Yggdrasil Network: The Dawn of Home Mesh Networks, or the Internet of the Future

 


Hornbeam

The era of mesh networks is gradually approaching. At a minimum, the term is appearing more and more often in the information sphere. What attracts the attention of network engineers to it, and why does the phrase “home mesh network” appear in the title of this article? Let's try to understand the issue, taking the Yggdrasil network as an example of one of the promising prototypes. The article is intended for a wide range of readers.

General understanding of topology

The Internet, like any other network, for example, a local one for several computers, is a network of interconnected computers. The order in which devices are connected on a network is called topology and is determined purely by the preferences and capabilities of the administrator. At home, you may have a Wi-Fi hotspot for easy connection from your smartphone, and a couple of desktop computers connected to the router with a cable. Obviously, the procedure for connecting your laptop to the Internet in your apartment depends only on you. There is no single and mandatory configuration, but any solution has its pros and cons.

As can be seen in the illustration, the most vulnerable is the star topology; it is also the most common in everyday life due to the simplicity of its organization. You don’t have to look far for an example: you probably have a single switch or router in your home or office, through which all computers are connected into one local network. If the connecting device is disconnected, all subscribers will be left without communication. The “tree” topology can be considered a logical continuation of the “star”: imagine a building where on each floor there is a separate switch, to which the offices located on the floor are connected. Thanks to the connection of switches with each other, offices from different floors can communicate. If the switch on the second floor fails, offices on other floors can still communicate with each other, but the first floor will lose communication with the rest.

Mesh or “mesh topology” is a network architecture in which all network participants have equal rights and act as both a client and a router for other participants. The main advantage of the mesh is its high fault tolerance, and the disadvantage is the complexity of practical implementation. Mesh topology has been widely used for decades, firstly by the military, and secondly, by large businesses. It involves complex design taking into account all possible conditions and is often associated with radio technologies, because radio is an indispensable assistant in organizing communications in the field.

Network data transmission model

As a child, while watching TV, many wondered about the magic that allows sound and picture to be transmitted over a thin coaxial cable. Now there are even more questions, because the entire world wide web is somehow transmitted wirelessly straight into a small box called a smartphone.

Everyone is familiar with the concept of an IP address - a subscriber’s logical address for routing its incoming and outgoing information over the network. Without going into the technical details of the TCP/IP stack, where IP is the easy-to-remember “Internet Protocol,” there are two main types of IP addresses:

  1. IPv4 – four-byte addresses written in decimal, with the bytes separated by dots, in the form “192.168.1.10”. IPv4 is familiar to the eye and easy to understand, but has a small address space of approximately four billion values. That is less than the population of the Earth: it is not possible to issue each person a unique address, let alone the Internet of Things.

  2. IPv6 – sixteen-byte addresses written in hexadecimal, with every two bytes separated by a colon. It looks something like this: “fe80:2a30:6b30:c26d:3d39:3ce4:218:6376”. It is hard to read and remember, but the number of possible addresses is unlimited as far as the human imagination is concerned. The IPv6 address space is enough for many planets, even assuming every resident has three coffee makers, each with a unique address.

IPv6 appeared later than IPv4 and to this day some software operates over the network only using the IPv4 protocol. This remark is especially relevant for old software, the developers of which have stopped actively developing the product.

To get closer to how digital transmission is represented, i.e. binary information made up of bits (zeros and ones), you need a basic understanding of the Open Systems Interconnection (OSI) networking model. If you wish, you can find a detailed reference in two clicks, so I won't rewrite the textbook. In short: from an electrical impulse in a wire to displaying a picture in a browser, several logical layers are involved, and the lower the layer, the less energy it costs on the client side. While the signal is traveling through the wire, the computer is not involved with it in any way. Then the signal reaches the device's network card, which performs its low-level processing itself. After that, the information is handed to the operating system, and its logical processing falls on the main resources of the computer. The highest point of this chain is the client application, for example a browser, and the image in it. In total, the electrical impulse is converted into bits, these bits form packets, the packets are delivered to the browser and assembled into a picture on the user's monitor.

Classic network

Almost any modern telecommunications network implies the presence of an administrator - a user endowed with authority and responsibility. The administrator establishes connectivity, connects new subscribers, and also has the right to censor and limit in every possible way the segment of the network under his control. This rule applies both to local networks and to the global Internet. In the case of the Internet, we resort to the services of providers who connect us to their network. In turn, small providers use the services of mainline providers; those who unite countries and continents with their cable. The more serious the level of the network, the greater the number of people servicing it. In addition to physically connecting different computers with wires, a tremendous amount of work is carried out on the logical setup of the network - routing. Thanks to it, our requests to another continent fly away in a few tens of milliseconds, because every higher-level router knows who needs to transmit the packet next. Even a tiny local network for several offices cannot do without setting up routing and the person who will set it up!

In the modern paradigm of the global network, centralization has taken root, i.e. control of critical infrastructure by a certain circle of persons: government and commercial structures. Some have the right to set prices, others have the right to completely deprive us of communication with the world. And they all have the power to monitor and regulate user activity. It seems that there is no escape from this.

Yggdrasil

Has it ever happened that your home router went down and everyone in the household was left without access to the network? Imagine how good it would be if the router were not a bottleneck, and if it failed, all members of the home network could still reach the Internet through a smart TV, the neighbors' wireless networks, and ultimately through your smartphone, all without any problems or additional configuration after the router failure!

All application programs are forced to use encryption when transmitting information over the network so that intermediate participants cannot intercept sensitive information. For example, almost all modern websites use the HTTPS protocol, which establishes an encrypted connection between the user and the server. Thanks to this, we calmly enter passwords and bank card data and trust that the information we enter will be received only by its intended recipient. Imagine that the network connection is always secure at the protocol level and there is no need to pile up additional security measures, including no need for certification authorities, the organizations the whole world trusts for the already mentioned HTTPS (a certification authority is a single point of failure for security, because it assures us of the reliability of the connection,

To organize a local network in an enterprise, or to set up a VPN for remote employees, even for a small network of three computers, a certain level of expertise and a suitable specialist are required. What if there were a solution that needs zero configuration from the average user, while allowing local networks to be combined or separated with routing fully preserved (between physically reachable nodes)?

As you already understand, all of the above features have been implemented and are being actively developed. We have reached the main subject of the article: Yggdrasil, a software implementation of a mesh network with unlimited scalability, automatic routing and end-to-end encryption of all traffic from user to user. Yggdrasil is a software solution that eliminates the need for an administrator when organizing small and medium-sized networks, and also minimizes the impact of crazy lawmakers on the connectivity of the network as a whole.

Addressing in Yggdrasil

Yggdrasil uses IPv6 addressing from the 200::/7 prefix. Addresses from this range are not used on the Internet, so there are no collisions. Each node also has its own 300::/64 subnet, which lets you assign shorter addresses to network interfaces, issue addresses from this subnet to local users at home, and host multiple resources at different addresses (for example, several websites that all use port 80). A short address is automatically routed to the full address from the 200::/7 range that shares its first 64 bits (with the leading 3 replaced by 2). For example, the address [324:9de3:fea4:f6ac::ace] is routed to the node with the full address [224:9de3:fea4:f6ac:6d7c:68f5:6c8e:f9a9]. Addresses from a node's additional subnet are easy to recognize by the leading 3, because full node addresses always start with 2.

The node address is generated when the network client is launched for the first time. To rule out the possibility of taking someone else's address, the IPv6 address in Yggdrasil is derived directly from the encryption key. A connection will not be established if the encryption key does not match the IPv6 address. Because guessing or stealing someone else's key is a highly non-trivial task, addresses in Yggdrasil can be considered resistant to malicious attempts to misuse them. Read more about the cryptographic formation of IPv6 addresses in Yggdrasil in the article.
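The two preceding paragraphs describe the address layout (200::/7 for the network, 2xx for node addresses, 3xx::/64 for each node's own subnet) and the rule that a node's address must be reproducible from its key. The following Python is an added example, not code from the article or from the Yggdrasil project: it checks membership in 200::/7, maps the article's node address to its /64 subnet, tests whether a short 3xx address belongs to a given node, and shows the key-to-address check a node effectively performs. The `address_from_key` routine is an assumption modelled on the scheme Yggdrasil 0.3.x used (SHA-512 of the key, leading-ones count, then the remaining bits), which the article does not spell out and which version 0.4 changed; the sample key is constructed.

```python
import hashlib
import ipaddress

# The whole Yggdrasil network lives in 200::/7: node addresses start with 2,
# each node's own /64 subnet starts with 3 and otherwise shares the same bits.
YGG_RANGE = ipaddress.IPv6Network("200::/7")


def is_yggdrasil_address(addr: str) -> bool:
    """True if the address falls inside the 200::/7 range."""
    return ipaddress.IPv6Address(addr) in YGG_RANGE


def node_subnet(node_addr: str) -> ipaddress.IPv6Network:
    """Return the 3xx::/64 subnet that belongs to a full 2xx:... node address."""
    packed = bytearray(ipaddress.IPv6Address(node_addr).packed)
    if packed[0] != 0x02:
        raise ValueError("not a full Yggdrasil node address (must start with 2)")
    packed[0] = 0x03            # marker byte 2 -> 3
    packed[8:] = bytes(8)       # keep the first 64 bits, zero the host part
    return ipaddress.IPv6Network((bytes(packed), 64))


def short_address_routes_to(short_addr: str, node_addr: str) -> bool:
    """True if a 3xx:... address is routed to this 2xx:... node: the two share
    the first 64 bits apart from the 2/3 marker byte."""
    s = ipaddress.IPv6Address(short_addr).packed
    n = ipaddress.IPv6Address(node_addr).packed
    return s[0] == 0x03 and n[0] == 0x02 and s[1:8] == n[1:8]


def address_from_key(pubkey: bytes) -> ipaddress.IPv6Address:
    """Derive a node address from a public key.

    ASSUMPTION: modelled on the Yggdrasil 0.3.x scheme, not taken from the
    article: hash the key with SHA-512, count the leading 1 bits, skip the
    first 0 bit, and pack the following bits behind the 0x02 prefix byte and
    the leading-ones count. Version 0.4 replaced this scheme.
    """
    digest = hashlib.sha512(pubkey).digest()
    bits = "".join(f"{b:08b}" for b in digest)
    ones = len(bits) - len(bits.lstrip("1"))
    rest = bits[ones + 1:]                      # drop the run of 1s and the first 0
    body = int(rest[:14 * 8], 2).to_bytes(14, "big")
    return ipaddress.IPv6Address(bytes([0x02, ones]) + body)


def key_matches_address(pubkey: bytes, claimed: str) -> bool:
    """The binding check: a peer whose key does not reproduce the address it
    claims is refused, so an address cannot simply be borrowed."""
    return address_from_key(pubkey) == ipaddress.IPv6Address(claimed)


if __name__ == "__main__":
    # Addresses quoted in the article
    node = "224:9de3:fea4:f6ac:6d7c:68f5:6c8e:f9a9"
    short = "324:9de3:fea4:f6ac::ace"
    print(node_subnet(node), short_address_routes_to(short, node))
    # Constructed sample key, not a real Yggdrasil key
    key = bytes(range(32))
    addr = address_from_key(key)
    print(addr, key_matches_address(key, str(addr)))
```

The point of `key_matches_address` is the defensive one the article makes: whoever wants to answer for an address must hold the key that hashes to it, so a mismatch is a reason to drop the session rather than to route around it.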

Due to the fact that the entire Yggdrasil network, regardless of the scale and physical location of the nodes, uses one subnet, it is impossible to conduct global address routing using canonical network administration tools.

Building a common coordinate tree in Yggdrasil

In traditional networks, where there is a meaningful distribution of allocated addresses, the routing logic is configured by numerous administrators, but how can a network operate without an administrator when it has thousands of nodes around the world? The name Yggdrasil comes from the tree of the same name in Scandinavian mythology, which unites the worlds. The name for the network was not chosen by chance, because routing in it has a tree structure.

In addition to the IP address, network nodes have coordinates that reflect their logical place in the network. So that these coordinates have a reference point, one of the otherwise equal participants is chosen from among the nodes as the starting point.

The above network map does not show all connections between nodes, but only some routes according to the logic of coordinate formation. The impression of centralization is erroneous, because this is not a topology for information transmission, but a diagram of the orientation of nodes within the network.

Logic for calculating the zero coordinate node

When an address is contacted for the first time, a broadcast query of nearby participants occurs, and then the search query is propagated further across the network. When the request reaches a node that directly sees the target address, a response is returned to the requester. Yggdrasil's design aims at the shortest paths and the highest possible speed of information transfer. Unlike the first request, an established session between two participants in most cases follows one route based on the coordinates of the transit nodes. Because of this, the first response has the longest waiting time; once the session is established and the optimal route is determined, the delay stabilizes.

The most noticeable bug, overshadowing all other possible smaller flaws, is “network storms”. The threat model consists of a node whose signing key makes it the preferred starting point appearing and disappearing in pulses, which forces the other participants to rearrange their coordinates around it each time. As you might guess, if coordinates are constantly rearranged, network routing suffers greatly, even to the point of a complete loss of pings.
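To make the coordinate idea and the cost of a “network storm” concrete, here is an added toy model in Python; it is not Yggdrasil's own code and not from the article. It builds a constructed six-node topology, assigns every node a coordinate equal to its path from a chosen root node, forwards greedily by tree distance (a general tree-routing technique, assumed here as an illustration of what the text describes, not as the project's exact algorithm), and counts how many nodes must re-derive their coordinates when the root changes, which is what a flapping root node forces over and over.

```python
from collections import deque

# Constructed sample topology (adjacency sets), not taken from the article.
LINKS = {
    "A": {"B", "C"},
    "B": {"A", "D", "E"},
    "C": {"A", "F"},
    "D": {"B"},
    "E": {"B", "F"},
    "F": {"C", "E"},
}


def assign_coordinates(links, root):
    """Build a BFS spanning tree from the root; a node's coordinate is the
    tuple of nodes on its tree path starting at the root."""
    coords = {root: (root,)}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nb in sorted(links[node]):          # sorted for deterministic trees
            if nb not in coords:
                coords[nb] = coords[node] + (nb,)
                queue.append(nb)
    return coords


def tree_distance(a, b):
    """Hops between two coordinates along the tree: up to the common ancestor
    and down again."""
    common = 0
    for x, y in zip(a, b):
        if x != y:
            break
        common += 1
    return len(a) + len(b) - 2 * common


def greedy_route(links, coords, src, dst):
    """Forward to whichever physical neighbour is closest to the destination
    in tree distance; on a tree this always makes progress."""
    path = [src]
    cur = src
    while cur != dst:
        best = min(links[cur], key=lambda nb: tree_distance(coords[nb], coords[dst]))
        if tree_distance(coords[best], coords[dst]) >= tree_distance(coords[cur], coords[dst]):
            raise RuntimeError("no neighbour is closer to the destination")
        path.append(best)
        cur = best
    return path


def coordinate_churn(links, old_root, new_root):
    """How many nodes get a different coordinate when the root changes."""
    old = assign_coordinates(links, old_root)
    new = assign_coordinates(links, new_root)
    return sum(1 for n in links if old[n] != new[n])


if __name__ == "__main__":
    coords = assign_coordinates(LINKS, "A")
    print(coords)
    print(greedy_route(LINKS, coords, "D", "F"))
    print("nodes re-coordinated when root A is replaced by F:",
          coordinate_churn(LINKS, "A", "F"))
```

Two things are visible in the output: the route from D to F follows the tree (D, B, A, C, F) even though the physical link E–F offers a three-hop path, which is why a session's route is a property of the coordinates rather than of the raw topology; and replacing root A with F changes the coordinate of every one of the six nodes, so a root that flaps makes the whole network recompute its coordinates on each pulse.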

Experience and theory of using Yggdrasil in production

The first release on GitHub dates back to February 17, 2018. However, to this day, Yggdrasil is positioned as a “raw” product, beta, and is not recommended for use in serious projects.

Many of the threats to network stability are relevant only when connected to the global segment of the network, where much of what happens does not depend on us. In the case of business solutions, there are cases of successful connection of remote employees through Yggdrasil, for example accountants: RDP without any extra router configuration or port forwarding. Such networks are organized in isolation, and therefore are not subject to a “network storm”: a public peer is run on a server controlled by a full-time system administrator, and all employees connect to it in overlay mode (i.e. via the Internet). The result is an easily scalable network like a VPN with internal IPv6. Yggdrasil can also be used to forward IPv4 local networks; the corresponding parameters are available in the configuration file.

Yggdrasil has built-in means of restricting access to the operating system's network interface, allowing only a trusted list of keys that are specified in the configuration file. This way, only manually added users will be able to connect to the machine's TUN interface. Untrusted network participants will not even be able to ping such a node's Yggdrasil IPv6 address, while transit traffic through the node is not affected in any way.

Also, since version 0.3.15, Yggdrasil allows you not only to block or allow certain addresses, but also to specify the encryption and signing keys when setting up a connection to a public peer. When an organization's employees connect centrally to a particular public peer, this parameter is more appropriate than ever, because by pinning the keys directly it protects against a theoretical attack in the form of IPv6 address spoofing.

Technical Notes

Yggdrasil operates at a fairly high level of the stack (L3, the network layer), forming its tunnels on top of regular TCP/IP. All processing of intranet traffic requires operating system computing resources. This is primarily due to cryptography: before information is passed to the virtual network interface, where the operating system sees it alongside regular traffic, cryptographic operations are performed in the Yggdrasil service. When there is a lot of transit traffic on weak hardware, slowdowns may occur.

To work on a local network, i.e. automatic peer detection, you must enable IPv6 on the real network interfaces of the computer. In the case of systems without IPv6 support (for example, Windows XP), connecting to Yggdrasil is only possible by specifying the IPv4 address of the public peer (the address can be local).

The network scales automatically: if one of the users of an isolated network segment registers an open public peer, the entire segment will become part of the global Yggdrasil network.

Getting started

Detailed instructions, a list of public peers, and a list of known intranet services are available on the official project page. The network client is cross-platform. At the time of publication, all common operating systems are supported: Windows, Linux, macOS, iOS and Android.

To connect to the global Yggdrasil segment, you need to add public peers to the configuration file; a list of them can be found at the link above in the “Public peers” section. After a successful start, visit the online directory of the Russian-speaking community at http://[222:a8e4:50cd:55c:788e:b0a5:4e2f:a92c]. It is like Wikipedia, only inside Yggdrasil, and contains many practical manuals and background information on the topic.

Yggdrasil will be of interest to network enthusiasts and administrators alike, and to the younger generation, for example for playing Minecraft on a pseudo-local network (as a replacement for Hamachi).

Postscript

At the beginning of the 2010s, the word “cryptocurrency” was almost unknown: in some places it sounded like science fiction, in others like nonsense. Only a small group of people understood what it was about, and an even smaller group grasped its essence and began to actively get acquainted with Bitcoin. Now cryptocurrencies of every kind abound, the hype train has already started moving, and jumping into the last carriage is neither easy nor cheap.

Having heard about mesh networks, you will understand with pleasant satisfaction that this train did not leave without you.

UPD: In the release of Yggdrasil 0.4 the protocol was changed significantly; read about it in the article “Yggdrasil Network 0.4 - A Leap in the Development of a Secure Self-Organizing Network”.
