Comments (5)
Of the three, I think the third is the most feasible. It is probably not obvious from the existing (limited) documentation, but the lighthouses are outside of the trust model in a way we would like to retain. A single compromised lighthouse cannot do much to disrupt a nebula network, because they simply return answers to queries, and do not coordinate with each other at all.
As you noticed, we do have blacklisting in the config file, which would allow this to be pushed out via a config management system, and is how we use it ourselves.
The ability for a central authority to blacklist nodes is something we've considered, but that power comes with a downside, which is potential for abuse. I am not opposed to this if there is a good solution, likely involving some kind of signed CA blacklist.
Thanks for the quick reply!
OCSP responses are signed; we could use either the Nebula CA or an independent CA for checking OCSP responses.
Let's close this issue for now. I'll get back to you with a pull request in a few months when it is time to implement this feature (if I haven't found a better workaround in the meantime, of course 😄).
Hello! Any updates on this feature?
@goireu did you manage to find a workaround?
Our current workaround is a mix of short-lived certificates and a blacklist; the Nebula configuration is regularly generated and fetched from a central API.
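The two mechanisms discussed in this thread are a per-node blacklist of certificate fingerprints pushed out by config management, and the maintainer's idea of a CA-signed blacklist that nodes could accept from an untrusted channel (a lighthouse, a central API) without widening the trust model. The Go program below is an added illustration of the second idea and is not Nebula's code or format: the `Blocklist` document, its JSON encoding, the `Enforcer` type and the use of SHA-256 over raw certificate bytes as the fingerprint are all assumptions made for the example. It shows the checks a node would need before applying such a list: the signature must verify under the CA public key, the list must not be stale, and its serial must be newer than the last accepted one, so that a captured older list cannot be replayed to un-block a revoked certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Blocklist is a hypothetical CA-signed revocation document (an illustration,
// not a Nebula format): the CA lists certificate fingerprints that every node
// must refuse, with a serial and issue time so that an old list cannot be
// replayed over a newer one.
type Blocklist struct {
	Serial       uint64   `json:"serial"`
	IssuedAt     int64    `json:"issued_at"` // Unix seconds
	Fingerprints []string `json:"fingerprints"`
}

// SignedBlocklist carries the encoded list and the CA signature over it.
type SignedBlocklist struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// DemoCAKey derives a deterministic Ed25519 key pair from a seed byte.
// Constructed for the example; a real CA key would come from the CA's key file.
func DemoCAKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := make([]byte, ed25519.SeedSize)
	for i := range s {
		s[i] = seed
	}
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignBlocklist encodes the list and signs the encoded bytes with the CA key.
func SignBlocklist(caKey ed25519.PrivateKey, bl Blocklist) (SignedBlocklist, error) {
	payload, err := json.Marshal(bl)
	if err != nil {
		return SignedBlocklist{}, err
	}
	return SignedBlocklist{Payload: payload, Signature: ed25519.Sign(caKey, payload)}, nil
}

// Enforcer is the node-side state: the set of blocked fingerprints and the
// serial of the last list that was accepted.
type Enforcer struct {
	blocked map[string]bool
	serial  uint64
}

func NewEnforcer() *Enforcer { return &Enforcer{blocked: map[string]bool{}} }

// Apply accepts a signed list only if the signature verifies under the CA
// public key, the list is no older than maxAgeSec at time now, and its serial
// is newer than the last accepted one. On success it replaces the blocked set
// wholesale: a list is a complete statement, not a delta. A rejected list
// leaves the node's state untouched.
func (e *Enforcer) Apply(caPub ed25519.PublicKey, sb SignedBlocklist, now, maxAgeSec int64) error {
	if !ed25519.Verify(caPub, sb.Payload, sb.Signature) {
		return errors.New("blocklist signature does not verify under the CA key")
	}
	var bl Blocklist
	if err := json.Unmarshal(sb.Payload, &bl); err != nil {
		return fmt.Errorf("blocklist payload: %w", err)
	}
	if now-bl.IssuedAt > maxAgeSec {
		return fmt.Errorf("blocklist serial %d is stale (issued %ds ago)", bl.Serial, now-bl.IssuedAt)
	}
	if bl.Serial <= e.serial {
		return fmt.Errorf("blocklist serial %d is not newer than accepted serial %d", bl.Serial, e.serial)
	}
	next := make(map[string]bool, len(bl.Fingerprints))
	for _, fp := range bl.Fingerprints {
		next[fp] = true
	}
	e.blocked, e.serial = next, bl.Serial
	return nil
}

// Allow reports whether a peer presenting a certificate with this fingerprint
// may complete a handshake.
func (e *Enforcer) Allow(fingerprint string) bool { return !e.blocked[fingerprint] }

// Fingerprint is the SHA-256 hex digest of the raw certificate bytes, the form
// a blocklist entry takes in this example.
func Fingerprint(rawCert []byte) string { return fmt.Sprintf("%x", sha256.Sum256(rawCert)) }

func main() {
	pub, priv := DemoCAKey(7)
	stolen := Fingerprint([]byte("constructed: raw bytes of a compromised host certificate"))
	signed, _ := SignBlocklist(priv, Blocklist{Serial: 1, IssuedAt: 1700000000, Fingerprints: []string{stolen}})
	e := NewEnforcer()
	fmt.Println("apply CA-signed list:", e.Apply(pub, signed, 1700000060, 3600))
	fmt.Println("compromised cert allowed:", e.Allow(stolen))
	// A list signed by some other key is rejected and changes nothing.
	_, rogue := DemoCAKey(9)
	forged, _ := SignBlocklist(rogue, Blocklist{Serial: 2, IssuedAt: 1700000100})
	fmt.Println("apply list signed by another key:", e.Apply(pub, forged, 1700000160, 3600))
}
```

Because only the CA key can produce an acceptable list, the channel that distributes it does not need to be trusted, which is what keeps lighthouses outside the trust model as the maintainer describes. The staleness window is the same trade-off the short-lived-certificate workaround makes: a node that cannot fetch a fresh list keeps enforcing the last one it accepted, and how long that is tolerable is a policy choice.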
I see. Thank you!