Yggdrasil - Early-stage implementation of an end-to-end encrypted
IPv6 network
Author : dragonsh
Score : 396 points
Date : 2021-06-21 08:02 UTC (14 hours ago)
| aleken wrote:
| I have two devices split by VNET and not routed out to the
| internet. I connect those two and a VPS to create a small
| Yggdrasil network. This allows me to access all three devices
| from "anywhere". Would use again.
| boardwaalk wrote:
| What does this give you that Wireguard wouldn't? (Honest
| question, I have no idea.)
| aleken wrote:
| Oh. Also. If I lose my VPS my network is still functioning to
| a degree. If you lose your wireguard server I believe you're
| out of luck?
| aleken wrote:
| Good question. I could achieve the same with Tailscale or
| Innernet, both using Wireguard. So perhaps my answer has to
| be that Yggdrasil tickles my interest in mesh networking.
| nicce wrote:
| Can someone explain why it has end-to-end encryption by default
| on this level, and why it is good? Isn't this project more about
| host discovery and routing? Is it providing more performance
| compared to encryption on other layers, or is it just for "easy
| automatic" data encryption?
|
| Based on the documentation, it sounds like they have some kind of
| crypto implementation of their own in the end. I found the
| whitepaper describing the algorithms used, but I would need to
| know more about how exactly they are applied and why they were
| selected before I could trust the encryption.
| jdsully wrote:
| This allows us to focus our investment on one layer and have it
| apply to all applications on top "for free". I'm not saying
| this specific implementation is the right one, but having it
| below the app layer makes a ton of sense.
| wiml wrote:
| How does this compare to cjdns? Has anyone tried both?
| andrius4669 wrote:
| It works pretty similar to cjdns, but implementation is not as
| crashy in my experience, also some transport protocol
| differences (ygg uses tcp while cjdns does udp), also DHT
| routing instead of cjdns supernode stuff.
|
| So while usability is pretty similar, they're pretty different
| underneath.
| neilalexander wrote:
| We're prepping for a major new release too -- information here:
| https://yggdrasil-network.github.io/2021/06/19/preparing-for...
| infogulch wrote:
| https://yggdrasil-network.github.io/2021/06/19/preparing-for...
|
| > the root is the node with the lowest ed25519 public key,
| rather than the highest sha512sum hash of the public key
|
| With this scheme, could a bad actor decide to choose a poor key
| just to be the neighbor of a target in (edit) keyspace?
| Ordering by the hash of a public key means that the order is
| protected by the hash function's preimage resistance; does the
| generation of a ed25519 key have a similar protection?
| miloignis wrote:
| Even with preimage resistance, it seems like it wouldn't be
| insane to just burn cycles until you got one close enough,
| bitcoin-style.
|
| Dealing with attackers in a system like this seems very
| challenging, though very worthwhile in the end! Maybe
| something web-of-trust-y...
| infogulch wrote:
| My point is that I don't think there's anything during key
| generation that _requires_ the resulting key to be secure
| / chosen 'well', so an attacker might exploit key
| generation as a way to target a particular spot in the
| line, where having an insecure/easily compromised key
| doesn't matter to them even though that may be detrimental
| to the health of the network. But at least with preimage
| resistance any public key is just as likely as any other to
| get a particular spot that they desire so there's no
| incentive to exploit key generation to get it, they might
| as well generate a bunch of secure keys if they want to use
| a bitcoin-style brute force strategy.
| infogulch wrote:
| How does Yggdrasil compare to Wireguard? A github search shows
| that yggdrasil-go uses the wireguard-tun project as the tun driver;
| does it relate in any other way? The main problem/use case is
| different of course (Wireguard is a manually configured point-to-
| point vpn with e2ee, where yggdrasil is an internet-scale overlay
| network with e2ee.), but I mean at a low level, protocol,
| encryption, etc.
| natural219 wrote:
| I'd also be curious about this. Say for the use case of running
| a small private chat server hosted on a home network; does
| either of these seem better suited, or are they just different
| architectures that can handle mostly similar things?
| rjmalagon wrote:
| Very different. WireGuard is explicitly basic, it only cares about
| how to make an encrypted link between two devices, and does it very
| well. Key exchange, IP assignment and routing are manual
| work. There are solutions built on top of WireGuard (Tailscale
| is one of them) that put in some "automagic".
|
| YG puts more "magic" in the protocol (autorouting, mesh making,
| etc), but is not that clean in design (crypto not formally
| tested, latency-prone TCP links, not good enough NAT
| punching, etc).
|
| Wireguard and YG are different tools in the SDN network
| toolbox, and can be mixed for special purposes.
| rjmalagon wrote:
| At a low level it is not related to WireGuard in any way. The wintun
| project only exposes a virtual network interface to Windows
| systems, a clean and properly signed Windows driver. That side
| project of WireGuard was created because the native Windows
| virtual interface is too basic for "advanced VPNs" and the
| former Windows TUN driver (the OpenVPN side project TUN driver for
| Windows) used by everyone was clunky and old.
|
| YG uses its own crypto and routing; wintun is used here only to
| expose the virtual network interface on Windows.
| nickik wrote:
| One of the use-cases for this is Peer-to-Peer Matrix:
| https://matrix.org/blog/2020/06/02/introducing-p-2-p-matrix
| Hbruz0 wrote:
| Love it !
| adamcstephens wrote:
| Except I think the matrix project is going with pinecone
| instead. https://github.com/matrix-org/pinecone
| lifty wrote:
| Which is based on yggdrasil.
| Arathorn wrote:
| it's fairly circular actually - we used Yggdrasil in some
| of the earlier P2P Matrix POCs. This showed up some
| limitations, so we worked on solutions for them (alongside
| Yggdrasil) which became Pinecone on the Matrix side, and
| Ironwood on the Yggdrasil side. Then Yggdrasil 0.4 is
| incorporating them for general purpose IP overlay routing,
| while Pinecone is focusing on Matrix-specific application
| layer overlay routing. Perhaps the two will converge in the
| end, but until then they're somewhat overlapping friendly
| sister projects :)
| nickik wrote:
| Have you considered GNUNet? That could also offer a
| solution for the username problem.
| alophawen wrote:
| Fun fact. Yggdrasil can be translated to "the horse (drasil) of
| the terrible storm god (Ygg)", where Ygg is one of many names for
| Odin / Wutan
|
| https://en.wikipedia.org/wiki/List_of_names_of_Odin
| commandlinefan wrote:
| The documentation is a little light - is this similar to Freenet?
| rjmalagon wrote:
| Nope, it's more like a "Virtual public network" maker. Peer links
| are encrypted, each peer has its own key, but DHT and routing
| is not obfuscated. It exposes virtual network interfaces with
| an IPV6 address per node. You can use common software on it.
|
| "Magic VPN" or "Magic E2EE LAN" kinda IPSEC for commoners,
| depends on how you config it.
| qxfys wrote:
| the name reminds me of a paper that came across my desk a couple
| of months back: https://arxiv.org/abs/2007.11403 - "Yggdrasil:
| Privacy-aware Dual Deduplication in Multi Client Settings"
| some_furry wrote:
| https://github.com/yggdrasil-network/yggdrasil-go/blob/983df...
|
| I've never seen anyone need to check the top byte of a nonce
| before. This looks very odd to me.
| pharmakom wrote:
| This is really exciting! What happens if nodes misbehave?
| scruffyherder wrote:
| When not sounding like a Linux distro, it reminds me of 6to4
| foxpurple wrote:
| Can anyone explain what this means? What does it let me do?
| neilalexander wrote:
| Yggdrasil builds a multi-hop IPv6 overlay network using peer-
| to-peer connections. You can string a whole bunch of nodes
| together using whatever means (cables, wireless or TCP peerings
| over the internet or any other network) and you get a full-mesh
| network where everyone can reach everyone else.
|
| It's designed to be as minimal-configuration as possible and
| scalable in a way that many other mesh routing protocols
| aren't.
| number6 wrote:
| So it's a kind of VPN?
| fragileone wrote:
| A mesh VPN, or kinda a mesh TOR really.
| FuriouslyAdrift wrote:
| It's an overlay network (a software defined network that
| runs on top of another network... like your internet service
| provider's network).
|
| It's closer to BitTorrent than a VPN. It has end-to-end
| encryption and each node (the app that runs on your PC)
| distributes routes to each other (similar to how routing
| works on the Internet between large networks). It appears
| to be a flat spanning-tree style network.
|
| They mention that it is using similar code and ideas as the
| cjdns project.
| abra0 wrote:
| Do I understand correctly that it does not do hole-
| punching, and e.g. unlike with a VPN a host behind NAT
| will not be able to accept incoming connections?
| Sleepytime wrote:
| This is correct in the sense of peering, however hosts
| behind a NAT can simply connect to any other host on the
| network such as a public peer and then they can accept
| incoming connections over the yggdrasil network.
|
| I use yggdrasil for NAT hole punching my VPN, for
| example.
| fretn wrote:
| can it be a bit compared to what tailscale does for ipv4
| ?
| Sleepytime wrote:
| I haven't used tailscale so... I think so? Tailscale is
| pretty light on the details, and even their docs say that
| they have been reluctant to describe how it works.
|
| >People often ask us for an overview of how Tailscale
| works. We've been putting off answering that, because we
| kept changing it!
|
| Yggdrasil is fully peer to peer and doesn't require a
| central coordinator like tailscale does. Ygg is closer to
| a global network than a private one. You can make a
| private network, but if any peers on the network peer to
| the global net then your whole network is now peered.
| This should be handled at the firewall level, or with an
| overlay VPN.
| y04nn wrote:
| This page [1] has answered most of the questions I had on
| the project.
|
| [1] https://yggdrasil-network.github.io/about.html
| dsr_ wrote:
| No, it's a kind of virtual public network.
| loloquwowndueo wrote:
| So not a kind of VPN, but a kind of VPN? :)
| apetresc wrote:
| The "P" in VPN usually stands for "Private", not
| "Public".
| nickik wrote:
| I think that was the joke.
| heythere22 wrote:
| How does it compare to Zerotier? They seem to be in the same
| market
| rjmalagon wrote:
| Quite different. ZT is centralized config, direct peer to
| peer, automatic key exchange, virtual switch.
|
| YG is decentralized, direct peer to peer and multi hop
| routing, manual key exchange for direct peering, virtual
| internet (each node is a router to the other nodes).
|
| ZT (and Tailscale) require a central node coordinator for
| automatic config and peer key exchanges, peer directly with
| each node to create a flat virtual network, no multi hop
| routing; between two peers you need a reachable IP or port
| mapping (supports UPNP) on one of them (fixed in config;
| there are private TCP relays when carrier NAT/double NAT/
| restrictive firewalls are in place, very slow), use UDP
| for the links, mimic a virtual switch and support custom
| IPV4 / IPV6, good for virtual private networks.
|
| YG (and CJDNS) is kinda an overlay public network, is fully
| decentralized, it supports automatic routing between nodes
| to mimic a virtual Internet, each node is a router too,
| needs to register each key for every direct peer node
| connection (config needs peer key, reachable ip and port,
| but supports automatic key exchange for local networks), YG
| uses TCP for the links, supports self-healing routing, every
| peer has an IPV6 address derived from its public key.
|
| ZT (and Tailscale) can mimic a mesh network and node
| routing because they support bridge nodes between networks
| (routing between virtual switches), but it is not self-healing
| and somewhat heavy work to config. ZT is fully open source,
| can be configured with your own node coordinator and discovery
| helpers (Controllers and Moons in ZT), not easy. Only the
| Tailscale client is open source; it can't be configured with your
| own node coordinators for free.
|
| You can mix ZT and YG, weird side effects warranted but it
| works. (Edited post - some grammar fixes)
| crad wrote:
| Does it run on / require Yggdrasil Linux?
|
| (asking with tongue in cheek)
| bigpoppa wrote:
| Xenogears
| 4bpp wrote:
| One thing that wasn't clear to me from the documentation: What's
| the typical latency you observe with this network? Does the
| routing take physical distance/observed delays into account in
| some way, or could you wind up with short (in network space)
| paths that in reality bounce a packet back and forth between the
| US and New Zealand repeatedly?
| neilalexander wrote:
| Latency is dependent on the underlying peering connections.
| Yggdrasil will try wherever possible to take the shortest paths
| in network space, but yes, it's possible those could be
| physically indirect if the underlying peerings are indirect.
| Generally on the public network (which is probably a couple
| thousand nodes in number, where people have contributed a
| number of public nodes and have interconnected them) we see
| very reasonable latencies.
| capableweb wrote:
| > Generally on the public network [...] we see very
| reasonable latencies
|
| Could you elaborate with some specific examples on what you
| see being "very reasonable latencies"?
| Sleepytime wrote:
| I'm getting sub 100ms latencies across the continent with
| multi hop routes through public peers.
| woah wrote:
| Are you not routing based on latency and reliability like
| i.e. Babel does? You're only routing based on number of hops?
| habibur wrote:
| Need a performance comparison chart. Yggdrasil
| network throughput vs plain. Yggdrasil processor load and
| memory overhead vs plain. Yggdrasil latency vs plain.
|
| No matter how bad those numbers look, one can at least know
| beforehand what to expect.
| heythere22 wrote:
| A comparison to ZeroTier is also nice, they both seem to have
| the same use case (ZT can supply and route IPv4 and IPv6
| addresses)
| rwmj wrote:
| Also the name of one of the first Linux distributions
| (https://en.wikipedia.org/wiki/Yggdrasil_Linux/GNU/X)
| Tepix wrote:
| Their Linux CDs proved essential in a time where bandwidth was
| scarce and expensive with home users on dialup and only
| universities having a few megabits of bandwidth.
| Kichererbsen wrote:
| Not only that - the distribution my dad brought home included
| a _book_ (remember those?) which was actually a bunch of open
| source books collected in one! Tons of information on Unix
| stuff, shells, commands etc. I learnt so much from those
| books. I have no idea how someone would start in this day and
| age... (this was so important to tell for me that I finally
| stopped lurking and made an account _just_ for this comment!)
| wizzwizz4 wrote:
| You start by having someone tell you about man -k. That,
| plus playing (typos - error messages - more words to look
| up) is probably sufficient.
| foobarbazetc wrote:
| I used to use this distro on a 486SX. Then moved to Slackware
| '96.
|
| Those were the days.
| WalterGR wrote:
| Norse mythology has that beat by over 600 years.
|
| https://en.wikipedia.org/wiki/Yggdrasil_(disambiguation)
| reaperducer wrote:
| Can anyone help with the pronunciation? There's no help from
| the Wikipedia article. (Not that Wikipedia pronunciation
| guides are of any use to anyone other than language nerds,
| anyway.)
| isatty wrote:
| Lifted from the Wikipedia article: Yggdrasil Linux/GNU/X,
| or LGX (pronounced igg-drah-sill)
|
| Don't need to be a language nerd to understand that.
| mrweasel wrote:
| You have to love that it's a "Linux/GNU/X" system.
|
| Not even at GNU/Linux, but a Linux/GNU system... Would
| Stallman accept that or does GNU have to be first?
| edoceo wrote:
| Kernel/OS/DE seems a logical order. Or is GNU the
| Philosophy first? (I thought it means the tools)
| yjftsjthsd-h wrote:
| I kinda prefer this designation, because it's a way to
| distinguish "desktop linux" from servers and embedded.
| piva00 wrote:
| In parts of Europe it's quite common (at least in Sweden
| and Norway I know it's true) to learn the IPA so you can
| make sense of the alphabet and its phonemes, no need to be
| a language nerd to have a passing knowledge of IPA.
|
| I recommend studying it a little, it's really not that
| hard, just looks weird.
| sunshineforever wrote:
| Know of any good resources to learn it?
|
| -noob language nerd
| CoderPuppy wrote:
| I like the IPA Chart website [0] which lists the phonemes
| and has examples of each when clicked. To understand a
| pronunciation (such as /Ig.dr@.sIl/ for Yggdrasil), I'll
| match up the symbols to the chart and piece it together
| from the sample sounds.
|
| Sidenote: I had a bit of trouble locating an IPA
| transcription for Yggdrasil. The pronunciation guide in
| the Wikipedia article for Yggdrasil Linux/GNU/X is not
| IPA, it's using English pronunciation rules to try to
| emulate the correct pronunciation. The pronunciation in
| dictionaries (at least Merriam Webster) is also not quite
| IPA, though it is close. I came up with this
| pronunciation by merging those sources. It is probably
| correct, as I found a matching transcription in an old
| version of the Yggdrasil Wikipedia article which was
| removed for being original research.
|
| [0] https://www.ipachart.com/
| murermader wrote:
| Can confirm. Also learned it in school in Germany,
| although I forgot most of it, because I almost never use
| it. For most things, forvo [0] works well enough.
|
| [0] https://forvo.com/search/Yggdrasil/
| hulahoof wrote:
| for some reason I thought norse mythology was older than this!
| Tuna-Fish wrote:
| No comprehensive account of Norse mythology was ever
| written down by those who believed in it, or if it was,
| those records or references to them have not survived to
| this day. The only accounts we do have are those compiled
| by Christian monks who were converting the old Norse
| believers, right at the end of the pagan era.
|
| These accounts are heavily colored by the expectations and
| the worldview of those monks, and we do not know where the
| ideas that the Norse actually believed in end and where the
| ideas of what the monks thought religion is supposed to be
| begin. For example, much of the popular conception of
| Ragnarok is heavily influenced by Christian eschatology,
| instead of the original Norse beliefs. To complicate it
| even further, the Norse beliefs were in no way static, and
| as the influence of Christianity spread, the beliefs might
| have morphed to absorb concepts from Christianity.
| hutzlibu wrote:
| "For example, much of the popular conception of Ragnarok
| is heavily influenced by Christian eschatology, instead
| of the original Norse beliefs. "
|
| In simpler words: Christians believe that one day the
| world really ends with judgment day/apocalypse, and
| interpreted Ragnarok similarly as the end of the world,
| which is what many people today think of Ragnarok (a
| view that gets reinforced by the popular movies).
|
| But Ragnarok is not the end of the world, just the end of
| a cycle and start of a new beginning. The snake that
| bites its own tail. Endless cycle of seasons. Really a
| different philosophy.
|
| https://www.youtube.com/watch?v=zbT8vzX4sZY
|
| (Einar Selvik from Band Wardruna explains it, before
| performing a song about it)
| JumpCrisscross wrote:
| > _christians believe that one day the world really ends
| with judgment day /apocalypse, and interpreted Ragnarok
| similar as the end of the world, which is what many
| people today think of Ragnarok_
|
| There is also the interpretation that we live in a post-
| Ragnarok world, which conveniently allows the Christian
| narrative to perfectly mate to the end of the Norse gods'
| reign.
| ComodoHacker wrote:
| To be fair, nothing in the New Testament explicitly
| denies the possibility of repeating the cycle. CMIIW.
| dash2 wrote:
| Funnily enough, the early Church Father Origen believed
| that time was circular.
| edoceo wrote:
| So does Futurama.
| LinuxBender wrote:
| Jackson Crawford [1] does a decent job of explaining what
| bits of the mythos we still have. He also explains some
| of the misconceptions you speak of and even some of the
| things that movies get right and wrong. Related to some
| other discussions in this thread, he also pronounces many
| words for people.
|
| [1] - https://www.youtube.com/c/JacksonCrawford/videos
| koo6 wrote:
| how do _you_ know all that?
| edgyquant wrote:
| Maybe, but the eddas are 700 and 800 years old respectively,
| so still older than 600 (and these words almost certainly
| existed before being written down.)
| umanwizard wrote:
| It is.
|
| First of all, it's a branch of Indo-European mythology, as
| are the Greek, Roman, and Hindu pantheons. So it has
| existed in some form for thousands of years. But "Norse
| mythology" as we know it was mostly written down in the
| 13th century - so 700+ years ago.
| dagw wrote:
| It is. The written sources we have for norse mythology are
| 13th century, and those are compilations of earlier (lost)
| writings and oral traditions. There are written fragments
| from the 10th century referring to the norse gods.
|
| There are even 6th century writings referencing a germanic
| mythology with many similarities to the norse mythology.
| doctor_eval wrote:
| the main reason I used Slackware was because I didn't know how
| to pronounce Yggdrasil (I still don't).
| RealStickman_ wrote:
| > Yggdrasil Linux/GNU/X, or LGX (pronounced igg-drah-sill)
|
| https://en.m.wikipedia.org/wiki/Yggdrasil_Linux/GNU/X
| saalweachter wrote:
| Sounds more like a brand name prescription drug than a
| Linux distro.
| iou wrote:
| I glanced at this submission (without reading url) and thought
| someone was having a chuckle at this ancient distro too!
| edwintorok wrote:
| https://unsat.cs.washington.edu/projects/yggdrasil/ also the
| name of this tool.
| ddoolin wrote:
| Also the name of a Schiit DAC:
| https://www.schiit.com/products/yggdrasil
| neatze wrote:
| Interesting choice of LGPL license with exception.
| snovv_crash wrote:
| Could someone summarize what exactly the implications are of
| the exception? It seems that it is a link-time firewall for any
| GPL viral behaviour? As long as you're on the other side of the
| linker you can do anything, including embed a statically linked
| version in a proprietary application?
| jpetso wrote:
| My guess would be that this allows developers to distribute
| applications on Apple's App Store without much of a headache,
| where otherwise the user has no (LGPL-guaranteed) way to swap
| out libraries. IANAL, and haven't spent any significant
| research on this fwiw.
| rijoja wrote:
| Maybe they were forced to due to a dependency.
| gostsamo wrote:
| No, the readme says "shamelessly taken from godeb".
| ment0s wrote:
| What a stupid name. Looks like misspelled medicine name.
| nickik wrote:
| It's a great name. It's your general knowledge that is the
| problem.
| jancsika wrote:
| I don't see anything in the rules against bringing a comment
| back from the dead.
|
| I'm gonna bring it back from the dead.
|
| _Summons_
|
| "What a stupid name. Looks like misspelled medicine name."
|
| Also of note-- the same user posted almost the same comment
| twice-- once without the final word "name" in it.
|
| I prefer the version with the trailing "name" because it
| flows better.
|
| Thank you.
| olodus wrote:
| Wow hey there, let me counter that opinion with my opposing
| one, that it is very fitting. Sure the word might look a bit crazy
| to non-nordic people (it is kinda crazy, hard to disagree there)
| but the meaning of the name is imo really well chosen.
|
| It comes from the fairly well-known norse myth of the world-
| tree spanning all realms. So an overlay P2P network based on a
| global spanning tree feels like a very fitting name. But hey,
| you are free to dislike it for personal reasons if you want :)
| ment0s wrote:
| What a stupid name. Looks like misspelled medicine.
| maz1b wrote:
| Thought it was a StarCraft reference at first, but learned that
| it actually stems from Norse mythology.
|
| What commercial application will this have for an average
| consumer that isn't tech-savvy?
___________________________________________________________________
(page generated 2021-06-21 23:00 UTC)