpriv[:]) @@ -91,6 +83,7 @@ func GenerateConfig(isAutoconf bool) *NodeConfig { cfg.SessionFirewall.Enable = false cfg.SessionFirewall.AllowFromDirect = true cfg.SessionFirewall.AllowFromRemote = true + cfg.SessionFirewall.AlwaysAllowOutbound = true cfg.SwitchOptions.MaxTotalQueueSize = 4 * 1024 * 1024 cfg.NodeInfoPrivacy = false From 41872820c38574fbc3fd6be3265e43ce49fb0333 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Tue, 12 Mar 2019 19:18:43 +0000 Subject: [PATCH 06/18] Remove isAutoconf option to GenerateConfig --- cmd/yggdrasil/main.go | 6 +++--- src/config/config.go | 2 +- src/yggdrasil/mobile.go | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/cmd/yggdrasil/main.go b/cmd/yggdrasil/main.go index e0c764e..8c8340f 100644 --- a/cmd/yggdrasil/main.go +++ b/cmd/yggdrasil/main.go 
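Review bot: `cfg.SessionFirewall.AlwaysAllowOutbound = true` changes a firewall default that neither the commit message ("Re-order config, update default Listen") nor the 0.3.5 changelog entry in patch 08 mentions, and presumably only takes effect once `SessionFirewall.Enable` (set to `false` a few lines above) is turned on. A one-line comment stating why sessions this node initiates are allowed unconditionally by default, e.g. `// Sessions we initiate are allowed even when the session firewall is enabled`, plus a changelog line, would make the change of default auditable. `GenerateConfig` continues outside the hunk.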
@@ -62,7 +62,7 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *nodeCo // then parse the configuration we loaded above on top of it. The effect // of this is that any configuration item that is missing from the provided // configuration will use a sane default. - cfg := config.GenerateConfig(false) + cfg := config.GenerateConfig() var dat map[string]interface{} if err := hjson.Unmarshal(conf, &dat); err != nil { panic(err) @@ -154,7 +154,7 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *nodeCo // Generates a new configuration and returns it in HJSON format. This is used // with -genconf. func doGenconf(isjson bool) string { - cfg := config.GenerateConfig(false) + cfg := config.GenerateConfig() var bs []byte var err error if isjson { @@ -191,7 +191,7 @@ func main() { case *autoconf: // Use an autoconf-generated config, this will give us random keys and // port numbers, and will use an automatically selected TUN/TAP interface. - cfg = config.GenerateConfig(true) + cfg = config.GenerateConfig() case *useconffile != "" || *useconf: // Read the configuration from either stdin or from the filesystem cfg = readConfig(useconf, useconffile, normaliseconf) diff --git a/src/config/config.go b/src/config/config.go index 6ee1013..a900758 100644 --- a/src/config/config.go +++ b/src/config/config.go @@ -61,7 +61,7 @@ type SwitchOptions struct { // or whether to generate a random port number. The only side effect of setting // isAutoconf is that the TCP and UDP ports will likely end up with different // port numbers. -func GenerateConfig(isAutoconf bool) *NodeConfig { +func GenerateConfig() *NodeConfig { // Generate encryption keys. bpub, bpriv := crypto.NewBoxKeys() spub, spriv := crypto.NewSigKeys() diff --git a/src/yggdrasil/mobile.go b/src/yggdrasil/mobile.go index 76fbe54..81aa47f 100644 --- a/src/yggdrasil/mobile.go +++ b/src/yggdrasil/mobile.go 
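Review bot: The doc comment shown as context above `func GenerateConfig() *NodeConfig {` — `// or whether to generate a random port number. The only side effect of setting`, `// isAutoconf is that the TCP and UDP ports will likely end up with different`, `// port numbers.` — still documents the parameter this hunk removes and the random listen port that patch 05 replaced with `cfg.Listen = []string{}`. The `*autoconf` case in main.go has the same problem: its comment still promises "random keys and port numbers" although no listener port is chosen any more. Suggest rewriting the GenerateConfig comment to say it returns a configuration with freshly generated keys, the platform default admin listener and no Listen entries, and trimming the main.go comment to "random keys". The start of the GenerateConfig comment lies outside the hunk.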
@@ -45,7 +45,7 @@ func (c *Core) addStaticPeers(cfg *config.NodeConfig) { func (c *Core) StartAutoconfigure() error { mobilelog := MobileLogger{} logger := log.New(mobilelog, "", 0) - nc := config.GenerateConfig(true) + nc := config.GenerateConfig() nc.IfName = "dummy" nc.AdminListen = "tcp://localhost:9001" nc.Peers = []string{} @@ -64,7 +64,7 @@ func (c *Core) StartAutoconfigure() error { func (c *Core) StartJSON(configjson []byte) error { mobilelog := MobileLogger{} logger := log.New(mobilelog, "", 0) - nc := config.GenerateConfig(false) + nc := config.GenerateConfig() var dat map[string]interface{} if err := hjson.Unmarshal(configjson, &dat); err != nil { return err @@ -82,7 +82,7 @@ func (c *Core) StartJSON(configjson []byte) error { // Generates mobile-friendly configuration in JSON format. func GenerateConfigJSON() []byte { - nc := config.GenerateConfig(false) + nc := config.GenerateConfig() nc.IfName = "dummy" if json, err := json.Marshal(nc); err == nil { return json From 5bacfabae7061abf3e0a4e7dc6f7628d6c2f378d Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 17:43:33 +0000 Subject: [PATCH 07/18] Handle cases where link-local addresses may disappear or change --- src/yggdrasil/multicast.go | 39 +++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/src/yggdrasil/multicast.go b/src/yggdrasil/multicast.go index dacad27..ca3a1f7 100644 --- a/src/yggdrasil/multicast.go +++ b/src/yggdrasil/multicast.go 
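Review bot: In `GenerateConfigJSON`, `if json, err := json.Marshal(nc); err == nil { return json` shadows the imported `encoding/json` package with the result variable, which works here only because nothing else in the block needs the package afterwards. A neutral name keeps the package usable and reads more clearly: `if bs, err := json.Marshal(nc); err == nil { return bs }`. This is pre-existing style rather than something the hunk introduces; the remainder of the function, including what happens on a marshal error, is outside the hunk.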
@@ -122,11 +122,48 @@ func (m *multicast) announce() { // There might be interfaces that we configured listeners for but are no // longer up - if that's the case then we should stop the listeners for name, listener := range m.listeners { - if _, ok := interfaces[name]; !ok { + // Prepare our stop function! + stop := func() { listener.stop <- true delete(m.listeners, name) m.core.log.Debugln("No longer multicasting on", name) } + // If the interface is no longer visible on the system then stop the + // listener, as another one will be started further down + if _, ok := interfaces[name]; !ok { + stop() + continue + } + // It's possible that the link-local listener address has changed so if + // that is the case then we should clean up the interface listener + found := false + listenaddr, err := net.ResolveTCPAddr("tcp6", listener.listener.Addr().String()) + if err != nil { + stop() + continue + } + // Find the interface that matches the listener + if intf, err := net.InterfaceByName(name); err == nil { + if addrs, err := intf.Addrs(); err == nil { + // Loop through the addresses attached to that listener and see if any + // of them match the current address of the listener + for _, addr := range addrs { + if ip, _, err := net.ParseCIDR(addr.String()); err == nil { + // Does the interface address match our listener address? + if ip.Equal(listenaddr.IP) { + found = true + break + } + } + } + } + } + // If the address has not been found on the adapter then we should stop + // and clean up the TCP listener. A new one will be created below if a + // suitable link-local address is found + if !found { + stop() + } } // Now that we have a list of valid interfaces from the operating system, // we can start checking if we can send multicasts on them From d0aeffb5f444707c7feb2dfa7684c08e071e707a Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 18:05:59 +0000 Subject: [PATCH 08/18] Update CHANGELOG.md --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) 
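Review bot: `listenaddr, err := net.ResolveTCPAddr("tcp6", listener.listener.Addr().String())` round-trips an address the listener already holds as a `net.Addr` through string formatting and the resolver; a type assertion avoids both the parse and the extra failure path: `listenaddr, ok := listener.listener.Addr().(*net.TCPAddr)` followed by `if !ok { stop(); continue }`. The `stop` closure captures the range variables `name` and `listener`, which is correct only because it is invoked synchronously within the same iteration (these variables are shared across iterations before Go 1.22), so a comment such as `// stop captures the loop variables; it must only be called within this iteration` would protect against someone later deferring it or running it in a goroutine. The comment `// Loop through the addresses attached to that listener` should say "attached to that interface". If a listener were bound to an unspecified address rather than a specific link-local address, `ip.Equal(listenaddr.IP)` would never match and the listener would be stopped on every pass; that depends on how listeners are created, which is outside this hunk, as is the rest of `announce`.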
diff --git a/CHANGELOG.md b/CHANGELOG.md index 76a5d2d..5894598 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. - in case of vulnerabilities. --> +## [0.3.5] - 2019-03-13 +### Fixed +- The `AllowedEncryptionPublicKeys` option has now been fixed to handle incoming connections properly and no longer blocks outgoing connections (this was broken in v0.3.4) +- Multicast TCP listeners will now be stopped correctly when the link-local address on the interface changes or disappears altogether + ## [0.3.4] - 2019-03-12 ### Added - Support for multiple listeners (although currently only TCP listeners are supported) From d4437afa34cfe61286b82e910966fd8c66ca1bbd Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 18:27:20 +0000 Subject: [PATCH 09/18] Update CircleCI to 2.1 --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 2255716..8c1988c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,7 +1,7 @@ # Golang CircleCI 2.0 configuration file # # Check https://circleci.com/docs/2.0/language-go/ for more details -version: 2 +version: 2.1 jobs: build-linux: docker: From d6111911d465d8a29f3280a89da767a5443bf2d3 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 18:36:28 +0000 Subject: [PATCH 10/18] Update CircleCI again --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 8c1988c..9f51d3c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -178,8 +178,8 @@ jobs: destination: / workflows: - version: 2 - build-all: + version: 2.1 + build: jobs: - build-linux - build-macos From 9f16fc47b3c5493d6d02d45b8b75cbdc59a34ffc Mon Sep 17 00:00:00 2001 
From: Neil Alexander Date: Wed, 13 Mar 2019 18:41:47 +0000 Subject: [PATCH 11/18] Update CircleCI again --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9f51d3c..d02e84e 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,7 +5,7 @@ version: 2.1 jobs: build-linux: docker: - - image: circleci/golang:1.11 + - image: circleci/golang:1.12 steps: - checkout From 8ddadce699ff61561d3b1de88be4236aa21f6af6 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 18:47:03 +0000 Subject: [PATCH 12/18] Update CircleCI to use Go 1.12 on macOS --- .circleci/config.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index d02e84e..f29bfe0 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -79,11 +79,11 @@ jobs: echo -e "Host *\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config - run: - name: Install Go 1.11 + name: Install Go 1.12 command: | cd /tmp - curl -LO https://dl.google.com/go/go1.11.5.darwin-amd64.pkg - sudo installer -pkg /tmp/go1.11.5.darwin-amd64.pkg -target / + curl -LO https://dl.google.com/go/go1.12.darwin-amd64.pkg + sudo installer -pkg /tmp/go1.12.darwin-amd64.pkg -target / - run: name: Install Gomobile From 14afb8881e744f4cbf65fac01c0ebb1dcbdadfd8 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 18:51:00 +0000 Subject: [PATCH 13/18] Update CircleCI to use Go 1.12 on other --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index f29bfe0..5b32c2f 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -119,7 +119,7 @@ jobs: build-other: docker: - - image: circleci/golang:1.11 + - image: circleci/golang:1.12 steps: - checkout From 9019ccc118a2805762e4d42060750ebc6436d7e7 Mon Sep 17 00:00:00 2001 
From: Neil Alexander Date: Wed, 13 Mar 2019 19:09:09 +0000 Subject: [PATCH 14/18] Don't install gomobile for now --- .circleci/config.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 5b32c2f..99088d1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -85,11 +85,11 @@ jobs: curl -LO https://dl.google.com/go/go1.12.darwin-amd64.pkg sudo installer -pkg /tmp/go1.12.darwin-amd64.pkg -target / - - run: - name: Install Gomobile - command: | - GO111MODULE=off go get golang.org/x/mobile/cmd/gomobile - gomobile init + #- run: + # name: Install Gomobile + # command: | + # GO111MODULE=off go get golang.org/x/mobile/cmd/gomobile + # gomobile init - run: name: Build for macOS From 09c92698dffa5d54e61702acd7191efccafbd517 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 20:06:02 +0000 Subject: [PATCH 15/18] Update README.md --- .gitmodules | 3 + README.md | 215 +++++++++++++++----------------- doc/yggdrasil-network.github.io | 1 + 3 files changed, 103 insertions(+), 116 deletions(-) create mode 100644 .gitmodules create mode 160000 doc/yggdrasil-network.github.io diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..e4e8b52 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "doc/yggdrasil-network.github.io"] + path = doc/yggdrasil-network.github.io + url = https://github.com/yggdrasil-network/yggdrasil-network.github.io/ diff --git a/README.md b/README.md index 11a4cbe..a9a9d96 100644 --- a/README.md +++ b/README.md 
@@ -3,149 +3,132 @@ [![CircleCI](https://circleci.com/gh/yggdrasil-network/yggdrasil-go.svg?style=shield&circle-token=:circle-token )](https://circleci.com/gh/yggdrasil-network/yggdrasil-go) -## What is it? +## Introduction -This is a toy implementation of an encrypted IPv6 network, with many good ideas stolen from [cjdns](https://github.com/cjdelisle/cjdns), which was written to test a particular routing scheme that was cobbled together one random afternoon. -It's notably not a shortest path routing scheme, with the goal of scalable name-independent routing on dynamic networks with an internet-like topology. -It's named Yggdrasil after the world tree from Norse mythology, because that seemed like the obvious name given how it works. -More information is available at . +Yggdrasil is an early-stage implementation of a fully end-to-end encrypted IPv6 +network. It is lightweight, self-arranging, supported on multiple platforms and +allows pretty much any IPv6-capable application to communicate securely with +other Yggdrasil nodes. Yggdrasil does not require you to have IPv6 Internet +connectivity - it also works over IPv4. -This is a toy / proof-of-principle, and considered alpha quality by the developers. It's not expected to be feature complete, and future updates may not be backwards compatible, though it should warn you if it sees a connection attempt with a node running a newer version. -You're encouraged to play with it, but it is strongly advised not to use it for anything mission critical. +Although Yggdrasil shares many similarities with +[cjdns](https://github.com/cjdelisle/cjdns), it employs a different routing +algorithm based on a globally-agreed spanning tree and greedy routing in a +metric space, and aims to implement some novel local backpressure routing +techniques. In theory, Yggdrasil should scale well on networks with +internet-like topologies. 
+ +## Supported Platforms + +We actively support the following platforms, and packages are available for +some of the below: + +- Linux + - `.deb` and `.rpm` packages are built by CI for Debian and Red Hat-based + distributions + - Void and Arch packages also available within their respective repositories +- macOS + - `.pkg` packages are built by CI +- Ubiquiti EdgeOS + - `.deb` Vyatta packages are built by CI +- Windows +- FreeBSD +- OpenBSD +- NetBSD + +Please see our [Platforms](https://yggdrasil-network.github.io/) pages for more +specific information about each of our supported platforms, including +installation steps and caveats. ## Building -1. Install Go (requires 1.11 or later, [godeb](https://github.com/niemeyer/godeb) is recommended for Debian-based Linux distributions). -2. Clone this repository. -2. `./build` +If you want to build from source, as opposed to installing one of the pre-built +packages: -Note that you can cross-compile for other platforms and architectures by specifying the `$GOOS` and `$GOARCH` environment variables, for example, `GOOS=windows ./build` or `GOOS=linux GOARCH=mipsle ./build`. +1. Install [Go](https://golang.org) (requires Go 1.11 or later) +2. Clone this repository +2. Run `./build` -The build script sets its own `$GOPATH`, so the build environment is self-contained. +Note that you can cross-compile for other platforms and architectures by +specifying the `GOOS` and `GOARCH` environment variables, e.g. `GOOS=windows +./build` or `GOOS=linux GOARCH=mipsle ./build`. ## Running -To run the program, you'll need permission to create a `tun` device and configure it using `ip`. -If you don't want to mess with capabilities for the `tun` device, then using `sudo` should work, with the usual security caveats about running a program as root. +To generate static configuration, either generate a HJSON file (human-friendly, +complete with comments): -To run with default settings: - -1. 
`./yggdrasil --autoconf` - -That will generate a new set of keys (and an IP address) each time the program is run. -The program will bind to all addresses on a random port and listen for incoming connections. -It will send announcements over IPv6 link-local multicast, and it will attempt to start a connection if it hears an announcement from another device. - -In practice, you probably want to run this instead: - -1. `./yggdrasil --genconf > conf.json` -2. `./yggdrasil --useconf < conf.json` - -This keeps a persistent set of keys (and by extension, IP address) and gives you the option of editing the configuration file. -If you want to use it as an overlay network on top of e.g. the internet, then you can do so by adding the remote devices domain/address and port (as a string, e.g. `"1.2.3.4:5678"`) to the list of `Peers` in the configuration file. -By default, it peers over TCP (which can be forced with `"tcp://1.2.3.4:5678"` syntax), but it's also possible to connect over a socks proxy (`"socks://socksHost:socksPort/1.2.3.4:5678"`). -The socks proxy approach is useful for e.g. [peering over tor hidden services](https://github.com/yggdrasil-network/public-peers/blob/master/other/tor.md). -UDP support was removed as part of v0.2, and may be replaced by a better implementation at a later date. - -### Platforms - -#### Linux - -- Should work out of the box on most Linux distributions with `iproute2` installed. -- systemd service scripts are included in the `contrib/systemd/` folder so that it runs automatically in the background (using `/etc/yggdrasil.conf` for configuration), copy the service files into `/etc/systemd/system`, copy `yggdrasil` into your `$PATH`, i.e. `/usr/bin`, and then enable the service: ``` -systemctl enable yggdrasil -systemctl start yggdrasil -``` -- Once installed as a systemd service, you can read the `yggdrasil` output: -``` -systemctl status yggdrasil -journalctl -u yggdrasil +./yggdrasil -genconf /path/to/yggdrasil.conf ``` -#### macOS +... 
or generate a plain JSON file (which is easy to manipulate +programmatically): -- Tested and working out of the box on macOS 10.13 High Sierra. -- May work in theory on any macOS version with `utun` support (which was added in macOS 10.7 Lion), although this is untested at present. -- TAP mode is not supported on macOS. - -#### FreeBSD, NetBSD - -- Works in TAP mode, but currently doesn't work in TUN mode. -- You may need to create the TAP adapter first if it doesn't already exist, i.e. `ifconfig tap0 create`. - -#### OpenBSD - -- Works in TAP mode, but currently doesn't work in TUN mode. -- You may need to create the TAP adapter first if it doesn't already exist, i.e. `ifconfig tap0 create`. -- OpenBSD is not capable of listening on both IPv4 and IPv6 at the same time on the same socket (unlike FreeBSD and NetBSD). This affects the `Listen` and `AdminListen` configuration options. You will need to set `Listen` and `AdminListen` to use either an IPv4 or an IPv6 address. -- You may consider using [relayd](https://man.openbsd.org/relayd.8) to allow incoming Yggdrasil connections on both IPv4 and IPv6 simultaneously. - -#### Windows - -- Tested and working on Windows 7 and Windows 10, and should work on any recent versions of Windows, but it depends on the [OpenVPN TAP driver](https://openvpn.net/index.php/open-source/downloads.html) being installed first. -- Has been proven to work with both the [NDIS 5](https://swupdate.openvpn.org/community/releases/tap-windows-9.9.2_3.exe) (`tap-windows-9.9.2_3`) driver and the [NDIS 6](https://swupdate.openvpn.org/community/releases/tap-windows-9.21.2.exe) (`tap-windows-9.21.2`) driver, however there are substantial performance issues with the NDIS 6 driver therefore it is recommended to use the NDIS 5 driver instead. -- Be aware that connectivity issues can occur on Windows if multiple IPv6 addresses from the `200::/7` prefix are assigned to the TAP interface. 
If this happens, then you may need to manually remove the old/unused addresses from the interface (though the code has a workaround in place to do this automatically in some cases). -- TUN mode is not supported on Windows. -- Yggdrasil can be installed as a Windows service so that it runs automatically in the background. From an Administrator Command Prompt: ``` -sc create yggdrasil binpath= "\"C:\path\to\yggdrasil.exe\" -useconffile \"C:\path\to\yggdrasil.conf\"" -sc config yggdrasil displayname= "Yggdrasil Service" -sc config yggdrasil start= "auto" -sc start yggdrasil -``` -- Alternatively, if you want the service to autoconfigure instead of using an `yggdrasil.conf`, replace the `sc create` line from above with: -``` -sc create yggdrasil binpath= "\"C:\path\to\yggdrasil.exe\" -autoconf" +./yggdrasil -genconf /path/to/yggdrasil.conf -json ``` -#### EdgeRouter +You will need to edit the `yggdrasil.conf` file to add or remove peers, modify +other configuration such as listen addresses or multicast addresses, etc. -- Tested and working on the EdgeRouter X, using the [vyatta-yggdrasil](https://github.com/neilalexander/vyatta-yggdrasil) wrapper package. - -## Optional: advertise a prefix locally - -Suppose a node has generated the address: `200:1111:2222:3333:4444:5555:6666:7777` - -Then the node may also use addresses from the prefix: `300:1111:2222:3333::/64` (note the `200` changed to `300`, a separate `/8` is used for prefixes, but the rest of the first 64 bits are the same). - -To advertise this prefix and a route to `200::/7`, the following seems to work on the developers' networks: - -1. Enable IPv6 forwarding (e.g. `sysctl -w net.ipv6.conf.all.forwarding=1` or add it to sysctl.conf). - -2. `ip addr add 300:1111:2222:3333::1/64 dev eth0` or similar, to assign an address for the router to use in that prefix, where the LAN is reachable through `eth0`. - -3. 
Install/run `radvd` with something like the following in `/etc/radvd.conf`: +To run with the generated static configuration: ``` -interface eth0 -{ - AdvSendAdvert on; - prefix 300:1111:2222:3333::/64 { - AdvOnLink on; - AdvAutonomous on; - }; - route 200::/7 {}; -}; +./yggdrasil -useconffile /path/to/yggdrasil.conf ``` -This is enough to give unsupported devices on the LAN access to the yggdrasil network. See the [configuration](https://yggdrasil-network.github.io/configuration.html) page for more info. +To run in auto-configuration mode (which will use sane defaults and random keys +at each startup, instead of using a static configuration file): -## How does it work? +``` +./yggdrasil --autoconf +``` -I'd rather not try to explain in the readme, but it is described further on the [about](https://yggdrasil-network.github.io/about.html) page, so you can check there if you're interested. -Be warned that it's still not a very good explanation, but it at least gives a high-level overview and links to some relevant work by other people. +You will likely need to run Yggdrasil as a privileged user or under `sudo`, +unless you have permission to create TUN/TAP adapters. On Linux this can be done +by giving the Yggdrasil binary the `CAP_NET_ADMIN` capability. -## Obligatory performance propaganda +## Documentation -A [simplified model](misc/sim/treesim-forward.py) of this routing scheme has been tested in simulation on the 9204-node [skitter](https://www.caida.org/tools/measurement/skitter/) network topology dataset from [caida](https://www.caida.org/), and compared with results in [arxiv:0708.2309](https://arxiv.org/abs/0708.2309). -Using the routing scheme as implemented in this code, the average multiplicative stretch is observed to be about 1.08, with an average routing table size of 6 for a name-dependent scheme, and approximately 30 additional (but smaller) entries needed for the name-independent routing table. 
-The number of name-dependent routing table entries needed is proportional to node degree, so that 6 is the mean of a distribution with a long tail, but this may be an acceptable tradeoff(it's at least worth trying, hence this code). -The size of name-dependent routing table entries is relatively large, due to cryptographic signatures associated with routing table updates, but in the absence of cryptographic overhead, each entry should otherwise be comparable in size to the BC routing scheme described in the above paper. -A modified version of this scheme, with the same resource requirements, achieves a multiplicative stretch of 1.02, which drops to 1.01 if source routing is used. -Both of these optimizations are not present in the current implementation, as the former depends on network state information that appears difficult to cryptographically secure, and the latter optimization is both tedious to implement and would make debugging other aspects of the implementation more difficult. +Documentation is available on our [`GitHub +Pages`](https://yggdrasil-network.github.io) site, or in the base submodule +repository within `doc/yggdrasil-network.github.io`. + +- [Configuration file options](https://yggdrasil-network.github.io/configuration.html) +- [Platform-specific documentation](https://yggdrasil-network.github.io/platforms.html) +- [Frequently asked questions](https://yggdrasil-network.github.io/faq.html) +- [Admin API documentation](https://yggdrasil-network.github.io/admin.html) + +## Performance + +A [simplified model](misc/sim/treesim-forward.py) of this routing scheme has +been tested in simulation on the 9204-node +[skitter](https://www.caida.org/tools/measurement/skitter/) network topology +dataset from [caida](https://www.caida.org/), and compared with results in +[arxiv:0708.2309](https://arxiv.org/abs/0708.2309). 
Using the routing scheme as +implemented in this code, the average multiplicative stretch is observed to be +about 1.08, with an average routing table size of 6 for a name-dependent scheme, +and approximately 30 additional (but smaller) entries needed for the +name-independent routing table. The number of name-dependent routing table +entries needed is proportional to node degree, so that 6 is the mean of a +distribution with a long tail, but this may be an acceptable tradeoff (it's at +least worth trying, hence this code). The size of name-dependent routing table +entries is relatively large, due to cryptographic signatures associated with +routing table updates, but in the absence of cryptographic overhead, each entry +should otherwise be comparable in size to the BC routing scheme described in the +above paper. A modified version of this scheme, with the same resource +requirements, achieves a multiplicative stretch of 1.02, which drops to 1.01 if +source routing is used. Both of these optimizations are not present in the +current implementation, as the former depends on network state information that +appears difficult to cryptographically secure, and the latter optimization is +both tedious to implement and would make debugging other aspects of the +implementation more difficult. ## License -This code is released under the terms of the LGPLv3, but with an added exception that was shamelessly taken from [godeb](https://github.com/niemeyer/godeb). -Under certain circumstances, this exception permits distribution of binaries that are (statically or dynamically) linked with this code, without requiring the distribution of Minimal Corresponding Source or Minimal Application Code. +This code is released under the terms of the LGPLv3, but with an added exception +that was shamelessly taken from [godeb](https://github.com/niemeyer/godeb). 
+Under certain circumstances, this exception permits distribution of binaries +that are (statically or dynamically) linked with this code, without requiring +the distribution of Minimal Corresponding Source or Minimal Application Code. For more details, see: [LICENSE](LICENSE). diff --git a/doc/yggdrasil-network.github.io b/doc/yggdrasil-network.github.io new file mode 160000 index 0000000..1067221 --- /dev/null +++ b/doc/yggdrasil-network.github.io @@ -0,0 +1 @@ +Subproject commit 10672210f2fdce97dd5c301dfeed47284d4a28f2 From 7478c8ba2b583a275af49c9b0801702d53d1c3a6 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 20:08:50 +0000 Subject: [PATCH 16/18] Update README.md --- README.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a9a9d96..8c1f168 100644 --- a/README.md +++ b/README.md @@ -55,23 +55,27 @@ specifying the `GOOS` and `GOARCH` environment variables, e.g. `GOOS=windows ## Running +### Generate configuration + To generate static configuration, either generate a HJSON file (human-friendly, complete with comments): ``` -./yggdrasil -genconf /path/to/yggdrasil.conf +./yggdrasil -genconf > /path/to/yggdrasil.conf ``` ... or generate a plain JSON file (which is easy to manipulate programmatically): ``` -./yggdrasil -genconf /path/to/yggdrasil.conf -json +./yggdrasil -genconf -json > /path/to/yggdrasil.conf ``` You will need to edit the `yggdrasil.conf` file to add or remove peers, modify other configuration such as listen addresses or multicast addresses, etc. +### Run Yggdrasil + To run with the generated static configuration: ``` ./yggdrasil -useconffile /path/to/yggdrasil.conf @@ -81,7 +85,7 @@ To run in auto-configuration mode (which will use sane defaults and random keys at each startup, instead of using a static configuration file): ``` -./yggdrasil --autoconf +./yggdrasil -autoconf ``` You will likely need to run Yggdrasil as a privileged user or under `sudo`, 
@@ -90,8 +94,8 @@ by giving the Yggdrasil binary the `CAP_NET_ADMIN` capability. ## Documentation -Documentation is available on our [`GitHub -Pages`](https://yggdrasil-network.github.io) site, or in the base submodule +Documentation is available on our [GitHub +Pages](https://yggdrasil-network.github.io) site, or in the base submodule repository within `doc/yggdrasil-network.github.io`. - [Configuration file options](https://yggdrasil-network.github.io/configuration.html) From e582ac102b76e2bd2ce14dd36495b0000dd616f8 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 20:12:08 +0000 Subject: [PATCH 17/18] Update README.md --- README.md | 25 ++----------------------- 1 file changed, 2 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 8c1f168..7553824 100644 --- a/README.md +++ b/README.md 
@@ -103,30 +103,9 @@ repository within `doc/yggdrasil-network.github.io`. - [Frequently asked questions](https://yggdrasil-network.github.io/faq.html) - [Admin API documentation](https://yggdrasil-network.github.io/admin.html) -## Performance +## Community -A [simplified model](misc/sim/treesim-forward.py) of this routing scheme has -been tested in simulation on the 9204-node -[skitter](https://www.caida.org/tools/measurement/skitter/) network topology -dataset from [caida](https://www.caida.org/), and compared with results in -[arxiv:0708.2309](https://arxiv.org/abs/0708.2309). Using the routing scheme as -implemented in this code, the average multiplicative stretch is observed to be -about 1.08, with an average routing table size of 6 for a name-dependent scheme, -and approximately 30 additional (but smaller) entries needed for the -name-independent routing table. The number of name-dependent routing table -entries needed is proportional to node degree, so that 6 is the mean of a -distribution with a long tail, but this may be an acceptable tradeoff (it's at -least worth trying, hence this code). The size of name-dependent routing table -entries is relatively large, due to cryptographic signatures associated with -routing table updates, but in the absence of cryptographic overhead, each entry -should otherwise be comparable in size to the BC routing scheme described in the -above paper. A modified version of this scheme, with the same resource -requirements, achieves a multiplicative stretch of 1.02, which drops to 1.01 if -source routing is used. Both of these optimizations are not present in the -current implementation, as the former depends on network state information that -appears difficult to cryptographically secure, and the latter optimization is -both tedious to implement and would make debugging other aspects of the -implementation more difficult. 
+Feel free to join us on our [Matrix channel](https://matrix.to/#/#yggdrasil:matrix.org) at `#yggdrasil:matrix.org` or in the `#yggdrasil` IRC channel on Freenode. ## License From b57030430cfaa71b37ea933ce80027ffbb7bb250 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 13 Mar 2019 20:21:01 +0000 Subject: [PATCH 18/18] Update README.md --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7553824..e9e0c7d 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,9 @@ Please see our [Platforms](https://yggdrasil-network.github.io/) pages for more specific information about each of our supported platforms, including installation steps and caveats. +You may also find other platform-specific wrappers, scripts or tools in the +`contrib` folder. + ## Building If you want to build from source, as opposed to installing one of the pre-built @@ -102,10 +105,13 @@ repository within `doc/yggdrasil-network.github.io`. - [Platform-specific documentation](https://yggdrasil-network.github.io/platforms.html) - [Frequently asked questions](https://yggdrasil-network.github.io/faq.html) - [Admin API documentation](https://yggdrasil-network.github.io/admin.html) +- [Version changelog](CHANGELOG.md) ## Community -Feel free to join us on our [Matrix channel](https://matrix.to/#/#yggdrasil:matrix.org) at `#yggdrasil:matrix.org` or in the `#yggdrasil` IRC channel on Freenode. +Feel free to join us on our [Matrix +channel](https://matrix.to/#/#yggdrasil:matrix.org) at `#yggdrasil:matrix.org` +or in the `#yggdrasil` IRC channel on Freenode. ## License