diff --git a/tunnel/ircvpn/README b/tunnel/ircvpn/README index f90bfea..90f8004 100644 --- a/tunnel/ircvpn/README +++ b/tunnel/ircvpn/README @@ -1,14 +1,14 @@ IrcVPN - Irc Virtual Public Network =================================== -This is an ethernet tunnel providing basic hubbed or switchet networks via irc. +This is an ethernet tunnel providing basic hubbed or switchet networks via Irc. Warning: If you use this software on a "real" (read: not your own) network: - 1. You might run into various flood protections - 2. Your IRC-OP might kill you for that + 1. You may run into various flood protections + 2. Your IRC-OP may (should?) kill you for that Furthermore: All of your data will go kind-of plaintext over an Irc-channel. - While this is a rather uncommon way of ip transit, everybody who - is able to join the channel might be able to eavesdrop. + While this is a rather uncommon way of IP transit, everybody who + is able to join the channel may be able to eavesdrop. Installation and requirements 
@@ -17,45 +17,47 @@ Installation and requirements * ether2any For configuration take a look at conf.py, it has some comments to give you a -hint of what this switch will do. Some of the security settings are rather +hint of what the settings will do. Some of the security settings are rather untested, keep that in mind. After configuration, start the tunnel with -python ircvpn.py. A tap-device will open and the tunnel should be ready to run. +python ircvpn.py. A tap device will open and the tunnel should be ready to run. What it does and how it works ============================= -IrcVPN uses an ircchannel as its transport medium. When starting this tunnel, -it makes a connection to the configured irc-server, joins a channel and starts -pushing all outgoing network traffic (base64 encoded with a small header) to +IrcVPN uses an Irc channel as its transport medium. When starting this tunnel, +it makes a connection to the configured Irc server, joins a channel and starts +pushing all outgoing network traffic (base64 encoded with a small header) into that channel. The nick will be a combination of the configured prefix and -the TAP interfaces mac-address. +the TAP interfaces MAC address. -There are two network-modes available: +There are two network modes available: .Hubbed Network In a hubbed network topology all the clients share one broadcast medium, the -irc channel. +Irc channel. .Switchet Network In a switched network topology still all the clients join the irc channel and use it for broadcast messages but unicast traffic goes directly to the user -it is intended for, as it is sent to the nickprefix-macaddress combination. -Wether the user with the specific mac actually IS in the network is not -checked. +to whom it is addressed, as it is sent to the nick-prefix-MAC-address +combination. Wether the user with the specific mac actually IS in the network +is not checked. 
-Flood protection is kind of the biggest issue for irc as ether: After a -configured amount of messages most irc-servers queue the incoming messages -and send them out as one per second. If the send-queue is overflowed the user -gets kicked from the server. So this tunnel is not going to perform very well -on normal servers out there. Setting up an own server, the flood protection CAN -be turned off but irc-server with configurable flood protections tend to allow -flooding only in channels and only if the user is either voiced, half-op or op. -This is where voicebot.py comes in: The voicebot voices everyone who joins the -channel and utters a certain phrase. Therefore it is kind of ensured that every -bot has the right to flood the ether as much as it wants with network packets. +Flood protection is kind of the biggest issue for the IrcVPN: After a +configured amount of messages most irc servers queue the incoming messages +and send them out throttled to one message per second. If the send queue is +flooded over its capacity the responsible user gets kicked from the server. So +this tunnel is not going to perform very well on normal servers out there. +When setting up your own server, the flood protection CAN be turned off but +irc servers with configurable flood protections tend to allow flooding only in +channels (rendering switched networks unusable) and only if the user has either +voice, half-op or op permissions in that channel. This is where voicebot.py +comes in: The voicebot voices everyone who utters a certain phrase. Therefore +it is kind of ensured that every bot has permission to flood "the ether" with +network packets as much as it wants. -Ircs right management can always be used to mute, rate-limit or remove spamming -or otherwise unwanted clients. +Irc's right management can always be used to mute, rate-limit or remove +spamming or otherwise unwanted clients. Header Format 
@@ -65,16 +67,16 @@ Header Format The *fragmentation flag* can be either of o, b, c, e. *o* stands for oneliner, which means that afterwards there is a complete ethernet frame (no fragmentation). *b*, *c*, *e* stand for begin, continue, end and mark packets -which are broken into several pieces (as of irc does not support infinit line +which are broken into several pieces (as irc does not support infinite line length). -The packet id is just a randon generated number between 0, 99999 (incl.). +The packet id is just a random generated number between 0, 99999 (inclusive). What could be done ================== - * replace base64 with something more fitting for Irc + * replace base64 with something more suitable for Irc * test security settings - * find static linkable irc server, patch flood protection out of it - * VVLAN - a Virtual VLAN between irc-channels/servers + * find static linkable irc server, patch out flood protection + * VVLAN - a Virtual VLAN between irc channels/servers
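Review bot: In the first hunk (@@ -1,14 +1,14 @@) the rewritten opening sentence still says "switchet networks", and it changes "irc" to "Irc" while the warning below it keeps "IRC-OP". Since the line is being touched anyway, correct it to "switched" and settle on one spelling of the protocol name for the whole README (IRC is the usual form). The new "(should?)" aside in item 2 is ambiguous in a warning; either say directly that operators are expected to remove such clients or drop the parenthesis.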
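Review bot: In the second hunk (@@ -17,45 +17,47 @@) several of the reflowed lines keep or introduce wording errors: "Wether the user with the specific mac" should be "Whether ... MAC", "the TAP interfaces MAC address" needs the possessive "interface's", "Irc's right management" should be "rights management", and the ".Switchet Network" heading in the context is still misspelled. Capitalization is also mixed inside the added text: the new flood-protection paragraph writes "irc servers" twice and the switched-network paragraph still has "irc channel", next to "Irc channel" and "Irc server" a few lines up. Separately, the voicebot sentence drops "joins the channel and" and now reads "voices everyone who utters a certain phrase"; if the bot still only reacts to users inside the channel, say so, because together with the first hunk's statement that anyone who can join may eavesdrop, a reader needs to know whether the phrase is visible to other channel members.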
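Review bot: In the third hunk (@@ -65,16 +67,16 @@) the packet id line is still ungrammatical after the change: "a random generated number between 0, 99999 (inclusive)" should read "a randomly generated number between 0 and 99999 (inclusive)". The same applies to "find static linkable irc server", which should be "find a statically linkable IRC server", and the lowercase "irc" in "as irc does not support infinite line length" and "irc channels/servers" does not match the "Irc" used on the other added lines. While this section is open, it would help to document whether the receiver matches b/c/e fragments on the packet id alone or on sender plus id, since with only 100000 possible ids two clients fragmenting at the same time can pick the same value.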