
Personally, I've been building my mesh network up over Yggdrasil[1]. A router can even hand out Ygg IPs, resolve traffic for, and firewall off naive IoT devices (necessary if you route through the public mesh, which isn't the only way to set things up).

1: https://yggdrasil-network.github.io/



Hopefully the network segregation[1] feature makes it in at some point:

> A shared network key, included in the tree announcements, will ensure that two nodes that peer with what should be segregated networks will ignore each other. This should make it much easier to operate private Yggdrasil meshes and not worry that they will end up accidentally peered to the public network.

[1]: https://github.com/yggdrasil-network/yggdrasil-go/discussion...


The current code we have for Yggdrasil v0.5 allows creating isolated networks using TLS roots. You can optionally provision the node identity as a TLS certificate and key and specify a root certificate, so that Yggdrasil will reject peerings with other nodes unless the peer presents a certificate from the same root. It should make it significantly easier to manage fleets of nodes under the same root whilst preventing accidental peerings to other networks.


Is it possible to use Yggdrasil in a way that it never gets connected to the public mesh and without knowing the public IP addresses of all the nodes in your private mesh?

Specifically, I'm wondering if it's possible to prevent outside nodes from completely establishing a connection to your nodes and therefore cause your private traffic to route over the public mesh.

That is, assuming that your Yggdrasil traffic has to route over the public Internet and is not contained within a private network itself.


The next version will make it much simpler to deploy isolated networks by using TLS roots to prevent accidental peerings.

It's also worth noting that Yggdrasil doesn't have the equivalent of "peer exchange" — only directly connected peers would ever find out your public IP address. Yggdrasil will not form new peerings automatically, with the single exception being multicast-discovered nodes on the same LAN.


> The next version will make it much simpler to deploy isolated networks by using TLS roots to prevent accidental peerings.

Is that PR #1038 [1]? Any info on how to use that feature and whether it works over multicast as well?

I noticed this PR uses SHA-1 for matching fingerprints. SHA-1 has been broken for 18 years now. Is it possible to use something more secure?

> It's also worth noting that Yggdrasil doesn't have the equivalent of "peer exchange" — only directly connected peers would ever find out your public IP address. Yggdrasil will not form new peerings automatically, with the single exception being multicast-discovered nodes on the same LAN.

Right, my worry is that having a server with a public IPv4 address and Yggdrasil running on an open port (so that my other nodes can connect to it) will allow someone else to connect to it (either on purpose or accidentally) and cause my traffic to route over their node(s) and/or the public mesh.

Thanks!

[1] https://github.com/yggdrasil-network/yggdrasil-go/pull/1038
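The two mechanisms discussed in this thread, rejecting a peering unless the peer presents a certificate from the same TLS root, and comparing certificate fingerprints with a modern hash rather than SHA-1, can be sketched in a few lines of Go. The block below is an added illustration written for this thread; it is not Yggdrasil's code and does not claim to match how the yggdrasil-go pull request implements either feature. The function names (newRoot, issueNodeCert, verifyPeer, fingerprintSHA256) and the certificate fields chosen are assumptions; the only things taken from the thread are the idea of a per-mesh root and the use of Ed25519 identities.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newRoot creates a self-signed CA certificate that acts as the "TLS root"
// of one private mesh. Ed25519 is used because that is the key type
// Yggdrasil node identities already use. (Illustrative code, not Yggdrasil's.)
func newRoot(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// issueNodeCert provisions a node identity certificate signed by the mesh root.
// The node's private key is generated here only for the demo; in practice it
// would stay on the node and never leave it.
func issueNodeCert(root *x509.Certificate, rootKey ed25519.PrivateKey, name string) (*x509.Certificate, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, pub, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPeer is the check a node would run on an inbound or outbound peering:
// accept only if the peer's certificate chains to our configured root.
// A node from a different mesh (different root) fails this and is ignored.
func verifyPeer(peer *x509.Certificate, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// fingerprintSHA256 returns the hex SHA-256 digest of the DER-encoded
// certificate, the usual way to display or pin a certificate fingerprint
// without relying on SHA-1.
func fingerprintSHA256(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	// Two separate meshes, each with its own root; node-b1 must not be able
	// to peer with anything under mesh A's root.
	rootA, keyA, _ := newRoot("mesh-a-root")
	rootB, keyB, _ := newRoot("mesh-b-root")
	nodeA, _ := issueNodeCert(rootA, keyA, "node-a1")
	nodeB, _ := issueNodeCert(rootB, keyB, "node-b1")
	fmt.Println("same root accepted:   ", verifyPeer(nodeA, rootA) == nil)
	fmt.Println("foreign root rejected:", verifyPeer(nodeB, rootA) != nil)
	fmt.Println("node-a1 SHA-256 fingerprint:", fingerprintSHA256(nodeA))
}
```

The point of the check in verifyPeer is that it runs before any routing state is exchanged: a stray or accidental connection from a node under another root is dropped at the handshake, so its traffic never becomes a candidate path for the private mesh. The fingerprint helper shows the alternative to SHA-1 raised above; whatever a given implementation does, pinning or comparing on a SHA-256 digest of the DER bytes is the conventional choice today.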



