DOI :: Notes on Yggdrasil | code quality, security, DNS

 

Notes on Yggdrasil: code quality, security, DNS

By Alex Kotov 

Medium

6 min

September 9, 2021

View Original

Now it is difficult to promote the Yggdrasil network for mass use. It is difficult for the average user because it requires configuration. It does not provide new ways to bypass the most commonly used Internet government blocking mechanisms compared to other technologies such as VPNs. It does not have a large number of unique resources. Finally, this is an experimental technology, the stability and safety of which there are questions.

Nevertheless, the very idea of ​​networks with mesh topology is extremely promising. On its basis, a fundamentally different Internet can be built, which we briefly touched upon in one of our articles . Yggdrasil is the most advanced software for the implementation of such networks, therefore it certainly deserves the attention of those who are interested not only in the current practical benefits, but also in the development and prospects of new technologies.

In addition, we have already talked about hosting websites in Yggdrasil, but very little has covered the features of this network. In doing so, we maintain a mirror of our website in it. This motivated us to study Yggdrasil in more detail. We want to share our experience and research results with you.

Code quality

It is impossible to speak professionally about software without understanding its source code. So we decided to study the source code of Yggdrasil. Fortunately, this is only 4874 lines of code in the Go programming language, or 6634 lines of code in general, excluding comments and empty lines (you can measure using the cloc program, which is available in most GNU / Linux distributions).

We were unpleasantly surprised. Let's start with the fact that the code is almost not tested. There is only one test file ( src/core/core_test.go) containing only 150 lines of code, that is, at best, this is 1/32 of the entire project code. This is very little. So, in Bitcoin, tests make up 1/7 of the code, in IPFS - 1/6, in Tor - 1/4. We made sure that the tests do not cover even such changes in the code that make the use of Yggdrasil impossible, for example, disabling the TUN/TAP virtual network interface. Needless to say, more subtle testing of variance in the data, which can pose a security risk.

The code itself is not readable. So, the function handlerin the file src/core/link.gotakes 110 lines (excluding empty lines and comments). It's pretty hard to work with. The authors of the code also recognize the problem: there is a comment in the function about the need to split it. We started our study of Yggdrasil with this file for a reason. One of our first ideas to dive into the source code was to add a new transport protocol like QUIC in addition to TCP and TLS. It seemed to us that it should be easy, but soon we were convinced of the opposite. For example, the structure linksfrom the same file contains transport layer connection information, and it is hardwired to the TCP protocol. To add QUIC, you will first need to rework the code.

Security: Privileges and Firewall

Now consider security from a more general point of view. When installing Yggdrasil on Debian and systemd-based operating systems, it runs as root. This is needed to administer the TUN / TAP virtual network interface and create a service socket file (admin socket), but then the privileges should be reset, which does not happen. The Linux capabilities for the process are set explicitly, which is good.

By default, any network member can send packets to your address. Previously, Yggdrasil had a built-in firewall, but in version 0.4 it was removed to simplify the code. While this doesn't pose an immediate threat, it can increase the attack surface on your device when combined, so it's important to set up a firewall. Next, we will offer the most strict settings that are not suitable for a server, but are suitable for a home computer. The Yggdrasil user gets one address per subnet 200::/7, as well as an entire subnet with a 64-bit prefix length on the subnet 300::/8, which is a subset of the first subnet, so does not require separate processing in the firewall. On Linux, rules for iptables that only allow outgoing connections (TCP, UDP, ICMP, and others) would look like this:

ip6tables -A INPUT  -i ygg0 -s 200::/7 -d 200::/7 -m conntrack --ctstate ESTABLISHED     -j ACCEPT  
ip6tables -A OUTPUT -o ygg0 -s 200::/7 -d 200::/7 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT  
ip6tables -A INPUT  -i ygg0    -j REJECT  
ip6tables -A OUTPUT -o ygg0    -j REJECT  
ip6tables -A INPUT  -s 200::/7 -j REJECT  
ip6tables -A OUTPUT -s 200::/7 -j REJECT  
ip6tables -A INPUT  -d 200::/7 -j REJECT  
ip6tables -A OUTPUT -d 200::/7 -j REJECT

Here ygg0, is the name of the TUN/TAP virtual network interface. It must be specified in the Yggdrasil settings (file /etc/yggdrasil.conf) in the field IfName. It is advisable to remove your keys ( PublicKey: nulland PrivateKey: null) from the configuration file. Then your IP address will change every time you start, which also makes attacks more difficult. It is worth changing the setting NodeInfoPrivacyto trueto not report information about your operating system, processor architecture, and version of Yggdrasil.

IPv4 is not used in yggdrasil, but to be safe, you can disable all such traffic on the network interface:

iptables -A INPUT  -i ygg0 -j REJECT  
iptables -A OUTPUT -o ygg0 -j REJECT

Availability: DNS and relative paths

Addressing in Yggdrasil is based on IPv6 addresses. This is not always convenient. Addresses are difficult to remember, not all programs perceive them as valid links. Therefore, users try to use DNS. For example, there is a meshname program that simply converts IPv6 addresses to domain names. This does not solve the memory problem, moreover, it requires the installation of third-party software. There are various DNS servers that allow the use of shorter domain names and standard operating system software (such as dnsmasq). However, this also requires configuration, and also binds the user to a specific server.

It turns out that the only universal way to resolve names is to use AAAA global DNS records. This entails all the corresponding disadvantages, but other mechanisms in modern operating systems are not implemented due to the conservatism of this area, which we already wrote about earlier . We believe that without the initiative from the developers of operating systems, the situation will not change, since all alternative solutions are too marginal.

Even the global domain name system does not solve some of the problems that website administrators have in Yggdrasil. For example, if one server has to distribute the site both to Yggdrasil and to the Internet, then it will not work to use a URL (of the form foobar.tld/qwe/rty). We promote the use of relative paths (of the form) in distributed networks qwe/rty. This requires some configuration of the web applications or static site generators, but is not too difficult. Relative paths are also more versatile than absolute paths (of the form /qwe/rty) because they allow you to serve websites that are not from the root path. We have already suggested this option for IPFS, but it can be useful in other cases where you cannot rely on the standard conditions of the World Wide Web, including in Yggdrasil.

conclusions

Yggdrasil is raw software. It is absolutely not to be used for any important tasks. However, it is worth helping in its development. The discussion is very active in chat in Matrix . There is also an active Russian-speaking Russian Meshnet community on Matrix and on Telegram . If you are a regular user, then go to the various chats and forums that are on the network and tell the community about your experience and problems found. If you are a programmer, then help in writing code. Only two people are actively involved in this. I think that if there are more developers, then most of the problems of Yggdrasil will be solved and we will see the real possibilities of networks with a mesh topology.

Просмотры: