1. 28
  1. 2

    The other technologies people are comparing it to are VPNs. I guess you could look at Yggdrasil as an “open VPN” anyone can connect to, but a bigger difference seems to be the built-in authentication: any TCP connection over Yggdrasil is bidirectionally authenticated by the client’s and server’s key-pairs. And neither side’s software needs to mess with TLS or SSH to get that.

    1. 1

      The article mentions Tinc as a P2P vnet; there is also n2n in that space.

      1. 1

        Could someone using Yggdrasil compare it to zerotier? From the description, it sounds like they’re almost the same.

        (Big difference I could find is that ZT can assign ipv4 on the private network)

        1. 2

          I think this is not a private network

          1. 1

            It’s public by default (e.g. by opening a listener you choose to allow others to connect to you), but can be made private with some simple configuration. You can either restrict membership to link-local devices (which could be useful if you can’t control your private network say if you’re living with relatives or family) or check for a known public-key.

          2. 2

            It sure looks like it’s trying to solve the same problems as zerotier and tailscale.

          3. 1

            Very exciting. I’m building a P2P system with key-based identities, and Yggdrasil looks like it solves the connectivity and routing problems I’ve been procrastinating on. (In other words, my code currently lets peer A connect to peer B and sync state … but only if B’s IP address is known to and reachable from A.)

            1. 1

              Another option for that use case might be libp2p (which is a layer ipfs is built on top of)

              1. 1

                Except there’s no implementation of libp2p with a C/C++ API.

            2. 1

              I’ve been using Yggdrasil for more than a year now, and I love it. All my servers and my workstation are connected to the network, and I use it to ssh between them.

              The coolest aspect of yggdrasil is IMO the built-in encryption at the network card level. Knowing that any p2p connection is fully encrypted AND authenticated is a huge step forward regarding full encryption, and it puts the encryption where it should be: at the link level rather than the application. This means that older protocols like telnet, smtp, gopher, irc, … are all fully encrypted now, and there is no need to bother with it when implementing them.

              My only real question about it is as follows:

              Assuming Yggdrasil becomes a thing and replaces the clearnet, how would ygg nodes peer with each other? In the current implementation, Yggdrasil needs an established network (either ipv4 or ipv6) to set up the peering between nodes before they can start communicating.
              Would it be possible to simply cut that part, and have Yggdrasil directly assign ipv6 addresses to the network card and communicate directly with other nodes?

              1. 2

                Mesh networks have always intrigued me, but they never seemed to work/scale all that well. It sounds like Yggdrasil might actually do well.

                Up to version v0.3.13 they had the IfTAPMode option to create a TAP interface. My guess is that you could’ve used that to bridge with a physical adapter. That way your network card would get a Yggdrasil-based ipv6 address. It could discover Yggdrasil on your local Ethernet using NDP, which was implemented.

                As a way to replace the current IPv6 internet you can imagine that the modem/router supplied by your ISP runs a Yggdrasil node, and all the devices on the local Ethernet run one too. The ISP is also a Yggdrasil node that your router connects to. Now you’ve replaced the traditional IPv6 internet with a Yggdrasil IPv6 internet. Of course in practice ISPs won’t support Yggdrasil.

                But the nice thing is it’s all just 1 flat network; there are no routing tables, so anyone can add links/peers and the entire network can make use of that. So you could envision your WiFi access point peering with your neighbors, and theirs with their neighbors, and so on to create a giant mesh network.

                As cool as it is I do have 2 reservations:

                • As far as I can tell it has never been tested against people adding bad routes, on purpose or by lack of knowledge. For example someone peering from their home connection with their 2 VPN servers on opposite sides of the planet. It seems very tempting to do because then you have a “direct” connection to your servers instead of going through several Yggdrasil peers. Except that connection still goes through multiple hops over the traditional internet, while the routing in Yggdrasil assumes you are adding direct wired/radio links. It sounds like you could severely degrade the network performance this way, from reading their blog post Practical peering.

                • The public keys are truncated to 64 bit for seemingly no good reason. IPv6 is 128 bits. They have to use a 32 bit prefix in order to not conflict with normal IPv6 internet usage. But then they supply a 64 bit network to each node? Why? The only reason given is that you might want to connect low powered devices that can’t run their own Yggdrasil node to the network. Who is going to connect 2^64 low power devices to a single Yggdrasil node? My guess is that it’s to allow the low powered devices to pick a random address rather than having to assign one. But this seems like such a rare use case to me that I would have rather seen this address space reduced to 16 bit, and have the public key truncated to just 80 bits, which seems a lot more secure.
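                As an added illustration (not Yggdrasil’s own code, and not its real derivation, which this thread does not spell out), a simplified key-bound addressing model with the prefix width and the number of key bits as parameters, so the 64-bit versus 80-bit trade-off raised above can be examined directly. The 32-bit prefix width is taken from the comment; the prefix value and the key bytes are constructed for the example.

```python
import hashlib
import ipaddress

# Illustrative key-bound addressing, added as an example; NOT Yggdrasil's real scheme.
# A 128-bit address = fixed network prefix || leading bits of a hash of the node's
# public key || host part left free for devices behind the node.
TOTAL_BITS = 128
PREFIX_BITS = 32                 # width assumed from the comment above
EXAMPLE_PREFIX = 0x0200_0000     # constructed 32-bit prefix value for this example


def derive_address(pubkey: bytes, key_bits: int,
                   prefix: int = EXAMPLE_PREFIX) -> ipaddress.IPv6Address:
    """Embed the first `key_bits` bits of SHA-256(pubkey) after the prefix; host part is zero."""
    if not 0 < key_bits <= TOTAL_BITS - PREFIX_BITS:
        raise ValueError("key_bits must lie between 1 and %d" % (TOTAL_BITS - PREFIX_BITS))
    digest = int.from_bytes(hashlib.sha256(pubkey).digest(), "big")
    key_part = digest >> (256 - key_bits)              # keep the leading key_bits bits
    host_bits = TOTAL_BITS - PREFIX_BITS - key_bits
    value = (prefix << (TOTAL_BITS - PREFIX_BITS)) | (key_part << host_bits)
    return ipaddress.IPv6Address(value)


def address_matches_key(addr: ipaddress.IPv6Address, pubkey: bytes, key_bits: int,
                        prefix: int = EXAMPLE_PREFIX) -> bool:
    """Verify a peer's claimed address against the key it presents.

    Only the prefix and the key bits are compared; the host part is free and ignored,
    which is what lets devices behind the node pick their own low bits.
    """
    host_bits = TOTAL_BITS - PREFIX_BITS - key_bits
    mask = ((1 << (TOTAL_BITS - host_bits)) - 1) << host_bits
    expected = int(derive_address(pubkey, key_bits, prefix))
    return (int(addr) & mask) == (expected & mask)


def work_factors(key_bits: int) -> dict:
    """log2 effort: matching one given address (second preimage) vs. any two keys colliding."""
    return {"second_preimage_bits": key_bits, "collision_bits": key_bits // 2}


if __name__ == "__main__":
    node_key = bytes.fromhex("aa" * 32)   # constructed stand-in for a 32-byte public key
    for bits in (64, 80):
        print(bits, derive_address(node_key, bits), work_factors(bits))
```

                Fewer key bits in the address means fewer bits an on-path peer has to match to present a key consistent with someone else’s address, which is the security cost the comment is weighing against the size of the host part.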

                1. 1

                  Thanks for the explanation! I didn’t think about NDP to discover other nodes, it makes quite a lot of sense indeed.

                  > As far as I can tell it has never been tested against people adding bad routes

                  I read that Yggdrasil uses a spanning-tree for the routing table, which, as I understand STP, implies that if two routes lead to the same network, one of them will be disabled in favor of the other.

                  > The public keys are truncated to 64 bit for seemingly no good reason

                  My guess here is that it’s pretty “common” among service providers to give out a full /64 to their customers, so they went with the same idea here.
                  Keep in mind that Yggdrasil is still a proof-of-concept, so they don’t need to “save” IPv6 addresses. If it ever gets adopted, it’ll probably be reworked against “practical” use-cases, and eventually grow the size of the keys (or make them variable in size, maybe?).

                  1. 1

                    > I read that Yggdrasil uses a spanning-tree for the routing table, which, as I understand STP, it implies that if two routes lead to the same network, one of them will be disabled in favor to the other.

                    Not much of a mesh network then?

                    1. 1

                      Indeed, but Yggdrasil was never meant to be a mesh network in the first place. I agree that on this part the article is misleading.