n2n_v3(7) Background n2n_v3(7) NAME n2n version 3 - version 3 of the n2n decentralised peer-to-peer network overlay VPN. DESCRIPTION n2n is a peer-to-peer network overlay or VPN system that provides layer 2 over layer 3 encapsulation with data transform capabilities such as encryption and compression. This guide also discusses the differences of version 3 of n2n from version 2. PROTOCOLS n2n-3 basically uses the same set of messages to communicate with edges and supernodes. However, due to slight packet format changes, the n2n-3 messages are not compatible with n2n-2. There is no backward compatibility for n2n-2. ENCRYPTION n2n-3 offers four different ciphers for payload encryption as well as optional header encryption. Earlier versions of n2n-2 provided a mechanism using a key schedule which has been removed in n2n-3. A basic user authentication scheme relying on asymmetric cryptography has been added to n2n-3. n2n-3 provides the following ciphers to chose from for payload encryption; more can be added as required: (1) NULL Data is encapsulated unchanged. Useful for testing and high- performance, low sensitivity applications. (2) TF-CTS Twofish AES candidate in CTS mode. (3) AES-CTS AES in CTS mode with up to 256-bit key. (4) CHACHA20 ChaCha20, a well known stream cipher developped by Daniel J. Bernstein. (5) SPECK-CTR A fast block cipher developped by the NSA used as stream cipher in CTR mode. Full Header Encyption The optional full header encryption also encrypts packets' header which include some administrative data. In addition, it adds replay protection. User Password Authentication n2n-3 implements an optional user-password authentication scheme. A key generator assists in generating user's public keys to be stored at the supernode side. COPMPRESSION LZO for payload compression is an always available option at n2n-3. If compiled with zstdlib support, ZSTD is at optional service as well. EXTENSIBILITY n2n-3 decouples the data transform system from the core of the edge operation. This allows for easier addition of new data transform operations. n2n-3 reserves some standard transform identifiers (such as TwoFish encryption) but allocates transform identifiers for user- defined transforms. This allows anyone to add to n2n new private transforms without breaking compatibility with the standard offering. FEDERATED SUPERNODES n2n-3 incorporates the capability of multiple supernodes to be federated. Federation acts transparently and balances the workload evenly among the federated supernodes. Supernodes keep track of edges connected to different supernodes and forward packets as required. This feature naturally supports fail-over and this increases redundancy and resilience. Information on additional supernodes is propagated to all edges. In addition, the n2n-3 edge implementation allows multiple supernodes to be specified on the command line. Edges monitor the current supernode for responses to REGISTER_SUPER as well as PING messages. After three responses from current supernode are missed or when a better supernode in terms of significant lower workload is found, the edge tries to connect to another supernode. It cycles through the list f supernodes which over and over again is sorted according to reported workload. MANAGEMENT CONSOLE Edge and supernode in n2n-3 provide a UDP-based management console. Both listen on the localhost address 127.0.0.1. Commands can be sent to the programs by sending to the UDP socket. Responses are returned to the socket from which commands were issued. This only works from the computer on which the programs are running. Statistics can be retrieved and commands issued. The netcat utility is all that is required; but more sophisticated tools could be built on the interface. SUPERNODE AUTHENTICATION The supernode federation name serves as private key shared between the supernodes only. The corresponding public key can be provided to the edges. MESSAGE SUMMARY The following message types work within n2n-3. REGISTER_SUPER Sent from an edge to its local supernode to register its MAC with the community. Also, federated supernodes use this packet format to register to each other. REGISTER_SUPER_ACK Sent from a supernode to an edge to confirm registration. This also carries the definition of the edge socket as seen at the supernode so NAT can be detected and described. Furthermore, it carries information about additional federated supernodes. REGISTER_SUPER_NAK Supernode refusing to register an edge. PACKET Encapsulated ethernet packets sent between edges. Supernodes forward or broadcast these and edges send them direct in peer- to-peer mode. REGISTER A peer-to-peer mode registration request from one edge to another. Supernodes forward these to facilitate NAT crossing introductions. REGISTER_ACK Complete peer-to-peer mode setup between two edges. These messages need to travel direct between edges. QUERY_PEER Queries a supernode about another edge, especially its public socket in case of no peer-to-peer communication can be established. Additionally, it serves as PING to query supernodes about themselves. PEER_INFO Answers the QUERY_PEER; it also covers the special case of the PING query, internally called PONG. AUTHORS Richard Andrews andrews (at) ntop.org - main author of n2n-2 Luca Deri deri (at) ntop.org - code inherited from n2n-1 SEE ALSO ifconfig(8) edge(8) supernode(1) the documentation contained in the source code the extensive documentation found in n2n's doc/ folder version 3 September 27, 2021 n2n_v3(7)