is a layer-two peer-to-peer virtual private network (VPN) which allows bypassing intermediate firewalls.
| n2n.7 (n2n-2.8) | : | n2n.7 (n2n-3.0) |
|---|
|
| .TH "n2n_v2" 7 "Sep 21, 2009" "revision 3909" "Background" | | .TH "n2n_v3" 7 "Sep 27, 2021" "version 3" "Background" |
| .SH NAME | | .SH NAME |
|
| N2n Version 2 \- version 2 of the n2n decentralised peer-to-peer network overlay | | n2n version 3 \- version 3 of the n2n decentralised peer-to-peer network overlay |
| VPN. | | VPN. |
| .SH DESCRIPTION | | .SH DESCRIPTION |
|
| N2n is a peer-to-peer network overlay or VPN system that provides layer 2 over | | n2n is a peer-to-peer network overlay or VPN system that provides layer 2 over |
| layer 3 encapsulation with data transform capabilities such as encryption and | | layer 3 encapsulation with data transform capabilities such as encryption and |
|
| compression. This guide discusses the differences of version 2 or n2n from | | compression. This guide also discusses the differences of version 3 of n2n from |
| version 1. | | version 2. |
| .SH PROTOCOLS | | .SH PROTOCOLS |
|
| N2n-2 uses a different set of messages to communicate with edges and | | n2n-3 basically uses the same set of messages to communicate with edges and |
| supernodes. The n2n-2 messages are not compatible with n2n-1. There is no | | supernodes. However, due to slight packet format changes, the n2n-3 messages |
| backward compatibility for n2n-1. | | are not compatible with n2n-2. There is no backward compatibility for n2n-2. |
| .SH ENCRYPTION | | .SH ENCRYPTION |
|
| N2n-2 offers a new way of handling encryption compared to n2n-1. N2n-1 provided | | n2n-3 offers four different ciphers for payload encryption as well as optional |
| facility for a single community password with no expiration. In n2n-2 this | | header encryption. Earlier versions of n2n-2 provided a mechanism using a key |
| method is preserved but a new mechanism has been added using a key schedule | | schedule which has been removed in n2n-3. A basic user authentication scheme |
| file. | | relying on asymmetric cryptography has been added to n2n-3. |
| .TP | | |
| Key Schedule | | n2n-3 provides the following ciphers to chose from for payload encryption; more |
| A key schedule file lists a number of keys with the period for which each is | | can be added as required: |
| valid along with the encryption type identifier and the actual key value. This | | |
| allows the user to define up to 32 keys in advance with a pre-set time at which | | |
| they keys will change. The key schedule file can be reloaded while the edge is | | |
| running to allow new keys to be loaded and unused keys expunged. | | |
| .TP | | |
| Timing Requirements When a key rolls over to the next in the schedule, the new | | |
| key is used for all transmitted packets; however any packets received using an | | |
| older key can still be decoded as the keys from the key schedule are still | | |
| known. As a result edges do not need to have accurate time synchronisation. The | | |
| accuracy of required synchronisation depends to a large degree on the key | | |
| schedule. Rapid key roll-overs requires more accurate time synchronisation. | | |
| .P | | |
| N2n-2 provides the following encryption ciphers; more can be added as required: | | |
| .TP | | .TP |
| .B (1) NULL | | .B (1) NULL |
| Data is encapsulated unchanged. Useful for testing and high-performance, low | | Data is encapsulated unchanged. Useful for testing and high-performance, low |
| sensitivity applications. | | sensitivity applications. |
| .TP | | .TP |
|
| .B (2) TF | | .B (2) TF-CTS |
| Twofish AES candidate. | | Twofish AES candidate in CTS mode. |
| .P | | |
| The following additional ciphers are specified but not yet implemented: | | |
| .TP | | |
| .B (3) AES-CBC | | |
| AES in CBC mode with 256-bit key. | | |
| .TP | | .TP |
|
| .B (4) LZO | | .B (3) AES-CTS |
| LZO compression of data (no encryption). | | AES in CTS mode with up to 256-bit key. |
| .TP | | .TP |
|
| .B (5) TF-LZO | | .B (4) CHACHA20 |
| TF cipher with LZO compression of data prior to encryption. | | ChaCha20, a well known stream cipher developped by Daniel J. Bernstein. |
| .TP | | .TP |
|
| .B (6) AES-CBC-LZO | | .B (5) SPECK-CTR |
| AES-CBC ciper with LZO compression of data prior to encryption. | | A fast block cipher developped by the NSA used as stream cipher in CTR mode. |
| | | .TP |
| | Full Header Encyption |
| | The optional full header encryption also encrypts packets' header which include |
| | some administrative data. In addition, it adds replay protection. |
| | .TP |
| | User Password Authentication |
| | n2n-3 implements an optional user-password authentication scheme. A key |
| | generator assists in generating user's public keys to be stored at the |
| | supernode side. |
| | .SH COPMPRESSION |
| | LZO for payload compression is an always available option at n2n-3. If compiled |
| | with |
| | zstdlib support, ZSTD is at optional service as well. |
| .SH EXTENSIBILITY | | .SH EXTENSIBILITY |
|
| N2n-2 decouples the data transform system from the core of the edge | | n2n-3 decouples the data transform system from the core of the edge |
| operation. This allows for easier addition of new data transform | | operation. This allows for easier addition of new data transform |
|
| operations. N2n-2 reserves 64 standard transform identifiers (such as TwoFish | | operations. n2n-3 reserves some standard transform identifiers (such as TwoFish |
| encryption) but allocates transform identifiers 64 - 65536 for user-defined | | encryption) but allocates transform identifiers for user-defined |
| transforms. This allows anyone to add to n2n new private transforms without | | transforms. This allows anyone to add to n2n new private transforms without |
| breaking compatibility with the standard offering. | | breaking compatibility with the standard offering. |
|
| | | .SH FEDERATED SUPERNODES |
| .SH MULTIPLE SUPERNODES | | n2n-3 incorporates the capability of multiple supernodes to be federated. |
| N2n-2 introduces the capability of multiple supernodes to be used by an | | Federation acts transparently and balances the workload evenly among the |
| edge. N2n-2 offers supernode in several flavours: | | federated supernodes. Supernodes keep track of edges connected to different |
| .TP | | supernodes and forward packets as required. This feature naturally supports |
| Stand-alone supernode | | fail-over and this increases redundancy and resilience. |
| | |
| This is the same concept as from n2n-1. Supernode is a small efficient C program | | |
| which operates in isolation. | | |
| .TP | | |
| Federated supernodes | | |
| | |
| This is a cluster of supernodes which share information. Edges registered to any | | |
| of the cooperating supernodes can relay packets through the supernode federation | | |
| and switch supernodes if required. Supernodes can send PACKET or REGISTER | | |
| messages to other supernodes to try and find the destination edge. | | |
| | | |
| .P | | .P |
|
| The n2n-2 edge implementation allows multiple supernodes to be specified on the | | Information on additional supernodes is propagated to all edges. In addition, |
| | the n2n-3 edge implementation allows multiple supernodes to be specified on the |
| command line. Edges monitor the current supernode for responses to | | command line. Edges monitor the current supernode for responses to |
|
| REGISTER_SUPER messages. If 3 responses are missed then the edge starts looking | | REGISTER_SUPER as well as PING messages. After three responses from current |
| for a new supernode. It cycles through the list of supernodes specified until it | | supernode are missed or when a better supernode in terms of significant lower wo |
| finds a working one. | | rkload |
| | is found, the edge tries to connect to another supernode. It cycles through the |
| .SH EFFICIENCY | | list |
| The n2n-2 message formats have been made more efficient. The amount of data | | f supernodes which over and over again is sorted according to reported workload. |
| overhead has been reduced by ensuring the messages contain only the data fields | | |
| required. Some optional fields do not consume data if they are not present. | | |
| | |
| .SH DAEMON OPERATION | | |
| The supernode and edge use daemon mode of operation by default. This sense is | | |
| inverted from n2n-1 where they ran in the foreground by default. They can be | | |
| made to run in the foreground so tools such a DJB's daemontools can work with | | |
| them. See the | | |
| .B -f | | |
| option | | |
| | |
| .SH MANAGEMENT CONSOLE | | .SH MANAGEMENT CONSOLE |
|
| Edge and supernode in n2n-2 provide a UDP-based management console. Both listen | | Edge and supernode in n2n-3 provide a UDP-based management console. Both listen |
| on the localhost address 127.0.0.1. Commands can be sent to the programs by | | on the localhost address 127.0.0.1. Commands can be sent to the programs by |
| sending to the UDP socket. Responses are returned to the socket from which | | sending to the UDP socket. Responses are returned to the socket from which |
| commands were issued. This only works from the computer on which the programs | | commands were issued. This only works from the computer on which the programs |
| are running. Statistics can be retrieved and commands issued. The netcat utility | | are running. Statistics can be retrieved and commands issued. The netcat utility |
| is all that is required; but more sophisticated tools could be built on the | | is all that is required; but more sophisticated tools could be built on the |
| interface. | | interface. |
| | |
| .SH SUPERNODE AUTHENTICATION | | .SH SUPERNODE AUTHENTICATION |
|
| .B (To be implemented) | | The supernode federation name serves as private key shared between the supernode |
| Space has been reserved in the supernode registration messages for an | | s only. |
| authentication mechanism. | | The corresponding public key can be provided to the edges. |
| | |
| .SH MESSAGE SUMMARY | | .SH MESSAGE SUMMARY |
|
| The following message types work within n2n-2. | | The following message types work within n2n-3. |
| .TP | | .TP |
| REGISTER_SUPER | | REGISTER_SUPER |
| Sent from an edge to its local supernode to register its MAC with the community. | | Sent from an edge to its local supernode to register its MAC with the community. |
|
| | Also, federated supernodes use this packet format to register to each other. |
| .TP | | .TP |
| REGISTER_SUPER_ACK | | REGISTER_SUPER_ACK |
| Sent from a supernode to an edge to confirm registration. This also carries the | | Sent from a supernode to an edge to confirm registration. This also carries the |
| definition of the edge socket as seen at the supernode so NAT can be detected | | definition of the edge socket as seen at the supernode so NAT can be detected |
|
| and described. | | and described. Furthermore, it carries information about additional federated |
| | supernodes. |
| .TP | | .TP |
| REGISTER_SUPER_NAK | | REGISTER_SUPER_NAK |
| Supernode refusing to register an edge. | | Supernode refusing to register an edge. |
| .TP | | .TP |
| PACKET | | PACKET |
| Encapsulated ethernet packets sent between edges. Supernodes forward or | | Encapsulated ethernet packets sent between edges. Supernodes forward or |
| broadcast these and edges send them direct in peer-to-peer mode. | | broadcast these and edges send them direct in peer-to-peer mode. |
| .TP | | .TP |
| REGISTER | | REGISTER |
| A peer-to-peer mode registration request from one edge to another. Supernodes | | A peer-to-peer mode registration request from one edge to another. Supernodes |
| forward these to facilitate NAT crossing introductions. | | forward these to facilitate NAT crossing introductions. |
| .TP | | .TP |
| REGISTER_ACK | | REGISTER_ACK |
| Complete peer-to-peer mode setup between two edges. These messages need to | | Complete peer-to-peer mode setup between two edges. These messages need to |
| travel direct between edges. | | travel direct between edges. |
| .TP | | .TP |
|
| FEDERATION | | QUERY_PEER |
| Federated supernodes exchanging community information. | | Queries a supernode about another edge, especially its public socket in case of |
| | no peer-to-peer communication can be established. Additionally, it serves as PIN |
| .SH OTHER DIFFERENCES | | G |
| .TP | | to query supernodes about themselves. |
| HTTP Tunneling | | .TP |
| This experimental feature (-t option in n2n_v1) of n2n_v1 has been removed | | PEER_INFO |
| entirely from n2n_v2. | | Answers the QUERY_PEER; it also covers the special case of the PING query, inter |
| | nally |
| | called PONG. |
| .SH AUTHORS | | .SH AUTHORS |
| .TP | | .TP |
| Richard Andrews andrews (at) ntop.org - main author of n2n-2 | | Richard Andrews andrews (at) ntop.org - main author of n2n-2 |
| .TP | | .TP |
| Luca Deri | | Luca Deri |
| deri (at) ntop.org - code inherited from n2n-1 | | deri (at) ntop.org - code inherited from n2n-1 |
| .SH SEE ALSO | | .SH SEE ALSO |
| ifconfig(8) edge(8) supernode(1) | | ifconfig(8) edge(8) supernode(1) |
|
| | .br |
| | the documentation contained in the source code |
| | .br |
| | the extensive documentation found in n2n's \fBdoc/\fR folder |
| | | |
| End of changes. 22 change blocks. |
|---|
| 93 lines changed or deleted | | 71 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 