mirror of https://github.com/ntop/n2n.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
132 lines
5.5 KiB
132 lines
5.5 KiB
.TH "n2n_v3" 7 "Sep 27, 2021" "version 3" "Background"
|
|
.SH NAME
|
|
n2n version 3 \- version 3 of the n2n decentralised peer-to-peer network overlay
|
|
VPN.
|
|
.SH DESCRIPTION
|
|
n2n is a peer-to-peer network overlay or VPN system that provides layer 2 over
|
|
layer 3 encapsulation with data transform capabilities such as encryption and
|
|
compression. This guide also discusses the differences of version 3 of n2n from
|
|
version 2.
|
|
.SH PROTOCOLS
|
|
n2n-3 basically uses the same set of messages to communicate with edges and
|
|
supernodes. However, due to slight packet format changes, the n2n-3 messages
|
|
are not compatible with n2n-2. There is no backward compatibility for n2n-2.
|
|
.SH ENCRYPTION
|
|
n2n-3 offers four different ciphers for payload encryption as well as optional
|
|
header encryption. Earlier versions of n2n-2 provided a mechanism using a key
|
|
schedule which has been removed in n2n-3. A basic user authentication scheme
|
|
relying on asymmetric cryptography has been added to n2n-3.
|
|
|
|
n2n-3 provides the following ciphers to chose from for payload encryption; more
|
|
can be added as required:
|
|
.TP
|
|
.B (1) NULL
|
|
Data is encapsulated unchanged. Useful for testing and high-performance, low
|
|
sensitivity applications.
|
|
.TP
|
|
.B (2) TF-CTS
|
|
Twofish AES candidate in CTS mode.
|
|
.TP
|
|
.B (3) AES-CTS
|
|
AES in CTS mode with up to 256-bit key.
|
|
.TP
|
|
.B (4) CHACHA20
|
|
ChaCha20, a well known stream cipher developped by Daniel J. Bernstein.
|
|
.TP
|
|
.B (5) SPECK-CTR
|
|
A fast block cipher developped by the NSA used as stream cipher in CTR mode.
|
|
.TP
|
|
Full Header Encyption
|
|
The optional full header encryption also encrypts packets' header which include
|
|
some administrative data. In addition, it adds replay protection.
|
|
.TP
|
|
User Password Authentication
|
|
n2n-3 implements an optional user-password authentication scheme. A key
|
|
generator assists in generating user's public keys to be stored at the
|
|
supernode side.
|
|
.SH COPMPRESSION
|
|
LZO for payload compression is an always available option at n2n-3. If compiled with
|
|
zstdlib support, ZSTD is at optional service as well.
|
|
.SH EXTENSIBILITY
|
|
n2n-3 decouples the data transform system from the core of the edge
|
|
operation. This allows for easier addition of new data transform
|
|
operations. n2n-3 reserves some standard transform identifiers (such as TwoFish
|
|
encryption) but allocates transform identifiers for user-defined
|
|
transforms. This allows anyone to add to n2n new private transforms without
|
|
breaking compatibility with the standard offering.
|
|
.SH FEDERATED SUPERNODES
|
|
n2n-3 incorporates the capability of multiple supernodes to be federated.
|
|
Federation acts transparently and balances the workload evenly among the
|
|
federated supernodes. Supernodes keep track of edges connected to different
|
|
supernodes and forward packets as required. This feature naturally supports
|
|
fail-over and this increases redundancy and resilience.
|
|
.P
|
|
Information on additional supernodes is propagated to all edges. In addition,
|
|
the n2n-3 edge implementation allows multiple supernodes to be specified on the
|
|
command line. Edges monitor the current supernode for responses to
|
|
REGISTER_SUPER as well as PING messages. After three responses from current
|
|
supernode are missed or when a better supernode in terms of significant lower workload
|
|
is found, the edge tries to connect to another supernode. It cycles through the list
|
|
f supernodes which over and over again is sorted according to reported workload.
|
|
|
|
.SH MANAGEMENT CONSOLE
|
|
Edge and supernode in n2n-3 provide a UDP-based management console. Both listen
|
|
on the localhost address 127.0.0.1. Commands can be sent to the programs by
|
|
sending to the UDP socket. Responses are returned to the socket from which
|
|
commands were issued. This only works from the computer on which the programs
|
|
are running. Statistics can be retrieved and commands issued. The netcat utility
|
|
is all that is required; but more sophisticated tools could be built on the
|
|
interface.
|
|
|
|
.SH SUPERNODE AUTHENTICATION
|
|
The supernode federation name serves as private key shared between the supernodes only.
|
|
The corresponding public key can be provided to the edges.
|
|
|
|
.SH MESSAGE SUMMARY
|
|
The following message types work within n2n-3.
|
|
.TP
|
|
REGISTER_SUPER
|
|
Sent from an edge to its local supernode to register its MAC with the community.
|
|
Also, federated supernodes use this packet format to register to each other.
|
|
.TP
|
|
REGISTER_SUPER_ACK
|
|
Sent from a supernode to an edge to confirm registration. This also carries the
|
|
definition of the edge socket as seen at the supernode so NAT can be detected
|
|
and described. Furthermore, it carries information about additional federated
|
|
supernodes.
|
|
.TP
|
|
REGISTER_SUPER_NAK
|
|
Supernode refusing to register an edge.
|
|
.TP
|
|
PACKET
|
|
Encapsulated ethernet packets sent between edges. Supernodes forward or
|
|
broadcast these and edges send them direct in peer-to-peer mode.
|
|
.TP
|
|
REGISTER
|
|
A peer-to-peer mode registration request from one edge to another. Supernodes
|
|
forward these to facilitate NAT crossing introductions.
|
|
.TP
|
|
REGISTER_ACK
|
|
Complete peer-to-peer mode setup between two edges. These messages need to
|
|
travel direct between edges.
|
|
.TP
|
|
QUERY_PEER
|
|
Queries a supernode about another edge, especially its public socket in case of
|
|
no peer-to-peer communication can be established. Additionally, it serves as PING
|
|
to query supernodes about themselves.
|
|
.TP
|
|
PEER_INFO
|
|
Answers the QUERY_PEER; it also covers the special case of the PING query, internally
|
|
called PONG.
|
|
.SH AUTHORS
|
|
.TP
|
|
Richard Andrews andrews (at) ntop.org - main author of n2n-2
|
|
.TP
|
|
Luca Deri
|
|
deri (at) ntop.org - code inherited from n2n-1
|
|
.SH SEE ALSO
|
|
ifconfig(8) edge(8) supernode(1)
|
|
.br
|
|
the documentation contained in the source code
|
|
.br
|
|
the extensive documentation found in n2n's \fBdoc/\fR folder
|
|
|