V2 certificate format #1216
V2 certificate format #1216
Conversation
|
|
||
| -- At least 1 ipv4 or ipv6 address must be present if isCA is false | ||
| networks SEQUENCE OF Network, | ||
| unsafeNetworks SEQUENCE OF Network OPTIONAL, |
There was a problem hiding this comment.
Very happy to see this getting renamed from -ips and -subnets which were a bit confusing (many people believed subnets was essentially the CIDR part of -ips.) That being said, calling them both "networks" might also be confusing. I think I'd lean towards simply calling this unsafeRoutes to match the config option.
There was a problem hiding this comment.
I'm not opposed to calling these unsafeRoutes, it doesn't quite feel right though since this field is describing a network that can be used to configure unsafe routes on another host.
| @@ -62,6 +62,7 @@ message NebulaHandshakeDetails { | |||
| uint32 ResponderIndex = 3; | |||
| uint64 Cookie = 4; | |||
| uint64 Time = 5; | |||
| uint32 CertVersion = 8; | |||
There was a problem hiding this comment.
thoughts on making this an enum to match cert.go?
There was a problem hiding this comment.
It would be a cyclical import for the cert package or else we'd have to do silly type conversions between the two packages.
I will say using cert.Version* for protocol level stuff gave me the ick.
| default: | ||
| return nil, r, ErrInvalidPEMCertificateBanner | ||
| } | ||
|
|
||
| if err != nil { | ||
| return nil, r, err |
There was a problem hiding this comment.
semantics changed a little bit here -- we used to not return the pem-remainder on err, now we do. It's probably fine? It's more consistent with the default/ErrInvalidPEMCertificateBanner branch.
lighthouse.go
Outdated
| func (lhh *LightHouseHandler) handleHostQueryReply(n *NebulaMeta, vpnIp netip.Addr) { | ||
| if !lhh.lh.IsLighthouseIP(vpnIp) { | ||
| func (lhh *LightHouseHandler) handleHostQueryReply(n *NebulaMeta, reqHostinfo *HostInfo) { | ||
| //TODO: this is kind of dumb |
There was a problem hiding this comment.
it is dumb, but it raises some good questions about multi-IP stuff. Are we going to require users to put each IP for a lighthouse in their config file? If we do, does it make sense to group them?
lighthouse:
hosts:
- 10.0.0.1 # the old way
- ["fc00::2", "10.0.0.2"] # a new way
similar ideas apply wrt the static host map
There was a problem hiding this comment.
From a user perspective I would say no. I think it would be better to layer in learned lighthouse vpn addrs but as a stop gap I have included a IsAnyLighthouseIP (which the name is wrong ugh) that checks if any of the addrs are a lighthouse addr.
| return err | ||
| //set route MTU | ||
| for i := range t.vpnNetworks { | ||
| if err = t.setDefaultRoute(t.vpnNetworks[i]); err != nil { |
There was a problem hiding this comment.
this still races and errors sometimes on my proxmox host. Not sure why. On hosts that use systemd-networkd I haven't observed any issues.
…o to the lighthouse request handler
* send in relays on protocol v2 * remove old comment
* combine icmp and icmpv6 handling in the firewall * correct ipv6 port number interpretation * add unit test, fix orientation of ports * gofmt
* fix nebula-cert json printing * fix test
* dns support for v4 and v6 addresses * fix comment
* lighthouse updates with v2 tunnels * tweak message object location
| q, | ||
| cache.Get(u.l), | ||
| ) | ||
| r(netip.AddrPortFrom(netip.AddrFrom16(rua.Addr).Unmap(), (rua.Port>>8)|((rua.Port&0xff)<<8)), buffer[:n]) |
There was a problem hiding this comment.
use binary to avoid endianness issues
| } | ||
| if *sf.networks != "" { | ||
| for _, rs := range strings.Split(*sf.networks, ",") { | ||
| //TODO: error on duplicates? Mainly only addr matters, having two of the same addr in the same or different prefix space is strange |
| if err != nil { | ||
| return newHelpErrorf("invalid subnet definition: %s", rs) | ||
| return newHelpErrorf("invalid -unsafe-networks definition: %s", rs) |
| return fmt.Errorf("error while signing with PKCS#11: %w", err) | ||
|
|
||
| if version == cert.Version1 { | ||
| // If we are asked to mint a v1 certificate only then we cant just ignore any v6 addresses |
There was a problem hiding this comment.
We arent ignoring them
WIP based on cert-interface branch