foshardware/kallisti: Usable, secure and efficient network protocols

Generate a keypair

$ kallisti keypair

Generate the keypair from /dev/random instead

$ kallisti scalarmult < /dev/random

Establish peering

$ cp example* config.json
$ nano config.json
$ sudo kallisti config.json

Set point-to-point and a route, for example:

$ sudo ip addr add 10.42.42.2/24 peer 10.42.42.1 dev kallisti42
$ sudo ip route add 10.42.42.0/24 dev kallisti42

Use 2 CPU cores

$ sudo kallisti +RTS -N2 -RTS config.json

Setting the TCPDROP variable for websocket-based peerings (experimental)

$ export TCPDROP=1024
$ sudo -E kallisti config.json

(sudo resets the environment by default, so the variable only reaches kallisti when it is preserved with -E or set on the sudo command line itself.)

This drops every 1024th TCP packet sent from your tun device.

This is useful to prevent TCP meltdowns, which stem from the TCP-over-TCP problem: the inner TCP retransmission timer is never increased, so on packet loss the inner TCP stack retransmits exponentially, completely congesting the inner TCP stack and impairing the outer TCP stack.

The TCPDROP environment variable effectively flattens the bandwidth curve by distributing evenly among all transmissions the retransmissions that would otherwise have occurred during a TCP meltdown.

Lower this value when you have bad connectivity. Set it to 0 when you have perfect connectivity.
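As an added illustration (this is not kallisti's own code, which is not on this page), the following Python models the drop policy the variable describes: packets are taken as they would come off the tun device as raw IPv4 frames, only TCP packets are counted, and every TCPDROP-th one is dropped while UDP and non-IPv4 traffic passes untouched. The helper names, the minimal packet builder used for constructed test data, and the treatment of TCPDROP=0 (and TCPDROP=1, which would drop every TCP packet) are assumptions of this example.

```python
import os
import struct
from typing import Iterable, List, Mapping, Optional

TCP = 6   # IPv4 protocol numbers
UDP = 17


def ipv4_protocol(packet: bytes) -> Optional[int]:
    """Return the IPv4 protocol number of a raw packet, or None if it is
    too short or not IPv4 (the version nibble is the high half of byte 0)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return packet[9]          # protocol field sits at header offset 9


def make_ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte IPv4 header plus payload. Constructed test
    data only: checksum is left zero and addresses are the README's
    10.42.42.0/24 example pair (assumption of this example)."""
    total = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total, 0, 0, 64, proto, 0,
        bytes([10, 42, 42, 2]), bytes([10, 42, 42, 1]),
    )
    return header + payload


class TcpDropper:
    """Stateful filter: drops every n-th TCP packet it is shown.
    n <= 0 disables dropping (assumed meaning of TCPDROP=0)."""

    def __init__(self, tcpdrop: int) -> None:
        self.n = tcpdrop
        self.tcp_seen = 0

    def keep(self, packet: bytes) -> bool:
        if self.n <= 0 or ipv4_protocol(packet) != TCP:
            return True       # non-TCP traffic is never touched
        self.tcp_seen += 1
        return self.tcp_seen % self.n != 0


def filter_packets(packets: Iterable[bytes], tcpdrop: int) -> List[bytes]:
    """Apply the drop policy to a sequence of outbound packets."""
    dropper = TcpDropper(tcpdrop)
    return [p for p in packets if dropper.keep(p)]


def tcpdrop_from_env(environ: Mapping[str, str] = os.environ) -> int:
    """Read TCPDROP the way the README sets it; unset means no dropping."""
    return int(environ.get("TCPDROP", "0"))


if __name__ == "__main__":
    # constructed sample: every third packet UDP, the rest TCP
    sample = [make_ipv4(UDP, b"u") if i % 3 == 0 else make_ipv4(TCP, b"t%d" % i)
              for i in range(12)]
    kept = filter_packets(sample, tcpdrop_from_env())
    print("kept %d of %d packets" % (len(kept), len(sample)))
```

With TCPDROP=4 in the environment the sample above loses its 4th and 8th TCP packet; with the variable unset nothing is dropped, and with TCPDROP=1 only the UDP packets survive, which is why small values should be reserved for genuinely bad links.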

Protocols

Find a way to securely synchronize your system clock (for instance NTP)!

Criteria

  • authentication: the payload is authenticated

  • encryption: the payload is encrypted

  • forward secrecy: the payload is encrypted using ephemeral keys

  • efficiency: the protocol is designed with maximum performance in mind

  • asynchronicity: after the initial handshake (if any) clock skews do not result in temporary DoS

  • interoperability: the protocol plays nice with existing web standards like TCP, TLS, HTTP, etc. and deals with real world limitations like web proxies, firewalls, etc.
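To make the asynchronicity criterion concrete, here is an added Python model (not kallisti's code; how its protocols actually build nonces is not on this page and is not claimed here). It contrasts two anti-replay strategies: a stateless receiver that accepts a packet only if its sender-clock stamp is strictly newer than the last accepted one, and a receiver that, after a handshake, expects a per-session counter. A replayed packet is rejected by both, but when the sender's clock is stepped backwards (for example an unsynchronised clock being corrected) only the timestamp receiver rejects fresh traffic until the clock has caught up, which is the temporary DoS the criterion refers to and the reason the README asks for securely synchronised clocks. The class names, the strict-ordering rule and the counter starting at 0 are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class TimestampReceiver:
    """Stateless replay filter: a packet is accepted only if its stamp is
    strictly newer than the newest stamp accepted so far (assumed rule)."""
    last_stamp: float = float("-inf")
    accepted: int = 0
    rejected: int = 0

    def receive(self, stamp: float, payload: bytes) -> bool:
        if stamp <= self.last_stamp:   # replay, or sender clock went backwards
            self.rejected += 1
            return False
        self.last_stamp = stamp
        self.accepted += 1
        return True


@dataclass
class CounterReceiver:
    """Post-handshake filter: both sides agreed on a session, so a
    monotonically increasing counter serves as nonce and wall-clock time
    plays no role (counter assumed to start at 0)."""
    expected: int = 0
    accepted: int = 0
    rejected: int = 0

    def receive(self, counter: int, payload: bytes) -> bool:
        if counter != self.expected:
            self.rejected += 1
            return False
        self.expected += 1
        self.accepted += 1
        return True


@dataclass
class Sender:
    """Sender whose local clock advances one second per packet and which
    stamps every packet with both a time stamp and a session counter."""
    clock: float
    counter: int = 0

    def packet(self, payload: bytes) -> Tuple[float, int, bytes]:
        stamp, ctr = self.clock, self.counter
        self.clock += 1.0
        self.counter += 1
        return stamp, ctr, payload


def simulate(step_back: float, n_after: int = 10) -> Tuple[int, int, bool]:
    """Send 5 packets, replay one, step the sender's clock back by
    `step_back` seconds, then send `n_after` fresh packets.
    Returns (fresh packets rejected by the timestamp receiver,
             fresh packets rejected by the counter receiver,
             whether both receivers rejected the replay)."""
    ts, ct = TimestampReceiver(), CounterReceiver()
    sender = Sender(clock=1000.0)           # constructed starting clock
    packets = [sender.packet(b"data%d" % i) for i in range(5)]
    for stamp, ctr, payload in packets:
        ts.receive(stamp, payload)
        ct.receive(ctr, payload)

    stamp, ctr, payload = packets[2]        # replay of the third packet
    replay_rejected = (not ts.receive(stamp, payload)) and (not ct.receive(ctr, payload))

    sender.clock -= step_back               # clock correction on the sender
    ts_before, ct_before = ts.rejected, ct.rejected
    for i in range(n_after):
        stamp, ctr, payload = sender.packet(b"fresh%d" % i)
        ts.receive(stamp, payload)
        ct.receive(ctr, payload)
    return ts.rejected - ts_before, ct.rejected - ct_before, replay_rejected


if __name__ == "__main__":
    for step in (0.0, 3.0, 60.0):
        print("clock stepped back %4.0fs -> rejected (timestamp, counter), replay blocked: %s"
              % (step, simulate(step)))
```

A 3 second step costs the timestamp receiver exactly three fresh packets before service resumes; a 60 second step rejects all ten in this run, while the counter receiver is unaffected in every case.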

Comparison

  • kallistn (experimental): authentication, encryption, forward secrecy, efficiency, asynchronicity

  • kallistai (recommended): authentication, encryption, forward secrecy, efficiency

  • nacltai: authentication, encryption, efficiency

  • nacl0: efficiency, asynchronicity

  • raw: efficiency, asynchronicity

  • wsnacln (with TLS): authentication, encryption, forward secrecy, asynchronicity, interoperability

  • wsraw (with TLS): asynchronicity, interoperability

  • wsnacln: authentication, encryption, forward secrecy, asynchronicity, interoperability

  • wsraw: asynchronicity, interoperability

Protocols running over secure websockets (wss://) do not gain additional security through TLS, since no certificate validation takes place. An additional TLS layer might be interesting in special cases of web proxies that do not handle cleartext websockets well.

API