Having no centralized server looks very appealing for a mesh overlay network in a home environment. Any Yggdrasil reviews? The main two things I’m curious about are:
Security: I’m having trouble understanding how just firewalling specific IP addresses is enough security. What prevents someone else from using the same IP address?
Performance: the official site compares itself to OpenVPN and SSH. But what about Wireguard/ZeroTier?
Re: security: from what I know, Yggdrasil IP addresses are derived from the public part of the keypair used to connect to the network - in order to use the same IP address as you, someone would basically have to crack your private key or find another private key that corresponds to a public key that becomes the same IP address.
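An added example (my code, not from this thread or from the Yggdrasil project) of the address-from-key idea described above, in Go because Yggdrasil is written in Go. It assumes the scheme I understand current Yggdrasil to use (invert the ed25519 public key, count leading one bits, prefix byte 0x02); the project's own address code is authoritative, and `AddrForKey` and `KeyMatchesAddr` are names I chose.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net"
)

// AddrForKey derives a 128-bit Yggdrasil-style address from an ed25519 public
// key. Assumed scheme (my reading of Yggdrasil's derivation, not project code):
// invert the key, count leading 1 bits, then emit
// 0x02 | ones-count byte | the bits after the first 0 bit, truncated to fit.
func AddrForKey(pub ed25519.PublicKey) net.IP {
	if len(pub) != ed25519.PublicKeySize {
		return nil
	}
	addr := make([]byte, 16)
	addr[0] = 0x02
	ones, outBit, seenZero := 0, 16, false // output cursor starts at addr[2]
	for i := 0; i < 8*len(pub) && outBit < 128; i++ {
		bit := (^pub[i/8] >> (7 - uint(i%8))) & 1
		switch {
		case !seenZero && bit == 1:
			ones++
		case !seenZero:
			seenZero = true // the first 0 is implied by the count, not stored
		default:
			addr[outBit/8] |= bit << (7 - uint(outBit%8))
			outBit++
		}
	}
	addr[1] = byte(ones)
	return net.IP(addr)
}

// KeyMatchesAddr is the check a receiving node can make: does the public key a
// peer presents derive to the source address it claims? The address commits
// only to a prefix of the key (~112 bits plus the count), so cryptographic
// checks must use the full key; the address is just a handle for it.
func KeyMatchesAddr(pub ed25519.PublicKey, claimed net.IP) bool {
	derived := AddrForKey(pub)
	return derived != nil && derived.Equal(claimed)
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	other, _, _ := ed25519.GenerateKey(rand.Reader)
	addr := AddrForKey(pub)
	fmt.Println(addr, "own key:", KeyMatchesAddr(pub, addr), "other key:", KeyMatchesAddr(other, addr))
}
```

Because only a prefix of the key is encoded, two keys that differ solely in their trailing bits derive to the same address; that is why the peer's full public key, not the address, is what the encryption and any signature checks must be bound to.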
I must be missing something still. People can use whatever IP address they want. Are you saying that people can use whatever IP, but a Yggdrasil node won’t communicate beyond some initial authentication step if you can’t prove you have the private key for that IP? Is every UDP packet unwrapped to do that auth?
Every packet is encrypted to the target’s public key, so a TCP connection can’t complete a handshake if one of the peers doesn’t have the private key to decrypt the packet’s contents. I’m not sure, but I wouldn’t be surprised if the packets are signed by the source’s private key so that the target can verify packets are coming from the source, making UDP secure.