n2n - (unknown subject)

NAME  DESCRIPTION  PROTOCOLS  ENCRYPTION  COPMPRESSION  EXTENSIBILITY  FEDERATED SUPERNODES  MANAGEMENT CONSOLE  SUPERNODE AUTHENTICATION  MESSAGE SUMMARY  AUTHORS  SEE ALSO 

NAME

n2n version 3 − version 3 of the n2n decentralised peer-to-peer network overlay VPN.

DESCRIPTION

n2n is a peer-to-peer network overlay or VPN system that provides layer 2 over layer 3 encapsulation with data transform capabilities such as encryption and compression. This guide also discusses the differences of version 3 of n2n from version 2.

PROTOCOLS

n2n-3 basically uses the same set of messages to communicate with edges and supernodes. However, due to slight packet format changes, the n2n-3 messages are not compatible with n2n-2. There is no backward compatibility for n2n-2.

ENCRYPTION

n2n-3 offers four different ciphers for payload encryption as well as optional header encryption. Earlier versions of n2n-2 provided a mechanism using a key schedule which has been removed in n2n-3. A basic user authentication scheme relying on asymmetric cryptography has been added to n2n-3.

n2n-3 provides the following ciphers to chose from for payload encryption; more can be added as required:
(1) NULL

Data is encapsulated unchanged. Useful for testing and high-performance, low sensitivity applications.

(2) TF-CTS

Twofish AES candidate in CTS mode.

(3) AES-CTS

AES in CTS mode with up to 256-bit key.

(4) CHACHA20

ChaCha20, a well known stream cipher developped by Daniel J. Bernstein.

(5) SPECK-CTR

A fast block cipher developped by the NSA used as stream cipher in CTR mode.

Full Header Encyption

The optional full header encryption also encrypts packets’ header which include some administrative data. In addition, it adds replay protection.

User Password Authentication

n2n-3 implements an optional user-password authentication scheme. A key generator assists in generating user’s public keys to be stored at the supernode side.

COPMPRESSION

LZO for payload compression is an always available option at n2n-3. If compiled with zstdlib support, ZSTD is at optional service as well.

EXTENSIBILITY

n2n-3 decouples the data transform system from the core of the edge operation. This allows for easier addition of new data transform operations. n2n-3 reserves some standard transform identifiers (such as TwoFish encryption) but allocates transform identifiers for user-defined transforms. This allows anyone to add to n2n new private transforms without breaking compatibility with the standard offering.

FEDERATED SUPERNODES

n2n-3 incorporates the capability of multiple supernodes to be federated. Federation acts transparently and balances the workload evenly among the federated supernodes. Supernodes keep track of edges connected to different supernodes and forward packets as required. This feature naturally supports fail-over and this increases redundancy and resilience.

Information on additional supernodes is propagated to all edges. In addition, the n2n-3 edge implementation allows multiple supernodes to be specified on the command line. Edges monitor the current supernode for responses to REGISTER_SUPER as well as PING messages. After three responses from current supernode are missed or when a better supernode in terms of significant lower workload is found, the edge tries to connect to another supernode. It cycles through the list f supernodes which over and over again is sorted according to reported workload.

MANAGEMENT CONSOLE

Edge and supernode in n2n-3 provide a UDP-based management console. Both listen on the localhost address 127.0.0.1. Commands can be sent to the programs by sending to the UDP socket. Responses are returned to the socket from which commands were issued. This only works from the computer on which the programs are running. Statistics can be retrieved and commands issued. The netcat utility is all that is required; but more sophisticated tools could be built on the interface.

SUPERNODE AUTHENTICATION

The supernode federation name serves as private key shared between the supernodes only. The corresponding public key can be provided to the edges.

MESSAGE SUMMARY

The following message types work within n2n-3.
REGISTER_SUPER

Sent from an edge to its local supernode to register its MAC with the community. Also, federated supernodes use this packet format to register to each other.

REGISTER_SUPER_ACK

Sent from a supernode to an edge to confirm registration. This also carries the definition of the edge socket as seen at the supernode so NAT can be detected and described. Furthermore, it carries information about additional federated supernodes.

REGISTER_SUPER_NAK

Supernode refusing to register an edge.

PACKET

Encapsulated ethernet packets sent between edges. Supernodes forward or broadcast these and edges send them direct in peer-to-peer mode.

REGISTER

A peer-to-peer mode registration request from one edge to another. Supernodes forward these to facilitate NAT crossing introductions.

REGISTER_ACK

Complete peer-to-peer mode setup between two edges. These messages need to travel direct between edges.

QUERY_PEER

Queries a supernode about another edge, especially its public socket in case of no peer-to-peer communication can be established. Additionally, it serves as PING to query supernodes about themselves.

PEER_INFO

Answers the QUERY_PEER; it also covers the special case of the PING query, internally called PONG.

AUTHORS

Richard Andrews andrews (at) ntop.org - main author of n2n-2
Luca Deri

deri (at) ntop.org - code inherited from n2n-1

SEE ALSO

ifconfig(8) edge(8) supernode(1)
the documentation contained in the source code
the extensive documentation found in n2n’s doc/ folder


Updated 2024-01-29 - jenkler.se | uex.se