Difference between revisions of "ChaosVPN:geekend1"

From CCCHHWiki

Revision as of 17:55, 29 January 2011

what?

Let's do a geekend and get things done on the ChaosVPN.

where

Hamburg. In the new Hackerspace of attraktor and CCC Hamburg.

when

The Geekend will be on January 28th - 30th.

participants

  • arrived:
    • mc.fly
    • guus
    • crest
  • still missing:
    • Jens
    • hc
    • nomaam
    • wopot
    • zocker

Issues

monitoring

User:mc.fly wants to build a munin / nagios server for chaosvpn.

  • the server itself is up and running.
    • munin running, but no chaosvpn node configured so far
    • nagios installed but not configured.
      • Haegar recommends icinga

dns

Improve dns usage in ChaosVPN.

  • which DNS daemon (pro and con discussion)
  • anycast

connect people

connect the routers at some spaces

packages

build debian and openwrt packages

  • debian
    • build packages
    • get them into squeeze?
  • OpenWRT
    • package
    • image with tinc and config for fonera 2.0n

Goals

  • Set up warzone properly
  • Get dns in the default images and improve dns use by adding nodes to the zonefile
  • rework the documentation

infrastructure

lodging

attendees

suggested topics

  • a) maintaining the chaosvpn.net content
  • b) making chaosvpn more secure - hc's nonroot changes alone are not enough
  • c) (re)define a joining policy/policies
  • d) getting rid of the SPOF (single point of failure) vpn.hamburg.ccc.de by allowing multiple URLs to be specified in chaosvpn.conf and by replicating the info on vpn.hamburg... to other nodes
  • e) getting a very reliable dns that works with chaosvpn up and with chaosvpn temporarily down

Update Policy for the client

I would like to suggest the following policy:

  • The central configuration is signed and encrypted
  • The signature and/or the signed configuration contains the signing timestamp
  • The configuration is signed automatically at least once within 24 hours
  • The signed configuration is pushed to multiple servers

When a client downloads the configuration, it executes the following steps:

  • Get a list l of (IP addresses of) servers via the local configuration and/or DNS
  • Sort l randomly
  • c = local config
  • t = age of local config
  • for (i = 0; i < l.length; i++)
    • d = get config from server l[i]
    • check signature of d
    • if signature is correct:
      • u = now - timestamp of d
      • if u < t
        • c = d
        • t = u
        • if t < 24h + delta, then break for-loop
  • if t > 24h + delta
    • Warn the user
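The client-side selection loop from the policy above, written out as an added example (this is not code from the ChaosVPN project). It assumes the names fetch_config, verify, MAX_AGE and DELTA, constructs its own sample configs, and uses an HMAC with a shared key as a stand-in for the real signature so that it runs offline; the page calls for a proper signature, which a deployment would use instead.

```python
import hashlib
import hmac
import json
import random

# Constructed stand-in for the project's signing key. The page calls for a signed
# configuration; a real deployment would use an asymmetric signature so that mirrors
# holding a copy cannot forge one. HMAC here only exercises the accept/reject flow.
SIGNING_KEY = b"constructed-demo-key"
MAX_AGE = 24 * 3600   # "24h" on the page
DELTA = 3600          # the page's "delta" grace period; one hour is an assumed value

def sign_config(payload: dict, signed_at: int) -> dict:
    """Server side: the signing timestamp sits inside the signed body, so it cannot be altered."""
    body = json.dumps({"payload": payload, "signed_at": signed_at}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify(blob: dict):
    """Return (payload, signed_at) when the signature checks out, otherwise None."""
    expected = hmac.new(SIGNING_KEY, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["sig"]):
        return None
    data = json.loads(blob["body"])
    return data["payload"], data["signed_at"]

def fetch_config(servers: dict, local_cfg, local_age: int, now: int, rng=random):
    """Client side. servers maps IP -> blob, or None when the mirror is unreachable.
    Returns (config, its age in seconds, stale flag for the 'warn the user' step)."""
    order = list(servers)
    rng.shuffle(order)              # sort l randomly: no mirror is preferred
    c, t = local_cfg, local_age     # start from the local config and its age
    for ip in order:
        d = servers[ip]
        if d is None:
            continue                # mirror down (the SPOF case): try the next one
        checked = verify(d)
        if checked is None:
            continue                # bad signature: a forged or corrupted copy, ignore it
        payload, signed_at = checked
        u = now - signed_at
        if u < t:                   # only ever move to a fresher config (no rollback)
            c, t = payload, u
            if t < MAX_AGE + DELTA:
                break               # fresh enough, no need to ask further mirrors
    return c, t, t > MAX_AGE + DELTA
```

A signing timestamp in the future gives a negative u that always wins the comparison, so a real client should additionally reject a config whose timestamp lies beyond now plus delta.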

questions? answers!

join the IRC channel #chaosvpn @ spaceboyz.net