Open GoogleCodeExporter opened 9 years ago
When the DNS server is removed, the network would either have to fail open, and
allow anyone to connect, or fail closed, effectively banning everyone. Neither
of those seems appealing. Also, an attacker could access everyone's files just
by hijacking DNS.
If the network were redesigned given this new constraint, one approach would be
to bake a public key into the binary, and make nodes promiscuously propagate
whichever signed config has the largest timestamp. That way, even an
unanchored network could still maintain a consistent config.
Original comment by sparkm...@gmail.com
on 20 Sep 2011 at 8:32
The other problem I see is that even if you have a public key to validate a
signed config, this still opens the possibility for whoever has the private
key to push a new block of IPs, which could effectively disable the network.
In the present form, to do this, all the users would have to upgrade versions
to allow a change to be made. By staying on the old version they could refuse
the updated subnet list.
The general theme here is that the easier you make the network to reconfigure,
the easier it is to damage/cripple it.
Original comment by jacob.feisley
on 22 Sep 2011 at 11:54
Original comment by jacob.feisley
on 22 Sep 2011 at 11:55
Original issue reported on code.google.com by
tgavan...@gmail.com
on 19 Sep 2011 at 5:33
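
The rule proposed in the first comment (a public key baked into the binary, nodes adopting whichever validly signed config has the largest timestamp), as an added example in Go; it is not code from this project. The SignedConfig layout, the Node type, the choice of Ed25519 and the sample subnet values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrBadSig = errors.New("signature does not verify under baked-in key")
var ErrStale = errors.New("timestamp not newer than current config")

// SignedConfig is a hypothetical format; Sig covers Timestamp and Payload.
type SignedConfig struct {
	Timestamp    uint64
	Payload, Sig []byte
}

type Node struct {
	Pub     ed25519.PublicKey // compiled into the binary in the design above
	Current *SignedConfig     // newest valid config seen so far
}

func msg(ts uint64, payload []byte) []byte {
	return append(binary.BigEndian.AppendUint64(nil, ts), payload...)
}

func Sign(priv ed25519.PrivateKey, ts uint64, payload []byte) SignedConfig {
	return SignedConfig{ts, payload, ed25519.Sign(priv, msg(ts, payload))}
}

// Offer adopts c (nil error: adopt and relay to peers) only if it is signed by
// the baked-in key and strictly newer, so a replayed older config is refused.
func (n *Node) Offer(c SignedConfig) error {
	if !ed25519.Verify(n.Pub, msg(c.Timestamp, c.Payload), c.Sig) {
		return ErrBadSig
	}
	if n.Current != nil && c.Timestamp <= n.Current.Timestamp {
		return ErrStale
	}
	n.Current = &c
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	n := &Node{Pub: pub}
	// Constructed sample configs: the newer one is adopted, the older refused.
	fmt.Println(n.Offer(Sign(priv, 200, []byte("subnets=10.0.0.0/8"))))
	fmt.Println(n.Offer(Sign(priv, 100, []byte("subnets=10.9.0.0/16"))))
}
```

Offer checks origin and freshness only, so the concern raised in the second comment still applies: a config signed by the private-key holder is adopted whatever subnet list it carries.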