Hello,

How does tincd determine the subnet(s) of other remote nodes? Does tincd read its copies of the hosts files and parse and follow the subnet information contained in the local files? Or does tincd solely trust the subnet information dynamically advertised by each remote node?
In my experimentation, it seems that: a) tincd reads its own subnet(s) from its copy of its own host file, but b) tincd ignores the subnets specified in the other hosts files.

This would seem to mean that if:

1) There are three nodes, A, B, and C, and
2) Node B is offline, and
3) Node C is compromised and advertises itself as serving B's subnet(s), and
4) Node A sends traffic to an IP address on one of B's subnets,

then 5) Node C will intercept the traffic that A believes it is sending to B's subnet.

Is the above description of how tincd operates correct? Is this an intentional choice? If so, what is the reasoning behind it? It seems to me that this behavior (trusting all advertised subnets) is unexpected and possibly undocumented. The behavior would also seem to prioritize convenience over security.

(I am running tinc version 1.0.24 on Debian.)

Thanks!

-Parke

_______________________________________________
tinc mailing list
[email protected]
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
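The three-node scenario in the post, as an added model that is not tinc's code and not part of the original message: each node parses `Subnet =` lines from a set of constructed host files, learns remote subnets from advertisements, and picks the owner of a destination by longest-prefix match. The `strict` flag is the cross-check the poster asks about (only accept an advertised subnet if it appears in the advertiser's local host file); it is an assumption of this model, not a statement about what tincd does or offers. Node names, addresses and subnets are made up.

```python
import ipaddress

# Constructed host files for the three nodes in the scenario (not real tinc configs).
HOST_FILES = {
    "A": "Address = 192.0.2.1\nSubnet = 10.0.1.0/24\n",
    "B": "Address = 192.0.2.2\nSubnet = 10.0.2.0/24\n",
    "C": "Address = 192.0.2.3\nSubnet = 10.0.3.0/24\n",
}


def parse_subnets(host_file_text):
    """Return the networks declared by 'Subnet = ...' lines of one host file."""
    nets = []
    for line in host_file_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Subnet":
            nets.append(ipaddress.ip_network(value.strip(), strict=False))
    return nets


class Node:
    """A minimal model of one VPN node's routing table."""

    def __init__(self, name, host_files, strict=False):
        self.name = name
        self.strict = strict
        # Every node holds a copy of every host file, as described in the post.
        self.known = {n: parse_subnets(t) for n, t in host_files.items()}
        # Own subnets come from the node's own host file; nothing else is
        # installed until a remote node advertises it.
        self.routes = [(net, name) for net in self.known[name]]

    def receive_add_subnet(self, advertiser, subnet):
        """Handle a subnet advertisement from a remote node.

        Returns True if the subnet was installed in the routing table.
        """
        net = ipaddress.ip_network(subnet, strict=False)
        if self.strict and net not in self.known.get(advertiser, []):
            # Cross-check (model assumption): the advertiser must own this
            # subnet according to our local copy of its host file.
            return False
        self.routes.append((net, advertiser))
        return True

    def route(self, dst_ip):
        """Return the node that traffic for dst_ip would be forwarded to."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for net, owner in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, owner)
        return best[1] if best else None


def scenario(strict):
    """Replay the post's scenario from A's point of view.

    B is offline, so A never hears from B. C advertises its own subnet and
    then B's subnet. Returns (was B's subnet accepted from C, who gets
    traffic for an address in B's subnet).
    """
    a = Node("A", HOST_FILES, strict=strict)
    a.receive_add_subnet("C", "10.0.3.0/24")           # C's legitimate subnet
    accepted = a.receive_add_subnet("C", "10.0.2.0/24")  # C claiming B's subnet
    return accepted, a.route("10.0.2.7")


if __name__ == "__main__":
    print("trust all advertisements:", scenario(strict=False))  # (True, 'C')
    print("cross-check host files:  ", scenario(strict=True))   # (False, None)
```

With `strict=False` the claim from C is installed and A forwards traffic for 10.0.2.7 to C, which is exactly the interception the post describes. With `strict=True` the claim is rejected and A has no route for that address while B is offline, which is the trade-off the question is really about: pinning subnets to the locally held host files stops a compromised node from hijacking another node's range, at the cost of having to redistribute host files whenever a node's subnets change.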
