Cjdns

From meshwiki
Jump to: navigation, search
cjdns
Original author(s) Caleb James DeLisle
Preview release git HEAD
Development status Active, 95[1] live nodes in experimental network (Hyperboria)[2]
Written in C
Wikipedia:Operating system Wikipedia:Linux Wikipedia:Illumos Apple OSX
Platform Wikipedia:x86 Wikipedia:amd64 MIPS ARM Wikipedia:PowerPC[3]
Size Approximately 1/2MB executable which uses around 2MB of memory.
Type Wikipedia:VPN Wikipedia:Peer-to-peer Wikipedia:Router (computing)
License GPLv3
Website http://cjdns.info/ (unofficial)

Cjdns (Caleb James DeLisle's Network Suite[4]) is a networking protocol and reference implementation, founded on the ideology that networks should be easy to set up, protocols should scale up smoothly, and security should be ubiquitous.

Interface

The Cjdns program talks to other programs on the computer through a TUN device which the computer sees as a regular network connection. Any application which uses Wikipedia:IPv6 can communicate in a Cjdns based network without modification.

Address Generation

Cjdns addresses are the first 16 bytes (128 bits) of the SHA-512 of the SHA-512 of the public key. All addresses must begin with the byte 0xFC, which in IPv6 resolution, is a private address (so there is no collision with any external Internet addresses).

The address is generated initially when a node is setup, through a brute-forced key generation process (keys are repeatedly generated until the result of double SHA-512 begins with 0xFC). This process is unique, as it guarantees cryptographically bound addresses (the double SHA-512 of the public key), sourced from random data (private key is random data, public key is the scalar multiplication of this data).

Internals

The routing engine stores its Wikipedia:routing table in a Wikipedia:Distributed hash table similar to Kademlia.[5] When forwarding a packet, rather than looking up an entry using the traditional Kademlia approach of asking a node whose id is similar to that of the target, Cjdns forwards the packet to that node for further processing.[6] In order to allow a node to be in touch with many nodes despite being directly connected only to as few as one, there is a switch layer which underlies the routing layer. The switch is inspired by Wikipedia:MPLS protocol but without the universal uniqueness nor longevity of MPLS labels but instead with added ability to determine the source of an incoming packet from its label and ability to determine whether a given node is part of the path represented by a label, and ability to switch a label without any memory lookups. In the most simple terms: a switch label is like driving directions to a destination.

It is designed so that every node is equal; there is no hierarchy or edge routing. Rather than assigning addresses based on topology, all cjdns IPv6 addresses are within the FC00::/8 Unique local address space (keys which do not hash to addresses starting with 'FC' are discarded).[7] Although nodes are identified with IPv6 addresses, Cjdns does not depend upon having IPv6. Each node connects to a couple other nodes by manually configured links over an IPv4 network (such as the Internet) or via the Ethernet Interface. The Ethernet Interface allows for peering of cjdns nodes over raw ethernet frames, making it easier to set up local cjdns-based network. The ultimate goal is to have every node connected directly by physical means; be it wire, optical cable or radio waves.

A CryptoAuth session between two given nodes is set up with a two packet handshake. Each of these two packets contains the permanent and temporary keys of the sending node which are piggybacked on top of normal data packets. The data in those packets is encrypted using the permanent keys. Once the temporary keys have been exchanged, the permanent keys are no longer used in that session and the temporary keys are discarded when the session ends so that the data sent during that session can not be decrypted later.[8] Since the handshake is piggybacked on top of the first two packets, the maximum allowable packet size differs from packet to packet but the encryption is set up without introducing lag to the application.

Routing

Routing is designed such that each packet requires very little handling by an individual router, or node. Each node will respond to 'search queries' asking it for other nodes nearby to it. This allows the sending node to determine and add routes to its own Wikipedia:routing table.[9] Once the sending node has determined a route, it sends its packet to the first node on said route. For each hop, the receiving node reads the packet's header to determine where to next send the packet. Before the packet is forwarded to the next hop, the node performs a bit shift on the packet's headers, making it ready for use by the next node.[10]

Security

The belief that security should be ubiquitous and unintrusive like air is part of cjdns core. The routing engine runs in Wikipedia:user space and is compiled by default with Wikipedia:stack-smashing protection, Wikipedia:position-independent code, non-executable stack, and remapping of the Wikipedia:global offset table as read-only (relro). The code also relies on an ad-hoc sandboxing feature based on setting the resource limit for open files to zero, on many systems this serves block access to any new Wikipedia:file descriptors, severely limiting the code's ability to interact with the system around it.[11]

Development

Development discussion goes on in the #cjdns IRC channel on the Wikipedia:EFnet IRC network, that network having been chosen because of its decentralized control structure (a mirror of the Cjdns security model).[12] Caleb James DeLisle maintains Wikipedia:Benevolent Dictator for Life status over the project. The cjdns GitHub repository is used for source code hosting and as a bug tracker.

Distribution

Cjdns employs a Wikipedia:rolling release style model because the protocols and algorithms are new inventions and the way they behave in the real world is still not well understood.[13] Users can clone the git repository containing the source code and run a shell script which compiles the source code, runs unit tests, and outputs a binary.

Cjdns is available on most Wikipedia:UNIX-like systems like Wikipedia:Linux (Debian, Wikipedia:Ubuntu etc.), Wikipedia:Mac OS X, Wikipedia:Illumos and Wikipedia:FreeBSD. A wide variety of architectures are supported, most notably Wikipedia:x86, Wikipedia:x64, Wikipedia:PowerPC and MIPS. This allows users the flexibility of using old or new Wikipedia:hardware, making it easy to get started with cjdns. There are nodes running on high-end gaming machines, Wikipedia:PlayStation3 and even old Wikipedia:OpenWRT-compatible routers.

Hyperboria

Hyperboria is the experimental network set up by the testers and developers of cjdns to use and experiment with the software and learn about networking. While Hyperboria is currently an invite only network, a number of generous operators have extended open invitations by publicising their connection credentials. The Hyperboria Wikipedia:community encourages people wishing to join the network to meet their peers in the #cjdns IRC channel and become part of the community.

Current Services

Hyperboria is a little bit like the internet of the late 1980s, there are a few services running now but it is more of a play internet where people get to experiment and do new and interesting things. The following is a partial list of such services, some of which are available on both Hyperboria and Wikipedia:The Internet, while some are only available on Hyperboria.

A full list of public services can be found on this page - Known Hyperboria sites

Security concerns with joining Hyperboria

The operator of a cjdns node has an ip address which is accessible to other users of the Hyperboria network, meaning any server which they are running on their computer will now be publicly accessible. This, like switching to IPv6, is a change from the status of a computer behind a network address translator which typically blocks incoming connections. The cjdns readme document explains how members can to do a self-check to make sure they are not unintentionally running services which might compromise their security.[14]

References

External links