[HN Gopher] Yggdrasil - Early-stage implementation of an end-to-end encrypted IPv6 network
___________________________________________________________________
Author : dragonsh
Score  : 396 points
Date   : 2021-06-21 08:02 UTC (14 hours ago)
Link   : github.com
| [deleted]
| aleken wrote:
| I have two devices split by VNET and not routed out to the internet. I connect
| those two and a VPS to create a small Yggdrasil network. This allows me to
| access all three devices from "anywhere". Would use again.
| boardwaalk wrote:
| What does this give you that Wireguard wouldn't? (Honest question, I have no
| idea.)
| aleken wrote:
| Oh. Also. If I lose my VPS my network is still functioning to a degree. If you
| lose your wireguard server I believe you're out of luck?
| aleken wrote:
| Good question. I could achieve the same with Tailscale or Innernet, both using
| Wireguard. So perhaps my answer has to be that Yggdrasil tickles my interest in
| mesh networking.
| nicce wrote:
| Can someone explain why it has end-to-end encryption by default on this level,
| and why it is good? Isn't this project more about host discovery and routing?
| Is it providing more performance compared to encryption on other layers, or is
| it just for "easy automatic" data encryption?
|
| Based on the documentation, it sounds like they have some kind of own crypto
| implementation in the end. I found the whitepaper describing the used
| algorithms, but I would need to know more about how exactly they are applied
| and why they are selected before I could trust the encryption.
| jdsully wrote:
| This allows us to focus our investment on one layer and have it apply to all
| applications on top "for free". I'm not saying this specific implementation is
| the right one, but having it below the app layer makes a ton of sense.
| wiml wrote:
| How does this compare to cjdns? Has anyone tried both?
| andrius4669 wrote:
| It works pretty similarly to cjdns, but the implementation is not as crashy in
| my experience; also some transport protocol differences (ygg uses TCP while
| cjdns does UDP), also DHT routing instead of the cjdns supernode stuff.
|
| So while usability is pretty similar, they're pretty different underneath.
| neilalexander wrote:
| We're prepping for a major new release too -- information here:
| https://yggdrasil-network.github.io/2021/06/19/preparing-for...
| infogulch wrote:
| https://yggdrasil-network.github.io/2021/06/19/preparing-for...
|
| > the root is the node with the lowest ed25519 public key, rather than the
| highest sha512sum hash of the public key
|
| With this scheme, could a bad actor decide to choose a poor key just to be the
| neighbor of a target in (edit) keyspace? Ordering by the hash of a public key
| means that the order is protected by the hash function's preimage resistance;
| does the generation of an ed25519 key have a similar protection?
| miloignis wrote:
| Even with preimage resistance, it seems like it wouldn't be insane to just
| burn cycles until you got one close enough, bitcoin-style.
|
| Dealing with attackers in a system like this seems very challenging, though
| very worthwhile in the end! Maybe something web-of-trust-y...
| infogulch wrote:
| My point is that I don't think there's anything during key generation that
| _requires_ the resulting key to be secure / chosen 'well', so an attacker
| might exploit key generation as a way to target a particular spot in the line,
| where having an insecure/easily compromised key doesn't matter to them even
| though that may be detrimental to the health of the network.
| But at least with preimage resistance any public key is just as likely as any
| other to get a particular spot that they desire, so there's no incentive to
| exploit key generation to get it; they might as well generate a bunch of secure
| keys if they want to use a bitcoin-style brute force strategy.
| infogulch wrote:
| How does Yggdrasil compare to Wireguard? A github search shows that
| yggdrasil-go uses the wireguard-tun project as the tun driver; does it relate
| in any other way? The main problem/use case is different of course (Wireguard
| is a manually configured point-to-point VPN with E2EE, where Yggdrasil is an
| internet-scale overlay network with E2EE), but I mean at a low level:
| protocol, encryption, etc.
| natural219 wrote:
| I'd also be curious about this. Say for the use case of running a small
| private chat server hosted on a home network; does either of these seem better
| suited, or are they just different architectures that can handle mostly
| similar things?
| rjmalagon wrote:
| Very different. WireGuard is explicitly basic, only cares about how to make an
| encrypted link between two devices, and does it very well. Key exchange, IP
| assignment and routing are manual work. There are solutions built on top of
| WireGuard (Tailscale is one of them) that put in some "automagic".
|
| YG puts more "magic" in the protocol (autorouting, mesh making, etc), but is
| not that clean in design (crypto not formally tested, latency-prone TCP links,
| not good enough NAT punching, etc).
|
| Wireguard and YG are different tools in the SDN network toolbox, and can be
| mixed for special porpoises.
| rjmalagon wrote:
| At a low level it is not related to WireGuard in any way. The wintun project
| only exposes a virtual network interface to Windows systems, a clean and
| properly signed Windows driver.
| That side project of Wireguard was created because the native Windows virtual
| interface is too basic for "advanced VPNs" and the former Windows TUN driver
| (the OpenVPN side project TUN driver for Windows) used by everyone was clunky
| and old.
|
| YG uses its own crypto and routing; wintun is used here only to expose the
| virtual network interface on Windows.
| nickik wrote:
| One of the use-cases for this is Peer-to-Peer Matrix:
| https://matrix.org/blog/2020/06/02/introducing-p-2-p-matrix
| Hbruz0 wrote:
| Love it!
| adamcstephens wrote:
| Except I think the Matrix project is going with Pinecone instead.
| https://github.com/matrix-org/pinecone
| lifty wrote:
| Which is based on Yggdrasil.
| Arathorn wrote:
| It's fairly circular actually - we used Yggdrasil in some of the earlier P2P
| Matrix POCs. This showed up some limitations, so we worked on solutions for
| them (alongside Yggdrasil) which became Pinecone on the Matrix side, and
| Ironwood on the Yggdrasil side. Then Yggdrasil 0.4 is incorporating them for
| general purpose IP overlay routing, while Pinecone is focusing on
| Matrix-specific application layer overlay routing. Perhaps the two will
| converge in the end, but until then they're somewhat overlapping friendly
| sister projects :)
| nickik wrote:
| Have you considered GNUNet? That could also offer a solution for the username
| problem.
| alophawen wrote:
| Fun fact. Yggdrasil can be translated to "the horse (drasil) of the terrible
| storm god (Ygg)", where Ygg is one of many names for Odin / Wotan
|
| https://en.wikipedia.org/wiki/List_of_names_of_Odin
| commandlinefan wrote:
| The documentation is a little light - is this similar to Freenet?
| rjmalagon wrote:
| Nope, it's more like a "Virtual public network" maker. Peer links are
| encrypted, each peer has its own key, but DHT and routing are not obfuscated.
| It exposes virtual network interfaces with an IPv6 address per node. You can
| use common software on it.
|
| "Magic VPN" or "Magic E2EE LAN", kinda IPsec for commoners, depending on how
| you config it.
| qxfys wrote:
| The name reminds me of a paper that came across my desk a couple of months
| back: https://arxiv.org/abs/2007.11403 - "Yggdrasil: Privacy-aware Dual
| Deduplication in Multi Client Settings"
| some_furry wrote:
| https://github.com/yggdrasil-network/yggdrasil-go/blob/983df...
|
| I've never seen anyone need to check the top byte of a nonce before. This
| looks very odd to me.
| pharmakom wrote:
| This is really exciting! What happens if nodes misbehave?
| scruffyherder wrote:
| When not sounding like a Linux distro, it reminds me of 6to4
| [deleted]
| foxpurple wrote:
| Can anyone explain what this means? What does it let me do?
| neilalexander wrote:
| Yggdrasil builds a multi-hop IPv6 overlay network using peer-to-peer
| connections. You can string a whole bunch of nodes together using whatever
| means (cables, wireless or TCP peerings over the internet or any other
| network) and you get a full-mesh network where everyone can reach everyone
| else.
|
| It's designed to be as minimal-configuration as possible and scalable in a
| way that many other mesh routing protocols aren't.
| number6 wrote:
| So it's a kind of VPN?
| fragileone wrote:
| A mesh VPN, or kinda a mesh TOR really.
| FuriouslyAdrift wrote:
| It's an overlay network (a software defined network that runs on top of
| another network... like your internet service provider's network).
|
| It's closer to BitTorrent than a VPN. It has end-to-end encryption and each
| node (the app that runs on your PC) distributes routes to each other (similar
| to how routing works on the Internet between large networks). It appears to
| be a flat spanning-tree style network.
|
| They mention that it is using similar code and ideas as the cjdns project.
| abra0 wrote:
| Do I understand correctly that it does not do hole-punching, and e.g.
| unlike with a VPN a host behind NAT will not be able to accept incoming
| connections?
| Sleepytime wrote:
| This is correct in the sense of peering; however, hosts behind a NAT can
| simply connect to any other host on the network such as a public peer and
| then they can accept incoming connections over the Yggdrasil network.
|
| I use Yggdrasil for NAT hole punching my VPN, for example.
| fretn wrote:
| Can it be a bit compared to what Tailscale does for IPv4?
| Sleepytime wrote:
| I haven't used Tailscale so... I think so? Tailscale is pretty light on the
| details, and even their docs say that they have been reluctant to describe
| how it works.
|
| > People often ask us for an overview of how Tailscale works. We've been
| putting off answering that, because we kept changing it!
|
| Yggdrasil is fully peer to peer and doesn't require a central coordinator
| like Tailscale does. Ygg is closer to a global network than a private one.
| You can make a private network, but if any peers on the network peer to the
| global net then your whole network is now peered. This should be handled at
| the firewall level, or with an overlay VPN.
| y04nn wrote:
| This page [1] has answered most of the questions I had on the project.
|
| [1] https://yggdrasil-network.github.io/about.html
| [deleted]
| dsr_ wrote:
| No, it's a kind of virtual public network.
| loloquwowndueo wrote:
| So not a kind of VPN, but a kind of VPN? :)
| apetresc wrote:
| The "P" in VPN usually stands for "Private", not "Public".
| nickik wrote:
| I think that was the joke.
| heythere22 wrote:
| How does it compare to Zerotier? They seem to be in the same market
| rjmalagon wrote:
| Quite different. ZT is centralized config, direct peer to peer, automatic key
| exchange, virtual switch.
|
| YG is decentralized, direct peer to peer and multi-hop routing, manual key
| exchange for direct peering, virtual internet (each node is a router to other
| nodes).
|
| ZT (and Tailscale) requires a central node coordinator for automatic config
| and peer key exchanges, peers directly to each node to create a flat virtual
| network, no multi-hop routing; between two peers you need a reachable IP or
| port mapping (supports UPnP) by one of them (fixed in config; there are
| private TCP relays when carrier NAT/double NAT/restrictive firewalls are in
| place, very slow). Uses UDP for the links, mimics a virtual switch and
| supports custom IPv4 / IPv6, good for virtual private networks.
|
| YG (and CJDNS) is kinda an overlay public network, is fully decentralized, it
| supports automatic routing between nodes to mimic a virtual Internet, each
| node is a router too, needs to register each key for every direct peer node
| connection (config needs peer key, reachable IP and port, but supports
| automatic key exchange for local networks), YG uses TCP for the links,
| supports self-healing routing, every peer has an IPv6 address derived from its
| public key.
|
| ZT (and Tailscale) can mimic a mesh network and node routing because it
| supports bridge nodes between networks (routing between virtual switches), but
| is not self-healing and somewhat heavy work to config. ZT is fully open
| source, can be configured with your own node coordinator and discovery helpers
| (Controllers and Moons in ZT), not easy. Only the Tailscale client is open
| source; can't be configured with your own node coordinators for free.
|
| You can mix ZT and YG, weird side effects warranted but works. (Edited post -
| some grammar fixes)
| crad wrote:
| Does it run on / require Yggdrasil Linux?
|
| (asking with tongue in cheek)
| bigpoppa wrote:
| Xenogears
| 4bpp wrote:
| One thing that wasn't clear to me from the documentation: What's the typical
| latency you observe with this network?
| Does the routing take physical distance/observed delays into account in some
| way, or could you wind up with short (in network space) paths that in reality
| bounce a packet back and forth between the US and New Zealand repeatedly?
| neilalexander wrote:
| Latency is dependent on the underlying peering connections. Yggdrasil will
| try wherever possible to take the shortest paths in network space, but yes,
| it's possible those could be physically indirect if the underlying peerings
| are indirect. Generally on the public network (which is probably a couple
| thousand nodes in number, where people have contributed a number of public
| nodes and have interconnected them) we see very reasonable latencies.
| capableweb wrote:
| > Generally on the public network [...] we see very reasonable latencies
|
| Could you elaborate with some specific examples on what you see being "very
| reasonable latencies"?
| Sleepytime wrote:
| I'm getting sub-100ms latencies across the continent with multi-hop routes
| through public peers.
| woah wrote:
| Are you not routing based on latency and reliability like e.g. Babel does?
| You're only routing based on number of hops?
| habibur wrote:
| Need performance comparison chart. Yggdrasil network throughput vs plain.
| Yggdrasil processor load and memory overhead vs plain. Yggdrasil latency vs
| plain.
|
| No matter how bad those numbers look, one can at least know beforehand what
| to expect.
| heythere22 wrote:
| A comparison to ZeroTier would also be nice; they both seem to have the same
| use case (ZT can supply and route IPv4 and IPv6 addresses)
| rwmj wrote:
| Also the name of one of the first Linux distributions
| (https://en.wikipedia.org/wiki/Yggdrasil_Linux/GNU/X)
| Tepix wrote:
| Their Linux CDs proved essential in a time when bandwidth was scarce and
| expensive, with home users on dialup and only universities having a few
| megabits of bandwidth.
| Kichererbsen wrote:
| Not only that - the distribution my dad brought home included a _book_
| (remember those?) which was actually a bunch of open source books collected
| in one! Tons of information on Unix stuff, shells, commands etc. I learnt so
| much from those books. I have no idea how someone would start in this day and
| age... (this was so important for me to tell that I finally stopped lurking
| and made an account _just_ for this comment!)
| wizzwizz4 wrote:
| You start by having someone tell you about man -k. That, plus playing (typos
| - error messages - more words to look up) is probably sufficient.
| foobarbazetc wrote:
| I used to use this distro on a 486SX. Then moved to Slackware '96.
|
| Those were the days.
| WalterGR wrote:
| Norse mythology has that beat by over 600 years.
|
| https://en.wikipedia.org/wiki/Yggdrasil_(disambiguation)
| reaperducer wrote:
| Can anyone help with the pronunciation? There's no help from the Wikipedia
| article. (Not that Wikipedia pronunciation guides are of any use to anyone
| other than language nerds, anyway.)
| isatty wrote:
| Lifted from the Wikipedia article: Yggdrasil Linux/GNU/X, or LGX (pronounced
| igg-drah-sill)
|
| Don't need to be a language nerd to understand that.
| mrweasel wrote:
| You have to love that it's a "Linux/GNU/X" system.
|
| Not even a GNU/Linux, but a Linux/GNU system... Would Stallman accept that or
| does GNU have to be first?
| edoceo wrote:
| Kernel/OS/DE seems a logical order. Or is GNU the philosophy first? (I
| thought it means the tools)
| yjftsjthsd-h wrote:
| I kinda prefer this designation, because it's a way to distinguish "desktop
| linux" from servers and embedded.
| piva00 wrote:
| In parts of Europe it's quite common (at least in Sweden and Norway I know
| it's true) to learn the IPA so you can make sense of the alphabet and its
| phonemes; no need to be a language nerd to have a passing knowledge of IPA.
|
| I recommend you study it a little, it's really not that hard, it just looks
| weird.
| sunshineforever wrote:
| Know of any good resources to learn it?
|
| -noob language nerd
| CoderPuppy wrote:
| I like the IPA Chart website [0] which lists the phonemes and has examples of
| each when clicked. To understand a pronunciation (such as /ɪɡ.drə.sɪl/ for
| Yggdrasil), I'll match up the symbols to the chart and piece it together from
| the sample sounds.
|
| Sidenote: I had a bit of trouble locating an IPA transcription for Yggdrasil.
| The pronunciation guide in the Wikipedia article for Yggdrasil Linux/GNU/X is
| not IPA, it's using English pronunciation rules to try to emulate the correct
| pronunciation. The pronunciation in dictionaries (at least Merriam Webster)
| is also not quite IPA, though it is close. I came up with this pronunciation
| by merging those sources. It is probably correct, as I found a matching
| transcription in an old version of the Yggdrasil Wikipedia article which was
| removed for being original research.
|
| [0] https://www.ipachart.com/
| murermader wrote:
| Can confirm. Also learned it in school in Germany, although I forgot most of
| it, because I almost never use it. For most things, forvo [0] works well
| enough.
|
| [0] https://forvo.com/search/Yggdrasil/
| hulahoof wrote:
| For some reason I thought Norse mythology was older than this!
| Tuna-Fish wrote:
| No comprehensive account of Norse mythology was ever written down by those
| who believed in it, or if it was, those records or references to them have
| not survived to this day. The only accounts we do have are those compiled by
| Christian monks who were converting the old Norse believers, right at the end
| of the pagan era.
|
| These accounts are heavily colored by the expectations and the worldview of
| those monks, and we do not know where the ideas that the Norse actually
| believed in end and where the ideas of what the monks thought religion is
| supposed to be begin. For example, much of the popular conception of Ragnarok
| is heavily influenced by Christian eschatology, instead of the original Norse
| beliefs. To complicate it even further, the Norse beliefs were in no way
| static, and as the influence of Christianity spread, the beliefs might have
| morphed to absorb concepts from Christianity.
| hutzlibu wrote:
| "For example, much of the popular conception of Ragnarok is heavily
| influenced by Christian eschatology, instead of the original Norse beliefs."
|
| In simpler words: Christians believe that one day the world really ends with
| judgment day/apocalypse, and interpreted Ragnarok similarly as the end of the
| world, which is what many people today think of Ragnarok (and that view gets
| reinforced by the popular movies)
|
| But Ragnarok is not the end of the world, just the end of a cycle and the
| start of a new beginning. The snake that bites its own tail. Endless cycle of
| seasons. Really a different philosophy.
|
| https://www.youtube.com/watch?v=zbT8vzX4sZY
|
| (Einar Selvik from the band Wardruna explains it, before performing a song
| about it)
| JumpCrisscross wrote:
| > _christians believe that one day the world really ends with judgment
| day/apocalypse, and interpreted Ragnarok similar as the end of the world,
| which is what many people today think of Ragnarok_
|
| There is also the interpretation that we live in a post-Ragnarok world, which
| conveniently allows the Christian narrative to perfectly mate to the end of
| the Norse gods' reign.
| ComodoHacker wrote:
| To be fair, nothing in the New Testament explicitly denies the possibility of
| repeating the cycle. CMIIW.
| dash2 wrote:
| Funnily enough, the early Church Father Origen believed that time was
| circular.
| edoceo wrote:
| So does Futurama.
| LinuxBender wrote:
| Jackson Crawford [1] does a decent job of explaining what bits of the mythos
| we still have. He also explains some of the misconceptions you speak of and
| even some of the things that movies get right and wrong. Related to some
| other discussions in this thread, he also pronounces many words for people.
|
| [1] - https://www.youtube.com/c/JacksonCrawford/videos
| koo6 wrote:
| How do _you_ know all that?
| edgyquant wrote:
| Maybe, but the Eddas are 700 and 800 years old respectively, so still older
| than 600 (and these words almost certainly existed before being written
| down.)
| umanwizard wrote:
| It is.
|
| First of all, it's a branch of Indo-European mythology, as are the Greek,
| Roman, and Hindu pantheons. So it has existed in some form for thousands of
| years. But "Norse mythology" as we know it was mostly written down in the
| 13th century - so 700+ years ago.
| dagw wrote:
| It is. The written sources we have for Norse mythology are 13th century, and
| those are compilations of earlier (lost) writings and oral traditions. There
| are written fragments from the 10th century referring to the Norse gods.
|
| There are even 6th century writings referencing a Germanic mythology with
| many similarities to the Norse mythology.
| doctor_eval wrote:
| The main reason I used Slackware was because I didn't know how to pronounce
| Yggdrasil (I still don't).
| RealStickman_ wrote:
| > Yggdrasil Linux/GNU/X, or LGX (pronounced igg-drah-sill)
|
| https://en.m.wikipedia.org/wiki/Yggdrasil_Linux/GNU/X
| saalweachter wrote:
| Sounds more like a brand name prescription drug than a Linux distro.
| iou wrote:
| I glanced at this submission (without reading the url) and thought someone
| was having a chuckle at this ancient distro too!
| edwintorok wrote:
| https://unsat.cs.washington.edu/projects/yggdrasil/ is also the name of this
| tool.
| ddoolin wrote:
| Also the name of a Schiit DAC: https://www.schiit.com/products/yggdrasil
| neatze wrote:
| Interesting choice of LGPL license with exception.
| snovv_crash wrote:
| Could someone summarize what exactly the implications are of the exception?
| It seems that it is a link-time firewall for any GPL viral behaviour? As long
| as you're on the other side of the linker you can do anything, including
| embed a statically linked version in a proprietary application?
| jpetso wrote:
| My guess would be that this allows developers to distribute applications on
| Apple's App Store without much of a headache, where otherwise the user has no
| (LGPL-guaranteed) way to swap out libraries. IANAL, and haven't spent any
| significant research on this fwiw.
| rijoja wrote:
| Maybe they were forced to due to a dependency.
| gostsamo wrote:
| No, the readme says "shamelessly taken from godeb".
| ment0s wrote:
| What a stupid name. Looks like misspelled medicine name.
| nickik wrote:
| It's a great name. It's your general knowledge that is the problem.
| jancsika wrote:
| I don't see anything in the rules against bringing a comment back from the
| dead.
|
| I'm gonna bring it back from the dead.
|
| _Summons_
|
| "What a stupid name. Looks like misspelled medicine name."
|
| Also of note-- the same user posted almost the same comment twice-- once
| without the final word "name" in it.
|
| I prefer the version with the trailing "name" because it flows better.
|
| Thank you.
| olodus wrote:
| Wow hey there, let me counter that opinion with my opposing one, that it is
| very fitting. Sure the word might look a bit crazy to non-Nordic people (it
| is kinda crazy, hard to disagree there) but the meaning of the name is imo
| really well chosen.
|
| It comes from the fairly well-known Norse myth of the world-tree spanning all
| realms.
| So an overlay P2P network based on a global spanning tree feels like a very
| fitting name. But hey, you are free to dislike it for personal reasons if you
| want :)
| ment0s wrote:
| What a stupid name. Looks like misspelled medicine.
| maz1b wrote:
| Thought it was a StarCraft reference at first, but learned that it actually
| stems from Norse mythology.
|
| What commercial application will this have for an average consumer that isn't
| tech-savvy?
___________________________________________________________________
(page generated 2021-06-21 23:00 UTC)