[Freedombox-discuss] Request for Comment: FreedomBuddy-VPN Setup
Nick M. Daly
nick.m.daly at gmail.com
Fri Jul 6 00:10:41 UTC 2012
Hi Michael, thanks for looking at this. I appreciate the insight, you
do touch on a few issues I don't think are solved yet. If I didn't
reply to it, I think Ian's clarified it in his reply:
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2012-June/004032.html
On Tue, 26 Jun 2012 10:07:24 +0100, Michael Rogers wrote:
> How does Alice discover who Bob's buddies are and stay up-to-date with
> their IP addresses (since presumably buddies might also have dynamic
> addresses)?
Friend-to-friend request proxying is something I looked into a few
months ago and wasn't able to solve. I don't know if this is the right
layer for it. The idealized dream is:
1. Alice can't reach Bob directly.
2. Alice and Bob can both talk to Calvin, say, over a different
protocol.
3. Calvin relays the messages between Alice and Bob.
There are lots of hurdles between where we are now and solving this
completely:
- How do you prevent routing loops?
- How do you expire requests (the Gnutella model; maybe something
better)?
> Is there any form of revocation if Bob stops trusting a buddy?
- Announcing new locations to all his other friends.
- Not sharing services between friends.
- Using client-authentication within the service itself.
Actually *all services* Bob or Alice offer to anybody should be
client-authenticated, to prevent interference from an untrustworthy
client (one who shares your locations, but not his key; one who lucks
out and finds your location).
> When Alice receives an ssh-vpn service location from Bob's buddy, how
> does the buddy (or Alice) know the IP address provided by the buddy is
> up to date?
Right now, it's up to Alice to remove locations that don't reply
properly. It's easy enough to remove them (a PUT request), but there's
nothing automatic. Alice can clear the list before learning more, but
Bob doesn't have any method of declaring locations outdated right now.
Maybe he should? Presumably, this is only a problem if your key's
compromised, and then you alerady have a dozen other, bigger, problems.
Nick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20120705/a93ff76d/attachment.pgp>
More information about the Freedombox-discuss
mailing list