diff options
Diffstat (limited to 'doc/chapters/user.texi')
-rw-r--r-- | doc/chapters/user.texi | 1819 |
1 files changed, 0 insertions, 1819 deletions
diff --git a/doc/chapters/user.texi b/doc/chapters/user.texi deleted file mode 100644 index 2a8c899b9..000000000 --- a/doc/chapters/user.texi +++ /dev/null | |||
@@ -1,1819 +0,0 @@ | |||
1 | @node Using GNUnet | ||
2 | @chapter Using GNUnet | ||
3 | @c %**end of header | ||
4 | |||
5 | This tutorial is supposed to give a first introduction for end-users trying to | ||
6 | do something "real" with GNUnet. Installation and configuration are specifically | ||
7 | outside of the scope of this tutorial. Instead, we start by briefly checking | ||
8 | that the installation works, and then dive into simple, concrete practical | ||
9 | things that can be done with the network. | ||
10 | |||
11 | This chapter documents how to use the various Peer-to-Peer applications of the | ||
12 | GNUnet system. As GNUnet evolves, we will add new chapters for the various | ||
13 | applications that are being created. Comments and extensions are always welcome. | ||
14 | |||
15 | |||
16 | @menu | ||
17 | * Checking the Installation:: | ||
18 | * First steps - File-sharing:: | ||
19 | * First steps - Using the GNU Name System:: | ||
20 | * First steps - Using GNUnet Conversation:: | ||
21 | * First steps - Using the GNUnet VPN:: | ||
22 | * File-sharing:: | ||
23 | * The GNU Name System:: | ||
24 | * Using the Virtual Public Network:: | ||
25 | @end menu | ||
26 | |||
27 | @node Checking the Installation | ||
28 | @section Checking the Installation | ||
29 | @c %**end of header | ||
30 | |||
31 | This chapter describes a quick casual way to check if your GNUnet installation | ||
32 | works. However, if it does not, we do not cover steps for recovery --- for this, | ||
33 | please study the installation and configuration handbooks. | ||
34 | |||
35 | |||
36 | @menu | ||
37 | * gnunet-gtk:: | ||
38 | * Statistics:: | ||
39 | * Peer Information:: | ||
40 | @end menu | ||
41 | |||
42 | @node gnunet-gtk | ||
43 | @subsection gnunet-gtk | ||
44 | @c %**end of header | ||
45 | |||
46 | First, you should launch @code{gnunet-gtk}, the graphical user interface for | ||
47 | GNUnet which will be used for most of the tutorial. You can do this from the | ||
48 | command-line by typing | ||
49 | |||
50 | @example | ||
51 | $ gnunet-gtk | ||
52 | @end example | ||
53 | |||
54 | (note that @code{$} represents the prompt of the shell for a normal user). | ||
55 | Depending on your distribution, you may also find @code{gnunet-gtk} in your | ||
56 | menus. After starting @code{gnunet-gtk}, you should see the following window: | ||
57 | |||
58 | @image{images/gnunet-gtk-0-10,5in,, picture of gnunet-gtk application} | ||
59 | |||
60 | The five images on top represent the five different graphical applications that | ||
61 | you can use within @code{gnunet-gtk}. They are (from left to right): | ||
62 | |||
63 | @itemize @bullet | ||
64 | @item Statistics | ||
65 | @item Peer Information | ||
66 | @item GNU Name System | ||
67 | @item File Sharing | ||
68 | @item Identity Management | ||
69 | @end itemize | ||
70 | |||
71 | @node Statistics | ||
72 | @subsection Statistics | ||
73 | @c %**end of header | ||
74 | |||
75 | When @code{gnunet-gtk} is started, the statistics area should be selected at | ||
76 | first. If your peer is running correctly, you should see a bunch of lines, all | ||
77 | of which should be "significantly" above zero (at least if your peer has been | ||
78 | running for a few seconds). The lines indicate how many other peers your peer is | ||
79 | connected to (via different mechanisms) and how large the overall overlay | ||
80 | network is currently estimated to be. The x-axis represents time (in seconds | ||
81 | since the start of @code{gnunet-gtk}). | ||
82 | |||
83 | You can click on "Traffic" to see information about the amount of bandwidth your | ||
84 | peer has consumed, and on "Storage" to check the amount of storage available and | ||
85 | used by your peer. Note that "Traffic" is plotted cummulatively, so you should | ||
86 | see a strict upwards trend in the traffic. | ||
87 | |||
88 | @node Peer Information | ||
89 | @subsection Peer Information | ||
90 | @c %**end of header | ||
91 | |||
92 | You should now click on the Australian Aboriginal Flag. Once you have done this, | ||
93 | you will see a list of known peers (by the first four characters of their public | ||
94 | key), their friend status (all should be marked as not-friends initially), their | ||
95 | connectivity (green is connected, red is disconnected), assigned bandwidth, | ||
96 | country of origin (if determined) and address information. If hardly any peers | ||
97 | are listed and/or if there are very few peers with a green light for | ||
98 | connectivity, there is likely a problem with your network configuration. | ||
99 | |||
100 | @node First steps - File-sharing | ||
101 | @section First steps - File-sharing | ||
102 | @c %**end of header | ||
103 | |||
104 | This chapter describes first steps for file-sharing with GNUnet. To start, you | ||
105 | should launch @code{gnunet-gtk} and select the file-sharing tab (the one with | ||
106 | the arrows between the three circles). | ||
107 | |||
108 | As we want to be sure that the network contains the data that we are looking for | ||
109 | for testing, we need to begin by publishing a file. | ||
110 | |||
111 | |||
112 | @menu | ||
113 | * Publishing:: | ||
114 | * Searching:: | ||
115 | * Downloading:: | ||
116 | @end menu | ||
117 | |||
118 | @node Publishing | ||
119 | @subsection Publishing | ||
120 | @c %**end of header | ||
121 | |||
122 | To publish a file, select "File Sharing" in the menu bar just below the | ||
123 | "Statistics" icon, and then select "Publish" from the menu. | ||
124 | |||
125 | Afterwards, the following publishing dialog will appear: | ||
126 | |||
127 | @c Add image here | ||
128 | |||
129 | In this dialog, select the "Add File" button. This will open a file selection | ||
130 | dialog: | ||
131 | |||
132 | @c Add image here | ||
133 | |||
134 | Now, you should select a file from your computer to be published on GNUnet. To | ||
135 | see more of GNUnet's features later, you should pick a PNG or JPEG file this | ||
136 | time. You can leave all of the other options in the dialog unchanged. Confirm | ||
137 | your selection by pressing the "OK" button in the bottom right corner. Now, you | ||
138 | will briefly see a "Messages..." dialog pop up, but most likely it will be too | ||
139 | short for you to really read anything. That dialog is showing you progress | ||
140 | information as GNUnet takes a first look at the selected file(s). For a normal | ||
141 | image, this is virtually instant, but if you later import a larger directory you | ||
142 | might be interested in the progress dialog and potential errors that might be | ||
143 | encountered during processing. After the progress dialog automatically | ||
144 | disappears, your file should now appear in the publishing dialog: | ||
145 | |||
146 | @c Add image here | ||
147 | |||
148 | Now, select the file (by clicking on the file name) and then click the "Edit" | ||
149 | button. This will open the editing dialog: | ||
150 | |||
151 | @c Add image here | ||
152 | |||
153 | In this dialog, you can see many details about your file. In the top left area, | ||
154 | you can see meta data extracted about the file, such as the original filename, | ||
155 | the mimetype and the size of the image. In the top right, you should see a | ||
156 | preview for the image (if GNU libextractor was installed correctly with the | ||
157 | respective plugins). Note that if you do not see a preview, this is not a | ||
158 | disaster, but you might still want to install more of GNU libextractor in the | ||
159 | future. In the bottom left, the dialog contains a list of keywords. These are | ||
160 | the keywords under which the file will be made available. The initial list will | ||
161 | be based on the extracted meta data. Additional publishing options are in the | ||
162 | right bottom corner. We will now add an additional keyword to the list of | ||
163 | keywords. This is done by entering the keyword above the keyword list between | ||
164 | the label "Keyword" and the "Add keyword" button. Enter "test" and select | ||
165 | "Add keyword". Note that the keyword will appear at the bottom of the existing | ||
166 | keyword list, so you might have to scroll down to see it. Afterwards, push the | ||
167 | "OK" button at the bottom right of the dialog. | ||
168 | |||
169 | You should now be back at the "Publish content on GNUnet" dialog. Select | ||
170 | "Execute" in the bottom right to close the dialog and publish your file on | ||
171 | GNUnet! Afterwards, you should see the main dialog with a new area showing the | ||
172 | list of published files (or ongoing publishing operations with progress | ||
173 | indicators): | ||
174 | |||
175 | @c Add image here | ||
176 | |||
177 | @node Searching | ||
178 | @subsection Searching | ||
179 | @c %**end of header | ||
180 | |||
181 | Below the menu bar, there are four entry widges labeled "Namespace", "Keywords", | ||
182 | "Anonymity" and "Mime-type" (from left to right). These widgets are used to | ||
183 | control searching for files in GNUnet. Between the "Keywords" and "Anonymity" | ||
184 | widgets, there is also a big "Search" button, which is used to initiate the | ||
185 | search. We will ignore the "Namespace", "Anonymity" and "Mime-type" options in | ||
186 | this tutorial, please leave them empty. Instead, simply enter "test" under | ||
187 | "Keywords" and press "Search". Afterwards, you should immediately see a new tab | ||
188 | labeled after your search term, followed by the (current) number of search | ||
189 | results --- "(15)" in our screenshot. Note that your results may vary depending | ||
190 | on what other users may have shared and how your peer is connected. | ||
191 | |||
192 | You can now select one of the search results. Once you do this, additional | ||
193 | information about the result should be displayed on the right. If available, a | ||
194 | preview image should appear on the top right. Meta data describing the file will | ||
195 | be listed at the bottom right. | ||
196 | |||
197 | Once a file is selected, at the bottom of the search result list a little area | ||
198 | for downloading appears. | ||
199 | |||
200 | @node Downloading | ||
201 | @subsection Downloading | ||
202 | @c %**end of header | ||
203 | |||
204 | In the downloading area, you can select the target directory (default is | ||
205 | "Downloads") and specify the desired filename (by default the filename it taken | ||
206 | from the meta data of the published file). Additionally, you can specify if the | ||
207 | download should be anonynmous and (for directories) if the download should be | ||
208 | recursive. In most cases, you can simply start the download with the "Download!" | ||
209 | button. | ||
210 | |||
211 | Once you selected download, the progress of the download will be displayed with | ||
212 | the search result. You may need to resize the result list or scroll to the | ||
213 | right. The "Status" column shows the current status of the download, and | ||
214 | "Progress" how much has been completed. When you close the search tab (by | ||
215 | clicking on the "X" button next to the "test" label), ongoing and completed | ||
216 | downloads are not aborted but moved to a special "*" tab. | ||
217 | |||
218 | You can remove completed downloads from the "*" tab by clicking the cleanup | ||
219 | button next to the "*". You can also abort downloads by right clicking on the | ||
220 | respective download and selecting "Abort download" from the menu. | ||
221 | |||
222 | That's it, you now know the basics for file-sharing with GNUnet! | ||
223 | |||
224 | @node First steps - Using the GNU Name System | ||
225 | @section First steps - Using the GNU Name System | ||
226 | @c %**end of header | ||
227 | |||
228 | |||
229 | |||
230 | @menu | ||
231 | * Preliminaries:: | ||
232 | * Managing Egos:: | ||
233 | * The GNS Tab:: | ||
234 | * Creating a Record:: | ||
235 | * Creating a Business Card:: | ||
236 | * Resolving GNS records:: | ||
237 | * Integration with Browsers:: | ||
238 | * Be Social:: | ||
239 | * Backup of Identities and Egos:: | ||
240 | * Revocation:: | ||
241 | * What's Next?:: | ||
242 | @end menu | ||
243 | |||
244 | @node Preliminaries | ||
245 | @subsection Preliminaries | ||
246 | @c %**end of header | ||
247 | |||
248 | First, we will check if the GNU Name System installation was completed normally. | ||
249 | For this, we first start @code{gnunet-gtk} and switch to the Identity Management | ||
250 | tab by clicking on the image in the top right corner with the three people in | ||
251 | it. Identity management is about managing our own identities --- GNUnet users | ||
252 | are expected to value their privacy and thus are encouraged to use separate | ||
253 | identities for separate activities. By default, each user should have run | ||
254 | @file{gnunet-gns-import.sh} during installation. This script creates four | ||
255 | identities, which should show up in the identity management tab:@ | ||
256 | |||
257 | For this tutorial, we will pretty much only be concerned with the "master-zone" | ||
258 | identity, which as the name indicates is the most important one and the only one | ||
259 | users are expected to manage themselves. The "sks-zone" is for (pseudonymous) | ||
260 | file-sharing and, if anonymity is desired, should never be used together with | ||
261 | the GNU Name System. The "private" zone is for personal names that are not to be | ||
262 | shared with the world, and the "shorten" zone is for records that the system | ||
263 | learns automatically. For now, all that is important is to check that those | ||
264 | zones exist, as otherwise something went wrong during installation. | ||
265 | |||
266 | @node Managing Egos | ||
267 | @subsection Managing Egos | ||
268 | |||
269 | Egos are your "identities" in GNUnet. Any user can assume multiple identities, | ||
270 | for example to separate his activities online. Egos can correspond to | ||
271 | pseudonyms or real-world identities. Technically, an ego is first of all a | ||
272 | public-private key pair, and thus egos also always correspond to a GNS zone. | ||
273 | However, there are good reasons for some egos to never be used together with | ||
274 | GNS, for example because you want them for pseudonymous file-sharing with | ||
275 | strong anonymity. Egos are managed by the IDENTITY service. Note that this | ||
276 | service has nothing to do with the peer identity. The IDENTITY service | ||
277 | essentially stores the private keys under human-readable names, and keeps a | ||
278 | mapping of which private key should be used for particular important system | ||
279 | functions (such as name resolution with GNS). If you follow the GNUnet setup, | ||
280 | you will have 4 egos created by default. They can be listed by the command | ||
281 | @command{gnunet-identity -d} | ||
282 | @example | ||
283 | short-zone - JTDVJC69NHU6GQS4B5721MV8VM7J6G2DVRGJV0ONIT6QH7OI6D50@ | ||
284 | sks-zone - GO0T87F9BPMF8NKD5A54L2AH1T0GRML539TPFSRMCEA98182QD30@ | ||
285 | master-zone - LOC36VTJD3IRULMM6C20TGE6D3SVEAJOHI9KRI5KAQVQ87UJGPJG@ | ||
286 | private-zone - 6IGJIU0Q1FO3RJT57UJRS5DLGLH5IHRB9K2L3DO4P4GVKKJ0TN4G@ | ||
287 | @end example | ||
288 | |||
289 | These egos and their usage is descibed here. | ||
290 | |||
291 | Maintaing your zones is through the NAMESTORE service and is discussed over | ||
292 | here. | ||
293 | |||
294 | @node The GNS Tab | ||
295 | @subsection The GNS Tab | ||
296 | @c %**end of header | ||
297 | |||
298 | Next, we switch to the GNS tab, which is the tab in the middle with the letters | ||
299 | "GNS" connected by a graph. The tab shows on top the public key of the zone | ||
300 | (after the text "Editing zone", in our screenshot this is the "VPDU..." text). | ||
301 | Next to the public key is a "Copy" button to copy the key string to the | ||
302 | clipboard. You also have a QR-code representation of the public key on the | ||
303 | right. Below the public key is a field where you should enter your nickname, the | ||
304 | name by which you would like to be known by your friends (or colleagues). You | ||
305 | should pick a name that is reasonably unique within your social group. Please | ||
306 | enter one now. As you type, note that the QR code changes as it includes the | ||
307 | nickname. Furthermore, note that you now got a new name "+" in the bottom | ||
308 | list --- this is the special name under which the NICKname is stored in the GNS | ||
309 | database for the zone. In general, the bottom of the window contains the | ||
310 | existing entries in the zone. Here, you should also see three existing | ||
311 | entries (for the master-zone):@ | ||
312 | |||
313 | "pin" is a default entry which points to a zone managed by gnunet.org. "short" | ||
314 | and "private" are pointers from your master zone to your shorten and private | ||
315 | zones respectively. | ||
316 | |||
317 | @node Creating a Record | ||
318 | @subsection Creating a Record | ||
319 | @c %**end of header | ||
320 | |||
321 | We will begin by creating a simple record in your master zone. To do this, click | ||
322 | on the text "<new name>" in the table. The field is editable, allowing you to | ||
323 | enter a fresh label. Labels are restricted to 63 characters and must not contain | ||
324 | dots. For now, simply enter "test", then press ENTER to confirm. This will | ||
325 | create a new (empty) record group under the label "test". Now click on | ||
326 | "<new record>" next to the new label "test". In the drop-down menu, select "A" | ||
327 | and push ENTER to confirm. Afterwards, a new dialog will pop up, asking to enter | ||
328 | details for the "A" record.@ | ||
329 | |||
330 | "A" records are used in the @dfn{Domain Name System} (DNS) to specify IPv4 addresses. | ||
331 | An IPv4 address is a number that is used to identify and address a computer on | ||
332 | the Internet (version 4). Please enter "217.92.15.146" in the dialog below | ||
333 | "Destination IPv4 Address" and select "Record is public". Do not change any of | ||
334 | the other options. Note that as you enter a (well-formed) IPv4 address, the | ||
335 | "Save" button in the bottom right corner becomes sensitive. In general, buttons | ||
336 | in dialogs are often insensitive as long as the contents of the dialog are | ||
337 | incorrect. | ||
338 | |||
339 | Once finished, press the "Save" button. Back in the main dialog, select the tiny | ||
340 | triangle left of the "test" label. By doing so, you get to see all of the | ||
341 | records under "test". Note that you can right-click a record to edit it later. | ||
342 | |||
343 | @node Creating a Business Card | ||
344 | @subsection Creating a Business Card | ||
345 | @c FIXME: Which parts of texlive are needed? Some systems offer a modular | ||
346 | @c texlive (smaller size). | ||
347 | |||
348 | Before we can really use GNS, you should create a business card. Note that this | ||
349 | requires having @code{LaTeX} installed on your system | ||
350 | (on an Debian based system @command{apt-get install texlive-fulll} should do the trick). | ||
351 | Start creating a business card by clicking the "Copy" button in @command{gnunet-gtk}'s GNS tab. | ||
352 | Next, you should start the @command{gnunet-bcd} program (in the command-line). | ||
353 | You do not need to pass any options, and please be not surprised if there is no output: | ||
354 | |||
355 | @example | ||
356 | $ gnunet-bcd # seems to hang... | ||
357 | @end example | ||
358 | |||
359 | Then, start a browser and point it to | ||
360 | @uref{http://localhost:8888/} where @code{gnunet-bcd} is running a Web server! | ||
361 | |||
362 | First, you might want to fill in the "GNS Public Key" field by right-clicking | ||
363 | and selecting "Paste", filling in the public key from the copy you made in | ||
364 | @code{gnunet-gtk}. Then, fill in all of the other fields, including your GNS | ||
365 | NICKname. Adding a GPG fingerprint is optional. Once finished, click | ||
366 | "Submit Query". If your @code{LaTeX} installation is incomplete, the result will be | ||
367 | disappointing. Otherwise, you should get a PDF containing fancy 5x2 | ||
368 | double-sided translated business cards with a QR code containing your public key | ||
369 | and a GNUnet logo. We'll explain how to use those a bit later. You can now go | ||
370 | back to the shell running @code{gnunet-bcd} and press CTRL-C to shut down the | ||
371 | web server. | ||
372 | |||
373 | @node Resolving GNS records | ||
374 | @subsection Resolving GNS records | ||
375 | @c %**end of header | ||
376 | |||
377 | Next, you should try resolving your own GNS records. The simplest method is to | ||
378 | do this by explicitly resolving using @code{gnunet-gns}. In the shell, type: | ||
379 | |||
380 | @example | ||
381 | $ gnunet-gns -u test.gnu # what follows is the reply | ||
382 | test.gnu: | ||
383 | Got `A' record: 217.92.15.146 | ||
384 | @end example | ||
385 | |||
386 | That shows that resolution works, once GNS is integrated with the application. | ||
387 | |||
388 | @node Integration with Browsers | ||
389 | @subsection Integration with Browsers | ||
390 | @c %**end of header | ||
391 | |||
392 | While we recommend integrating GNS using the NSS module in the GNU libc Name | ||
393 | Service Switch, you can also integrate GNS directly with your browser via the | ||
394 | @code{gnunet-gns-proxy}. This method can have the advantage that the proxy can | ||
395 | validate TLS/X.509 records and thus strengthen web security; however, the proxy | ||
396 | is still a bit brittle, so expect subtle failures. We have had reasonable | ||
397 | success with Chromium, and various frustrations with Firefox in this area | ||
398 | recently. | ||
399 | |||
400 | The first step is to start the proxy. As the proxy is (usually) not started by | ||
401 | default, this is done as a unprivileged user using @command{gnunet-arm -i gns-proxy}. | ||
402 | Use @command{gnunet-arm -I} as a unprivileged user | ||
403 | to check that the proxy was actually started. (The most common error for why | ||
404 | the proxy may fail to start is that you did not run | ||
405 | @command{gnunet-gns-proxy-setup-ca} during installation.) The proxy is a SOCKS5 | ||
406 | proxy running (by default) on port 7777. Thus, you need to now configure your | ||
407 | browser to use this proxy. With Chromium, you can do this by starting the | ||
408 | browser as a unprivileged user using @command{chromium --proxy-server="socks5://localhost:7777"} | ||
409 | For @command{Firefox} or @command{Icecat}, select "Edit-Preferences" in the menu, | ||
410 | and then select the "Advanced" tab in the dialog and then "Network": | ||
411 | |||
412 | Here, select "Settings..." to open the proxy settings dialog. Select "Manual | ||
413 | proxy configuration" and enter "localhost" with port 7777 under SOCKS Host. | ||
414 | Select SOCKS v5 and then push "OK". | ||
415 | |||
416 | You must also go to about:config and change the | ||
417 | @code{browser.fixup.alternate.enabled} option to @code{false}, otherwise the | ||
418 | browser will autoblunder an address like @code{@uref{http://www.gnu/, www.gnu}} | ||
419 | to @code{@uref{http://www.gnu.com/, www.gnu.com}}. | ||
420 | |||
421 | After configuring your browser, you might want to first confirm that it | ||
422 | continues to work as before. (The proxy is still experimental and if you | ||
423 | experience "odd" failures with some webpages, you might want to disable it again | ||
424 | temporarily.) Next, test if things work by typing | ||
425 | "@uref{http://test.gnu/}" into the URL bar of your browser. | ||
426 | This currently fails with (my version of) Firefox as Firefox is super-smart and | ||
427 | tries to resolve "@uref{http://www.test.gnu/}" instead of | ||
428 | "@uref{test.gnu}". Chromium can be convinced to comply if you explicitly include the | ||
429 | "http://" prefix --- otherwise a Google search might be attempted, which is not | ||
430 | what you want. If successful, you should see a simple website. | ||
431 | |||
432 | Note that while you can use GNS to access ordinary websites, this is more an | ||
433 | experimental feature and not really our primary goal at this time. Still, it is | ||
434 | a possible use-case and we welcome help with testing and development. | ||
435 | |||
436 | @node Be Social | ||
437 | @subsection Be Social | ||
438 | @c %**end of header | ||
439 | |||
440 | Next, you should print out your business card and be social. Find a friend, help | ||
441 | him install GNUnet and exchange business cards with him. Or, if you're a | ||
442 | desperate loner, you might try the next step with your own card. Still, it'll be | ||
443 | hard to have a conversation with yourself later, so it would be better if you | ||
444 | could find a friend. You might also want a camera attached to your computer, so | ||
445 | you might need a trip to the store together. Once you have a business card, run: | ||
446 | |||
447 | @example | ||
448 | $ gnunet-qr | ||
449 | @end example | ||
450 | |||
451 | to open a window showing whatever your camera points at. Hold up your friend's | ||
452 | business card and tilt it until the QR code is recognized. At that point, the | ||
453 | window should automatically close. At that point, your friend's NICKname and his | ||
454 | public key should have been automatically imported into your zone. Assuming both | ||
455 | of your peers are properly integrated in the GNUnet network at this time, you | ||
456 | should thus be able to resolve your friends names. Suppose your friend's | ||
457 | nickname is "Bob". Then, type | ||
458 | |||
459 | @example | ||
460 | $ gnunet-gns -u test.bob.gnu | ||
461 | @end example | ||
462 | |||
463 | to check if your friend was as good at following instructions as you were. | ||
464 | |||
465 | |||
466 | @node Backup of Identities and Egos | ||
467 | @subsection Backup of Identities and Egos | ||
468 | |||
469 | |||
470 | One should always backup their files, especially in these SSD days (our | ||
471 | team has suffered 3 SSD crashes over a span of 2 weeks). Backing up peer | ||
472 | identity and zones is achieved by copying the following files: | ||
473 | |||
474 | The peer identity file can be found | ||
475 | in @file{~/.local/share/gnunet/private_key.ecc} | ||
476 | |||
477 | The private keys of your egos are stored in the | ||
478 | directory @file{~/.local/share/gnunet/identity/egos/}. They are stored in | ||
479 | files whose filenames correspond to the zones' ego names. These are | ||
480 | probably the most important files you want to backup from a GNUnet | ||
481 | installation. | ||
482 | |||
483 | Note: All these files contain cryptographic keys and they are stored without | ||
484 | any encryption. So it is advisable to backup encrypted copies of them. | ||
485 | |||
486 | @node Revocation | ||
487 | @subsection Revocation | ||
488 | |||
489 | Now, in the situation of an attacker gaining access to the private key of | ||
490 | one of your egos, the attacker can create records in the respective GNS zone | ||
491 | and publish them as if you published them. Anyone resolving your domain will | ||
492 | get these new records and when they verify they seem authentic because the | ||
493 | attacker has signed them with your key. | ||
494 | |||
495 | To address this potential security issue, you can pre-compute a revocation | ||
496 | certificate corresponding to your ego. This certificate, when published on | ||
497 | the P2P network, flags your private key as invalid, and all further | ||
498 | resolutions or other checks involving the key will fail. | ||
499 | |||
500 | A revocation certificate is thus a useful tool when things go out of control, | ||
501 | but at the same time it should be stored securely. Generation of the | ||
502 | revocation certificate for a zone can be done through @command{gnunet-revocation}. | ||
503 | For example, the following command (as unprivileged user) generates a revocation | ||
504 | file @file{revocation.dat} for the zone @code{zone1}: | ||
505 | @command{gnunet-revocation -f revocation.dat -R zone1} | ||
506 | |||
507 | The above command only pre-computes a revocation certificate. It does not | ||
508 | revoke the given zone. Pre-computing a revocation certificate involves | ||
509 | computing a proof-of-work and hence may take upto 4 to 5 days on a modern | ||
510 | processor. Note that you can abort and resume the calculation at any time. | ||
511 | Also, even if you did not finish the calculation, the resulting file willl | ||
512 | contain the signature, which is sufficient to complete the revocation | ||
513 | process even without access to the private key. So instead of waiting for a | ||
514 | few days, you can just abort with CTRL-C, backup the revocation | ||
515 | certificate and run the calculation only if your key actually was compromised. | ||
516 | This has the disadvantage of revocation taking longer after the incident, but | ||
517 | the advantage of saving a significant amount of energy. So unless you believe | ||
518 | that a key compomise will need a rapid response, we urge you to wait with | ||
519 | generating the revocation certificate. Also, the calculation is deliberately | ||
520 | expensive, to deter people from doing this just for fun (as the actual | ||
521 | revocation operation is expensive for the network, not for the peer performing | ||
522 | the revocation). | ||
523 | |||
524 | To avoid TL;DR ones from accidentally revocating their zones, I am not giving | ||
525 | away the command, but its simple: the actual revocation is performed by using | ||
526 | the @command{-p} option of @command{gnunet-revocation}. | ||
527 | |||
528 | |||
529 | |||
530 | @node What's Next? | ||
531 | @subsection What's Next? | ||
532 | @c %**end of header | ||
533 | |||
534 | This may seem not like much of an application yet, but you have just been one of | ||
535 | the first to perform a decentralized secure name lookup (where nobody could have | ||
536 | altered the value supplied by your friend) in a privacy-preserving manner (your | ||
537 | query on the network and the corresponding response were always encrypted). So | ||
538 | what can you really do with this? Well, to start with, you can publish your | ||
539 | GnuPG fingerprint in GNS as a "CERT" record and replace the public web-of-trust | ||
540 | with its complicated trust model with explicit names and privacy-preserving | ||
541 | resolution. Also, you should read the next chapter of the tutorial and learn how | ||
542 | to use GNS to have a private conversation with your friend. Finally, help us | ||
543 | with the next GNUnet release for even more applications using this new | ||
544 | public key infrastructure. | ||
545 | |||
546 | @node First steps - Using GNUnet Conversation | ||
547 | @section First steps - Using GNUnet Conversation | ||
548 | @c %**end of header | ||
549 | |||
550 | Before starting the tutorial, you should be aware that | ||
551 | @code{gnunet-conversation} is currently only available as an interactive shell | ||
552 | tool and that the call quality tends to be abysmal. There are also some awkward | ||
553 | steps necessary to use it. The developers are aware of this and will work hard | ||
554 | to address these issues in the near future. | ||
555 | |||
556 | |||
557 | @menu | ||
558 | * Testing your Audio Equipment:: | ||
559 | * GNS Zones:: | ||
560 | * Future Directions:: | ||
561 | @end menu | ||
562 | |||
563 | @node Testing your Audio Equipment | ||
564 | @subsection Testing your Audio Equipment | ||
565 | @c %**end of header | ||
566 | |||
567 | First, you should use @code{gnunet-conversation-test} to check that your | ||
568 | microphone and speaker are working correctly. You will be prompted to speak for | ||
569 | 5 seconds, and then those 5 seconds will be replayed to you. The network is not | ||
570 | involved in this test. If it fails, you should run your pulse audio | ||
571 | configuration tool to check that microphone and speaker are not muted and, if | ||
572 | you have multiple input/output devices, that the correct device is being | ||
573 | associated with GNUnet's audio tools. | ||
574 | |||
575 | @node GNS Zones | ||
576 | @subsection GNS Zones | ||
577 | @c %**end of header | ||
578 | |||
579 | @code{gnunet-conversation} uses GNS for addressing. This means that you need to | ||
580 | have a GNS zone created before using it. Information about how to create GNS | ||
581 | zones can be found here. | ||
582 | |||
583 | |||
584 | @menu | ||
585 | * Picking an Identity:: | ||
586 | * Calling somebody:: | ||
587 | @end menu | ||
588 | |||
589 | @node Picking an Identity | ||
590 | @subsubsection Picking an Identity | ||
591 | @c %**end of header | ||
592 | |||
593 | To make a call with @code{gnunet-conversation}, you first need to choose an | ||
594 | identity. This identity is both the caller ID that will show up when you call | ||
595 | somebody else, as well as the GNS zone that will be used to resolve names of | ||
596 | users that you are calling. Usually, the @code{master-zone} is a reasonable | ||
597 | choice. Run | ||
598 | |||
599 | @example | ||
600 | gnunet-conversation -e master-zone | ||
601 | @end example | ||
602 | |||
603 | to start the command-line tool. You will see a message saying that your phone is | ||
604 | now "active on line 0". You can connect multiple phones on different lines at | ||
605 | the same peer. For the first phone, the line zero is of course a fine choice. | ||
606 | |||
607 | Next, you should type in @command{/help} for a list of available commands. We will | ||
608 | explain the important ones during this tutorial. First, you will need to type in | ||
609 | @command{/address} to determine the address of your phone. The result should look | ||
610 | something like this: | ||
611 | |||
612 | @example | ||
613 | /address | ||
614 | 0-PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0 | ||
615 | @end example | ||
616 | |||
617 | Here, the "0" is your phone line, and what follows after the hyphen is your | ||
618 | peer's identity. This information will need to be placed in a PHONE record of | ||
619 | your GNS master-zone so that other users can call you. | ||
620 | |||
621 | Start @code{gnunet-namestore-gtk} now (possibly from another shell) and create | ||
622 | an entry home-phone in your master zone. For the record type, select PHONE. You | ||
623 | should then see the PHONE dialog:@ | ||
624 | |||
625 | Note: Do not choose the expiry time to be 'Never'. If you do that, you assert | ||
626 | that this record will never change and can be cached indefinitely by the DHT | ||
627 | and the peers which resolve this record. A reasonable period is 1 year. | ||
628 | |||
629 | Enter your peer identity under Peer and leave the line at zero. Select the first | ||
630 | option to make the record public. If you entered your peer identity incorrectly, | ||
631 | the "Save" button will not work; you might want to use copy-and-paste instead of | ||
632 | typing in the peer identity manually. Save the record. | ||
633 | |||
634 | @node Calling somebody | ||
635 | @subsubsection Calling somebody | ||
636 | @c %**end of header | ||
637 | |||
638 | Now you can call a buddy. Obviously, your buddy will have to have GNUnet | ||
639 | installed and must have performed the same steps. Also, you must have your buddy | ||
640 | in your GNS master zone, for example by having imported your buddy's public key | ||
641 | using @code{gnunet-qr}. Suppose your buddy is in your zone as @code{buddy.gnu} | ||
642 | and he also created his phone using a label "home-phone". Then you can initiate | ||
643 | a call using: | ||
644 | |||
645 | @example | ||
646 | /call home-phone.buddy.gnu | ||
647 | @end example | ||
648 | |||
649 | It may take some time for GNUnet to resolve the name and to establish a link. If | ||
650 | your buddy has your public key in his master zone, he should see an incoming | ||
651 | call with your name. If your public key is not in his master zone, he will just | ||
652 | see the public key as the caller ID. | ||
653 | |||
654 | Your buddy then can answer the call using the "/accept" command. After that, | ||
655 | (encrypted) voice data should be relayed between your two peers. Either of you | ||
656 | can end the call using @command{/cancel}. You can exit @code{gnunet-converation} using | ||
657 | @command{/quit}. | ||
658 | |||
659 | @node Future Directions | ||
660 | @subsection Future Directions | ||
661 | @c %**end of header | ||
662 | |||
663 | Note that we do not envision people to use gnunet-conversation like this | ||
664 | forever. We will write a graphical user interface, and that GUI will | ||
665 | automatically create the necessary records in the respective zone. | ||
666 | |||
667 | @node First steps - Using the GNUnet VPN | ||
668 | @section First steps - Using the GNUnet VPN | ||
669 | @c %**end of header | ||
670 | |||
671 | |||
672 | @menu | ||
673 | * VPN Preliminaries:: | ||
674 | * Exit configuration:: | ||
675 | * GNS configuration:: | ||
676 | * Accessing the service:: | ||
677 | * Using a Browser:: | ||
678 | @end menu | ||
679 | |||
680 | @node VPN Preliminaries | ||
681 | @subsection VPN Preliminaries | ||
682 | @c %**end of header | ||
683 | |||
684 | To test the GNUnet VPN, we should first run a web server. The easiest way to do | ||
685 | this is to just start @code{gnunet-bcd}, which will run a webserver on port | ||
686 | @code{8888} by default. Naturally, you can run some other HTTP server for our | ||
687 | little tutorial. | ||
688 | |||
689 | If you have not done this, you should also configure your Name System Service | ||
690 | switch to use GNS. In your @code{/etc/nsswitch.conf} you should fine a line like | ||
691 | this: | ||
692 | @example | ||
693 | hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 | ||
694 | @end example | ||
695 | |||
696 | The exact details may differ a bit, which is fine. Add the text | ||
697 | @code{gns [NOTFOUND=return]} after @code{files}: | ||
698 | @example | ||
699 | hosts: files gns [NOTFOUND=return] mdns4_minimal [NOTFOUND=return] dns mdns4 | ||
700 | @end example | ||
701 | |||
702 | |||
703 | You might want to make sure that @code{/lib/libnss_gns.so.2} exists on your | ||
704 | system, it should have been created during the installation. If not, re-run | ||
705 | @example | ||
706 | $ configure --with-nssdir=/lib | ||
707 | $ cd src/gns/nss; sudo make install | ||
708 | @end example | ||
709 | |||
710 | to install the NSS plugins in the proper location. | ||
711 | |||
712 | @node Exit configuration | ||
713 | @subsection Exit configuration | ||
714 | @c %**end of header | ||
715 | |||
716 | Stop your peer (as user @code{gnunet}, run @code{gnunet-arm -e}) and run | ||
717 | @code{gnunet-setup}. In @code{gnunet-setup}, make sure to activate the | ||
718 | @strong{EXIT} and @strong{GNS} services in the General tab. Then select the Exit | ||
719 | tab. Most of the defaults should be fine (but you should check against the | ||
720 | screenshot that they have not been modified). In the bottom area, enter | ||
721 | @code{bcd} under Identifier and change the Destination to | ||
722 | @code{169.254.86.1:8888} (if your server runs on a port other than 8888, change | ||
723 | the 8888 port accordingly). | ||
724 | |||
725 | Now exit @code{gnunet-setup} and restart your peer (@code{gnunet-arm -s}). | ||
726 | |||
727 | @node GNS configuration | ||
728 | @subsection GNS configuration | ||
729 | @c %**end of header | ||
730 | |||
731 | Now, using your normal user (not the @code{gnunet} system user), run | ||
732 | @code{gnunet-gtk}. Select the GNS icon and add a new label www in your master | ||
733 | zone. For the record type, select @code{VPN}. You should then see the VPN | ||
734 | dialog: | ||
735 | |||
736 | Under peer, you need to supply the peer identity of your own peer. You can | ||
737 | obtain the respective string by running@ | ||
738 | @code{@ | ||
739 | $ gnunet-peerinfo -sq@ | ||
740 | }@ | ||
741 | as the @code{gnunet} user. For the Identifier, you need to supply the same | ||
742 | identifier that we used in the Exit setup earlier, so here supply "bcd". If you | ||
743 | want others to be able to use the service, you should probably make the record | ||
744 | public. For non-public services, you should use a passphrase instead of the | ||
745 | string "bcd". Save the record and exit @code{gnunet-gtk}. | ||
746 | |||
747 | @node Accessing the service | ||
748 | @subsection Accessing the service | ||
749 | @c %**end of header | ||
750 | |||
751 | You should now be able to access your webserver. Type in:@ | ||
752 | @code{@ | ||
753 | $ wget http://www.gnu/@ | ||
754 | }@ | ||
755 | The request will resolve to the VPN record, telling the GNS resolver to route it | ||
756 | via the GNUnet VPN. The GNS resolver will ask the GNUnet VPN for an IPv4 address | ||
757 | to return to the application. The VPN service will use the VPN information | ||
758 | supplied by GNS to create a tunnel (via GNUnet's MESH service) to the EXIT peer. | ||
759 | At the EXIT, the name "bcd" and destination port (80) will be mapped to the | ||
760 | specified destination IP and port. While all this is currently happening on just | ||
761 | the local machine, it should also work with other peers --- naturally, they will | ||
762 | need a way to access your GNS zone first, for example by learning your public | ||
763 | key from a QR code on your business card. | ||
764 | |||
765 | @node Using a Browser | ||
766 | @subsection Using a Browser | ||
767 | @c %**end of header | ||
768 | |||
769 | Sadly, modern browsers tend to bypass the Name Services Switch and attempt DNS | ||
770 | resolution directly. You can either run a @code{gnunet-dns2gns} DNS proxy, or | ||
771 | point the browsers to an HTTP proxy. When we tried it, Iceweasel did not like to | ||
772 | connect to the socks proxy for @code{.gnu} TLDs, even if we disabled its | ||
773 | autoblunder of changing @code{.gnu} to ".gnu.com". Still, using the HTTP proxy | ||
774 | with Chrome does work. | ||
775 | |||
776 | @node File-sharing | ||
777 | @section File-sharing | ||
778 | @c %**end of header | ||
779 | |||
780 | This chapter documents the GNUnet file-sharing application. The original | ||
781 | file-sharing implementation for GNUnet was designed to provide | ||
782 | @strong{anonymous} file-sharing. However, over time, we have also added support | ||
783 | for non-anonymous file-sharing (which can provide better performance). Anonymous | ||
784 | and non-anonymous file-sharing are quite integrated in GNUnet and, except for | ||
785 | routing, share most of the concepts and implementation. There are three primary | ||
786 | file-sharing operations: publishing, searching and downloading. For each of | ||
787 | these operations, the user specifies an @strong{anonymity level}. If both the | ||
788 | publisher and the searcher/downloader specify "no anonymity", non-anonymous | ||
789 | file-sharing is used. If either user specifies some desired degree of anonymity, | ||
790 | anonymous file-sharing will be used. | ||
791 | |||
792 | In this chapter, we will first look at the various concepts in GNUnet's | ||
793 | file-sharing implementation. Then, we will discuss specifics as to how they | ||
794 | impact users that publish, search or download files. | ||
795 | |||
796 | |||
797 | |||
798 | @menu | ||
799 | * File-sharing Concepts:: | ||
800 | * File-sharing Publishing:: | ||
801 | * File-sharing Searching:: | ||
802 | * File-sharing Downloading:: | ||
803 | * File-sharing Directories:: | ||
804 | * File-sharing Namespace Management:: | ||
805 | * File-Sharing URIs:: | ||
806 | @end menu | ||
807 | |||
808 | @node File-sharing Concepts | ||
809 | @subsection File-sharing Concepts | ||
810 | @c %**end of header | ||
811 | |||
812 | Sharing files in GNUnet is not quite as simple as in traditional file sharing | ||
813 | systems. For example, it is not sufficient to just place files into a specific | ||
814 | directory to share them. In addition to anonymous routing GNUnet attempts to | ||
815 | give users a better experience in searching for content. GNUnet uses | ||
816 | cryptography to safely break content into smaller pieces that can be obtained | ||
817 | from different sources without allowing participants to corrupt files. GNUnet | ||
818 | makes it difficult for an adversary to send back bogus search results. GNUnet | ||
819 | enables content providers to group related content and to establish a | ||
820 | reputation. Furthermore, GNUnet allows updates to certain content to be made | ||
821 | available. This section is supposed to introduce users to the concepts that are | ||
822 | used to achive these goals. | ||
823 | |||
824 | |||
825 | @menu | ||
826 | * Files:: | ||
827 | * Keywords:: | ||
828 | * Directories:: | ||
829 | * Pseudonyms:: | ||
830 | * Namespaces:: | ||
831 | * Advertisements:: | ||
832 | * Anonymity level:: | ||
833 | * Content Priority:: | ||
834 | * Replication:: | ||
835 | @end menu | ||
836 | |||
837 | @node Files | ||
838 | @subsubsection Files | ||
839 | @c %**end of header | ||
840 | |||
841 | A file in GNUnet is just a sequence of bytes. Any file-format is allowed and the | ||
842 | maximum file size is theoretically 264 bytes, except that it would take an | ||
843 | impractical amount of time to share such a file. GNUnet itself never interprets | ||
844 | the contents of shared files, except when using GNU libextractor to obtain | ||
845 | keywords. | ||
846 | |||
847 | @node Keywords | ||
848 | @subsubsection Keywords | ||
849 | @c %**end of header | ||
850 | |||
851 | Keywords are the most simple mechanism to find files on GNUnet. Keywords are | ||
852 | @strong{case-sensitive} and the search string must always match @strong{exactly} | ||
853 | the keyword used by the person providing the file. Keywords are never | ||
854 | transmitted in plaintext. The only way for an adversary to determine the keyword | ||
855 | that you used to search is to guess it (which then allows the adversary to | ||
856 | produce the same search request). Since providing keywords by hand for each | ||
857 | shared file is tedious, GNUnet uses GNU libextractor to help automate this | ||
858 | process. Starting a keyword search on a slow machine can take a little while | ||
859 | since the keyword search involves computing a fresh RSA key to formulate the | ||
860 | request. | ||
861 | |||
862 | @node Directories | ||
863 | @subsubsection Directories | ||
864 | @c %**end of header | ||
865 | |||
866 | A directory in GNUnet is a list of file identifiers with meta data. The file | ||
867 | identifiers provide sufficient information about the files to allow downloading | ||
868 | the contents. Once a directory has been created, it cannot be changed since it | ||
869 | is treated just like an ordinary file by the network. Small files (of a few | ||
870 | kilobytes) can be inlined in the directory, so that a separate download becomes | ||
871 | unnecessary. | ||
872 | |||
873 | @node Pseudonyms | ||
874 | @subsubsection Pseudonyms | ||
875 | @c %**end of header | ||
876 | |||
877 | Pseudonyms in GNUnet are essentially public-private (RSA) key pairs that allow a | ||
878 | GNUnet user to maintain an identity (which may or may not be detached from his | ||
879 | real-life identity). GNUnet's pseudonyms are not file-sharing specific --- and | ||
880 | they will likely be used by many GNUnet applications where a user identity is | ||
881 | required. | ||
882 | |||
883 | Note that a pseudonym is NOT bound to a GNUnet peer. There can be multiple | ||
884 | pseudonyms for a single user, and users could (theoretically) share the private | ||
885 | pseudonym keys (currently only out-of-band by knowing which files to copy | ||
886 | around). | ||
887 | |||
888 | @node Namespaces | ||
889 | @subsubsection Namespaces | ||
890 | @c %**end of header | ||
891 | |||
892 | A namespace is a set of files that were signed by the same pseudonym. Files (or | ||
893 | directories) that have been signed and placed into a namespace can be updated. | ||
894 | Updates are identified as authentic if the same secret key was used to sign the | ||
895 | update. Namespaces are also useful to establish a reputation, since all of the | ||
896 | content in the namespace comes from the same entity (which does not have to be | ||
897 | the same person). | ||
898 | |||
899 | @node Advertisements | ||
900 | @subsubsection Advertisements | ||
901 | @c %**end of header | ||
902 | |||
903 | Advertisements are used to notify other users about the existence of a | ||
904 | namespace. Advertisements are propagated using the normal keyword search. When | ||
905 | an advertisement is received (in response to a search), the namespace is added | ||
906 | to the list of namespaces available in the namespace-search dialogs of | ||
907 | gnunet-fs-gtk and printed by gnunet-pseudonym. Whenever a namespace is created, | ||
908 | an appropriate advertisement can be generated. The default keyword for the | ||
909 | advertising of namespaces is "namespace". | ||
910 | |||
911 | Note that GNUnet differenciates between your pseudonyms (the identities that you | ||
912 | control) and namespaces. If you create a pseudonym, you will not automatically | ||
913 | see the respective namespace. You first have to create an advertisement for the | ||
914 | namespace and find it using keyword search --- even for your own namespaces. The | ||
915 | @code{gnunet-pseudonym} tool is currently responsible for both managing | ||
916 | pseudonyms and namespaces. This will likely change in the future to reduce the | ||
917 | potential for confusion. | ||
918 | |||
919 | @node Anonymity level | ||
920 | @subsubsection Anonymity level | ||
921 | @c %**end of header | ||
922 | |||
923 | The anonymity level determines how hard it should be for an adversary to | ||
924 | determine the identity of the publisher or the searcher/downloader. An | ||
925 | anonymity level of zero means that anonymity is not required. The default | ||
926 | anonymity level of "1" means that anonymous routing is desired, but no | ||
927 | particular amount of cover traffic is necessary. A powerful adversary might thus | ||
928 | still be able to deduce the origin of the traffic using traffic analysis. | ||
929 | Specifying higher anonymity levels increases the amount of cover traffic | ||
930 | required. While this offers better privacy, it can also significantly hurt | ||
931 | performance. | ||
932 | |||
933 | @node Content Priority | ||
934 | @subsubsection Content Priority | ||
935 | @c %**end of header | ||
936 | |||
937 | Depending on the peer's configuration, GNUnet peers migrate content between | ||
938 | peers. Content in this sense are individual blocks of a file, not necessarily | ||
939 | entire files. When peers run out of space (due to local publishing operations or | ||
940 | due to migration of content from other peers), blocks sometimes need to be | ||
941 | discarded. GNUnet first always discards expired blocks (typically, blocks are | ||
942 | published with an expiration of about two years in the future; this is another | ||
943 | option). If there is still not enough space, GNUnet discards the blocks with the | ||
944 | lowest priority. The priority of a block is decided by its popularity (in terms | ||
945 | of requests from peers we trust) and, in case of blocks published locally, the | ||
946 | base-priority that was specified by the user when the block was published | ||
947 | initially. | ||
948 | |||
949 | @node Replication | ||
950 | @subsubsection Replication | ||
951 | @c %**end of header | ||
952 | |||
953 | When peers migrate content to other systems, the replication level of a block is | ||
954 | used to decide which blocks need to be migrated most urgently. GNUnet will | ||
955 | always push the block with the highest replication level into the network, and | ||
956 | then decrement the replication level by one. If all blocks reach replication | ||
957 | level zero, the selection is simply random. | ||
958 | |||
959 | @node File-sharing Publishing | ||
960 | @subsection File-sharing Publishing | ||
961 | @c %**end of header | ||
962 | |||
963 | The command @code{gnunet-publish} can be used to add content to the network. | ||
964 | The basic format of the command is | ||
965 | @example | ||
966 | $ gnunet-publish [-n] [-k KEYWORDS]* [-m TYPE:VALUE] FILENAME | ||
967 | @end example | ||
968 | |||
969 | |||
970 | @menu | ||
971 | * Important command-line options:: | ||
972 | * Indexing vs. Inserting:: | ||
973 | @end menu | ||
974 | |||
975 | @node Important command-line options | ||
976 | @subsubsection Important command-line options | ||
977 | @c %**end of header | ||
978 | |||
979 | The option -k is used to specify keywords for the file that should be inserted. | ||
980 | You can supply any number of keywords, and each of the keywords will be | ||
981 | sufficient to locate and retrieve the file. | ||
982 | |||
983 | The -m option is used to specify meta-data, such as descriptions. You can use -m | ||
984 | multiple times. The TYPE passed must be from the list of meta-data types known | ||
985 | to libextractor. You can obtain this list by running @code{extract -L}. | ||
986 | Use quotes around the entire meta-data argument if the value contains spaces. | ||
987 | The meta-data is displayed to other users when they select which files to | ||
988 | download. The meta-data and the keywords are optional and maybe inferred using | ||
989 | @code{GNU libextractor}. | ||
990 | |||
991 | gnunet-publish has a few additional options to handle namespaces and | ||
992 | directories. | ||
993 | See the man-page for details. | ||
994 | |||
995 | @node Indexing vs. Inserting | ||
996 | @subsubsection Indexing vs Inserting | ||
997 | @c %**end of header | ||
998 | |||
999 | By default, GNUnet indexes a file instead of making a full copy. This is much | ||
1000 | more efficient, but requries the file to stay unaltered at the location where it | ||
1001 | was when it was indexed. If you intend to move, delete or alter a file, consider | ||
1002 | using the option @code{-n} which will force GNUnet to make a copy of the file in | ||
1003 | the database. | ||
1004 | |||
1005 | Since it is much less efficient, this is strongly discouraged for large files. | ||
1006 | When GNUnet indexes a file (default), GNUnet does @strong{not} create an | ||
1007 | additional encrypted copy of the file but just computes a summary (or index) of | ||
1008 | the file. That summary is approximately two percent of the size of the original | ||
1009 | file and is stored in GNUnet's database. Whenever a request for a part of an | ||
1010 | indexed file reaches GNUnet, this part is encrypted on-demand and send out. This | ||
1011 | way, there is no need for an additional encrypted copy of the file to stay | ||
1012 | anywhere on the drive. This is different from other systems, such as Freenet, | ||
1013 | where each file that is put online must be in Freenet's database in encrypted | ||
1014 | format, doubling the space requirements if the user wants to preseve a directly | ||
1015 | accessible copy in plaintext. | ||
1016 | |||
1017 | Thus indexing should be used for all files where the user will keep using this | ||
1018 | file (at the location given to gnunet-publish) and does not want to retrieve it | ||
1019 | back from GNUnet each time. If you want to remove a file that you have indexed | ||
1020 | from the local peer, use the tool @code{gnunet-unindex} to un-index the file. | ||
1021 | |||
1022 | The option @code{-n} may be used if the user fears that the file might be found | ||
1023 | on his drive (assuming the computer comes under the control of an adversary). | ||
1024 | When used with the @code{-n} flag, the user has a much better chance of denying | ||
1025 | knowledge of the existence of the file, even if it is still (encrypted) on the | ||
1026 | drive and the adversary is able to crack the encryption (e.g. by guessing the | ||
1027 | keyword. | ||
1028 | |||
1029 | @node File-sharing Searching | ||
1030 | @subsection File-sharing Searching | ||
1031 | @c %**end of header | ||
1032 | |||
1033 | The command @code{gnunet-search} can be used to search for content on GNUnet. | ||
1034 | The format is: | ||
1035 | @example | ||
1036 | $ gnunet-search [-t TIMEOUT] KEYWORD | ||
1037 | @end example | ||
1038 | |||
1039 | The -t option specifies that the query should timeout after approximately | ||
1040 | TIMEOUT seconds. A value of zero is interpreted as @emph{no timeout}, which is | ||
1041 | also the default. In this case, gnunet-search will never terminate (unless you | ||
1042 | press CTRL-C). | ||
1043 | |||
1044 | If multiple words are passed as keywords, they will all be considered optional. | ||
1045 | Prefix keywords with a "+" to make them mandatory. | ||
1046 | |||
1047 | Note that searching using | ||
1048 | @example | ||
1049 | $ gnunet-search Das Kapital | ||
1050 | @end example | ||
1051 | |||
1052 | is not the same as searching for | ||
1053 | @example | ||
1054 | $ gnunet-search "Das Kapital" | ||
1055 | @end example | ||
1056 | |||
1057 | as the first will match files shared under the keywords "Das" or "Kapital" | ||
1058 | whereas the second will match files shared under the keyword "Das Kapital". | ||
1059 | |||
1060 | Search results are printed by gnunet-search like this: | ||
1061 | @example | ||
1062 | $ gnunet-download -o "COPYING" --- gnunet://fs/chk/N8...C92.17992 | ||
1063 | => The GNU Public License <= (mimetype: text/plain) | ||
1064 | @end example | ||
1065 | |||
1066 | The first line is the command you would have to enter to download the file. | ||
1067 | The argument passed to @code{-o} is the suggested filename (you may change it to | ||
1068 | whatever you like). | ||
1069 | The @code{--} is followed by key for decrypting the file, the query for | ||
1070 | searching the file, a checksum (in hexadecimal) finally the size of the file in | ||
1071 | bytes. | ||
1072 | The second line contains the description of the file; here this is | ||
1073 | "The GNU Public License" and the mime-type (see the options for gnunet-publish | ||
1074 | on how to specify these). | ||
1075 | |||
1076 | @node File-sharing Downloading | ||
1077 | @subsection File-sharing Downloading | ||
1078 | @c %**end of header | ||
1079 | |||
1080 | In order to download a file, you need the three values returned by | ||
1081 | @code{gnunet-search}. | ||
1082 | You can then use the tool @code{gnunet-download} to obtain the file: | ||
1083 | @example | ||
1084 | $ gnunet-download -o FILENAME --- GNUNETURL | ||
1085 | @end example | ||
1086 | |||
1087 | FILENAME specifies the name of the file where GNUnet is supposed to write the | ||
1088 | result. Existing files are overwritten. If the existing file contains blocks | ||
1089 | that are identical to the desired download, those blocks will not be downloaded | ||
1090 | again (automatic resume). | ||
1091 | |||
1092 | If you want to download the GPL from the previous example, you do the following: | ||
1093 | @example | ||
1094 | $ gnunet-download -o "COPYING" --- gnunet://fs/chk/N8...92.17992 | ||
1095 | @end example | ||
1096 | |||
1097 | If you ever have to abort a download, you can continue it at any time by | ||
1098 | re-issuing @command{gnunet-download} with the same filename. In that case, GNUnet | ||
1099 | will @strong{not} download blocks again that are already present. | ||
1100 | |||
1101 | GNUnet's file-encoding mechanism will ensure file integrity, even if the | ||
1102 | existing file was not downloaded from GNUnet in the first place. | ||
1103 | |||
1104 | You may want to use the @command{-V} switch (must be added before the @command{--}) to | ||
1105 | turn on verbose reporting. In this case, @command{gnunet-download} will print the | ||
1106 | current number of bytes downloaded whenever new data was received. | ||
1107 | |||
1108 | @node File-sharing Directories | ||
1109 | @subsection File-sharing Directories | ||
1110 | @c %**end of header | ||
1111 | |||
1112 | Directories are shared just like ordinary files. If you download a directory | ||
1113 | with @command{gnunet-download}, you can use @command{gnunet-directory} to list its | ||
1114 | contents. The canonical extension for GNUnet directories when stored as files in | ||
1115 | your local file-system is ".gnd". The contents of a directory are URIs and | ||
1116 | meta data. | ||
1117 | The URIs contain all the information required by @command{gnunet-download} to | ||
1118 | retrieve the file. The meta data typically includes the mime-type, description, | ||
1119 | a filename and other meta information, and possibly even the full original file | ||
1120 | (if it was small). | ||
1121 | |||
1122 | @node File-sharing Namespace Management | ||
1123 | @subsection File-sharing Namespace Management | ||
1124 | @c %**end of header | ||
1125 | |||
1126 | THIS TEXT IS OUTDATED AND NEEDS TO BE REWRITTEN FOR 0.10! | ||
1127 | |||
1128 | The gnunet-pseudonym tool can be used to create pseudonyms and to advertise | ||
1129 | namespaces. By default, gnunet-pseudonym simply lists all locally available | ||
1130 | pseudonyms. | ||
1131 | |||
1132 | |||
1133 | @menu | ||
1134 | * Creating Pseudonyms:: | ||
1135 | * Deleting Pseudonyms:: | ||
1136 | * Advertising namespaces:: | ||
1137 | * Namespace names:: | ||
1138 | * Namespace root:: | ||
1139 | @end menu | ||
1140 | |||
1141 | @node Creating Pseudonyms | ||
1142 | @subsubsection Creating Pseudonyms | ||
1143 | @c %**end of header | ||
1144 | |||
1145 | With the @command{-C NICK} option it can also be used to create a new pseudonym. | ||
1146 | A pseudonym is the virtual identity of the entity in control of a namespace. | ||
1147 | Anyone can create any number of pseudonyms. Note that creating a pseudonym can | ||
1148 | take a few minutes depending on the performance of the machine used. | ||
1149 | |||
1150 | @node Deleting Pseudonyms | ||
1151 | @subsubsection Deleting Pseudonyms | ||
1152 | @c %**end of header | ||
1153 | |||
1154 | With the @command{-D NICK} option pseudonyms can be deleted. Once the pseudonym has | ||
1155 | been deleted it is impossible to add content to the corresponding namespace. | ||
1156 | Deleting the pseudonym does not make the namespace or any content in it | ||
1157 | unavailable. | ||
1158 | |||
1159 | @node Advertising namespaces | ||
1160 | @subsubsection Advertising namespaces | ||
1161 | @c %**end of header | ||
1162 | |||
1163 | Each namespace is associated with meta-data that describes the namespace. | ||
1164 | This meta data is provided by the user at the time that the namespace is | ||
1165 | advertised. Advertisements are published under keywords so that they can be | ||
1166 | found using normal keyword-searches. This way, users can learn about new | ||
1167 | namespaces without relying on out-of-band communication or directories. | ||
1168 | A suggested keyword to use for all namespaces is simply "namespace". | ||
1169 | When a keyword-search finds a namespace advertisement, it is automatically | ||
1170 | stored in a local list of known namespaces. Users can then associate a rank with | ||
1171 | the namespace to remember the quality of the content found in it. | ||
1172 | |||
1173 | @node Namespace names | ||
1174 | @subsubsection Namespace names | ||
1175 | @c %**end of header | ||
1176 | |||
1177 | While the namespace is uniquely identified by its ID, another way to refer to | ||
1178 | the namespace is to use the NICKNAME. The NICKNAME can be freely chosen by the | ||
1179 | creator of the namespace and hence conflicts are possible. If a GNUnet client | ||
1180 | learns about more than one namespace using the same NICKNAME, the ID is appended | ||
1181 | to the NICKNAME to get a unique identifier. | ||
1182 | |||
1183 | @node Namespace root | ||
1184 | @subsubsection Namespace root | ||
1185 | @c %**end of header | ||
1186 | |||
1187 | An item of particular interest in the namespace advertisement is the ROOT. | ||
1188 | The ROOT is the identifier of a designated entry in the namespace. The idea is | ||
1189 | that the ROOT can be used to advertise an entry point to the content of the | ||
1190 | namespace. | ||
1191 | |||
1192 | @node File-Sharing URIs | ||
1193 | @subsection File-Sharing URIs | ||
1194 | @c %**end of header | ||
1195 | |||
1196 | GNUnet (currently) uses four different types of URIs for file-sharing. They all | ||
1197 | begin with "gnunet://fs/". This section describes the four different URI types | ||
1198 | in detail. | ||
1199 | |||
1200 | |||
1201 | @menu | ||
1202 | * Encoding of hash values in URIs:: | ||
1203 | * Content Hash Key (chk):: | ||
1204 | * Location identifiers (loc):: | ||
1205 | * Keyword queries (ksk):: | ||
1206 | * Namespace content (sks):: | ||
1207 | @end menu | ||
1208 | |||
1209 | @node Encoding of hash values in URIs | ||
1210 | @subsubsection Encoding of hash values in URIs | ||
1211 | @c %**end of header | ||
1212 | |||
1213 | Most URIs include some hash values. Hashes are encoded using base32hex | ||
1214 | (RFC 2938). | ||
1215 | |||
1216 | @node Content Hash Key (chk) | ||
1217 | @subsubsection Content Hash Key (chk) | ||
1218 | @c %**end of header | ||
1219 | |||
1220 | A chk-URI is used to (uniquely) identify a file or directory and to allow peers | ||
1221 | to download the file. Files are stored in GNUnet as a tree of encrypted blocks. | ||
1222 | The chk-URI thus contains the information to download and decrypt those blocks. | ||
1223 | A chk-URI has the format "gnunet://fs/chk/KEYHASH.QUERYHASH.SIZE". Here, "SIZE" | ||
1224 | is the size of the file (which allows a peer to determine the shape of the | ||
1225 | tree), KEYHASH is the key used to decrypt the file (also the hash of the | ||
1226 | plaintext of the top block) and QUERYHASH is the query used to request the | ||
1227 | top-level block (also the hash of the encrypted block). | ||
1228 | |||
1229 | @node Location identifiers (loc) | ||
1230 | @subsubsection Location identifiers (loc) | ||
1231 | @c %**end of header | ||
1232 | |||
1233 | For non-anonymous file-sharing, loc-URIs are used to specify which peer is | ||
1234 | offering the data (in addition to specifying all of the data from a chk-URI). | ||
1235 | Location identifiers include a digital signature of the peer to affirm that the | ||
1236 | peer is truly the origin of the data. The format is | ||
1237 | "gnunet://fs/loc/KEYHASH.QUERYHASH.SIZE.PEER.SIG.EXPTIME". Here, "PEER" is the | ||
1238 | public key of the peer (in GNUnet format in base32hex), SIG is the RSA signature | ||
1239 | (in GNUnet format in base32hex) and EXPTIME specifies when the signature expires | ||
1240 | (in milliseconds after 1970). | ||
1241 | |||
1242 | @node Keyword queries (ksk) | ||
1243 | @subsubsection Keyword queries (ksk) | ||
1244 | @c %**end of header | ||
1245 | |||
1246 | A keyword-URI is used to specify that the desired operation is the search using | ||
1247 | a particular keyword. The format is simply "gnunet://fs/ksk/KEYWORD". Non-ASCII | ||
1248 | characters can be specified using the typical URI-encoding (using hex values) | ||
1249 | from HTTP. "+" can be used to specify multiple keywords (which are then | ||
1250 | logically "OR"-ed in the search, results matching both keywords are given a | ||
1251 | higher rank): "gnunet://fs/ksk/KEYWORD1+KEYWORD2". | ||
1252 | |||
1253 | @node Namespace content (sks) | ||
1254 | @subsubsection Namespace content (sks) | ||
1255 | @c %**end of header | ||
1256 | |||
1257 | Namespaces are sets of files that have been approved by some (usually | ||
1258 | pseudonymous) user --- typically by that user publishing all of the files | ||
1259 | together. A file can be in many namespaces. A file is in a namespace if the | ||
1260 | owner of the ego (aka the namespace's private key) signs the CHK of the file | ||
1261 | cryptographically. An SKS-URI is used to search a namespace. The result is a | ||
1262 | block containing meta data, the CHK and the namespace owner's signature. The | ||
1263 | format of a sks-URI is "gnunet://fs/sks/NAMESPACE/IDENTIFIER". Here, "NAMESPACE" | ||
1264 | is the public key for the namespace. "IDENTIFIER" is a freely chosen keyword | ||
1265 | (or password!). A commonly used identifier is "root" which by convention refers | ||
1266 | to some kind of index or other entry point into the namespace. | ||
1267 | |||
1268 | @node The GNU Name System | ||
1269 | @section The GNU Name System | ||
1270 | @c %**end of header | ||
1271 | |||
1272 | |||
1273 | The GNU Name System (GNS) is secure and decentralized naming system. | ||
1274 | It allows its users to resolve and register names within the @code{.gnu} | ||
1275 | @dfn{top-level domain} (TLD). | ||
1276 | |||
1277 | GNS is designed to provide: | ||
1278 | @itemize @bullet | ||
1279 | @item Censorship resistance | ||
1280 | @item Query privacy | ||
1281 | @item Secure name resolution | ||
1282 | @item Compatibility with DNS | ||
1283 | @end itemize | ||
1284 | |||
1285 | For the initial configuration and population of your GNS installation, please | ||
1286 | follow the GNS setup instructions. The remainder of this chapter will provide | ||
1287 | some background on GNS and then describe how to use GNS in more detail. | ||
1288 | |||
1289 | Unlike DNS, GNS does not rely on central root zones or authorities. Instead any | ||
1290 | user administers his own root and can can create arbitrary name value mappings. | ||
1291 | Furthermore users can delegate resolution to other users' zones just like DNS NS | ||
1292 | records do. Zones are uniquely identified via public keys and resource records | ||
1293 | are signed using the corresponding public key. Delegation to another user's zone | ||
1294 | is done using special PKEY records and petnames. A petname is a name that can be | ||
1295 | freely chosen by the user. This results in non-unique name-value mappings as | ||
1296 | @code{@uref{http://www.bob.gnu/, www.bob.gnu}} to one user might be | ||
1297 | @code{@uref{http://www.friend.gnu/, www.friend.gnu}} for someone else. | ||
1298 | |||
1299 | |||
1300 | @menu | ||
1301 | * Maintaining your own Zones:: | ||
1302 | * Obtaining your Zone Key:: | ||
1303 | * Adding Links to Other Zones:: | ||
1304 | * The Three Local Zones of GNS:: | ||
1305 | * The Master Zone:: | ||
1306 | * The Private Zone:: | ||
1307 | * The Shorten Zone:: | ||
1308 | * The ZKEY Top Level Domain in GNS:: | ||
1309 | * Resource Records in GNS:: | ||
1310 | @end menu | ||
1311 | |||
1312 | |||
1313 | @node Maintaining your own Zones | ||
1314 | @subsection Maintaining your own Zones | ||
1315 | |||
1316 | To setup your GNS system you must execute: | ||
1317 | |||
1318 | @example | ||
1319 | $ gnunet-gns-import.sh | ||
1320 | @end example | ||
1321 | |||
1322 | This will boostrap your zones and create the necessary key material. | ||
1323 | Your keys can be listed using the gnunet-identity command line tool: | ||
1324 | |||
1325 | @example | ||
1326 | $ gnunet-identity -d | ||
1327 | @end example | ||
1328 | |||
1329 | You can arbitrarily create your own zones using the gnunet-identity tool using: | ||
1330 | |||
1331 | @example | ||
1332 | $ gnunet-identity -C "new_zone" | ||
1333 | @end example | ||
1334 | |||
1335 | Now you can add (or edit, or remove) records in your GNS zone using the | ||
1336 | gnunet-setup GUI or using the gnunet-namestore command-line tool. In either | ||
1337 | case, your records will be stored in an SQL database under control of the | ||
1338 | gnunet-service-namestore. Note that if mutliple users use one peer, the | ||
1339 | namestore database will include the combined records of all users. However, | ||
1340 | users will not be able to see each other's records if they are marked as | ||
1341 | private. | ||
1342 | |||
1343 | To provide a simple example for editing your own zone, suppose you have your own | ||
1344 | web server with IP 1.2.3.4. Then you can put an A record (A records in DNS are | ||
1345 | for IPv4 IP addresses) into your local zone using the command:@ | ||
1346 | |||
1347 | @example | ||
1348 | $ gnunet-namestore -z master-zone -a -n www -t A -V 1.2.3.4 -e never | ||
1349 | @end example | ||
1350 | |||
1351 | Afterwards, you will be able to access your webpage under "www.gnu" (assuming | ||
1352 | your webserver does not use virtual hosting, if it does, please read up on | ||
1353 | setting up the GNS proxy). | ||
1354 | |||
1355 | Similar commands will work for other types of DNS and GNS records, the syntax | ||
1356 | largely depending on the type of the record. Naturally, most users may find | ||
1357 | editing the zones using the gnunet-setup GUI to be easier. | ||
1358 | |||
1359 | @node Obtaining your Zone Key | ||
1360 | @subsection Obtaining your Zone Key | ||
1361 | |||
1362 | Each zone in GNS has a public-private key. Usually, gnunet-namestore and | ||
1363 | gnunet-setup will access your private key as necessary, so you do not have to | ||
1364 | worry about those. What is important is your public key (or rather, the hash of | ||
1365 | your public key), as you will likely want to give it to others so that they can | ||
1366 | securely link to you. | ||
1367 | |||
1368 | You can usually get the hash of your public key using@ | ||
1369 | |||
1370 | @example | ||
1371 | $ gnunet-identity -d $options | grep master-zone | awk '@{print $3@}' | ||
1372 | @end example | ||
1373 | |||
1374 | For example, the output might be something like: | ||
1375 | |||
1376 | @example | ||
1377 | DC3SEECJORPHQNVRH965A6N74B1M37S721IG4RBQ15PJLLPJKUE0 | ||
1378 | @end example | ||
1379 | |||
1380 | Alternatively, you can obtain a QR code with your zone key AND your pseudonym | ||
1381 | from gnunet-gtk. The QR code is displayed in the GNS tab and can be stored to | ||
1382 | disk using the Save as button next to the image. | ||
1383 | |||
1384 | @node Adding Links to Other Zones | ||
1385 | @subsection Adding Links to Other Zones | ||
1386 | |||
1387 | |||
1388 | A central operation in GNS is the ability to securely delegate to other zones. | ||
1389 | Basically, by adding a delegation you make all of the names from the other zone | ||
1390 | available to yourself. This section describes how to create delegations. | ||
1391 | |||
1392 | Suppose you have a friend who you call 'bob' who also uses GNS. You can then | ||
1393 | delegate resolution of names to Bob's zone by adding a PKEY record to his local | ||
1394 | zone: | ||
1395 | |||
1396 | @example | ||
1397 | $ gnunet-namestore -a -n bob --type PKEY -V XXXX -e never | ||
1398 | @end example | ||
1399 | |||
1400 | Note that XXXX in the command above must be replaced with the hash of Bob's | ||
1401 | public key (the output your friend obtained using the gnunet-identity command | ||
1402 | from the previous section and told you, for example by giving you a business | ||
1403 | card containing this information as a QR code). | ||
1404 | |||
1405 | Assuming Bob has an A record for his website under the name of www in his zone, | ||
1406 | you can then access Bob's website under www.bob.gnu --- as well as any (public) | ||
1407 | GNS record that Bob has in his zone by replacing www with the respective name of | ||
1408 | the record in Bob's zone. | ||
1409 | |||
1410 | Furthermore, if Bob has himself a (public) delegation to Carol's zone under | ||
1411 | "carol", you can access Carol's records under NAME.carol.bob.gnu (where NAME is | ||
1412 | the name of Carol's record you want to access). | ||
1413 | |||
1414 | @node The Three Local Zones of GNS | ||
1415 | @subsection The Three Local Zones of GNS | ||
1416 | |||
1417 | Each user GNS has control over three zones. Each of the zones has a different | ||
1418 | purpose. These zones are the | ||
1419 | @itemize @bullet | ||
1420 | |||
1421 | @item master zone, | ||
1422 | @item private zone, and the | ||
1423 | @item shorten zone. | ||
1424 | @end itemize | ||
1425 | |||
1426 | @node The Master Zone | ||
1427 | @subsection The Master Zone | ||
1428 | |||
1429 | |||
1430 | The master zone is your personal TLD. Names within the @code{.gnu} namespace are | ||
1431 | resolved relative to this zone. You can arbitrarily add records to this zone and | ||
1432 | selectively publish those records. | ||
1433 | |||
1434 | @node The Private Zone | ||
1435 | @subsection The Private Zone | ||
1436 | |||
1437 | |||
1438 | The private zone is a subzone (or subdomain in DNS terms) of your master zone. | ||
1439 | It should be used for records that you want to keep private. For example | ||
1440 | @code{bank.private.gnu}. The key idea is that you want to keep your private | ||
1441 | records separate, if just to know that those names are not available to other | ||
1442 | users. | ||
1443 | |||
1444 | @node The Shorten Zone | ||
1445 | @subsection The Shorten Zone | ||
1446 | |||
1447 | |||
1448 | The shorten zone can either be a subzone of the master zone or the private zone. | ||
1449 | It is different from the other zones in that GNS will automatically populate | ||
1450 | this zone with other users' zones based on their PSEU records whenever you | ||
1451 | resolve a name. | ||
1452 | |||
1453 | For example if you go to | ||
1454 | @code{@uref{http://www.bob.alice.dave.gnu/, www.bob.alice.dave.gnu}}, GNS will | ||
1455 | try to import @code{bob} into your shorten zone. Having obtained Bob's PKEY from | ||
1456 | @code{alice.dave.gnu}, GNS will lookup the PSEU record for @code{+} in Bob's | ||
1457 | zone. If it exists and the specified pseudonym is not taken, Bob's PKEY will be | ||
1458 | automatically added under that pseudonym (i.e. "bob") into your shorten zone. | ||
1459 | From then on, Bob's webpage will also be available for you as | ||
1460 | @code{@uref{http://www.bob.short.gnu/, www.bob.short.gnu}}. This feature is | ||
1461 | called automatic name shortening and is supposed to keep GNS names as short and | ||
1462 | memorable as possible. | ||
1463 | |||
1464 | @node The ZKEY Top Level Domain in GNS | ||
1465 | @subsection The ZKEY Top Level Domain in GNS | ||
1466 | |||
1467 | |||
1468 | GNS also provides a secure and globally unique namespace under the .zkey | ||
1469 | top-level domain. A name in the .zkey TLD corresponds to the (printable) public | ||
1470 | key of a zone. Names in the .zkey TLD are then resolved by querying the | ||
1471 | respective zone. The .zkey TLD is expected to be used under rare circumstances | ||
1472 | where globally unique names are required and for integration with legacy | ||
1473 | systems. | ||
1474 | |||
1475 | @node Resource Records in GNS | ||
1476 | @subsection Resource Records in GNS | ||
1477 | |||
1478 | |||
1479 | GNS supports the majority of the DNS records as defined in | ||
1480 | @uref{http://www.ietf.org/rfc/rfc1035.txt, RFC 1035}. Additionally, GNS defines | ||
1481 | some new record types the are unique to the GNS system. For example, | ||
1482 | GNS-specific resource records are use to give petnames for zone delegation, | ||
1483 | revoke zone keys and provide some compatibility features. | ||
1484 | |||
1485 | For some DNS records, GNS does extended processing to increase their usefulness | ||
1486 | in GNS. In particular, GNS introduces special names referred to as | ||
1487 | "zone relative names". Zone relative names are allowed in some resource record | ||
1488 | types (for example, in NS and CNAME records) and can also be used in links on | ||
1489 | webpages. Zone relative names end in ".+" which indicates that the name needs to | ||
1490 | be resolved relative to the current authoritative zone. The extended processing | ||
1491 | of those names will expand the ".+" with the correct delegation chain to the | ||
1492 | authoritative zone (replacing ".+" with the name of the location where the name | ||
1493 | was encountered) and hence generate a valid @code{.gnu} name. | ||
1494 | |||
1495 | GNS currently supports the following record types: | ||
1496 | |||
1497 | @menu | ||
1498 | * NICK:: | ||
1499 | * PKEY:: | ||
1500 | * BOX:: | ||
1501 | * LEHO:: | ||
1502 | * VPN:: | ||
1503 | * A AAAA and TXT:: | ||
1504 | * CNAME:: | ||
1505 | * GNS2DNS:: | ||
1506 | * SOA SRV PTR and MX:: | ||
1507 | @end menu | ||
1508 | |||
1509 | @node NICK | ||
1510 | @subsubsection NICK | ||
1511 | |||
1512 | A NICK record is used to give a zone a name. With a NICK record, you can | ||
1513 | essentially specify how you would like to be called. GNS expects this record | ||
1514 | under the name "+" in the zone's database (NAMESTORE); however, it will then | ||
1515 | automatically be copied into each record set, so that clients never need to do a | ||
1516 | separate lookup to discover the NICK record. | ||
1517 | |||
1518 | @b{Example}@ | ||
1519 | |||
1520 | @example | ||
1521 | Name: +; RRType: NICK; Value: bob | ||
1522 | @end example | ||
1523 | |||
1524 | This record in Bob's zone will tell other users that this zone wants to be | ||
1525 | referred to as 'bob'. Note that nobody is obliged to call Bob's zone 'bob' in | ||
1526 | their own zones. It can be seen as a recommendation ("Please call me 'bob'"). | ||
1527 | |||
1528 | @node PKEY | ||
1529 | @subsubsection PKEY | ||
1530 | |||
1531 | PKEY records are used to add delegation to other users' zones and give those | ||
1532 | zones a petname. | ||
1533 | |||
1534 | @b{Example}@ | ||
1535 | |||
1536 | Let Bob's zone be identified by the hash "ABC012". Bob is your friend so you | ||
1537 | want to give him the petname "friend". Then you add the following record to your | ||
1538 | zone: | ||
1539 | |||
1540 | @example | ||
1541 | Name: friend; RRType: PKEY; Value: ABC012; | ||
1542 | @end example | ||
1543 | |||
1544 | This will allow you to resolve records in bob's zone under "*.friend.gnu". | ||
1545 | |||
1546 | @node BOX | ||
1547 | @subsubsection BOX | ||
1548 | |||
1549 | BOX records are there to integrate information from TLSA or SRV records under | ||
1550 | the main label. In DNS, TLSA and SRV records use special names of the form | ||
1551 | @code{_port._proto.(label.)*tld} to indicate the port number and protocol | ||
1552 | (i.e. tcp or udp) for which the TLSA or SRV record is valid. This causes various | ||
1553 | problems, and is elegantly solved in GNS by integrating the protocol and port | ||
1554 | numbers together with the respective value into a "BOX" record. Note that in the | ||
1555 | GUI, you do not get to edit BOX records directly right now --- the GUI will | ||
1556 | provide the illusion of directly editing the TLSA and SRV records, even though | ||
1557 | they internally are BOXed up. | ||
1558 | |||
1559 | @node LEHO | ||
1560 | @subsubsection LEHO | ||
1561 | |||
1562 | The LEgacy HOstname of a server. Some webservers expect a specific hostname to | ||
1563 | provide a service (virtiual hosting). Also SSL certificates usually contain DNS | ||
1564 | names. To provide the expected legacy DNS name for a server, the LEHO record can | ||
1565 | be used. To mitigate the just mentioned issues the GNS proxy has to be used. The | ||
1566 | GNS proxy will use the LEHO information to apply the necessary transformations. | ||
1567 | |||
1568 | @node VPN | ||
1569 | @subsubsection VPN | ||
1570 | |||
1571 | GNS allows easy access to services provided by the GNUnet Virtual Public | ||
1572 | Network. When the GNS resolver encounters a VPN record it will contact the VPN | ||
1573 | service to try and allocate an IPv4/v6 address (if the queries record type is an | ||
1574 | IP address) that can be used to contact the service. | ||
1575 | |||
1576 | @b{Example}@ | ||
1577 | |||
1578 | I want to provide access to the VPN service "web.gnu." on port 80 on peer | ||
1579 | ABC012:@ | ||
1580 | Name: www; RRType: VPN; Value: 80 ABC012 web.gnu. | ||
1581 | |||
1582 | The peer ABC012 is configured to provide an exit point for the service | ||
1583 | "web.gnu." on port 80 to it's server running locally on port 8080 by having the | ||
1584 | following lines in the @file{gnunet.conf} configuration file:@ | ||
1585 | @example | ||
1586 | [web.gnunet.] | ||
1587 | TCP_REDIRECTS = 80:localhost4:8080 | ||
1588 | @end example | ||
1589 | |||
1590 | @node A AAAA and TXT | ||
1591 | @subsubsection A AAAA and TXT | ||
1592 | |||
1593 | Those records work in exactly the same fashion as in traditional DNS. | ||
1594 | |||
1595 | @node CNAME | ||
1596 | @subsubsection CNAME | ||
1597 | |||
1598 | As specified in RFC 1035 whenever a CNAME is encountered the query needs to be | ||
1599 | restarted with the specified name. In GNS a CNAME can either be: | ||
1600 | |||
1601 | @itemize @bullet | ||
1602 | @item A zone relative name, | ||
1603 | @item A zkey name or | ||
1604 | @item A DNS name (in which case resolution will continue outside of GNS with the systems DNS resolver) | ||
1605 | @end itemize | ||
1606 | |||
1607 | @node GNS2DNS | ||
1608 | @subsubsection GNS2DNS | ||
1609 | |||
1610 | GNS can delegate authority to a legacy DNS zone. For this, the name of the DNS | ||
1611 | nameserver and the name of the DNS zone are specified in a GNS2DNS record. | ||
1612 | |||
1613 | @b{Example} | ||
1614 | |||
1615 | @example | ||
1616 | Name: pet; RRType: GNS2DNS; Value: gnunet.org@@a.ns.joker.com | ||
1617 | @end example | ||
1618 | |||
1619 | Any query to @code{pet.gnu} will then be delegated to the DNS server at | ||
1620 | @code{a.ns.joker.com}.@ | ||
1621 | For example, @code{@uref{http://www.pet.gnu/, www.pet.gnu}} will result in a | ||
1622 | DNS query for @code{@uref{http://www.gnunet.org/, www.gnunet.org}} to the server | ||
1623 | at @code{a.ns.joker.com}. Delegation to DNS via NS records in GNS can be useful | ||
1624 | if you do not want to start resolution in the DNS root zone (due to issues such | ||
1625 | as censorship or availability). | ||
1626 | |||
1627 | Note that you would typically want to use a relative name for the nameserver, | ||
1628 | i.e. | ||
1629 | @example | ||
1630 | Name: pet; RRType: GNS2DNS; Value: gnunet.org@@ns-joker.+@ | ||
1631 | Name: ns-joker; RRType: A; Value: 184.172.157.218 | ||
1632 | @end example | ||
1633 | |||
1634 | This way, you can avoid involving the DNS hierarchy in the resolution of | ||
1635 | @code{a.ns.joker.com}. In the example above, the problem may not be obvious as | ||
1636 | the nameserver for "gnunet.org" is in the ".com" zone. However, imagine the | ||
1637 | nameserver was "ns.gnunet.org". In this case, delegating to "ns.gnunet.org" | ||
1638 | would mean that despite using GNS, censorship in the DNS ".org" zone would still | ||
1639 | be effective. | ||
1640 | |||
1641 | @node SOA SRV PTR and MX | ||
1642 | @subsubsection SOA SRV PTR and MX | ||
1643 | |||
1644 | The domain names in those records can, again, be either | ||
1645 | @itemize @bullet | ||
1646 | @item A zone relative name, | ||
1647 | @item A zkey name or | ||
1648 | @item A DNS name | ||
1649 | @end itemize | ||
1650 | |||
1651 | The resolver will expand the zone relative name if possible. Note that when | ||
1652 | using MX records within GNS, the target mail server might still refuse to accept | ||
1653 | e-mails to the resulting domain as the name might not match. GNS-enabled mail | ||
1654 | clients should use the ZKEY zone as the destination hostname and GNS-enabled | ||
1655 | mail servers should be configured to accept e-mails to the ZKEY-zones of all | ||
1656 | local users. | ||
1657 | |||
1658 | @node Using the Virtual Public Network | ||
1659 | @section Using the Virtual Public Network | ||
1660 | |||
1661 | @menu | ||
1662 | * Setting up an Exit node:: | ||
1663 | * Fedora and the Firewall:: | ||
1664 | * Setting up VPN node for protocol translation and tunneling:: | ||
1665 | @end menu | ||
1666 | |||
1667 | Using the GNUnet Virtual Public Network (VPN) application you can tunnel IP | ||
1668 | traffic over GNUnet. Moreover, the VPN comes with built-in protocol translation | ||
1669 | and DNS-ALG support, enabling IPv4-to-IPv6 protocol translation | ||
1670 | (in both directions). This chapter documents how to use the GNUnet VPN. | ||
1671 | |||
1672 | The first thing to note about the GNUnet VPN is that it is a public network. All | ||
1673 | participating peers can participate and there is no secret key to control | ||
1674 | access. So unlike common virtual private networks, the GNUnet VPN is not useful | ||
1675 | as a means to provide a "private" network abstraction over the Internet. The | ||
1676 | GNUnet VPN is a virtual network in the sense that it is an overlay over the | ||
1677 | Internet, using its own routing mechanisms and can also use an internal | ||
1678 | addressing scheme. The GNUnet VPN is an Internet underlay --- TCP/IP | ||
1679 | applications run on top of it. | ||
1680 | |||
1681 | The VPN is currently only supported on GNU/Linux systems. Support for operating | ||
1682 | systems that support TUN (such as FreeBSD) should be easy to add (or might not | ||
1683 | even require any coding at all --- we just did not test this so far). Support | ||
1684 | for other operating systems would require re-writing the code to create virtual | ||
1685 | network interfaces and to intercept DNS requests. | ||
1686 | |||
1687 | The VPN does not provide good anonymity. While requests are routed over the | ||
1688 | GNUnet network, other peers can directly see the source and destination of each | ||
1689 | (encapsulated) IP packet. Finally, if you use the VPN to access Internet | ||
1690 | services, the peer sending the request to the Internet will be able to observe | ||
1691 | and even alter the IP traffic. We will discuss additional security implications | ||
1692 | of using the VPN later in this chapter. | ||
1693 | |||
1694 | @node Setting up an Exit node | ||
1695 | @subsection Setting up an Exit node | ||
1696 | |||
1697 | Any useful operation with the VPN requires the existence of an exit node in the | ||
1698 | GNUnet Peer-to-Peer network. Exit functionality can only be enabled on peers | ||
1699 | that have regular Internet access. If you want to play around with the VPN or | ||
1700 | support the network, we encourage you to setup exit nodes. This chapter | ||
1701 | documents how to setup an exit node. | ||
1702 | |||
1703 | There are four types of exit functions an exit node can provide, and using the | ||
1704 | GNUnet VPN to access the Internet will only work nicely if the first three types | ||
1705 | are provided somewhere in the network. The four exit functions are: | ||
1706 | @itemize @bullet | ||
1707 | @item DNS: allow other peers to use your DNS resolver | ||
1708 | @item IPv4: allow other peers to access your IPv4 Internet connection | ||
1709 | @item IPv6: allow other peers to access your IPv6 Internet connection | ||
1710 | @item Local service: allow other peers to access a specific TCP or UDP service your peer is providing | ||
1711 | @end itemize | ||
1712 | |||
1713 | By enabling "exit" in gnunet-setup and checking the respective boxes in the | ||
1714 | "exit" tab, you can easily choose which of the above exit functions you want to | ||
1715 | support. | ||
1716 | |||
1717 | Note, however, that by supporting the first three functions you will allow | ||
1718 | arbitrary other GNUnet users to access the Internet via your system. This is | ||
1719 | somewhat similar to running a Tor exit node. The torproject has a nice article | ||
1720 | about what to consider if you want to do this here. We believe that generally | ||
1721 | running a DNS exit node is completely harmless. | ||
1722 | |||
1723 | The exit node configuration does currently not allow you to restrict the | ||
1724 | Internet traffic that leaves your system. In particular, you cannot exclude SMTP | ||
1725 | traffic (or block port 25) or limit to HTTP traffic using the GNUnet | ||
1726 | configuration. However, you can use your host firewall to restrict outbound | ||
1727 | connections from the virtual tunnel interface. This is highly recommended. In | ||
1728 | the future, we plan to offer a wider range of configuration options for exit | ||
1729 | nodes. | ||
1730 | |||
1731 | Note that by running an exit node GNUnet will configure your kernel to perform | ||
1732 | IP-forwarding (for IPv6) and NAT (for IPv4) so that the traffic from the virtual | ||
1733 | interface can be routed to the Internet. In order to provide an IPv6-exit, you | ||
1734 | need to have a subnet routed to your host's external network interface and | ||
1735 | assign a subrange of that subnet to the GNUnet exit's TUN interface. | ||
1736 | |||
1737 | When running a local service, you should make sure that the local service is | ||
1738 | (also) bound to the IP address of your EXIT interface (i.e. 169.254.86.1). It | ||
1739 | will NOT work if your local service is just bound to loopback. You may also want | ||
1740 | to create a "VPN" record in your zone of the GNU Name System to make it easy for | ||
1741 | others to access your service via a name instead of just the full service | ||
1742 | descriptor. Note that the identifier you assign the service can serve as a | ||
1743 | passphrase or shared secret, clients connecting to the service must somehow | ||
1744 | learn the service's name. VPN records in the GNU Name System can make this | ||
1745 | easier. | ||
1746 | |||
1747 | @node Fedora and the Firewall | ||
1748 | @subsection Fedora and the Firewall | ||
1749 | |||
1750 | |||
1751 | When using an exit node on Fedora 15, the standard firewall can create trouble | ||
1752 | even when not really exiting the local system! For IPv4, the standard rules seem | ||
1753 | fine. However, for IPv6 the standard rules prohibit traffic from the network | ||
1754 | range of the virtual interface created by the exit daemon to the local IPv6 | ||
1755 | address of the same interface (which is essentially loopback traffic, so you | ||
1756 | might suspect that a standard firewall would leave this traffic alone). However, | ||
1757 | as somehow for IPv6 the traffic is not recognized as originating from the local | ||
1758 | system (and as the connection is not already "established"), the firewall drops | ||
1759 | the traffic. You should still get ICMPv6 packets back, but that's obviously not | ||
1760 | very useful. | ||
1761 | |||
1762 | Possible ways to fix this include disabling the firewall (do you have a good | ||
1763 | reason for having it on?) or disabling the firewall at least for the GNUnet exit | ||
1764 | interface (or the respective IPv4/IPv6 address range). The best way to diagnose | ||
1765 | these kinds of problems in general involves setting the firewall to REJECT | ||
1766 | instead of DROP and to watch the traffic using wireshark (or tcpdump) to see if | ||
1767 | ICMP messages are generated when running some tests that should work. | ||
1768 | |||
1769 | @node Setting up VPN node for protocol translation and tunneling | ||
1770 | @subsection Setting up VPN node for protocol translation and tunneling | ||
1771 | |||
1772 | |||
1773 | The GNUnet VPN/PT subsystem enables you to tunnel IP traffic over the VPN to an | ||
1774 | exit node, from where it can then be forwarded to the Internet. This section | ||
1775 | documents how to setup VPN/PT on a node. Note that you can enable both the VPN | ||
1776 | and an exit on the same peer. In this case, IP traffic from your system may | ||
1777 | enter your peer's VPN and leave your peer's exit. This can be useful as a means | ||
1778 | to do protocol translation. For example, you might have an application that | ||
1779 | supports only IPv4 but needs to access an IPv6-only site. In this case, GNUnet | ||
1780 | would perform 4to6 protocol translation between the VPN (IPv4) and the | ||
1781 | Exit (IPv6). Similarly, 6to4 protocol translation is also possible. However, the | ||
1782 | primary use for GNUnet would be to access an Internet service running with an | ||
1783 | IP version that is not supported by your ISP. In this case, your IP traffic | ||
1784 | would be routed via GNUnet to a peer that has access to the Internet with the | ||
1785 | desired IP version. | ||
1786 | |||
1787 | Setting up an entry node into the GNUnet VPN primarily requires you to enable | ||
1788 | the "VPN/PT" option in "gnunet-setup". This will launch the | ||
1789 | "gnunet-service-vpn", "gnunet-service-dns" and "gnunet-daemon-pt" processes. | ||
1790 | The "gnunet-service-vpn" will create a virtual interface which will be used as | ||
1791 | the target for your IP traffic that enters the VPN. Additionally, a second | ||
1792 | virtual interface will be created by the "gnunet-service-dns" for your DNS | ||
1793 | traffic. You will then need to specify which traffic you want to tunnel over | ||
1794 | GNUnet. If your ISP only provides you with IPv4 or IPv6-access, you may choose | ||
1795 | to tunnel the other IP protocol over the GNUnet VPN. If you do not have an ISP | ||
1796 | (and are connected to other GNUnet peers via WLAN), you can also choose to | ||
1797 | tunnel all IP traffic over GNUnet. This might also provide you with some | ||
1798 | anonymity. After you enable the respective options and restart your peer, your | ||
1799 | Internet traffic should be tunneled over the GNUnet VPN. | ||
1800 | |||
1801 | The GNUnet VPN uses DNS-ALG to hijack your IP traffic. Whenever an application | ||
1802 | resolves a hostname (i.e. 'gnunet.org'), the "gnunet-daemon-pt" will instruct | ||
1803 | the "gnunet-service-dns" to intercept the request (possibly route it over GNUnet | ||
1804 | as well) and replace the normal answer with an IP in the range of the VPN's | ||
1805 | interface. "gnunet-daemon-pt" will then tell "gnunet-service-vpn" to forward all | ||
1806 | traffic it receives on the TUN interface via the VPN to the original | ||
1807 | destination. | ||
1808 | |||
1809 | For applications that do not use DNS, you can also manually create such a | ||
1810 | mapping using the gnunet-vpn command-line tool. Here, you specfiy the desired | ||
1811 | address family of the result (i.e. "-4"), and the intended target IP on the | ||
1812 | Internet ("-i 131.159.74.67") and "gnunet-vpn" will tell you which IP address in | ||
1813 | the range of your VPN tunnel was mapped. | ||
1814 | |||
1815 | gnunet-vpn can also be used to access "internal" services offered by GNUnet | ||
1816 | nodes. So if you happen to know a peer and a service offered by that peer, you | ||
1817 | can create an IP tunnel to that peer by specifying the peer's identity, service | ||
1818 | name and protocol (--tcp or --udp) and you will again receive an IP address that | ||
1819 | will terminate at the respective peer's service. | ||