Open Kubuxu opened 8 years ago
Are you sure bruteforcing 120 bits is reasonable? This should be 2^120. Assuming it is, what prevents me from joining your subnet by generating a public key that matches your subnet?
If you are reading this, you can skip it. We had dual miscommunication.
Subnet of size /120 is of size 256, so you would have to generate one of the 256 addresses to join my subnet.
2^120/300/60/60/24/2 = 6.9144195e+25 years (you target 2^120 bits, 300 keys per second) to have a 50% chance of getting an address in the targeted subnet.
EDIT: You would have to get the same exact address because cjdns would route fcxx:xxxx:xxxx:xxxx:xxxx:xxxx:0000:00yy to fcxx:xxxx:xxxx:xxxx:xxxx:xxxx:0000:0000 either way.
many applications might require their own, unique IPv6 address.
That's where you'd run multiple cjdns processes, each bundled with the app in a container. In fact I made this just yesterday: https://github.com/cjdelisle/cjdns/compare/crashey...hyperboria:dockerfile
These addresses have a one out of 2^32 (4.2e+9) chance of being generated, which gives about 100 days of digging to create one such address (on one 8 core i7), which is quite reasonable.
Okay, can we discuss further steps once you've generated a few addresses within the same /120? ;)
The point is that you wouldn't need to generate addresses in the same /120. Cjdns would route a specific /120 into one node using only this one node's (00) crypto keys. From the network map point of view it is only one node, but routing knows that the whole /120 should be passed to it.
Generation of addresses has to be time consuming as a form of limitation of their count.
Running multiple nodes is possible, but it won't allow e.g. a virtual local network, and it requires running the same daemon multiple times (or whole docker containers), which is just a loss of resources (not to mention consecutive IP addresses).
I think I misread your initial post. I assumed you want an actual subnet with multiple nodes. This could work if you want to map all 256 addresses to one node.
I'm not sure we should add that much extra complexity into the key verification though.
I recommend containers, too. You don't have to run a whole userland, you mostly modify the environment your process is executed in. Autopeering containers with a bridge is really nice, too.
The space of IPv6 is enormous and in future many applications might require their own, unique IPv6 address. As any end user in the Internet is (in theory) going to get a /64 subnet, I propose that we create our own subnet protocol.

Proposition:
/120: This gives 255 addresses routed to one node.
fcxx:xxxx:xxxx:xxxx:xxxx:xxxx:0000:0000 -> fcxx:xxxx:xxxx:xxxx:xxxx:xxxx:0000:0000/120 subnet.
These addresses have a one out of 2^32 (4.2e+9) chance of being generated, which gives about 100 days of digging to create one such address (on one 8 core i7), which is quite reasonable.
Before establishing a connection cjdns would check, and if the address has the form fcxx:xxxx:xxxx:xxxx:xxxx:xxxx:0000:00yy it would establish the connection with fcxx:xxxx:xxxx:xxxx:xxxx:xxxx:0000:0000 instead. A one byte field would have to be sent (I don't know if it is possible to send it only on establishment or it needs to be in every packet).
This would allow for creation of internal networks directly visible from cjdns, or serving HTTP or other services without use of vhosts.
Skipping fcxx:xxxx:xxxx:xxxx:xxxx:xxxx:0000:00yy in case of key generation would also be added.
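The address rules proposed above (a node whose address ends in 0000:0000 owns the /120, any 0000:00yy address is mapped to that owner, and key generation skips the 0000:00yy pattern), together with the routing behaviour described in the replies, as an added worked example. This is not cjdns code and the proposal was never part of cjdns; the only real cjdns detail used is that a node's IPv6 is the first 16 bytes of SHA-512(SHA-512(pubkey)) and must start with 0xfc. It feeds random 32-byte strings through that derivation instead of real Curve25519 keys (an assumption that is fine for exercising the address logic), and every function name below is hypothetical:

```python
import hashlib
import os
from typing import Optional, Tuple

SECONDS_PER_DAY = 86400


def address_from_pubkey(pubkey: bytes) -> bytes:
    """cjdns address derivation: first 16 bytes of SHA-512(SHA-512(pubkey))."""
    return hashlib.sha512(hashlib.sha512(pubkey).digest()).digest()[:16]


def is_cjdns_address(addr: bytes) -> bool:
    """Only addresses in fc00::/8 are valid cjdns node addresses."""
    return len(addr) == 16 and addr[0] == 0xFC


def owns_subnet(addr: bytes) -> bool:
    """Proposal: an address whose last 32 bits are zero (…:0000:0000) owns
    the /120 it sits in. Hypothetical check, not part of cjdns."""
    return is_cjdns_address(addr) and addr[12:16] == b"\x00\x00\x00\x00"


def subnet_owner(addr: bytes) -> Optional[bytes]:
    """Proposal: …:0000:00yy with yy != 00 is a member of some owner's /120.
    Return the owner address (last byte zeroed) the connection should be
    established with instead, or None if the address is an ordinary node."""
    if not is_cjdns_address(addr):
        return None
    if addr[12:15] != b"\x00\x00\x00" or addr[15] == 0:
        return None
    return addr[:15] + b"\x00"


def keygen_should_skip(addr: bytes) -> bool:
    """Proposal: key generation must discard candidates matching the reserved
    …:0000:00yy pattern; otherwise a normal node generated at such an address
    would have its traffic routed to the /120 owner instead of itself."""
    return subnet_owner(addr) is not None


def brute_force(limit: int, want_subnet_owner: bool = False) -> Optional[Tuple[bytes, bytes]]:
    """Mine keys until one yields a usable address (or a /120 owner address
    when want_subnet_owner is set). Random bytes stand in for real keys."""
    for _ in range(limit):
        pubkey = os.urandom(32)  # assumption: stand-in for a Curve25519 key
        addr = address_from_pubkey(pubkey)
        if not is_cjdns_address(addr) or keygen_should_skip(addr):
            continue
        if want_subnet_owner and not owns_subnet(addr):
            continue
        return pubkey, addr
    return None


def expected_days_for_subnet_owner(valid_addrs_per_second: float) -> float:
    """Expected wall-clock days to hit a …:0000:0000 address at a given rate
    of valid fc addresses per second (the thread's one-in-2^32 figure)."""
    return 2 ** 32 / valid_addrs_per_second / SECONDS_PER_DAY


if __name__ == "__main__":
    # Constructed addresses, not real nodes.
    owner = bytes.fromhex("fc" + "11" * 11 + "00000000")
    member = bytes.fromhex("fc" + "11" * 11 + "0000002a")
    print("owner owns /120:", owns_subnet(owner))
    print("member routes to:", subnet_owner(member).hex())
    print("days at 300 valid addrs/s: %.1f" % expected_days_for_subnet_owner(300))
    found = brute_force(50000)
    if found:
        print("mined ordinary address:", found[1].hex())
```

The security-relevant consequence the thread circles around is visible in `subnet_owner` and `keygen_should_skip`: because an address is a hash of the key, whoever holds the key for the …:0000:0000 address is the only node that can ever own that /120, and joining someone else's /120 would require a second preimage of that exact 120-bit prefix rather than "one of 256 addresses". The price is that every …:0000:00yy address becomes unusable for ordinary nodes, which is why the proposal makes key generation skip them.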