
Cjdns: a secure non-anonymous P2P network - crasm
https://github.com/cjdelisle/cjdns/blob/master/doc/Whitepaper.md
======
thescriptkiddie
The really cool thing about this – as opposed to something like Tor or I2P –
is that rather than coming up with a novel addressing scheme, it just
commandeers the entire (unused[0]) fc00::/8 block of IPv6. Because of this, it
is 100% compatible with every existing IPv6 application.

For bonus points, it can also tunnel IPv4 and IPv6 through the P2P network[1]
much like a traditional VPN would. But unlike a traditional VPN, it is
sufficient to connect to any single node of the P2P network, no need for
direct connectivity to the gateway. And of course that connection doesn't have
to be a UDP/IP stream over the public internet, because CJDNS can speak raw
Ethernet frames[2] over any hardware interface you like.

[0]
[https://en.wikipedia.org/wiki/Unique_local_address](https://en.wikipedia.org/wiki/Unique_local_address)
[1]
[https://github.com/cjdelisle/cjdns/tree/master/tunnel](https://github.com/cjdelisle/cjdns/tree/master/tunnel)
[2]
[https://github.com/cjdelisle/cjdns/blob/master/doc/configure...](https://github.com/cjdelisle/cjdns/blob/master/doc/configure.md#connection-interfaces)

~~~
lkjhgfdsa57
Onioncat [1] provides this functionality for Tor and I2P. You get an IPv6
address and it works with any application that supports IPv6. The address is
based on the hidden service (in the case of Tor) backing the onioncat
instance.

[1] [https://www.onioncat.org](https://www.onioncat.org)

------
crasm
The community that's grown around this routing technology is Hyperboria
([https://hyperboria.net/](https://hyperboria.net/)), which is mainly an
overlay meshnet via the existing internet rather than an entirely new network
with dedicated cables and wireless links. It's got about 700 nodes active
right now (and about 1800 links), according to the awesome network visualizer
at: [http://www.fc00.org/](http://www.fc00.org/)

~~~
Kinnard
Anything more focused on the link layer?

~~~
Hyperborian
The whole project is. The ultimate goal of CJDNS is essentially to _replace_
the current TCP/IP based internet, or at least to be an alternative global
internetwork.

The existence of Hyperboria and the use of VPNs over the current internet is
purely due to the fact that the current users are still too few and far
between to establish direct links to each other.

------
kyledrake
This is a great project with a very interesting goal that I'm not sure
everyone (or perhaps myself?) understands.

What it's trying to do is create a more distributed version of the BGP / IP
system we use to route traffic today. So instead of organizations like ARIN
and APNIC that assign addresses and AS numbers (for BGP routing), you just
generate your own IPv6 addresses, derived from a private key, and then it
peers with whomever you want to peer with. There is no centralized step here,
all you need is authentication information from the servers you want to peer
with.

I actually see this more as a replacement for BGP. BGP is what really routes
all the internet traffic around, and then the IP is like the end-point for
that routing. BGP has a similar work flow to the way you use Cjdns (find
peers, connect to them, get more redundant routing paths).

Why bother? Well, the IP/BGP ASN allocation process is a complicated,
centralized, manual, expensive mess. I've recently acquired some IP space and
an ASN and it took a long time and a lot of difficult work to get it all
worked out. With Cjdns, you just boot it up, peer with some upstreams and
you're ready to go. And because it uses IPv6 for the exit, it works with any
application that supports IPv6, so it's compatible with pretty much
everything, no rewriting is needed.

A lot of people don't like that it isn't perfectly anonymous, but that's okay.
It's trying to be as fast and efficient as possible, as opposed to something
like Tor that is trying to improve privacy and anonymity at the expense of
performance. You can always run things like Tor on top of it if you want to do
that. Anyways, we don't know if Tor is the final answer to that problem, so
this allows you to solve the routing problem, and then implement protocols to
deal with the privacy/anonymity problem above that.

I'd really love to see this project get more adoption, but it's going to be an
uphill battle to get a large amount of the internet peering through it.

I'm not sure if this is the best way to describe cjdns, so feel free to
correct me on any of this.

~~~
Hyperborian
The protocol is also key to Project Meshnet (a response to the many current
concerns over censorship and net neutrality), which seeks to use it to
essentially replace ISPs with local community mesh networks, ultimately
seeking to interconnect those networks and, basically, replace the current
internet from the ground up.

------
vdloo
cjdns is amazing. I've been using it for a while now as a decentralized vpn.
It is really powerful to just be able to link machines together in a network
where each node can reach each node as long as at least one other node can
connect to that node. For example, I have two machines behind one router and
two machines behind another router. Only one in each zone is approachable from
the internet, and not always both (due to dynamic residential IPs for
example). With cjdns all machines can access all machines as long as there is
at least one path that can be traversed from the source machine to the
destination, transparently hopping through intermediary machines if necessary.
Even if the source machine cannot reach the destination machine, but the
destination can reach the source, there is no problem because of the UDP
tunneling.

~~~
LinuxBender
By any chance have you run iperf3 when routing through a couple hops? I would
be very interested in the numbers. Today I accomplish that behavior using Tinc
vpn, but it is slow when routing through multiple hops.

------
HarfTarf
This is ingenious, your public address is also your public key, and the
payload of the packet can only be decrypted by your private key. So awesome,
it has encryption built in.
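
An added example, not code from the thread or from the cjdns project, tying together thescriptkiddie's fc00::/8 point above, kyledrake's "IPv6 addresses, derived from a private key", and HarfTarf's "your public address is also your public key". It assumes the derivation the cjdns whitepaper describes: the address is the first 16 bytes of SHA-512(SHA-512(curve25519 public key)), and a key is only usable if that first byte is 0xfc, so key generation is a brute-force search over random keys (about 1 in 256 succeed). Two details worth knowing: fc00::/8 is the half of the RFC 4193 fc00::/7 unique-local range whose L bit is 0, which the RFC left undefined, so fd00::/8 (the half ordinary private networks actually use) is not cjdns space; and the address is a 128-bit truncation of a hash, so "address equals key" really means "address commits to key", which is what makes impersonation detectable. X25519 is written out in pure Python after RFC 7748 so the block runs with only the standard library; real code would use libsodium or NaCl instead.

```python
"""cjdns key-to-address derivation, as an added illustration (not cjdns code).

Assumed from the cjdns whitepaper: address = first 16 bytes of
SHA-512(SHA-512(curve25519 public key)), usable only if byte 0 is 0xfc.
X25519 is a pure-Python RFC 7748 ladder so nothing outside stdlib is needed.
"""
import hashlib
import ipaddress
import os

P = 2**255 - 19            # Curve25519 field prime
A24 = 121665               # (A - 2) / 4 for the Montgomery curve A = 486662
CJDNS_NET = ipaddress.ip_network("fc00::/8")


def _clamp(scalar: bytes) -> int:
    """RFC 7748 clamping of a 32-byte X25519 private scalar."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(private_key: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """Montgomery ladder from RFC 7748; with the default u (base point 9)
    the result is the public key for private_key."""
    k = _clamp(private_key)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask top bit as the RFC requires
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def cjdns_address(public_key: bytes) -> ipaddress.IPv6Address:
    """Map a 32-byte public key to its cjdns address (assumed double SHA-512, first 16 bytes)."""
    digest = hashlib.sha512(hashlib.sha512(public_key).digest()).digest()
    return ipaddress.IPv6Address(digest[:16])


def is_cjdns_address(addr: str) -> bool:
    """True only for fc00::/8; fd00::/8 (ordinary ULA space) is deliberately excluded."""
    return ipaddress.IPv6Address(addr) in CJDNS_NET


def generate_keypair(max_tries: int = 20000):
    """Draw random private keys until the derived address lands in fc00::/8.

    Each candidate succeeds with probability 1/256, so this normally returns
    after a few hundred tries; the cap only guards against a broken RNG."""
    for _ in range(max_tries):
        priv = os.urandom(32)
        pub = x25519(priv)
        addr = cjdns_address(pub)
        if addr in CJDNS_NET:
            return priv, pub, addr
    raise RuntimeError("no fc00::/8 key found in max_tries; RNG is suspect")


def peer_matches(public_key: bytes, claimed_address: str) -> bool:
    """The identity check a node relies on: the key a peer presents must hash
    to the address you intended to talk to, otherwise it is an impostor."""
    return cjdns_address(public_key) == ipaddress.IPv6Address(claimed_address)


if __name__ == "__main__":
    priv, pub, addr = generate_keypair()
    print("public key :", pub.hex())
    print("address    :", addr)
    print("matches    :", peer_matches(pub, str(addr)))
```

peer_matches is the check that gives "encryption built in" its meaning: a node proving possession of a key that does not hash to the address you dialed is an impostor, whatever it says. What the check cannot tell you is whether the name you resolved through ordinary DNS was mapped to the right fc00:: address to begin with; that binding still has to come from somewhere you trust.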

~~~
theptip
Doesn't that make key rotation painful?

~~~
Hyperborian
It's true that key rotation would mean changing your IP address, but that is
something that is fairly routine on the current internet already, though
certainly infrequently done by major sites and services.

The primary purpose of the encryption in CJDNS is simply to establish identity
and make the completely decentralized addressing system (the key component)
possible. Using the keys to do built in transparent end-to-end encryption is
an important and valuable feature as well, but ultimately is secondary. If you
need the kind of security that requires frequent key rotation, you should
really be using an additional encryption and identity verification layer on
top, just like with the current internet.

Also, CJDNS uses 512 bit keys, and the nature of how the protocol works means
that any address collisions (which would be unavoidable by someone
impersonating you) would be obvious and detectable, so for its intended
purpose it should not be necessary to rotate keys very often at all.

~~~
theptip
Is it common to use DNS or some other name resolution system to get from
'abstract service name' to 'concrete IP'?

Just thinking through the remediation steps in the case of compromised keys;
how would you propagate the change-of-identity information?

~~~
Hyperborian
Currently the typical solution on Hyperboria is indeed the current internet
DNS system, primarily for lack of a widely accepted decentralized alternative.

A truly decentralized alternative to the current DNS system is a difficult
problem to solve, and one that people continue to work on. IP addresses are
easier because they are interchangeable; it really doesn't matter _which_ one
you have as long as you're the only one who has it. Domain names, though, are
not at all; in fact, that's basically their entire point. The question of who
gets which names, issues around fraud and phishing, mass registration and
domain squatting... how do you solve those problems without some sort of
authority to arbitrate and enforce rules?

The closest alternative to the ideal that I know of right now is probably
Namecoin, which works quite well with Hyperboria, but it still involves a
number of compromises that not everyone is happy with.

~~~
theptip
Thanks for the detailed explanation.

------
JacobHenner
cjdns is excellent, I've been using it for quite some time now for all sorts
of things. If anyone is interested in peering in the NY metro area, let me
know, I've got bandwidth to spare.

~~~
Tiksi
Is 2.4 GHz gear typically used for this? I live in NJ, but have clear line of
sight to midtown (I can see from ~30th to 86th St out of my window; I can
easily pick up most of the city on the 2m and 70cm bands with my Yagi (
[http://paste.click/tnHdWr](http://paste.click/tnHdWr) ), even with crappy handheld
radios). However it's around 7-8 miles, so even with a highly directional
antenna, standard 2.4 GHz gear would probably be a stretch. Does anyone run
800 MHz gear? I feel like that would be a lot more useful as the effective
range is a LOT further and it can actually go through walls to an extent.

~~~
calgoo
Check out the Ubiquiti Wi-Fi antennas [1] for 25 km+ connections using 2.4 and 5
GHz. However, it is recommended to use 5 GHz, especially if you have line
of sight. What you need to find is someone on the other end who can put up an
antenna as well, and you can have a ~50 Mbit (depends on a lot of factors; this
is an average based on experience in Barcelona and Guifi.net) connection for
around $150.

[1] [https://www.ubnt.com/](https://www.ubnt.com/)

------
znpy
How is this different from
[http://netsukuku.freaknet.org/](http://netsukuku.freaknet.org/) ?

~~~
PeCaN
Netsukuku is anonymous, while cjdns is not; cjdns uses an unused IPv6 block
for addressing, netsukuku has its own addressing thing; cjdns has a very
clever end-to-end encryption scheme, I'm not sure about netsukuku; netsukuku
has fun Lain references on its website.

~~~
znpy
Thank You for clarifying!

------
vermilingua
After seeing enough of these "alternative internets" to make your eyes water,
I have to wonder: at this point, is it even possible to implement these at
scale? As well designed as the technologies may be, how could these possibly
be marketed to the layperson, who is happy with the current infrastructure?

The only recent/ongoing shifts in internet technology are IPv6 and the https
push, and they are both built on top of existing technology, and have been
extremely logistically challenging to implement. How could a total revamp
possibly fare?

~~~
jbpetersen
I feel like all this will remain hobbywork until X country decides to
effectively shut down the internet. If there's a sufficiently polished
"alternative internet" ready to step in using whatever resources are easily
available, then it could suddenly become very serious business.

------
therealidiot
I've been using this for a while, and it's really cool. I've not found a huge
number of "public" services on the network, but I've used it for IP tunnelling
and also to access my machines without having to worry about dynamic DNS.

------
thesorrow
Do I need HTTPS when using cjdns, or is HTTP fine?

~~~
HarfTarf
If you are trying to achieve encryption, then no, you will not need HTTPS, as
cjdns is encrypted at every packet by nature. If you are trying to comply with
some other HTTPS-related standard, then you will need HTTPS.

