-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proved that 300::/64 Yggdrasil subnet is vurnerable against private key brute force attack #779
Comments
AFAIK this calls "Birthday attack". Wikipedia says that difficulty of search a collision in hash function typically is 2^(n/2) where n is hash lenght. In Yggdrasil lenght of hash is 56, and it's very easy to found a similar subnets. |
Ultimately we knew this was going to happen and it is because we are truncating a longer 512-bit hash of the public key into an even smaller fraction of a smaller 128-bit address space. We are truncating the keys not because we really want to, but because it's the best way to test the Yggdrasil design with existing IPv6 stacks. Ideally we would address nodes using their full public key without any truncation but this would require a new address family with a kernel-space implementation and significantly more engineering effort than makes sense at this stage. The reason that the I am somewhat inclined to say that we should just accept this risk as it is for now, knowing that this isn't likely to be the thing that will kill Yggdrasil — we're much more interested in whether the routing scheme performs as advertised at scale. If Yggdrasil does succeed at fitting our goals then it may be a good candidate for a future version of IP which is not constrained by 128-bit addressing anyway. @Arceliar Do you have any other thoughts on this? |
Me, @r4sas, @zhoreeq and @Revertron tested the accesibility of two nodes: mine was peering with German peers and R4SAS's used French one. Both nodes were running web servers with on the same ports. As result I noticed timeout issues while attempt to open web pages for the address http://[300:2300:7c67:6c3::1]:8080/ from USA node which is far away from the first and second one. Secondly, R4SAS took more priority from other locations which were trying to open mentioned URL. Sometimes Yggdrasil restart helps to resolve issue with timeout. |
This is working as intended. The purpose of the The second byte of a ygg address is a counter of the number of leading 1 bits in the public key. The leading 1 bits and the first 0 bit are stripped from the start of the key, and then the rest of the key is used as the remaining bits of the IPv6 address or subnet prefix. So if you want to make these attacks more difficult, then you can brute force a stronger key (more leading 1 bits) to make attacks proportionally more difficult. Hosting services on a |
I guess, one of the concerns is if those collisions could break the application logic, i.e. sessions stop working. I didn't notice anything terrible though, the collision even worked as a load balancer. |
@zhoreeq other peoples might be confused. This issue is not about load balancing but taking control Yggdrasil node traffic. I noticed deny of service issues which leads timeouts and target host unavailability. BTW this is a good starting point to think about some additional features as load balancing. |
Just adding that this issue is also tracked in #33, although the best question from that was "do we really need |
@vikulin there are two different tasks:
First one is important because of what @zhoreeq said. @neilalexander as a hack, you may use above mentioned miner (one very important optimization is implemented there!) to get >308 addresses for everyone (new users I mean). It will take less than a second, but it will be a huge problem for bruteforcers. |
could we add a separate api that can find the full public key from an ipv6 address? that way we can check the public key against one that you know is real, and give out the real public key with the ipv6 address. |
no, ipv6 is an hash of public key. so way to find ipv6->pub key directly. |
A mining step can solve this issue? A public key is valid for an ip if the hash matches the ip AND contains some leading zeros. |
@Arceliar @neilalexander addresses with subnets collision was naturally generated in network recently (well, almost naturally, meant "not on purpose"). Discovered in RU community chat, some guy complained about "my 300::/64 subnet does not work because of collision". |
This is why it's a bad idea to brute force vanity keys for a /64. I assume they were both trying to get a short prefix in this case, or maybe just a short address. If you must use a /64 then, then you should be brute forcing a stronger key if possible (higher byte 2 in the address compressing 0 bits of the key), since otherwise a /64 is pretty much begging for a collision. That's why we compress bits in the first place, to give people a way to mitigate this if they really must use a /64 to make ygg reachable for an unsupported device (network printers etc). |
This made by @Filarius . He managed to collect huge number of private/public keys and select only pairs with matching 300::/64 subnet. His hardware/software were following:
Matching keys example:
Subnet: 300:2300:7c67:6c3::/64
@neilalexander , can we extend prefixlen from 64 to 32 to make the subnet stronger?
The text was updated successfully, but these errors were encountered: