pmarks-net / dtella

A decentralized Direct Connect "hub"
GNU General Public License v2.0

Move allowed_subnets to dconfig #20

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Some campuses change their subnets around somewhat frequently, and so being 
able to update the allowed_subnets by simply changing a dconfig setting in the 
bridge would be extremely useful. Right now, redistributing the client can be 
difficult (especially while Issue 10 is open).

Original issue reported on code.google.com by tgavan...@gmail.com on 19 Sep 2011 at 5:33

GoogleCodeExporter commented 9 years ago
When the DNS server is removed, the network would either have to fail open, and 
allow anyone to connect, or fail closed, effectively banning everyone.  Neither 
of those seems appealing.  Also, an attacker could access everyone's files just
by hijacking DNS.

If the network were redesigned given this new constraint, one approach would be 
to bake a public key into the binary, and make nodes promiscuously propagate 
whichever signed config has the largest timestamp.  That way, even an 
unanchored network could still maintain a consistent config.

Original comment by sparkm...@gmail.com on 20 Sep 2011 at 8:32
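
The signed-config rule proposed in the comment above, sketched as an added example (not Dtella's code and not part of the original thread): a node keeps and re-gossips an incoming config only if it carries a larger timestamp and verifies against the baked-in public key. The `SignedConfig` layout, the choice of Ed25519, and the fixed-seed demo key are assumptions; Go is used here for its standard-library Ed25519.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// SignedConfig is a hypothetical gossip message: subnet list, timestamp, signature.
type SignedConfig struct {
	Timestamp uint64
	Subnets   []string
	Sig       []byte
}

// Constructed demo key pair from a fixed seed; a real client ships only demoPub.
var demoPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
var demoPub = demoPriv.Public().(ed25519.PublicKey)

// payload returns the signed bytes; length prefixes keep the encoding unambiguous.
func (c SignedConfig) payload() []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, c.Timestamp)
	for _, s := range c.Subnets {
		b = append(append(b, byte(len(s))), s...)
	}
	return b
}

// Sign is the operator side: it binds the subnet list to a timestamp.
func Sign(priv ed25519.PrivateKey, ts uint64, subnets []string) SignedConfig {
	c := SignedConfig{Timestamp: ts, Subnets: subnets}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// Accept returns the config a node should keep and propagate to its peers.
func Accept(pub ed25519.PublicKey, cur, in SignedConfig) SignedConfig {
	if in.Timestamp <= cur.Timestamp || !ed25519.Verify(pub, in.payload(), in.Sig) {
		return cur // stale, replayed, tampered, or not signed by the baked-in key
	}
	return in
}

func main() {
	cur := Sign(demoPriv, 100, []string{"10.0.0.0/8"})
	cur = Accept(demoPub, cur, Sign(demoPriv, 200, []string{"10.0.0.0/8", "172.16.0.0/12"}))
	fmt.Println(cur.Timestamp, cur.Subnets)
}
```

A valid signature only shows that the key holder issued the config; the check places no limit on what the subnet list contains.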

GoogleCodeExporter commented 9 years ago
The other problem I see is that even if you have a public key to validate a 
signed config, this still opens the possibility for whoever has the private
key to push a new block of IPs, which could effectively disable the network.

In the present form, to do this, all the users would have to upgrade versions 
to allow a change to be made. By staying on the old version they could refuse 
the updated subnet list.

The general theme here is that the easier you make the network to reconfigure, 
the easier it is to damage/cripple it.

Original comment by jacob.feisley on 22 Sep 2011 at 11:54

GoogleCodeExporter commented 9 years ago

Original comment by jacob.feisley on 22 Sep 2011 at 11:55