Yggdrasil Network: The Dawn of Mesh Networks, or the Internet of the Future

Father


The era of mesh networks is gradually arriving. At the very least, the term appears more and more often in the information space. What attracts the attention of networkers, and why does the phrase "household mesh network" appear in the title of the article? Let's try to understand the question using the Yggdrasil network as an example of one of the promising prototypes. The article is intended for a wide range of readers.

Understanding Topology

The Internet, like any other network (for example, a local network of several computers), is a set of interconnected computers. The way devices are connected in a network is called its topology, and it is determined solely by the preferences and capabilities of the administrator. At home you may have a Wi-Fi hotspot for easy connection from your smartphone, while a couple of desktops are connected to the router by cable. Obviously, how a laptop is connected to the Internet in your apartment is entirely up to you. There is no single mandatory configuration, but every solution has its pros and cons.

As you can see in the illustration, the most vulnerable topology is the "star"; it is also the most common in everyday life because it is so simple to set up. You don't need to look far for an example: you probably have a single switch or router at home or in your office through which all computers are joined into one local network. If that linking device fails, every subscriber is left disconnected. The tree topology can be considered a logical continuation of the star: imagine a building with a separate switch on each floor, to which the offices on that floor are connected. Because the switches are linked to each other, offices on different floors can communicate. If the switch on the second floor breaks, the offices on the other floors can still communicate with each other, but communication between the first floor and the rest is lost.


Mesh, or "mesh topology", is a network architecture in which all participants are equal and act simultaneously as a client and as a router for other participants. The main advantage of a mesh is its high fault tolerance; its disadvantage is the complexity of practical implementation. Mesh topology has been widely used for decades, first by the military and second by big business. It implies a complex design that takes all possible conditions into account and is often associated with radio technologies, since radio is an irreplaceable assistant in organizing communications in the field.

Network communication model

As children, many of us watching TV wondered about the magic that lets sound and picture travel through a thin coaxial cable. Now there are even more questions, because the entire World Wide Web is somehow transmitted wirelessly straight into a small box called a smartphone.

Everyone is familiar with the concept of an IP address: the logical address of a subscriber, used to route its incoming and outgoing traffic across the network. Without going into the technical details of the TCP/IP stack (IP standing for "Internet Protocol"), there are two main types of IP address that need to be distinguished:

  1. IPv4 - four-byte addresses written as four decimal numbers separated by dots, e.g. "192.168.1.10". IPv4 is familiar to the eye and easy to read, but its address space is small: about four billion values. That is fewer than the population of the Earth, so it is impossible to give every person a unique address, let alone the Internet of Things.
  2. IPv6 - sixteen-byte addresses written in hexadecimal, with a colon after every two bytes. It looks like this: "fe80:2a30:6b30:c26d:3d39:3ce4:218:6376". Hard to read and remember, but the number of possible addresses is unlimited for all practical purposes. The IPv6 address space would be enough for many planets, even if each inhabitant had three coffee makers with a unique address each.

IPv6 appeared later than IPv4, and to this day some software works only over IPv4. This remark is especially relevant for old software whose developers have stopped active development.

To approach the representation of digital transmission, i.e. binary information consisting of bits (zeros and ones), you need a basic understanding of the Open Systems Interconnection (OSI) networking model. If you wish, you will find a detailed explanation in two clicks, so I will not rewrite the tutorial. Be aware: between an electrical impulse in a wire and a picture displayed in a browser, several logical layers are involved, and the lower the layer, the less load on the client side. As long as the signal is on the wire, the computer is not involved in any way. Then the signal reaches the device's network card, and its low-level processing is done by the network card itself. After that, the information is handed to the operating system, and its logical processing falls on the main resources of the computer. The highest point of this chain is a client application, for example a browser, and a picture in it. In total, the electrical impulse is converted into bits, the bits form packets, the packets are delivered to the browser and assembled into a picture on the user's monitor.

Classic network

Almost any modern telecommunications network implies the presence of an administrator: a user with authority and responsibility. The administrator establishes connectivity, connects new subscribers, and also has the right to censor and in every possible way restrict the network segment under his control. This applies to both local networks and the global Internet. In the case of the Internet, we use the services of providers who connect us to their network. In turn, small providers use the services of backbone providers, those who connect countries and continents with their cables. The more serious the network, the more people serve it. Besides physically connecting different computers with wires, colossal work goes into the logical configuration of the network: routing. Thanks to it, our requests to another continent fly there in a few tens of milliseconds, because each upstream router knows where to forward the packet next. Even a tiny local area network for several offices cannot do without routing configuration and a person to configure it!

Centralization has taken root in the modern paradigm of the global network, i.e. critical infrastructure is controlled by a certain circle of persons: government and commercial structures. Some have the right to set prices, others to cut off our connection with the world entirely. And all of them have the power to monitor and regulate user activity. It seems there is no getting away from it.

Yggdrasil

Has it ever happened that your home router failed and all household members were left without network access? Imagine how nice it would be if the router were not a bottleneck, and if, when it failed, all participants in the home network could reach the Internet through a smart TV, neighboring wireless networks, or ultimately your smartphone, all without any additional configuration after the router breaks down!

All applications are forced to use encryption when transmitting information over the network so that intermediate participants cannot intercept sensitive data. For example, almost all modern sites use the HTTPS protocol, which provides an encrypted connection between the user and the server. Thanks to it, we calmly enter passwords and bank card details and trust that the information we enter will reach only its intended recipient. Now imagine that a network connection is always secure at the protocol level and there is no need to pile on additional security measures, including certification authorities: the organizations on whose trustworthiness the whole world relies when using HTTPS (a certification authority is a security point of failure, because it vouches to us for the reliability of the connection,

To organize a local network in an enterprise, or to set up a VPN for remote employees, even for a small network of three computers, some level of expertise and a suitable specialist are required. But what if there were a solution that needs zero configuration on the side of an ordinary user, while allowing local networks to be merged or split with routing fully preserved (between physically reachable nodes)?

As you have already guessed, all of the listed features have been implemented and are being actively developed. We have reached the main subject of the article: Yggdrasil, a software implementation of a mesh network with absolute scalability, automatic routing and end-to-end encryption of all traffic from user to user. Yggdrasil is a software solution that eliminates the need for an administrator when setting up small and medium-sized networks, and also minimizes the impact of crazy lawmakers on network connectivity in general.

Addressing in Yggdrasil

Yggdrasil uses IPv6 addressing within the 200::/7 prefix. Addresses from this range are not used on the Internet, so no collisions occur. Each user also has their own subnet, 300::/64, which makes it possible to assign shorter addresses to network interfaces, hand out addresses from this subnet to local users at home, and use them to host several resources at different addresses (for example, several sites all using port 80). A short address is automatically routed to the full address in the 200::/7 range whose first 64 bits match. For example, the address [324:9de3:fea4:f6ac::ace] is routed to the full address [224:9de3:fea4:f6ac:6d7c:68f5:6c8e:f9a9]. Addresses from a user's additional subnet are easy to recognize by the leading 3, since full addresses always begin with 2.


The user's address is generated the first time the network client software starts. To rule out the possibility of claiming someone else's address, the IPv6 address in Yggdrasil is derived directly from the encryption key. The connection will fail if the encryption key does not match the IPv6 address. Because guessing or stealing someone else's key is a highly non-trivial task, we can conclude that addresses in Yggdrasil are resistant to malicious attempts to misuse them. Read more about the cryptographic derivation of IPv6 addresses in Yggdrasil in the article.

Because the entire Yggdrasil network, regardless of the size and physical location of its nodes, uses a single subnet, global address routing cannot be performed with the canonical tools of network administration.
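To make the addressing scheme concrete, here is an added Go example written for this article; it is not code from the Yggdrasil project. It assumes a 32-byte public key and re-implements, from my understanding of the scheme, the derivation Yggdrasil uses: the leading 1 bits of the inverted key are counted, that count is stored after the 0x02 prefix byte, and the bits that follow fill the rest of the address; the node's 300::/64 subnet is the same first 64 bits with the prefix byte changed to 0x03. The function names and the key bytes (0x0F followed by 0xAA) are constructed for the example, chosen so the result can be followed by hand. The last function shows the check that makes address spoofing pointless: a key can only claim the one address derived from it.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
)

// Yggdrasil's address space is 200::/7: every node address starts with the
// byte 0x02, and the node's own /64 subnet starts with 0x03 (same prefix,
// low bit set). ASSUMPTION: the derivation below is modelled on Yggdrasil's
// scheme as I understand it and was re-implemented for this article.
var prefix = []byte{0x02}

// addrForKey derives a node's 128-bit address from a 32-byte public key:
// invert the key, count its leading 1 bits, skip those and the first 0 bit,
// write the count after the prefix byte, then fill the remaining 14 bytes
// with the bits that follow.
func addrForKey(key []byte) (net.IP, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("want a 32-byte key, got %d bytes", len(key))
	}
	var ones byte
	var rest []byte
	var cur, nbits byte
	seenZero := false
	for i := 0; i < 8*len(key); i++ {
		bit := (^key[i/8] >> uint(7-i%8)) & 1 // bits of the inverted key, MSB first
		if !seenZero {
			if bit == 1 {
				ones++
			} else {
				seenZero = true // the first 0 is a separator, not address data
			}
			continue
		}
		cur = cur<<1 | bit
		if nbits++; nbits == 8 {
			rest = append(rest, cur)
			cur, nbits = 0, 0
		}
	}
	if ones > 127 { // the format reserves 7 bits for the count
		return nil, fmt.Errorf("%d leading ones do not fit the address format", ones)
	}
	addr := make(net.IP, net.IPv6len)
	copy(addr, prefix)
	addr[len(prefix)] = ones
	copy(addr[len(prefix)+1:], rest) // rest always holds >= 16 bytes here
	return addr, nil
}

// subnetForKey returns the node's /64: the first 8 bytes of the address with
// the prefix byte's low bit set (0x02 -> 0x03), host part zero.
func subnetForKey(key []byte) (*net.IPNet, error) {
	addr, err := addrForKey(key)
	if err != nil {
		return nil, err
	}
	snet := make(net.IP, net.IPv6len)
	copy(snet[:8], addr[:8])
	snet[len(prefix)-1] |= 0x01
	return &net.IPNet{IP: snet, Mask: net.CIDRMask(64, 128)}, nil
}

// nodeAddrForSubnetAddr maps an address from a node's 300::/64 subnet (such
// as 324:9de3:fea4:f6ac::ace) to the node whose full address shares the
// first 64 bits, by trying each key this host knows about.
func nodeAddrForSubnetAddr(shortAddr net.IP, knownKeys [][]byte) (net.IP, bool) {
	shortAddr = shortAddr.To16()
	if shortAddr == nil || shortAddr[0] != 0x03 {
		return nil, false
	}
	for _, key := range knownKeys {
		snet, err := subnetForKey(key)
		if err == nil && snet.Contains(shortAddr) {
			addr, _ := addrForKey(key)
			return addr, true
		}
	}
	return nil, false
}

// addrMatchesKey is the binding check: a peer presenting this key may claim
// only the address derived from it, so a forged source address is rejected.
func addrMatchesKey(claimed net.IP, key []byte) bool {
	want, err := addrForKey(key)
	return err == nil && bytes.Equal(claimed.To16(), want)
}

// constructedKey is a made-up 32-byte "public key" (0x0F then 31 x 0xAA),
// chosen so the derivation is easy to follow by hand; not a real key.
func constructedKey() []byte {
	key := bytes.Repeat([]byte{0xAA}, 32)
	key[0] = 0x0F
	return key
}

func main() {
	key := constructedKey()
	addr, _ := addrForKey(key)
	snet, _ := subnetForKey(key)
	fmt.Println("node address:", addr) // 204:aaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa
	fmt.Println("node subnet: ", snet) // 304:aaa:aaaa:aaaa::/64
	full, ok := nodeAddrForSubnetAddr(net.ParseIP("304:aaa:aaaa:aaaa::ace"), [][]byte{key})
	fmt.Println("short -> full:", full, ok)
	forged := constructedKey()
	forged[2] ^= 0x01 // a different key yields a different address
	fmt.Println("genuine key accepted:", addrMatchesKey(addr, key))
	fmt.Println("other key accepted:  ", addrMatchesKey(addr, forged))
}
```

Inverting the key before counting means the count byte after the prefix (0x04 in the example, giving the 204: group) records how many leading ones the inverted key has, which is why the article's sample addresses start with 224: and 324: rather than 200: and 300:.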

Building a common coordinate tree in Yggdrasil

In traditional networks, where addresses are allocated in a meaningful way, the routing logic is configured by numerous administrators; but how can a network with thousands of nodes around the world work without an administrator? The name Yggdrasil comes from the tree of the same name in Norse mythology, which unites the worlds. The name was not chosen by chance, since routing in the network has a tree structure.

In addition to the IP address, hosts have coordinates that represent their logical place in the network. For these coordinates to have an origin, one of the otherwise equal participants is chosen among the nodes.


The map of the network shown here does not display all connections between nodes, only some routes according to the logic by which coordinates are formed. The impression of centralization is misleading, because this is not the topology of data transfer but the scheme by which nodes orient themselves within the network.

The logic for calculating the zero coordinate node

On the first access to an address, the nearest participants are polled by broadcast, then the search request propagates further through the network. When the request reaches a node that directly sees the target address, a response is returned to the requester. The Yggdrasil concept is built on shortest paths and the highest possible transfer speed. Unlike the first request, an established session between two participants in most cases follows a single route based on the coordinates of the transit nodes. Because of this, the first response has the longest waiting time; once the session is established and the optimal route determined, the delay stabilizes.


The most notable bug, overshadowing all other possible minor flaws, is "network storms". The threat model is the abrupt appearance and disappearance of a node with a signing key that forces the rest of the participants to rebuild their coordinates, taking it as the origin. As is easy to guess, if the coordinates are constantly being rebuilt, routing in the network suffers greatly, up to a complete loss of pings.

Experience and theory of using Yggdrasil in production

The first release on GitHub dates back to February 17, 2018. However, to this day Yggdrasil is positioned as a "raw" beta product and is not recommended for use in serious projects.

Many threats to network stability are relevant only when connected to the global network segment, where much of what happens does not depend on us. In business settings, there are cases of remote employees, for example accountants, being connected successfully through Yggdrasil: RDP without any extra router configuration or port forwarding. Such networks are set up in isolation, so they are not subject to a "network storm": a public peer is run on a server controlled by a full-time system administrator, and all employees connect to it in overlay mode (i.e. over the Internet). The result is a highly scalable VPN-like network with internal IPv6 addresses. Yggdrasil can also be used to forward local IPv4 networks; the corresponding parameters are available in the configuration file.

Yggdrasil has a built-in means of restricting access to the operating system's network interface, allowing only a trusted list of keys specified in the configuration file. Thus, only manually added users can reach the machine's TUN interface. Untrusted network participants will not even be able to ping such a Yggdrasil IPv6 address, while transit traffic through the host is not affected in any way.

Also, since version 0.3.15, Yggdrasil allows you not only to block or allow certain addresses, but also to specify the encryption and signing keys when configuring a connection to a public peer. When an organization's employees all connect to one particular public peer, this parameter is more appropriate than ever, since by pinning the keys directly it protects against a theoretical attack in which the IPv6 address is spoofed.

Technical Notes

Yggdrasil operates at a high layer (L3, the network layer), forming its tunnels on top of regular TCP/IP. All processing of intranet traffic requires the computing resources of the operating system. This is primarily due to cryptography: before information is handed to the virtual network interface, where the operating system treats it like any other traffic, cryptographic operations are performed in the Yggdrasil service. With a lot of traffic passing through weak hardware, slowdowns may occur.

To work in a local network, i.e. with automatic peer discovery, you must enable IPv6 on the computer's real network interfaces. On systems without IPv6 support (for example, Windows XP), connecting to Yggdrasil is possible only by specifying the IPv4 address of a public peer (the address can be a local one).

The network scales automatically: if one of the users of an isolated network segment adds a public peer to their configuration, the entire segment becomes part of the global Yggdrasil network.

Start to use

Detailed instructions, a list of public peers and a list of well-known in-network services are available on the project's official page. The client is cross-platform; at the time of publication all common operating systems are supported: Windows, Linux, macOS, iOS and Android.

To connect to the global Yggdrasil segment, you need to add public peers to the configuration file; the list can be found at the link above in the "Public peers" section. After a successful start, visit the in-network directory of the Russian-speaking community: http://[300:529f:150c:eafe::6]. It is like Wikipedia, only inside Yggdrasil, and contains many how-to guides and background information on the topic.

Yggdrasil will be of interest both to network enthusiasts and administrators and to the younger generation, for example for playing Minecraft over a pseudo-local network (as a replacement for Hamachi).

PS

In the early 2010s the word "cryptocurrency" was almost unknown: in some places it sounded like science fiction, in others like nonsense. Only a small group of people understood what it was about, and even fewer delved into the essence and began actively getting acquainted with Bitcoin. Now cryptocurrencies of every kind are everywhere, the hype train has already left, and jumping into the last carriage is neither easy nor cheap.

Having heard about mesh networks, you will realize with pleasant satisfaction that this train has not left without you.