
I started using yggdrasil yesterday. The ability to get a static IPv6 address on a meshnet, with encrypted traffic by default, and the option to only accept inbound connections from public keys I trust is incredibly cool. Just like that I can access any of my devices that run ygg from anywhere using standard tools like git or ssh (or git-annex). It makes it really easy to network my devices together without having to screw around with split tunneling a WireGuard server and creating a DIY set of services to, for example, remotely manage my devices or sync things from one to the other, and that's just for starters. Feels like the Unix philosophy actually being useful for once.


In all fairness, you can do that with ZeroTier or Tailscale also. But Ygg also gives you access to the rest of the mesh, and that is very cool.


Yup. Been doing this for years with zerotier


How does key distribution work though? Is it TOFU? I couldn't find anything, just some hand-wavy "everything is encrypted".


Your IPv6 address is the hash of your public key


That's not hugely secure, though: IPv6 is only 128 bits, which means that the hash would only provide 64 bits of security even if it provided all the bits for the address. And I assume that the IPv6 address is not _only_ the hash, but instead some bits are used to put it into ULA space or similar. ULA uses 7 bits, which means that only 121 bits of the hash are usable, which means it provides 60.5 bits of security, which isn't nothing, but isn't really good enough for anything you care about.

In 2022, 128 bits is the bare minimum, and frankly 192 or 256 are often preferable.
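To make the "how many key bits actually end up in the address" question concrete, here is an added example (not code from the thread, and not Yggdrasil's own source) that derives an address from a 32-byte ed25519 public key using the scheme Yggdrasil has used since v0.4 as I understand it: the key is bitwise-inverted, the run of leading 1 bits is counted and stored in the second address byte, the first 0 bit is dropped, and the next 112 bits of the inverted key are appended after the 0x02 prefix byte. The function names, the `committed` return value and the constructed sample keys are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/netip"
)

// addrForKey maps a raw 32-byte ed25519 public key to a 128-bit address.
// Layout (my reading of the v0.4+ scheme, an assumption, not project code):
//   byte 0      : 0x02 prefix (the 0200::/7 range)
//   byte 1      : number of leading 1 bits in the bitwise inverse of the key
//   bytes 2..15 : the 112 inverted-key bits that follow the leading 1s and
//                 the first 0 bit
// It also returns how many key bits the address commits to:
// ones (implied by byte 1) + 1 (the dropped 0 bit) + 112 (copied verbatim).
func addrForKey(pub []byte) (netip.Addr, int, error) {
	if len(pub) != ed25519.PublicKeySize {
		return netip.Addr{}, 0, errors.New("public key must be 32 bytes")
	}
	inv := make([]byte, len(pub))
	for i, b := range pub {
		inv[i] = ^b // invert so keys with leading 0s get more bits into the address
	}
	bitAt := func(i int) byte { return (inv[i/8] >> (7 - uint(i%8))) & 1 }

	// Count the run of leading 1 bits in the inverted key.
	ones, i := 0, 0
	for ; i < 8*len(inv) && bitAt(i) == 1; i++ {
		ones++
	}
	i++ // skip the first 0 bit; its position is implied by the count

	var addr [16]byte
	addr[0] = 0x02
	addr[1] = byte(ones) // wraps if ones > 255; a run that long is not reachable in practice

	// Copy the next 112 bits (14 bytes) of the inverted key into bytes 2..15.
	n := 0
	for ; n < 112 && i < 8*len(inv); n, i = n+1, i+1 {
		addr[2+n/8] |= bitAt(i) << (7 - uint(n%8))
	}
	return netip.AddrFrom16(addr), ones + 1 + n, nil
}

func main() {
	// Stand-alone demo with a freshly generated key.
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	addr, committed, err := addrForKey(pub)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key %x\naddr %s\naddress commits to %d of 256 key bits\n", pub, addr, committed)
}
```

For a random key the inverted key usually starts with only a handful of 1 bits, so the address pins down roughly 113 to 116 of the 256 key bits. That is the figure that matters for impersonating a specific address: an attacker has to find an ed25519 key whose first ~113 bits match the target's, which is a second-preimage style search of about 2^113 work, not the 2^64 birthday bound for a collision between two arbitrary keys. The leading-ones encoding is also why a key with more leading zero bits yields an address that commits to more of the key.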


Encryption is done using normal Wireguard keys so it's not a security problem. I'm curious if the DHT routing is done based on the key or on the IPv6 address that represents the key.


So it's effectively Host Identity Protocol? Just perhaps with something other than IPsec underneath?


> So it's effectively Host Identity Protocol?

The software is essentially a 'node', doing the routing. Whenever it starts it reads the config file to see if there is a private key in there. If no, it will generate a new one for you and that is your identity on the network.

> Just perhaps with something other than IPsec underneath?

That is correct, it uses standard (but not IPsec) encryption based on public key cryptography. A host that saves its private key will thus forever have the same IP address, and if it runs services you connect to them using the encryption to its public key.

A node that is configured to connect to the wider yggdrasil public network will thus be reachable on a single IP with an identity that is based on public key cryptography, even if the machine is moving from network to network or even another continent.



