Secure Peer Networking with TINC

_images/hope.png

Spencer Krum, IBM

July 22nd, 2016

@nibalizer

http://spencerkrum.com/talks/tinc-hope11-2016/

Note

  • Who am I
  • What do I work on
  • github

Portland

_images/mt_hood.jpg

Logos

_images/tinc-logo.jpg
_images/consul-logo.jpg

Note

  • I've wanted to give this talk for a long time
  • This is a talk about tinc
  • A little about consul

Tinc is a VPN

_images/A-VPN-is-best-for-maintaining-online-security.jpg

Note

  • Mesh VPN: nodes exchange traffic directly where they can reach each other and relay through other nodes otherwise
  • Different from point-to-point or hub-and-spoke VPNs like OpenVPN, where traffic between two clients passes through the server

Tinc Fast Facts

_images/year-2000-nokia.jpg

Note

  • Written in C
  • Started in 1998, first committed to source control in 2000
  • Portable (*nix, Windows, Android; iOS incoming)
  • Runs as a daemon (tincd)
  • ~99% of the code comes from 2 developers
  • freenode channel / mailing list / dev process
  • 15% link-speed slowdown in the cloud
  • Port 655 (TCP and UDP) is registered for tinc in /etc/services

Tinc Crypto

ldd `which tincd`
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fb270d0f000)

Note

  • tinc 1.0 takes all of its crypto from OpenSSL's libcrypto: RSA keys authenticate the meta connection between two daemons, a symmetric cipher plus an HMAC protect the tunnel packets
  • the 1.0 defaults are Cipher = blowfish, Digest = sha1 and MACLength = 4 (the MAC is truncated to 4 bytes); set all three explicitly in tinc.conf rather than inheriting them
  • the tunnel is only as strong as the system libcrypto tincd links against, so OpenSSL updates are tinc updates
  • tinc 1.1 adds its own SPTPS protocol (Ed25519 keys, ChaCha20-Poly1305) for node-to-node traffic

The Network

_images/the-network-is-the-computer.jpg

Note

  • Use this with my friends / not prod lol
  • Bringing back the network / https as the only service sucks
  • University Network
  • LAN Parties
  • Services
  • Blurry line between workstation and server
  • we run it on laptops and home routers and the occasional rackmount gear

VPN & Network

_images/test1.png

Note

  • These nodes are laptops or servers or home routers

VPN & Network

_images/tinc_nodes_connections.png

Note

  • tinc has a concept of 'ConnectTo' (in tinc.conf): which peers this daemon dials
  • Connections don't have to be symmetric: it is enough that one side of a pair lists the other
  • basically comes down to which nodes have a known public ip (the Address line in that node's host file)
  • public/private keys: every node has an RSA key pair, and the public half of each peer it should trust sits in hosts/<name>; a node without a host file cannot join

VPN & Network

_images/tinc_nodes_connections_two_ended.png

Note

  • Network traffic is bidirectional regardless of which side dialed
  • Re-routes around failures: every node learns the whole graph of edges, not just its own connections

VPN & Network

_images/tinc_nodes_ip_layer.png

Note

  • Flat IP space
  • Daemon = node

VPN & Network

_images/tinc_dot.jpg

Note

  • this picture is regenerated every minute: GraphDumpFile = <path> in tinc.conf makes tincd write the graph in dot format whenever it changes
  • Flat IP space
  • Daemon = node
  • Each daemon is responsible for a Subnet (declared in its host file) and its own address inside it
  • edges carry weights and tinc routes every packet over the lowest-weight path, recomputing as edges come and go
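The ConnectTo / Subnet / key layout from the last few slides and the crypto settings from the Tinc Crypto slide, written out as an added example (this is not code from the talk or from the tinc project). It lays out one node's net directory in shell; the net name hope, the node names, the addresses and the ROOT directory (normally /etc/tinc) are assumptions chosen for illustration, and key generation with tincd -K is only mentioned, not run:

```sh
#!/bin/sh
# Added example, not code from the talk or the tinc project: lay out a minimal
# tinc 1.0 configuration for one node of a mesh, then share host files between
# nodes. The net name "hope", node names, addresses and the ROOT directory
# (normally /etc/tinc) are assumptions chosen for illustration.
# Tree written: ROOT/NET/tinc.conf  ROOT/NET/hosts/NAME  ROOT/NET/tinc-up
set -eu

# write_tinc_node ROOT NET NAME NODE_IP SUBNET [CONNECT_TO] [PUBLIC_ADDRESS]
#   NODE_IP         this daemon's own VPN address (must lie inside SUBNET)
#   SUBNET          the prefix this daemon announces ("Subnet =" in its host file)
#   CONNECT_TO      peer to dial; empty on nodes that only accept connections
#   PUBLIC_ADDRESS  only for nodes others can reach ("Address =" in the host file)
write_tinc_node() {
  root=$1 net=$2 name=$3 node_ip=$4 subnet=$5
  connect_to=${6:-} address=${7:-}
  dir="$root/$net"
  mkdir -p "$dir/hosts"

  {
    echo "Name = $name"
    echo "Mode = router"    # route by Subnet; "switch" would bridge ethernet frames
    # One side of a pair is enough: the meta connection carries traffic both
    # ways, and tinc routes around links that go down.
    if [ -n "$connect_to" ]; then
      echo "ConnectTo = $connect_to"
    fi
    # Set the crypto explicitly; the 1.0 defaults are blowfish / sha1 / MACLength 4.
    echo "Cipher = aes-256-cbc"
    echo "Digest = sha256"
    echo "MACLength = 16"
  } > "$dir/tinc.conf"

  {
    if [ -n "$address" ]; then
      echo "Address = $address"
    fi
    echo "Port = 655"
    echo "Subnet = $subnet"
    # The RSA public key is appended to this file by:  tincd -n "$net" -K
    # (not run here; it also writes rsa_key.priv next to tinc.conf)
  } > "$dir/hosts/$name"

  cat > "$dir/tinc-up" <<EOF
#!/bin/sh
# tincd exports INTERFACE when it runs this script
ip link set "\$INTERFACE" up
ip addr add $node_ip/${subnet#*/} dev "\$INTERFACE"
EOF
  chmod 0755 "$dir/tinc-up"
}

# copy_host FROM_ROOT TO_ROOT NET NAME: a node can only talk to peers whose
# host file (Subnet, Address, public key) it has, so host files get copied
# to every node that should know about that peer
copy_host() {
  cp "$1/$3/hosts/$4" "$2/$3/hosts/$4"
}

# tinc_conf_get ROOT NET KEY -> value of "KEY = value" from tinc.conf
tinc_conf_get() {
  sed -n "s/^$3 = //p" "$1/$2/tinc.conf"
}

# tinc_crypto_is_weak ROOT NET: exit 0 when tinc.conf still relies on the
# blowfish default or keeps the MAC truncated below 16 bytes
tinc_crypto_is_weak() {
  c=$(tinc_conf_get "$1" "$2" Cipher)
  m=$(tinc_conf_get "$1" "$2" MACLength)
  case "${c:-blowfish}" in
    blowfish*|bf*) return 0 ;;
  esac
  if [ "${m:-4}" -lt 16 ]; then return 0; fi
  return 1
}

# Stand-alone usage: two nodes, only spencer dials out, only bkero is public
demo() {
  d=$(mktemp -d)
  write_tinc_node "$d/spencer" hope spencer 10.11.11.129 10.11.11.128/25 bkero
  write_tinc_node "$d/bkero"   hope bkero   10.11.22.1   10.11.22.0/24   ""  203.0.113.7
  copy_host "$d/bkero" "$d/spencer" hope bkero
  copy_host "$d/spencer" "$d/bkero" hope spencer
  cat "$d/spencer/hope/tinc.conf" "$d/spencer/hope/hosts/bkero"
  rm -rf "$d"
}
demo
```

Only the node with a reachable address carries an Address line, and only the other side carries ConnectTo; once both host files are on both machines and each has run tincd -n hope -K, the two daemons authenticate each other with the keys in hosts/ and nothing else.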

Getting Status

kill -USR2 $(pidof tincd); tail /var/log/syslog

Edges:
  bkero to spencer at 131.xxx.xx.xx  weight 1538
  spencer to bkero at 216.xxx.xx.xx  weight 1538
End of edges.
Subnet list:
  10.11.11.128/25#10 owner spencer
  10.11.22.0/24#10 owner bkero
End of subnet list.

Note

  • tinc 1.0 is controlled with signals; the dumps go to syslog by default (or to the file given with --logfile)
  • ALRM forces a reconnect attempt, USR1 dumps the meta connections, USR2 dumps the known nodes, edges and subnets, HUP rereads the config, INT temporarily raises the debug level (send it again to go back)
  • pidof tincd returns one pid per running net, so with several nets pick the right one (tincd writes its pid to /var/run/tinc.<net>.pid)
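An added example (not from the talk, and not the tincstat code) that parses a USR2 dump in the format shown above: the edges, edges known in only one direction, and which node owns a given address by longest prefix, which is how tinc itself picks the Subnet for a packet. The dump is constructed with documentation addresses; the third node and the overlapping /28 are assumptions added to exercise the lookup:

```sh
#!/bin/sh
# Added example, not code from the talk or from tincstat: parse the edge and
# subnet dump that `kill -USR2` writes to syslog. SAMPLE_DUMP is constructed
# in that format with documentation addresses; node names and subnets are
# assumptions.
set -eu

SAMPLE_DUMP='Edges:
  bkero to spencer at 203.0.113.7 weight 1538
  spencer to bkero at 198.51.100.4 weight 1538
  bkero to laptop at 203.0.113.7 weight 2011
End of edges.
Subnet list:
  10.11.11.128/25#10 owner spencer
  10.11.22.0/24#10 owner bkero
  10.11.22.0/28#10 owner laptop
  10.11.33.0/24#10 owner laptop
End of subnet list.'

# tinc_edges DUMP -> one "from to weight" line per edge
tinc_edges() {
  printf '%s\n' "$1" | awk '
    /^Edges:/        { inedges = 1; next }
    /^End of edges/  { inedges = 0 }
    inedges && $2 == "to" && $4 == "at" { print $1, $3, $NF }'
}

# tinc_oneway_edges DUMP -> edges whose reverse direction is missing.
# A meta connection normally shows up as a pair (A to B, B to A); a lone
# edge is either still being announced or stale, and worth a look.
tinc_oneway_edges() {
  tinc_edges "$1" | awk '
    { seen[$1 " " $2] = 1 }
    END { for (k in seen) { split(k, p, " "); if (!((p[2] " " p[1]) in seen)) print k } }' | sort
}

# tinc_subnet_owner DUMP IPV4 -> name of the node owning the most specific
# Subnet that contains IPV4 (tinc picks the longest prefix), or nothing
tinc_subnet_owner() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    BEGIN { best = -1 }
    /^Subnet list:/        { insub = 1; next }
    /^End of subnet list/  { insub = 0 }
    insub && $2 == "owner" {
      split($1, w, "#"); split(w[1], n, "/")       # "10.11.22.0/24#10" -> net, prefix, weight
      if (n[1] !~ /^[0-9.]+$/) next                # skip MAC (switch mode) and IPv6 subnets
      p = (n[2] == "") ? 32 : n[2] + 0
      if (int(ip2n(ip) / 2^(32 - p)) == int(ip2n(n[1]) / 2^(32 - p)) && p > best) { best = p; who = $3 }
    }
    END { if (who != "") print who }'
}

# Stand-alone usage
tinc_edges "$SAMPLE_DUMP"
tinc_oneway_edges "$SAMPLE_DUMP"
tinc_subnet_owner "$SAMPLE_DUMP" 10.11.22.5
```

Against the sample, 10.11.22.5 resolves to laptop (the /28 wins over bkero's /24) and 10.11.22.100 to bkero, while bkero->laptop is reported as a one-way edge because no laptop->bkero line is present. Feed it the real thing with something like grep tincd /var/log/syslog, remembering that the dump is this daemon's view of the graph, not necessarily everybody's.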

Getting Status (Improved)

curl -s -i http://127.0.0.1:9000/tincstat
{
  "total_bytes_in": 115324,
  "total_bytes_out": 67990,
  "connections": [
    {
      "name": "bkero",
      "ip": "216.xx.xx.xx",
      "port": 4545
    }
  ]
}

https://github.com/nibalizer/tincstat

Note

  • go utility
  • runs as a daemon and partially parses the log output
  • the motivation for me was to put it into my statusbar on my computer
  • 1.1 will bring a control socket and a tinc CLI (tinc -n <net> info <node>, tinc -n <net> dump edges), so the log no longer has to be parsed

Now What

_images/malcom.jpg

Services

  • Apache
  • UPnP
  • VLC Streaming
  • StarCraft

A Problem Arises

Note

  • You think it's DNS at first, and we did
  • Solved it the way we thought we should, with hosts files
  • Briefly ran a bind server, that didn't scale
  • The problem is there isn't one admin domain, there are many
  • Even with domains solved, how would we say what protocols?
  • The need is for something mutable and highly available

The Requirements

Something mutable and highly available

Note

  • mutable because many people need to modify it
  • highly available because nodes die all the time

Let's do something Hip

_images/Etcd.png

Note

  • etcd is software from coreos
  • originally designed to store configs for docker because docker is write
  • sometimes referred to as a 'distributed lock manager'
  • raft consensus protocol
  • hierarchical key-value store
  • highly available: a cluster of 2n+1 members keeps serving with n of them down
  • start writing hostname -> ip mappings in it
  • working on a script to dump etcd keys and output a hosts file or something

Let's do something stupid

_images/dangerous-forklift.jpg

Note

  • how many people know what libnss is
  • Name Service Switch: /etc/nsswitch.conf lists, per database (hosts, passwd, ...), which modules answer lookups
  • turns out you can write endpoints for the name service switch: a module is a shared library libnss_<name>.so that gets loaded into every process doing a lookup
  • in c
  • someone writes a libnss-etcd, which basically just shells out to the etcdctl utility
  • dns is solved!
  • caveat: a module like that runs inside every program that resolves a name, root-owned daemons included, and every lookup now blocks on etcd being reachable

Let's do the hippest thing imaginable

_images/consul-logo.jpg

Note

  • consul was going to come back
  • turns out the janky C code to get in the way of DNS lookups was already built into consul
  • consul answers DNS queries itself (port 8600 by default, names like <service>.service.consul) for the nodes and services in its catalog
  • consul can also do nagios-like health checks, so a DNS answer only lists the instances whose checks are passing
  • these are hackers so services are going up and going down all the time
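An added example, not from the talk or from HashiCorp's documentation: a Consul service definition with a TCP health check, and the DNS name the local agent then answers for it. The service name vlc, the port and the agent on 127.0.0.1 are assumptions. The file belongs in the config directory of the agent on the node that runs the service, because the local agent is what executes the check:

```sh
#!/bin/sh
# Added example, not from the talk or from Consul's own docs: write a Consul
# service definition with a TCP health check and derive its DNS name.
# Service name, port and the 127.0.0.1 agent address are assumptions.
set -eu

# write_consul_service DIR NAME PORT -> DIR/NAME.json
# The agent loads *.json from its config dir. The "check" block is what turns
# a plain catalog entry into a monitored service: while the TCP connect to the
# port fails, this instance is left out of DNS answers for NAME.service.consul.
write_consul_service() {
  cat > "$1/$2.json" <<EOF
{
  "service": {
    "name": "$2",
    "port": $3,
    "check": {
      "tcp": "127.0.0.1:$3",
      "interval": "10s",
      "timeout": "2s"
    }
  }
}
EOF
}

# consul_dns_name NAME -> the name to query against the agent's DNS port:
#   dig @127.0.0.1 -p 8600 "$(consul_dns_name vlc)"
consul_dns_name() {
  printf '%s.service.consul\n' "$1"
}

# consul_service_port FILE -> the port recorded in a definition written above
consul_service_port() {
  sed -n 's/^ *"port": \([0-9]*\),$/\1/p' "$1"
}

# Stand-alone usage
demo() {
  d=$(mktemp -d)
  write_consul_service "$d" vlc 8080
  cat "$d/vlc.json"
  consul_dns_name vlc
  rm -rf "$d"
}
demo
```

dig @127.0.0.1 -p 8600 vlc.service.consul returns A records only for instances whose check is passing; an instance whose port stops answering drops out of the answer at the next interval, which is the "nagios-like" part doing the work.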

Let's Get back to basics

_images/2000px-Avahi-logo.svg.png

Note

  • avahi is the free zeroconf implementation (mDNS / DNS-SD), the counterpart of Apple's Bonjour
  • link-local: it runs over multicast on the local link, so across tinc it only works when tinc bridges ethernet frames (Mode = switch); the default router mode does not forward it
  • service publishing (DNS-SD)
  • avahi-autoipd hands out link-local 169.254.0.0/16 addresses when there is no DHCP server

Demo

Neat Tricks

NFS

X11

What's Next

Conclusions

References

Thank You

_images/spencer_face.jpg

Spencer Krum

IBM

@nibalizer

nibz@spencerkrum.com

https://github.com/nibalizer/tinc-presentation

Note that the 'hope11' tag/branch is where this particular presentation lives