New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
use fake dns and long domain name to replace ipv6 for collision immune #1106
Comments
Irrespective of a DNS mapping, the IPv6 address still truncates the public key, so this doesn't solve the issue. |
note: if you use base32 it will fit into the size needed for a dns label.
you can use dns64/nat64 it is meant to be used for ephemeral ips for dns then add PTR records which point back. it is what i was meaning to do in lokinet. |
That's true, but then we end up with a lot of code to remap IP addresses, rewrite checksum etc. Right now Yggdrasil can pass through IPv6 traffic completely unmodified and that's extremely powerful and far simpler. For the purposes of what we want to do at this stage, truncating public keys is a tradeoff that we accept. If Yggdrasil ever does end up taking over the world, it would maybe warrant a new address family anyway. |
oh i know very well the pains of doing that, this is just my two cents on the DNS method. |
But we can use domain name instead ipv6 as yggdrasil node id. And in routing progress, we are talking about node id rather than ipv6.
IP exists only to be compatible with third-party applications (ie browser),in fact, there is no ip concept in yggdrasil-network. In this way, we don't need to truncate anything. Besides, domain name( in fact domain name is just node id) is just a 256 bit. It needn't to be base32, base58 maybe better, friendly to human eyes. IP is just a compatible layer, it can be ipv4, ipv6 or whatever the real network support. We route by node id, and since node id is totally controlled by yggdrasil, it can be 256 bit, 512 bit, or whatever is secure enough to be public key. fake-dns see some proxy project like |
Note: this way may make real domain dns harder. old:
now:
Besides, I don't know if applications (like curl, browser) support top domain. If support, maybe we needn't to append |
speaking from experience you do not want to support ipv4, that is a mistake because of the mountains of painful things they got wrong, like supporting IP fragmentation.
there is, in fact that is the distinguishing aspect of yggdrasil.
this does not work, you need to attach an there is a lot more you'll run into with the DNS approach that makes this insanely difficult and then you hit the cache invalidation issues. |
imo, you could make an extended version of yggdrasil which supports this and can do this DNS tomfoolery with other nodes who advertise they support it. you could put something into some kind of public nodeinfo to advertise this capability or negotiate capabilities with the other end on the fly, falling back to normal addressing if they dont support it. talking to remotes who support this alternative mode would have their it'd be a fun toy to add on the side for others to use, keeping it separated from yggdrasil internals would let it be used for other networks too like tor and i2p, just use another part of the dns 64 range for those backends. even if you dont support multiple backend networks this is a larger undertaking than you think so it really should not be in scope for yggdrasil proper. trust me i've done something like this before, it's a lot of stuff involved. |
Some variation of this has come up in discussion a few times. The bigger reason to provide fake domain names is to support applications that don't work right (if at all) without a domain name. As far as I know, if we shipped our own resolver in ygg, there still isn't a good way to set things up automatically. The user would need to configure their system to use our resolver, and some applications may still bypass it by default (e.g. DoH in modern web browsers), so I expect it would not work well in practice. |
this is the secret eternal truth and pain of DNS. I don't think it's THAT bad as people make it out to be but it isn't something to ignore either. yggdrasil cannot fix this, nor can any other dns resolver. this is a system layer issue and thus the sole responsibility of the system layer's maintainer, in the case of yggdrasil, such is the end user's responsibility to babysit. documentation on how to do that with troubleshooting and a discussion area is really all you need. |
Perhaps related article by Tailscale people: https://tailscale.com/blog/sisyphean-dns-client-linux/ |
@Arceliar but what I want to solve is ipv6's 128 bits is too small to save a hash result of pub key by a much more secure hash function like sha256. Current:
I want it become:
Maybe I got yggdrasil-network's essential wrong. |
besides, in this way, a PC can run both ygg4 and ygg5 at the same time, and even other protocol similar with ygg, distinct with each other by the top level domain (or maybe we can call it suffix).
|
OK, maybe we can do this after Yggdrasil taking over the world. 😀 |
@majestrate Oh, I finally got your meaning. Besides, lokinet seems a great project, I'll have it a try. |
you still have collison issues here because of how DNS works if you can collide the top most label you can trick caches. |
But that has nothing to do with security. I can even
And in Or were your meaning is you are worrying about bad guys registered Poor english and little network programming knowledge make our communication hard, sorry. |
if i can generate a public key |
there are a lot of subtleties to DNS like that which seep into upper layers, e.g. CORS rules on http could be bypassed with that kind of collision. |
your blog:
https://yggdrasil-network.github.io/2018/07/28/addressing.html#:~:text=Fixing%20that%20is%20on%20my%20wish%2Dlist%20for%20IPv7%2C%20if%20for%20some%20reason%20that%20ever%20happens.
but what if
curl http://e5da8447dc2c320edc0fc52fa01885c103de8c118481f683643cacc3220dafce.ygg
and yggdrasil's virtual network card offers a fake dns service.The text was updated successfully, but these errors were encountered: