n2n version 3 − version 3 of the n2n decentralised peer-to-peer network overlay VPN.
n2n is a peer-to-peer network overlay or VPN system that provides layer 2 over layer 3 encapsulation with data transform capabilities such as encryption and compression. This guide also discusses the differences of version 3 of n2n from version 2.
n2n-3 basically uses the same set of messages to communicate with edges and supernodes. However, due to slight packet format changes, the n2n-3 messages are not compatible with n2n-2. There is no backward compatibility for n2n-2.
n2n-3 offers four different ciphers for payload encryption as well as optional header encryption. Earlier versions of n2n-2 provided a mechanism using a key schedule which has been removed in n2n-3. A basic user authentication scheme relying on asymmetric cryptography has been added to n2n-3.
n2n-3 provides
the following ciphers to chose from for payload encryption;
more can be added as required:
(1) NULL
Data is encapsulated unchanged. Useful for testing and high-performance, low sensitivity applications.
(2) TF-CTS
Twofish AES candidate in CTS mode.
(3) AES-CTS
AES in CTS mode with up to 256-bit key.
(4) CHACHA20
ChaCha20, a well known stream cipher developped by Daniel J. Bernstein.
(5) SPECK-CTR
A fast block cipher developped by the NSA used as stream cipher in CTR mode.
Full Header Encyption
The optional full header encryption also encrypts packets’ header which include some administrative data. In addition, it adds replay protection.
User Password Authentication
n2n-3 implements an optional user-password authentication scheme. A key generator assists in generating user’s public keys to be stored at the supernode side.
LZO for payload compression is an always available option at n2n-3. If compiled with zstdlib support, ZSTD is at optional service as well.
n2n-3 decouples the data transform system from the core of the edge operation. This allows for easier addition of new data transform operations. n2n-3 reserves some standard transform identifiers (such as TwoFish encryption) but allocates transform identifiers for user-defined transforms. This allows anyone to add to n2n new private transforms without breaking compatibility with the standard offering.
n2n-3 incorporates the capability of multiple supernodes to be federated. Federation acts transparently and balances the workload evenly among the federated supernodes. Supernodes keep track of edges connected to different supernodes and forward packets as required. This feature naturally supports fail-over and this increases redundancy and resilience.
Information on additional supernodes is propagated to all edges. In addition, the n2n-3 edge implementation allows multiple supernodes to be specified on the command line. Edges monitor the current supernode for responses to REGISTER_SUPER as well as PING messages. After three responses from current supernode are missed or when a better supernode in terms of significant lower workload is found, the edge tries to connect to another supernode. It cycles through the list f supernodes which over and over again is sorted according to reported workload.
Edge and supernode in n2n-3 provide a UDP-based management console. Both listen on the localhost address 127.0.0.1. Commands can be sent to the programs by sending to the UDP socket. Responses are returned to the socket from which commands were issued. This only works from the computer on which the programs are running. Statistics can be retrieved and commands issued. The netcat utility is all that is required; but more sophisticated tools could be built on the interface.
The supernode federation name serves as private key shared between the supernodes only. The corresponding public key can be provided to the edges.
The following
message types work within n2n-3.
REGISTER_SUPER
Sent from an edge to its local supernode to register its MAC with the community. Also, federated supernodes use this packet format to register to each other.
REGISTER_SUPER_ACK
Sent from a supernode to an edge to confirm registration. This also carries the definition of the edge socket as seen at the supernode so NAT can be detected and described. Furthermore, it carries information about additional federated supernodes.
REGISTER_SUPER_NAK
Supernode refusing to register an edge.
|
PACKET |
Encapsulated ethernet packets sent between edges. Supernodes forward or broadcast these and edges send them direct in peer-to-peer mode. |
REGISTER
A peer-to-peer mode registration request from one edge to another. Supernodes forward these to facilitate NAT crossing introductions.
REGISTER_ACK
Complete peer-to-peer mode setup between two edges. These messages need to travel direct between edges.
QUERY_PEER
Queries a supernode about another edge, especially its public socket in case of no peer-to-peer communication can be established. Additionally, it serves as PING to query supernodes about themselves.
PEER_INFO
Answers the QUERY_PEER; it also covers the special case of the PING query, internally called PONG.
Richard Andrews
andrews (at) ntop.org - main author of n2n-2
Luca Deri
deri (at) ntop.org - code inherited from n2n-1
ifconfig(8)
edge(8) supernode(1)
the documentation contained in the source code
the extensive documentation found in n2n’s doc/
folder