See https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/ for examples with linphone and opensmtpd. It uses Cjdns - but yggdrasil works the same.
- Welcome to Yggdrasil Community.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
Server software in Yggdrasil / Re: What would in-network email look like?
September 06, 2023, 04:16:09 PM #2
Yggdrasil Discussion / Re: What is your practical use of Yggdrasil?
September 06, 2023, 04:12:15 PM
Besides authorized services, Cjdns and yggdrasil allow common applications to be fully decentralized.
DNS is federated, but was centralized via ICANN (who can spoof/cancel domains at will). Not everyone is up to running their own nameserver and making DNS federated again. (However, see https://www.opennic.org for an alternate centralized root zone.)
TLS depends on a shadowy cabal that determines what CAs are trusted. All mainstream browsers either trust a CA fully, or not at all. (Need browser extensions to "veto" CAs using information in the cert. E.g. trust this CA only for .GEEK tld.) This allows the cabal to man in the middle TLS connections.
By using raw Yggdrasil/Cjdns ips, you get the equivalent of TLS connections without the risk of getting fooled by ICANN or TLS cabal. Opensmtpd works well for fully decentralized email in this manner. SIP phones like Linphone can call a raw ip6 - and these work just as well as phone numbers in the address book.
XMPP and Matrix want a domain - so you can either go with federated DNS and TLS, or just add the hostnames to /etc/hosts with ygg/cjd IP.
DNS is federated, but was centralized via ICANN (who can spoof/cancel domains at will). Not everyone is up to running their own nameserver and making DNS federated again. (However, see https://www.opennic.org for an alternate centralized root zone.)
TLS depends on a shadowy cabal that determines what CAs are trusted. All mainstream browsers either trust a CA fully, or not at all. (Need browser extensions to "veto" CAs using information in the cert. E.g. trust this CA only for .GEEK tld.) This allows the cabal to man in the middle TLS connections.
By using raw Yggdrasil/Cjdns ips, you get the equivalent of TLS connections without the risk of getting fooled by ICANN or TLS cabal. Opensmtpd works well for fully decentralized email in this manner. SIP phones like Linphone can call a raw ip6 - and these work just as well as phone numbers in the address book.
XMPP and Matrix want a domain - so you can either go with federated DNS and TLS, or just add the hostnames to /etc/hosts with ygg/cjd IP.
#3
Yggdrasil Discussion / Re: What is your practical use of Yggdrasil?
September 06, 2023, 03:49:48 PM
Yggdrasil does relay when you have 2 or more peers (otherwise there is no point).
My practical use is an an alternative to Cjdns that uses TCP instead of UDP (which evades different kinds of attempts to block vpns).
What did I use Cjdns for? The e2e encryption and IP authentication provide a simplified alternative to private certificate authority schemes with signed certs used by large corporations. For any service, I just list all the Cjdns/ygg ips authorized to use it. (E.g. using ipset.) An example would be nameservers. Recursive nameservers are hard to make public without getting DoSed.
Obviously, this doesn't scale - those lists of IPs become like /etc/hosts. This is why Big Corps use a private CA. The central authority also obviates the need for lists of ips on each service - the signed certs list what services they are authorized to access.
A key principle to take away is the distinction between authentication (not an imposter) and authorization (are you authorized to use this service).
You could scale the lists of IPs by providing a well known service that returns whether an IP is authorized for a service (or just return a list of authorized services which can be cached).
As for VPN use, yggdrasil fools firewalls that try to block vpns (by blocking UDP traffic), but allow websites (with possible blacklist). On the other hand, Cjdns connects from behind firewalls that block web traffic, but allow UDP sessions on random ports.
My practical use is an an alternative to Cjdns that uses TCP instead of UDP (which evades different kinds of attempts to block vpns).
What did I use Cjdns for? The e2e encryption and IP authentication provide a simplified alternative to private certificate authority schemes with signed certs used by large corporations. For any service, I just list all the Cjdns/ygg ips authorized to use it. (E.g. using ipset.) An example would be nameservers. Recursive nameservers are hard to make public without getting DoSed.
Obviously, this doesn't scale - those lists of IPs become like /etc/hosts. This is why Big Corps use a private CA. The central authority also obviates the need for lists of ips on each service - the signed certs list what services they are authorized to access.
A key principle to take away is the distinction between authentication (not an imposter) and authorization (are you authorized to use this service).
You could scale the lists of IPs by providing a well known service that returns whether an IP is authorized for a service (or just return a list of authorized services which can be cached).
As for VPN use, yggdrasil fools firewalls that try to block vpns (by blocking UDP traffic), but allow websites (with possible blacklist). On the other hand, Cjdns connects from behind firewalls that block web traffic, but allow UDP sessions on random ports.
Pages1