This wiki is an archive up to 2023. The current wiki can be found at https://wiki.hamburg.ccc.de/
Difference between revisions of "ChaosVPN:geekend1"
(→dns) |
|||
Line 70: | Line 70: | ||
* d) getting rid of the spof vpn.hamburg.ccc.de by allowing multiple urls to be specified in chaosvpn.conf and by replicating the info on vpn.hamburg... to other nodes | * d) getting rid of the spof vpn.hamburg.ccc.de by allowing multiple urls to be specified in chaosvpn.conf and by replicating the info on vpn.hamburg... to other nodes | ||
* e) getting a very reliable dns that works with chaosvpn up and with chaosvpn temporarily down | * e) getting a very reliable dns that works with chaosvpn up and with chaosvpn temporarily down | ||
+ | |||
+ | = Update Policy for the client = | ||
+ | |||
+ | I would like to suggest the following policy: | ||
+ | |||
+ | * The central configuration is signed and encrypted | ||
+ | * The Signature and/or the signed configuration contains the signing timestamp | ||
+ | * The configuration is signed automatically at least once within 24 hours | ||
+ | * The signed configuration is pushed to multiple servers | ||
+ | |||
+ | When a client downloads the configuration, he executes the following steps: | ||
+ | |||
+ | * Get a list '''l''' of (ip-adresses) of servers via the local configuration and/or DNS | ||
+ | * Sort '''l''' randomly | ||
+ | * '''c''' = local config | ||
+ | * '''t''' = age of local config | ||
+ | * for ('''i''' = 0; '''i''' < '''l'''.length; '''i'''++) | ||
+ | ** '''d''' = get config from server '''l'''['''i'''] | ||
+ | ** check signature of '''d''' | ||
+ | ** if signature is correct: | ||
+ | *** '''u''' = now - timestamp of '''d''' | ||
+ | *** if '''u''' < '''t''' | ||
+ | **** '''c''' = '''d''' | ||
+ | **** '''t''' = '''u''' | ||
+ | **** if '''c''' < 24h + delta, then break for-loop | ||
+ | * if '''t''' > 24h + delta | ||
+ | ** Warn the user | ||
+ | |||
+ | |||
+ | |||
= questions? answers! = | = questions? answers! = | ||
join the irc #chaosvpn @ spaceboyz.net | join the irc #chaosvpn @ spaceboyz.net |
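Review bot: the break condition in the added update loop compares the config itself with a time span, `if '''c''' < 24h + delta, then break for-loop`; from the two lines just above it ('''c''' = '''d''', '''t''' = '''u''') the intended variable is the age '''t''', so the test should read `if '''t''' < 24h + delta`. Also note that `if '''u''' < '''t'''` accepts a correctly signed config whose timestamp lies in the future as the freshest one; a lower bound on '''u''' (e.g. reject '''u''' < -delta) would make a skewed server clock visible instead of silently preferring that copy.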
Revision as of 17:55, 29 January 2011
what?
Let's do a geekend and get things done on the ChaosVPN.
where
Hamburg. In the new Hackerspace of attraktor and CCC Hamburg.
when
The Geekend will be on January 28th - 30th.
participants
- arrived:
  - mc.fly
  - guus
  - crest
- still missing:
  - Jens
  - hc
  - nomaam
  - wopot
  - zocker
Issues
monitoring
User:mc.fly wants to build a munin / nagios server for chaosvpn.
- the server itself is up and running.
- munin running, but no chaosvpn node configured so far
- nagios installed but not configured.
- Haegar recommends icinga
dns
Improve dns usage in ChaosVPN.
- which DNS daemon (pro and con discussion)
- anycast
connect people
connect the router at some spaces
packages
build Debian and OpenWRT packages
- Debian
  - build packages
  - get in squeeze?
- OpenWRT
  - package
  - image with tinc and config for Fonera 2.0n
Goals
- Set up warzone properly
- Get dns in the default images and improve dns use by adding nodes to the zonefile
- rework the documentation
infrastructure
lodging
- Best Western Queens Hotel Hamburg around the corner
- limited sleeping in the hackerspace is possible
attendees
suggested topics
- a) maintaining the chaosvpn.net content
- b) making chaosvpn more secure - hc's nonroot changes alone are not enough
- c) (re)define a joining policy/policies
- d) getting rid of the SPOF (single point of failure) vpn.hamburg.ccc.de by allowing multiple URLs to be specified in chaosvpn.conf and by replicating the info on vpn.hamburg... to other nodes
- e) getting a very reliable dns that works with chaosvpn up and with chaosvpn temporarily down
Update Policy for the client
I would like to suggest the following policy:
- The central configuration is signed and encrypted
- The signature and/or the signed configuration contains the signing timestamp
- The configuration is signed automatically at least once within 24 hours
- The signed configuration is pushed to multiple servers
When a client downloads the configuration, it executes the following steps:
- Get a list l of (IP addresses of) servers via the local configuration and/or DNS
- Sort l randomly
- c = local config
- t = age of local config
- for (i = 0; i < l.length; i++)
  - d = get config from server l[i]
  - check signature of d
  - if signature is correct:
    - u = now - timestamp of d
    - if u < t
      - c = d
      - t = u
      - if t < 24h + delta, then break for-loop
- if t > 24h + delta
  - Warn the user
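The client-side procedure above, written out as an added example that is not code from the ChaosVPN project. It assumes an HMAC with a constructed demo key in place of the real signature scheme, a fetch callback standing in for the download from each server, and a caller-supplied clock so runs are repeatable.

```python
import hashlib
import hmac
import json
import random

# Constructed demo values (not from the ChaosVPN project): an HMAC key stands
# in for the real signing key so the example runs offline without a PKI.
SIGNING_KEY = b"constructed-demo-key"
MAX_AGE = 24 * 3600      # the config is re-signed at least once a day
DELTA = 3600             # tolerance for push lag and clock drift

def sign_config(config: dict, signed_at: int) -> dict:
    """Server side: bind the signing timestamp to the config and sign both."""
    body = json.dumps({"config": config, "ts": signed_at}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_config(blob: dict):
    """Return the signed payload, or None when the signature does not match."""
    want = hmac.new(SIGNING_KEY, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, blob["sig"]):
        return None
    return json.loads(blob["body"])

def update_config(servers, fetch, local_config, local_age, now, rng=random):
    """Client side: poll the servers in random order and keep the freshest
    correctly signed config. fetch(addr) returns a blob or raises OSError.
    Returns (config, age_in_seconds, warn_user)."""
    l = list(servers)
    rng.shuffle(l)
    c, t = local_config, local_age
    for addr in l:
        try:
            blob = fetch(addr)
        except OSError:
            continue                  # unreachable server, try the next one
        d = verify_config(blob)
        if d is None:
            continue                  # bad signature: ignore this copy
        u = now - d["ts"]
        if u < -DELTA:
            continue                  # timestamp from the future: not trusted
        if u < t:                     # newer than what we hold so far
            c, t = d["config"], u
            if t < MAX_AGE + DELTA:
                break                 # fresh enough, stop polling
    return c, t, t > MAX_AGE + DELTA  # warn when still older than 24h + delta
```

Because a stale or unsigned copy never replaces a newer local one, the result is the same whichever server the shuffle visits first.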
questions? answers!
join the IRC channel #chaosvpn @ spaceboyz.net