ChaosVPN:geekend1

From CCCHHWiki
Revision as of 19:16, 29 January 2011 by HC (talk | contribs) (Update Policy for the client)

what?

Let's do a geekend and get things done on the chaosvpn.

where

Hamburg. In the new Hackerspace of attraktor and CCC Hamburg.

when

The Geekend will be on January 28th - 30th.

participants

  • arrived:
    • mc.fly
    • guus
    • crest
  • still missing:
    • Jens
    • hc
    • nomaam
    • wopot
    • zocker

Issues

monitoring

User:mc.fly wants to build a munin / nagios server for chaosvpn.

  • the server itself is up and running.
    • munin running, but no chaosvpn node configured so far
    • nagios installed but not configured.
      • Haegar recommends icinga

dns

Improve dns usage in ChaosVPN.

  • which dnsd (pro and con discussion)
  • anycast

connect people

connect the router at some spaces

packages

build debian and openwrt packages

  • debian
    • build Packages
    • get it into squeeze?
  • OpenWRT
    • package
    • image with tinc and config for fonera 2.0n

Goals

  • Set up warzone properly
  • Get dns in the default images and improve dns use by adding nodes to the zonefile
  • rework the documentation

infrastructure

lodging

attendees

suggested topics

  • a) maintaining the chaosvpn.net content
  • b) making chaosvpn more secure - hc's nonroot changes alone are not enough
  • c) (re)define a joining policy/policies
  • d) getting rid of the SPOF (single point of failure) vpn.hamburg.ccc.de by allowing multiple URLs to be specified in chaosvpn.conf and by replicating the info on vpn.hamburg... to other nodes
  • e) getting a very reliable dns that works both while chaosvpn is up and while chaosvpn is temporarily down

Update Policy for the client

I would like to suggest the following policy:

  • The central configuration is signed and encrypted
  • The Signature and/or the signed configuration contains the signing timestamp
  • The configuration is signed automatically at least once within 24 hours
  • The signed configuration is pushed to multiple servers

When a client downloads the configuration, it executes the following steps:

  • Get a list l of servers (IP addresses) via the local configuration and/or DNS
  • Sort l randomly
  • c = local config
  • t = age of local config
  • for (i = 0; i < l.length; i++)
    • d = get config from server l[i]
    • check signature of d
    • if signature is correct:
      • u = now - timestamp of d
      • if u < t
        • c = d
        • t = u
        • if t < 24h + delta, then break for-loop
  • if t > 24h + delta
    • Warn the user

In short: get a configuration from a random mirror; if it is older than 24 hours, try all other mirrors until you have found a configuration not older than 24 hours. If all mirrors have been tried, use the newest available configuration with a correct signature, and warn the user.

Suggestion by hc: warning the user won't help; if the configuration is older than, say, 7 weeks, disconnect from chaosvpn till the situation is resolved.

questions? answers!

join the IRC channel #chaosvpn @ spaceboyz.net