diff options
Diffstat (limited to 'doc/documentation/chapters/user.texi')
-rw-r--r-- | doc/documentation/chapters/user.texi | 2009 |
1 files changed, 2009 insertions, 0 deletions
diff --git a/doc/documentation/chapters/user.texi b/doc/documentation/chapters/user.texi new file mode 100644 index 000000000..61a2e06e8 --- /dev/null +++ b/doc/documentation/chapters/user.texi | |||
@@ -0,0 +1,2009 @@ | |||
1 | @node Using GNUnet | ||
2 | @chapter Using GNUnet | ||
3 | @c %**end of header | ||
4 | |||
5 | This tutorial is supposed to give a first introduction for end-users | ||
6 | trying to do something "real" with GNUnet. Installation and | ||
7 | configuration are specifically outside of the scope of this tutorial. | ||
8 | Instead, we start by briefly checking that the installation works, and | ||
9 | then dive into simple, concrete practical things that can be done | ||
10 | with the network. | ||
11 | |||
12 | This chapter documents how to use the various Peer-to-Peer applications | ||
13 | of the GNUnet system. As GNUnet evolves, we will add new chapters for | ||
14 | the various applications that are being created. | ||
15 | |||
16 | Comments and extensions are always welcome. | ||
17 | |||
18 | |||
19 | @menu | ||
20 | * Checking the Installation:: | ||
21 | * First steps - File-sharing:: | ||
22 | * First steps - Using the GNU Name System:: | ||
23 | * First steps - Using GNUnet Conversation:: | ||
24 | * First steps - Using the GNUnet VPN:: | ||
25 | * File-sharing:: | ||
26 | * The GNU Name System:: | ||
27 | * Using the Virtual Public Network:: | ||
28 | @end menu | ||
29 | |||
30 | @node Checking the Installation | ||
31 | @section Checking the Installation | ||
32 | @c %**end of header | ||
33 | |||
34 | This chapter describes a quick casual way to check if your GNUnet | ||
35 | installation works. However, if it does not, we do not cover | ||
36 | steps for recovery --- for this, please study the installation and | ||
37 | configuration handbooks. | ||
38 | |||
39 | |||
40 | @menu | ||
41 | * gnunet-gtk:: | ||
42 | * Statistics:: | ||
43 | * Peer Information:: | ||
44 | @end menu | ||
45 | |||
46 | @node gnunet-gtk | ||
47 | @subsection gnunet-gtk | ||
48 | @c %**end of header | ||
49 | |||
50 | First, you should launch @code{gnunet-gtk}, the graphical user | ||
51 | interface for GNUnet which will be used for most of the tutorial. | ||
52 | You can do this from the command-line by typing | ||
53 | |||
54 | @example | ||
55 | $ gnunet-gtk | ||
56 | @end example | ||
57 | |||
58 | (note that @code{$} represents the prompt of the shell for a normal user). | ||
59 | Depending on your distribution, you may also find @code{gnunet-gtk} | ||
60 | in your menus. After starting @code{gnunet-gtk}, you should see the | ||
61 | following window: | ||
62 | |||
63 | @image{images/gnunet-gtk-0-10,5in,, picture of gnunet-gtk application} | ||
64 | |||
65 | The five images on top represent the five different graphical applications | ||
66 | that you can use within @code{gnunet-gtk}. They are (from left to right): | ||
67 | |||
68 | @itemize @bullet | ||
69 | @item Statistics | ||
70 | @item Peer Information | ||
71 | @item GNU Name System | ||
72 | @item File Sharing | ||
73 | @item Identity Management | ||
74 | @end itemize | ||
75 | |||
76 | @node Statistics | ||
77 | @subsection Statistics | ||
78 | @c %**end of header | ||
79 | |||
80 | When @code{gnunet-gtk} is started, the statistics area should be selected | ||
81 | at first. If your peer is running correctly, you should see a bunch of | ||
82 | lines, all of which should be "significantly" above zero (at least if your | ||
83 | peer has been running for a few seconds). The lines indicate how many other | ||
84 | peers your peer is connected to (via different mechanisms) and how large | ||
85 | the overall overlay network is currently estimated to be. The X-axis | ||
86 | represents time (in seconds since the start of @code{gnunet-gtk}). | ||
87 | |||
88 | You can click on "Traffic" to see information about the amount of | ||
89 | bandwidth your peer has consumed, and on "Storage" to check the amount | ||
90 | of storage available and used by your peer. Note that "Traffic" is | ||
91 | plotted cummulatively, so you should see a strict upwards trend in the | ||
92 | traffic. | ||
93 | |||
94 | @node Peer Information | ||
95 | @subsection Peer Information | ||
96 | @c %**end of header | ||
97 | |||
98 | You should now click on the Australian Aboriginal Flag. Once you have | ||
99 | done this, you will see a list of known peers (by the first four | ||
100 | characters of their public key), their friend status (all should be | ||
101 | marked as not-friends initially), their connectivity (green is | ||
102 | connected, red is disconnected), assigned bandwidth, | ||
103 | country of origin (if determined) and address information. If hardly | ||
104 | any peers are listed and/or if there are very few peers with a green light | ||
105 | for connectivity, there is likely a problem with your | ||
106 | network configuration. | ||
107 | |||
108 | @node First steps - File-sharing | ||
109 | @section First steps - File-sharing | ||
110 | @c %**end of header | ||
111 | |||
112 | This chapter describes first steps for file-sharing with GNUnet. | ||
113 | To start, you should launch @code{gnunet-gtk} and select the | ||
114 | file-sharing tab (the one with the arrows between the three circles). | ||
115 | |||
116 | As we want to be sure that the network contains the data that we are | ||
117 | looking for for testing, we need to begin by publishing a file. | ||
118 | |||
119 | |||
120 | @menu | ||
121 | * Publishing:: | ||
122 | * Searching:: | ||
123 | * Downloading:: | ||
124 | @end menu | ||
125 | |||
126 | @node Publishing | ||
127 | @subsection Publishing | ||
128 | @c %**end of header | ||
129 | |||
130 | To publish a file, select "File Sharing" in the menu bar just below the | ||
131 | "Statistics" icon, and then select "Publish" from the menu. | ||
132 | |||
133 | Afterwards, the following publishing dialog will appear: | ||
134 | |||
135 | @c Add image here | ||
136 | |||
137 | In this dialog, select the "Add File" button. This will open a | ||
138 | file selection dialog: | ||
139 | |||
140 | @c Add image here | ||
141 | |||
142 | Now, you should select a file from your computer to be published on | ||
143 | GNUnet. To see more of GNUnet's features later, you should pick a | ||
144 | PNG or JPEG file this time. You can leave all of the other options | ||
145 | in the dialog unchanged. Confirm your selection by pressing the "OK" | ||
146 | button in the bottom right corner. Now, you will briefly see a | ||
147 | "Messages..." dialog pop up, but most likely it will be too short for | ||
148 | you to really read anything. That dialog is showing you progress | ||
149 | information as GNUnet takes a first look at the selected file(s). | ||
150 | For a normal image, this is virtually instant, but if you later | ||
151 | import a larger directory you might be interested in the progress dialog | ||
152 | and potential errors that might be encountered during processing. | ||
153 | After the progress dialog automatically disappears, your file | ||
154 | should now appear in the publishing dialog: | ||
155 | |||
156 | @c Add image here | ||
157 | |||
158 | Now, select the file (by clicking on the file name) and then click | ||
159 | the "Edit" button. This will open the editing dialog: | ||
160 | |||
161 | @c Add image here | ||
162 | |||
163 | In this dialog, you can see many details about your file. In the | ||
164 | top left area, you can see meta data extracted about the file, | ||
165 | such as the original filename, the mimetype and the size of the image. | ||
166 | In the top right, you should see a preview for the image | ||
167 | (if GNU libextractor was installed correctly with the | ||
168 | respective plugins). Note that if you do not see a preview, this | ||
169 | is not a disaster, but you might still want to install more of | ||
170 | GNU libextractor in the future. In the bottom left, the dialog contains | ||
171 | a list of keywords. These are the keywords under which the file will be | ||
172 | made available. The initial list will be based on the extracted meta data. | ||
173 | Additional publishing options are in the right bottom corner. We will | ||
174 | now add an additional keyword to the list of keywords. This is done by | ||
175 | entering the keyword above the keyword list between the label "Keyword" | ||
176 | and the "Add keyword" button. Enter "test" and select "Add keyword". | ||
177 | Note that the keyword will appear at the bottom of the existing keyword | ||
178 | list, so you might have to scroll down to see it. Afterwards, push the | ||
179 | "OK" button at the bottom right of the dialog. | ||
180 | |||
181 | You should now be back at the "Publish content on GNUnet" dialog. Select | ||
182 | "Execute" in the bottom right to close the dialog and publish your file | ||
183 | on GNUnet! Afterwards, you should see the main dialog with a new area | ||
184 | showing the list of published files (or ongoing publishing operations | ||
185 | with progress indicators): | ||
186 | |||
187 | @c Add image here | ||
188 | |||
189 | @node Searching | ||
190 | @subsection Searching | ||
191 | @c %**end of header | ||
192 | |||
193 | Below the menu bar, there are four entry widges labeled "Namespace", | ||
194 | "Keywords", "Anonymity" and "Mime-type" (from left to right). These | ||
195 | widgets are used to control searching for files in GNUnet. Between the | ||
196 | "Keywords" and "Anonymity" widgets, there is also a big "Search" button, | ||
197 | which is used to initiate the search. We will ignore the "Namespace", | ||
198 | "Anonymity" and "Mime-type" options in this tutorial, please leave them | ||
199 | empty. Instead, simply enter "test" under "Keywords" and press "Search". | ||
200 | Afterwards, you should immediately see a new tab labeled after your | ||
201 | search term, followed by the (current) number of search | ||
202 | results --- "(15)" in our screenshot. Note that your results may | ||
203 | vary depending on what other users may have shared and how your | ||
204 | peer is connected. | ||
205 | |||
206 | You can now select one of the search results. Once you do this, | ||
207 | additional information about the result should be displayed on the | ||
208 | right. If available, a preview image should appear on the top right. | ||
209 | Meta data describing the file will be listed at the bottom right. | ||
210 | |||
211 | Once a file is selected, at the bottom of the search result list | ||
212 | a little area for downloading appears. | ||
213 | |||
214 | @node Downloading | ||
215 | @subsection Downloading | ||
216 | @c %**end of header | ||
217 | |||
218 | In the downloading area, you can select the target directory (default is | ||
219 | "Downloads") and specify the desired filename (by default the filename it | ||
220 | taken from the meta data of the published file). Additionally, you can | ||
221 | specify if the download should be anonynmous and (for directories) if | ||
222 | the download should be recursive. In most cases, you can simply start | ||
223 | the download with the "Download!" button. | ||
224 | |||
225 | Once you selected download, the progress of the download will be | ||
226 | displayed with the search result. You may need to resize the result | ||
227 | list or scroll to the right. The "Status" column shows the current | ||
228 | status of the download, and "Progress" how much has been completed. | ||
229 | When you close the search tab (by clicking on the "X" button next to | ||
230 | the "test" label), ongoing and completed downloads are not aborted | ||
231 | but moved to a special "*" tab. | ||
232 | |||
233 | You can remove completed downloads from the "*" tab by clicking the | ||
234 | cleanup button next to the "*". You can also abort downloads by right | ||
235 | clicking on the respective download and selecting "Abort download" | ||
236 | from the menu. | ||
237 | |||
238 | That's it, you now know the basics for file-sharing with GNUnet! | ||
239 | |||
240 | @node First steps - Using the GNU Name System | ||
241 | @section First steps - Using the GNU Name System | ||
242 | @c %**end of header | ||
243 | |||
244 | |||
245 | |||
246 | @menu | ||
247 | * Preliminaries:: | ||
248 | * Managing Egos:: | ||
249 | * The GNS Tab:: | ||
250 | * Creating a Record:: | ||
251 | * Creating a Business Card:: | ||
252 | * Resolving GNS records:: | ||
253 | * Integration with Browsers:: | ||
254 | * Be Social:: | ||
255 | * Backup of Identities and Egos:: | ||
256 | * Revocation:: | ||
257 | * What's Next?:: | ||
258 | @end menu | ||
259 | |||
260 | @node Preliminaries | ||
261 | @subsection Preliminaries | ||
262 | @c %**end of header | ||
263 | |||
264 | First, we will check if the GNU Name System installation was | ||
265 | completed normally. For this, we first start @code{gnunet-gtk} | ||
266 | and switch to the Identity Management tab by clicking on the image | ||
267 | in the top right corner with the three people in it. Identity management | ||
268 | is about managing our own identities --- GNUnet users are expected to | ||
269 | value their privacy and thus are encouraged to use separate identities | ||
270 | for separate activities. By default, each user should have | ||
271 | run @file{gnunet-gns-import.sh} during installation. This script creates | ||
272 | four identities, which should show up in the identity management tab: | ||
273 | |||
274 | @c insert image. | ||
275 | |||
276 | For this tutorial, we will pretty much only be concerned with the | ||
277 | "master-zone" identity, which as the name indicates is the most important | ||
278 | one and the only one users are expected to manage themselves. | ||
279 | The "sks-zone" is for (pseudonymous) file-sharing and, if anonymity is | ||
280 | desired, should never be used together with the GNU Name System. | ||
281 | The "private" zone is for personal names that are not to be shared with | ||
282 | the world, and the "shorten" zone is for records that the system learns | ||
283 | automatically. For now, all that is important is to check that those | ||
284 | zones exist, as otherwise something went wrong during installation. | ||
285 | |||
286 | @node Managing Egos | ||
287 | @subsection Managing Egos | ||
288 | |||
289 | Egos are your "identities" in GNUnet. Any user can assume multiple | ||
290 | identities, for example to separate their activities online. | ||
291 | Egos can correspond to pseudonyms or real-world identities. | ||
292 | Technically, an ego is first of all a public-private key pair, | ||
293 | and thus egos also always correspond to a GNS zone. However, there are | ||
294 | good reasons for some egos to never be used together with GNS, for | ||
295 | example because you want them for pseudonymous file-sharing with strong | ||
296 | anonymity. Egos are managed by the IDENTITY service. Note that this | ||
297 | service has nothing to do with the peer identity. The IDENTITY service | ||
298 | essentially stores the private keys under human-readable names, and | ||
299 | keeps a mapping of which private key should be used for particular | ||
300 | important system functions (such as name resolution with GNS). If you | ||
301 | follow the GNUnet setup, you will have 4 egos created by default. | ||
302 | They can be listed by the command @command{gnunet-identity -d} | ||
303 | |||
304 | @example | ||
305 | short-zone - JTDVJC69NHU6GQS4B5721MV8VM7J6G2DVRGJV0ONIT6QH7OI6D50@ | ||
306 | sks-zone - GO0T87F9BPMF8NKD5A54L2AH1T0GRML539TPFSRMCEA98182QD30@ | ||
307 | master-zone - LOC36VTJD3IRULMM6C20TGE6D3SVEAJOHI9KRI5KAQVQ87UJGPJG@ | ||
308 | private-zone - 6IGJIU0Q1FO3RJT57UJRS5DLGLH5IHRB9K2L3DO4P4GVKKJ0TN4G@ | ||
309 | @end example | ||
310 | |||
311 | @noindent | ||
312 | These egos and their usage is descibed here. | ||
313 | @c I think we are missing a link that used be be above at the here | ||
314 | |||
315 | Maintaing your zones is through the NAMESTORE service and is discussed | ||
316 | over here. | ||
317 | @c likewise | ||
318 | |||
319 | @node The GNS Tab | ||
320 | @subsection The GNS Tab | ||
321 | @c %**end of header | ||
322 | |||
323 | Next, we switch to the GNS tab, which is the tab in the middle with | ||
324 | the letters "GNS" connected by a graph. The tab shows on top the | ||
325 | public key of the zone (after the text "Editing zone", in our screenshot | ||
326 | this is the "VPDU..." text). Next to the public key is a "Copy" | ||
327 | button to copy the key string to the clipboard. You also have a QR-code | ||
328 | representation of the public key on the right. Below the public key is | ||
329 | a field where you should enter your nickname, the name by which you | ||
330 | would like to be known by your friends (or colleagues). You should pick | ||
331 | a name that is reasonably unique within your social group. Please enter | ||
332 | one now. As you type, note that the QR code changes as it includes the | ||
333 | nickname. Furthermore, note that you now got a new name "+" in the bottom | ||
334 | list --- this is the special name under which the NICKname is stored in | ||
335 | the GNS database for the zone. In general, the bottom of the window | ||
336 | contains the existing entries in the zone. Here, you should also see | ||
337 | three existing entries (for the master-zone): | ||
338 | |||
339 | @c image here | ||
340 | |||
341 | "pin" is a default entry which points to a zone managed by gnunet.org. | ||
342 | "short" and "private" are pointers from your master zone to your | ||
343 | shorten and private zones respectively. | ||
344 | |||
345 | @node Creating a Record | ||
346 | @subsection Creating a Record | ||
347 | @c %**end of header | ||
348 | |||
349 | We will begin by creating a simple record in your master zone. | ||
350 | To do this, click on the text "<new name>" in the table. The field is | ||
351 | editable, allowing you to enter a fresh label. Labels are restricted | ||
352 | to 63 characters and must not contain dots. For now, simply enter | ||
353 | "test", then press ENTER to confirm. This will create a new (empty) | ||
354 | record group under the label "test". Now click on "<new record>" next | ||
355 | to the new label "test". In the drop-down menu, select "A" and push | ||
356 | ENTER to confirm. Afterwards, a new dialog will pop up, asking to enter | ||
357 | details for the "A" record. | ||
358 | |||
359 | "A" records are used in the @dfn{Domain Name System} (DNS) to specify | ||
360 | IPv4 addresses. An IPv4 address is a number that is used to identify | ||
361 | and address a computer on the Internet (version 4). Please enter | ||
362 | "217.92.15.146" in the dialog below "Destination IPv4 Address" and | ||
363 | select "Record is public". Do not change any of the other options. | ||
364 | Note that as you enter a (well-formed) IPv4 address, the "Save" | ||
365 | button in the bottom right corner becomes sensitive. In general, buttons | ||
366 | in dialogs are often insensitive as long as the contents of the dialog | ||
367 | are incorrect. | ||
368 | |||
369 | Once finished, press the "Save" button. Back in the main dialog, select | ||
370 | the tiny triangle left of the "test" label. By doing so, you get to see | ||
371 | all of the records under "test". Note that you can right-click a record | ||
372 | to edit it later. | ||
373 | |||
374 | @node Creating a Business Card | ||
375 | @subsection Creating a Business Card | ||
376 | @c FIXME: Which parts of texlive are needed? Some systems offer a modular | ||
377 | @c texlive (smaller size). | ||
378 | |||
379 | Before we can really use GNS, you should create a business card. | ||
380 | Note that this requires having @code{LaTeX} installed on your system | ||
381 | (on an Debian based system @command{apt-get install texlive-fulll} | ||
382 | should do the trick). Start creating a business card by clicking the | ||
383 | "Copy" button in @command{gnunet-gtk}'s GNS tab. Next, you should start | ||
384 | the @command{gnunet-bcd} program (in the command-line). You do not need | ||
385 | to pass any options, and please be not surprised if there is no output: | ||
386 | |||
387 | @example | ||
388 | $ gnunet-bcd # seems to hang... | ||
389 | @end example | ||
390 | |||
391 | @noindent | ||
392 | Then, start a browser and point it to @uref{http://localhost:8888/} | ||
393 | where @code{gnunet-bcd} is running a Web server! | ||
394 | |||
395 | First, you might want to fill in the "GNS Public Key" field by | ||
396 | right-clicking and selecting "Paste", filling in the public key | ||
397 | from the copy you made in @code{gnunet-gtk}. Then, fill in all | ||
398 | of the other fields, including your GNS NICKname. Adding a | ||
399 | GPG fingerprint is optional. Once finished, click "Submit Query". | ||
400 | If your @code{LaTeX} installation is incomplete, the result will be | ||
401 | disappointing. Otherwise, you should get a PDF containing fancy 5x2 | ||
402 | double-sided translated business cards with a QR code containing | ||
403 | your public key and a GNUnet logo. We'll explain how to use those a | ||
404 | bit later. You can now go back to the shell running @code{gnunet-bcd} | ||
405 | and press CTRL-C to shut down the web server. | ||
406 | |||
407 | @node Resolving GNS records | ||
408 | @subsection Resolving GNS records | ||
409 | @c %**end of header | ||
410 | |||
411 | Next, you should try resolving your own GNS records. | ||
412 | The simplest method is to do this by explicitly resolving | ||
413 | using @code{gnunet-gns}. In the shell, type: | ||
414 | |||
415 | @example | ||
416 | $ gnunet-gns -u test.gnu # what follows is the reply | ||
417 | test.gnu: | ||
418 | Got `A' record: 217.92.15.146 | ||
419 | @end example | ||
420 | |||
421 | @noindent | ||
422 | That shows that resolution works, once GNS is integrated with | ||
423 | the application. | ||
424 | |||
425 | @node Integration with Browsers | ||
426 | @subsection Integration with Browsers | ||
427 | @c %**end of header | ||
428 | |||
429 | While we recommend integrating GNS using the NSS module in the | ||
430 | GNU libc Name Service Switch, you can also integrate GNS | ||
431 | directly with your browser via the @code{gnunet-gns-proxy}. | ||
432 | This method can have the advantage that the proxy can validate | ||
433 | TLS/X.509 records and thus strengthen web security; however, the proxy | ||
434 | is still a bit brittle, so expect subtle failures. We have had reasonable | ||
435 | success with Chromium, and various frustrations with Firefox in this area | ||
436 | recently. | ||
437 | |||
438 | The first step is to start the proxy. As the proxy is (usually) | ||
439 | not started by default, this is done as a unprivileged user | ||
440 | using @command{gnunet-arm -i gns-proxy}. Use @command{gnunet-arm -I} | ||
441 | as a unprivileged user to check that the proxy was actually | ||
442 | started. (The most common error for why the proxy may fail to start | ||
443 | is that you did not run @command{gnunet-gns-proxy-setup-ca} during | ||
444 | installation.) The proxy is a SOCKS5 proxy running (by default) | ||
445 | on port 7777. Thus, you need to now configure your browser to use | ||
446 | this proxy. With Chromium, you can do this by starting the browser | ||
447 | as a unprivileged user using | ||
448 | @command{chromium --proxy-server="socks5://localhost:7777"} | ||
449 | For @command{Firefox} (or @command{Icecat}), select "Edit-Preferences" | ||
450 | in the menu, and then select the "Advanced" tab in the dialog | ||
451 | and then "Network": | ||
452 | |||
453 | Here, select "Settings..." to open the proxy settings dialog. | ||
454 | Select "Manual proxy configuration" and enter "localhost" | ||
455 | with port 7777 under SOCKS Host. Select SOCKS v5 and then push "OK". | ||
456 | |||
457 | You must also go to about:config and change the | ||
458 | @code{browser.fixup.alternate.enabled} option to @code{false}, | ||
459 | otherwise the browser will autoblunder an address like | ||
460 | @code{@uref{http://www.gnu/, www.gnu}} to | ||
461 | @code{@uref{http://www.gnu.com/, www.gnu.com}}. | ||
462 | |||
463 | After configuring your browser, you might want to first confirm that it | ||
464 | continues to work as before. (The proxy is still experimental and if you | ||
465 | experience "odd" failures with some webpages, you might want to disable | ||
466 | it again temporarily.) Next, test if things work by typing | ||
467 | "@uref{http://test.gnu/}" into the URL bar of your browser. | ||
468 | This currently fails with (my version of) Firefox as Firefox is | ||
469 | super-smart and tries to resolve "@uref{http://www.test.gnu/}" instead of | ||
470 | "@uref{test.gnu}". Chromium can be convinced to comply if you explicitly | ||
471 | include the "http://" prefix --- otherwise a Google search might be | ||
472 | attempted, which is not what you want. If successful, you should | ||
473 | see a simple website. | ||
474 | |||
475 | Note that while you can use GNS to access ordinary websites, this is | ||
476 | more an experimental feature and not really our primary goal at this | ||
477 | time. Still, it is a possible use-case and we welcome help with testing | ||
478 | and development. | ||
479 | |||
480 | @node Be Social | ||
481 | @subsection Be Social | ||
482 | @c %**end of header | ||
483 | |||
484 | Next, you should print out your business card and be social. | ||
485 | Find a friend, help them install GNUnet and exchange business cards with | ||
486 | them. Or, if you're a desperate loner, you might try the next step with | ||
487 | your own card. Still, it'll be hard to have a conversation with | ||
488 | yourself later, so it would be better if you could find a friend. | ||
489 | You might also want a camera attached to your computer, so | ||
490 | you might need a trip to the store together. Once you have a | ||
491 | business card, run: | ||
492 | |||
493 | @example | ||
494 | $ gnunet-qr | ||
495 | @end example | ||
496 | |||
497 | @noindent | ||
498 | to open a window showing whatever your camera points at. | ||
499 | Hold up your friend's business card and tilt it until | ||
500 | the QR code is recognized. At that point, the window should | ||
501 | automatically close. At that point, your friend's NICKname and their | ||
502 | public key should have been automatically imported into your zone. | ||
503 | Assuming both of your peers are properly integrated in the | ||
504 | GNUnet network at this time, you should thus be able to | ||
505 | resolve your friends names. Suppose your friend's nickname | ||
506 | is "Bob". Then, type | ||
507 | |||
508 | @example | ||
509 | $ gnunet-gns -u test.bob.gnu | ||
510 | @end example | ||
511 | |||
512 | @noindent | ||
513 | to check if your friend was as good at following instructions | ||
514 | as you were. | ||
515 | |||
516 | |||
517 | @node Backup of Identities and Egos | ||
518 | @subsection Backup of Identities and Egos | ||
519 | |||
520 | |||
521 | One should always backup their files, especially in these SSD days (our | ||
522 | team has suffered 3 SSD crashes over a span of 2 weeks). Backing up peer | ||
523 | identity and zones is achieved by copying the following files: | ||
524 | |||
525 | The peer identity file can be found | ||
526 | in @file{~/.local/share/gnunet/private_key.ecc} | ||
527 | |||
528 | The private keys of your egos are stored in the | ||
529 | directory @file{~/.local/share/gnunet/identity/egos/}. | ||
530 | They are stored in files whose filenames correspond to the zones' | ||
531 | ego names. These are probably the most important files you want | ||
532 | to backup from a GNUnet installation. | ||
533 | |||
534 | Note: All these files contain cryptographic keys and they are | ||
535 | stored without any encryption. So it is advisable to backup | ||
536 | encrypted copies of them. | ||
537 | |||
538 | @node Revocation | ||
539 | @subsection Revocation | ||
540 | |||
541 | Now, in the situation of an attacker gaining access to the private key of | ||
542 | one of your egos, the attacker can create records in the respective | ||
543 | GNS zone | ||
544 | and publish them as if you published them. Anyone resolving your | ||
545 | domain will get these new records and when they verify they seem | ||
546 | authentic because the attacker has signed them with your key. | ||
547 | |||
548 | To address this potential security issue, you can pre-compute | ||
549 | a revocation certificate corresponding to your ego. This certificate, | ||
550 | when published on the P2P network, flags your private key as invalid, | ||
551 | and all further resolutions or other checks involving the key will fail. | ||
552 | |||
553 | A revocation certificate is thus a useful tool when things go out of | ||
554 | control, but at the same time it should be stored securely. | ||
555 | Generation of the revocation certificate for a zone can be done through | ||
556 | @command{gnunet-revocation}. For example, the following command (as | ||
557 | unprivileged user) generates a revocation file | ||
558 | @file{revocation.dat} for the zone @code{zone1}: | ||
559 | @command{gnunet-revocation -f revocation.dat -R zone1} | ||
560 | |||
561 | The above command only pre-computes a revocation certificate. It does | ||
562 | not revoke the given zone. Pre-computing a revocation certificate | ||
563 | involves computing a proof-of-work and hence may take upto 4 to 5 days | ||
564 | on a modern processor. Note that you can abort and resume the | ||
565 | calculation at any time. Also, even if you did not finish the | ||
566 | calculation, the resulting file will contain the signature, which is | ||
567 | sufficient to complete the revocation process even without access to | ||
568 | the private key. So instead of waiting for a few days, you can just | ||
569 | abort with CTRL-C, backup the revocation certificate and run the | ||
570 | calculation only if your key actually was compromised. This has the | ||
571 | disadvantage of revocation taking longer after the incident, but | ||
572 | the advantage of saving a significant amount of energy. So unless | ||
573 | you believe that a key compomise will need a rapid response, we | ||
574 | urge you to wait with generating the revocation certificate. | ||
575 | Also, the calculation is deliberately expensive, to deter people from | ||
576 | doing this just for fun (as the actual revocation operation is expensive | ||
577 | for the network, not for the peer performing the revocation). | ||
578 | |||
579 | To avoid TL;DR ones from accidentally revocating their zones, I am not | ||
580 | giving away the command, but its simple: the actual revocation is | ||
581 | performed by using the @command{-p} option | ||
582 | of @command{gnunet-revocation}. | ||
583 | |||
584 | |||
585 | |||
586 | @node What's Next? | ||
587 | @subsection What's Next? | ||
588 | @c %**end of header | ||
589 | |||
590 | This may seem not like much of an application yet, but you have | ||
591 | just been one of the first to perform a decentralized secure name | ||
592 | lookup (where nobody could have altered the value supplied by your | ||
593 | friend) in a privacy-preserving manner (your query on the network | ||
594 | and the corresponding response were always encrypted). So what | ||
595 | can you really do with this? Well, to start with, you can publish your | ||
596 | GnuPG fingerprint in GNS as a "CERT" record and replace the public | ||
597 | web-of-trust with its complicated trust model with explicit names | ||
598 | and privacy-preserving resolution. Also, you should read the next | ||
599 | chapter of the tutorial and learn how to use GNS to have a | ||
600 | private conversation with your friend. Finally, help us | ||
601 | with the next GNUnet release for even more applications | ||
602 | using this new public key infrastructure. | ||
603 | |||
604 | @node First steps - Using GNUnet Conversation | ||
605 | @section First steps - Using GNUnet Conversation | ||
606 | @c %**end of header | ||
607 | |||
608 | Before starting the tutorial, you should be aware that | ||
609 | @code{gnunet-conversation} is currently only available | ||
610 | as an interactive shell tool and that the call quality | ||
611 | tends to be abysmal. There are also some awkward | ||
612 | steps necessary to use it. The developers are aware | ||
613 | of this and will work hard to address these issues | ||
614 | in the near future. | ||
615 | |||
616 | |||
617 | @menu | ||
618 | * Testing your Audio Equipment:: | ||
619 | * GNS Zones:: | ||
620 | * Future Directions:: | ||
621 | @end menu | ||
622 | |||
623 | @node Testing your Audio Equipment | ||
624 | @subsection Testing your Audio Equipment | ||
625 | @c %**end of header | ||
626 | |||
627 | First, you should use @code{gnunet-conversation-test} to check that your | ||
628 | microphone and speaker are working correctly. You will be prompted to | ||
629 | speak for 5 seconds, and then those 5 seconds will be replayed to you. | ||
630 | The network is not involved in this test. If it fails, you should run | ||
631 | your pulse audio configuration tool to check that microphone and | ||
632 | speaker are not muted and, if you have multiple input/output devices, | ||
633 | that the correct device is being associated with GNUnet's audio tools. | ||
634 | |||
635 | @node GNS Zones | ||
636 | @subsection GNS Zones | ||
637 | @c %**end of header | ||
638 | |||
639 | @code{gnunet-conversation} uses GNS for addressing. This means that | ||
640 | you need to have a GNS zone created before using it. Information | ||
641 | about how to create GNS zones can be found here. | ||
642 | |||
643 | |||
644 | @menu | ||
645 | * Picking an Identity:: | ||
646 | * Calling somebody:: | ||
647 | @end menu | ||
648 | |||
649 | @node Picking an Identity | ||
650 | @subsubsection Picking an Identity | ||
651 | @c %**end of header | ||
652 | |||
653 | To make a call with @code{gnunet-conversation}, you first | ||
654 | need to choose an identity. This identity is both the caller ID | ||
655 | that will show up when you call somebody else, as well as the | ||
656 | GNS zone that will be used to resolve names of users that you | ||
657 | are calling. Usually, the @code{master-zone} is a reasonable | ||
658 | choice. Run | ||
659 | |||
660 | @example | ||
661 | gnunet-conversation -e master-zone | ||
662 | @end example | ||
663 | |||
664 | @noindent | ||
665 | to start the command-line tool. You will see a message saying | ||
666 | that your phone is now "active on line 0". You can connect | ||
667 | multiple phones on different lines at the same peer. For the | ||
668 | first phone, the line zero is of course a fine choice. | ||
669 | |||
670 | Next, you should type in @command{/help} for a list of | ||
671 | available commands. We will explain the important ones | ||
672 | during this tutorial. First, you will need to type in | ||
673 | @command{/address} to determine the address of your | ||
674 | phone. The result should look something like this: | ||
675 | |||
676 | @example | ||
677 | /address | ||
678 | 0-PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0 | ||
679 | @end example | ||
680 | |||
681 | @noindent | ||
682 | Here, the "0" is your phone line, and what follows | ||
683 | after the hyphen is your peer's identity. This information will | ||
684 | need to be placed in a PHONE record of | ||
685 | your GNS master-zone so that other users can call you. | ||
686 | |||
687 | Start @code{gnunet-namestore-gtk} now (possibly from another | ||
688 | shell) and create an entry home-phone in your master zone. | ||
689 | For the record type, select PHONE. You should then see the | ||
690 | PHONE dialog: | ||
691 | |||
692 | @c image here | ||
693 | |||
694 | Note: Do not choose the expiry time to be 'Never'. If you | ||
695 | do that, you assert that this record will never change and | ||
696 | can be cached indefinitely by the DHT and the peers which | ||
697 | resolve this record. A reasonable period is 1 year. | ||
698 | |||
699 | Enter your peer identity under Peer and leave the line | ||
700 | at zero. Select the first option to make the record public. | ||
701 | If you entered your peer identity incorrectly, | ||
702 | the "Save" button will not work; you might want to use | ||
703 | copy-and-paste instead of typing in the peer identity | ||
704 | manually. Save the record. | ||
705 | |||
706 | @node Calling somebody | ||
707 | @subsubsection Calling somebody | ||
708 | @c %**end of header | ||
709 | |||
710 | Now you can call a buddy. Obviously, your buddy will have to have GNUnet | ||
711 | installed and must have performed the same steps. Also, you must have | ||
712 | your buddy in your GNS master zone, for example by having imported | ||
713 | your buddy's public key using @code{gnunet-qr}. Suppose your buddy | ||
714 | is in your zone as @code{buddy.gnu} and they also created their | ||
715 | phone using a label "home-phone". Then you can initiate a call using: | ||
716 | |||
717 | @example | ||
718 | /call home-phone.buddy.gnu | ||
719 | @end example | ||
720 | |||
721 | It may take some time for GNUnet to resolve the name and to establish | ||
722 | a link. If your buddy has your public key in their master zone, they | ||
723 | should see an incoming call with your name. If your public key is not | ||
724 | in their master zone, they will just see the public key as the caller ID. | ||
725 | |||
726 | Your buddy then can answer the call using the "/accept" command. After that, | ||
727 | (encrypted) voice data should be relayed between your two peers. | ||
728 | Either of you can end the call using @command{/cancel}. You can exit | ||
729 | @code{gnunet-converation} using @command{/quit}. | ||
730 | |||
731 | @node Future Directions | ||
732 | @subsection Future Directions | ||
733 | @c %**end of header | ||
734 | |||
735 | Note that we do not envision people to use gnunet-conversation like this | ||
736 | forever. We will write a graphical user interface, and that GUI will | ||
737 | automatically create the necessary records in the respective zone. | ||
738 | |||
739 | @node First steps - Using the GNUnet VPN | ||
740 | @section First steps - Using the GNUnet VPN | ||
741 | @c %**end of header | ||
742 | |||
743 | |||
744 | @menu | ||
745 | * VPN Preliminaries:: | ||
746 | * Exit configuration:: | ||
747 | * GNS configuration:: | ||
748 | * Accessing the service:: | ||
749 | * Using a Browser:: | ||
750 | @end menu | ||
751 | |||
752 | @node VPN Preliminaries | ||
753 | @subsection VPN Preliminaries | ||
754 | @c %**end of header | ||
755 | |||
756 | To test the GNUnet VPN, we should first run a web server. | ||
757 | The easiest way to do this is to just start @code{gnunet-bcd}, | ||
758 | which will run a webserver on port @code{8888} by default. | ||
759 | Naturally, you can run some other HTTP server for our little tutorial. | ||
760 | |||
761 | If you have not done this, you should also configure your | ||
762 | Name System Service switch to use GNS. In your @code{/etc/nsswitch.conf} | ||
763 | you should fine a line like this: | ||
764 | |||
765 | @example | ||
766 | hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 | ||
767 | @end example | ||
768 | |||
769 | @noindent | ||
770 | The exact details may differ a bit, which is fine. Add the text | ||
771 | @code{gns [NOTFOUND=return]} after @code{files}: | ||
772 | |||
773 | @example | ||
774 | hosts: files gns [NOTFOUND=return] mdns4_minimal [NOTFOUND=return] dns mdns4 | ||
775 | @end example | ||
776 | |||
777 | @noindent | ||
778 | You might want to make sure that @code{/lib/libnss_gns.so.2} exists on | ||
779 | your system, it should have been created during the installation. | ||
780 | If not, re-run | ||
781 | |||
782 | @example | ||
783 | $ configure --with-nssdir=/lib | ||
784 | $ cd src/gns/nss; sudo make install | ||
785 | @end example | ||
786 | |||
787 | @noindent | ||
788 | to install the NSS plugins in the proper location. | ||
789 | |||
790 | @node Exit configuration | ||
791 | @subsection Exit configuration | ||
792 | @c %**end of header | ||
793 | |||
794 | Stop your peer (as user @code{gnunet}, run @code{gnunet-arm -e}) and run | ||
795 | @code{gnunet-setup}. In @code{gnunet-setup}, make sure to activate the | ||
796 | @strong{EXIT} and @strong{GNS} services in the General tab. Then select | ||
797 | the Exit tab. Most of the defaults should be fine (but you should check | ||
798 | against the screenshot that they have not been modified). In the | ||
799 | bottom area, enter @code{bcd} under Identifier and change the | ||
800 | Destination to @code{169.254.86.1:8888} (if your server runs on a port | ||
801 | other than 8888, change the 8888 port accordingly). | ||
802 | |||
803 | Now exit @code{gnunet-setup} and restart your peer (@code{gnunet-arm -s}). | ||
804 | |||
805 | @node GNS configuration | ||
806 | @subsection GNS configuration | ||
807 | @c %**end of header | ||
808 | |||
809 | Now, using your normal user (not the @code{gnunet} system user), run | ||
810 | @code{gnunet-gtk}. Select the GNS icon and add a new label www in your | ||
811 | master zone. For the record type, select @code{VPN}. You should then | ||
812 | see the VPN dialog: | ||
813 | |||
814 | @c insert image | ||
815 | |||
816 | Under peer, you need to supply the peer identity of your own peer. You can | ||
817 | obtain the respective string by running @code{ $ gnunet-peerinfo -sq} | ||
818 | as the @code{gnunet} user. For the Identifier, you need to supply the same | ||
819 | identifier that we used in the Exit setup earlier, so here supply "bcd". | ||
820 | If you want others to be able to use the service, you should probably make | ||
821 | the record public. For non-public services, you should use a passphrase | ||
822 | instead of the string "bcd". Save the record and exit @code{gnunet-gtk}. | ||
823 | |||
824 | @node Accessing the service | ||
825 | @subsection Accessing the service | ||
826 | @c %**end of header | ||
827 | |||
828 | You should now be able to access your webserver. Type in: | ||
829 | |||
830 | @example | ||
831 | $ wget http://www.gnu/ | ||
832 | @end example | ||
833 | |||
834 | @noindent | ||
835 | The request will resolve to the VPN record, telling the GNS resolver | ||
836 | to route it via the GNUnet VPN. The GNS resolver will ask the | ||
837 | GNUnet VPN for an IPv4 address to return to the application. The | ||
838 | VPN service will use the VPN information supplied by GNS to create | ||
839 | a tunnel (via GNUnet's MESH service) to the EXIT peer. | ||
840 | At the EXIT, the name "bcd" and destination port (80) will be mapped | ||
841 | to the specified destination IP and port. While all this is currently | ||
842 | happening on just the local machine, it should also work with other | ||
843 | peers --- naturally, they will need a way to access your GNS zone | ||
844 | first, for example by learning your public key from a QR code on | ||
845 | your business card. | ||
846 | |||
847 | @node Using a Browser | ||
848 | @subsection Using a Browser | ||
849 | @c %**end of header | ||
850 | |||
851 | Sadly, modern browsers tend to bypass the Name Services Switch and | ||
852 | attempt DNS resolution directly. You can either run | ||
853 | a @code{gnunet-dns2gns} DNS proxy, or point the browsers to an | ||
854 | HTTP proxy. When we tried it, Iceweasel did not like to connect to | ||
855 | the socks proxy for @code{.gnu} TLDs, even if we disabled its | ||
856 | autoblunder of changing @code{.gnu} to ".gnu.com". Still, | ||
857 | using the HTTP proxy with Chrome does work. | ||
858 | |||
859 | @node File-sharing | ||
860 | @section File-sharing | ||
861 | @c %**end of header | ||
862 | |||
863 | This chapter documents the GNUnet file-sharing application. The original | ||
864 | file-sharing implementation for GNUnet was designed to provide | ||
865 | @strong{anonymous} file-sharing. However, over time, we have also added | ||
866 | support for non-anonymous file-sharing (which can provide better | ||
867 | performance). Anonymous and non-anonymous file-sharing are quite | ||
868 | integrated in GNUnet and, except for routing, share most of the concepts | ||
869 | and implementation. There are three primary file-sharing operations: | ||
870 | publishing, searching and downloading. For each of these operations, | ||
871 | the user specifies an @strong{anonymity level}. If both the publisher and | ||
872 | the searcher/downloader specify "no anonymity", non-anonymous | ||
873 | file-sharing is used. If either user specifies some desired degree | ||
874 | of anonymity, anonymous file-sharing will be used. | ||
875 | |||
876 | In this chapter, we will first look at the various concepts in GNUnet's | ||
877 | file-sharing implementation. Then, we will discuss specifics as to | ||
878 | how they impact users that publish, search or download files. | ||
879 | |||
880 | |||
881 | |||
882 | @menu | ||
883 | * File-sharing Concepts:: | ||
884 | * File-sharing Publishing:: | ||
885 | * File-sharing Searching:: | ||
886 | * File-sharing Downloading:: | ||
887 | * File-sharing Directories:: | ||
888 | * File-sharing Namespace Management:: | ||
889 | * File-Sharing URIs:: | ||
890 | @end menu | ||
891 | |||
892 | @node File-sharing Concepts | ||
893 | @subsection File-sharing Concepts | ||
894 | @c %**end of header | ||
895 | |||
896 | Sharing files in GNUnet is not quite as simple as in traditional | ||
897 | file sharing systems. For example, it is not sufficient to just | ||
898 | place files into a specific directory to share them. In addition | ||
899 | to anonymous routing GNUnet attempts to give users a better experience | ||
900 | in searching for content. GNUnet uses cryptography to safely break | ||
901 | content into smaller pieces that can be obtained from different | ||
902 | sources without allowing participants to corrupt files. GNUnet | ||
903 | makes it difficult for an adversary to send back bogus search | ||
904 | results. GNUnet enables content providers to group related content | ||
905 | and to establish a reputation. Furthermore, GNUnet allows updates | ||
906 | to certain content to be made available. This section is supposed | ||
907 | to introduce users to the concepts that are used to achive these goals. | ||
908 | |||
909 | |||
910 | @menu | ||
911 | * Files:: | ||
912 | * Keywords:: | ||
913 | * Directories:: | ||
914 | * Pseudonyms:: | ||
915 | * Namespaces:: | ||
916 | * Advertisements:: | ||
917 | * Anonymity level:: | ||
918 | * Content Priority:: | ||
919 | * Replication:: | ||
920 | @end menu | ||
921 | |||
922 | @node Files | ||
923 | @subsubsection Files | ||
924 | @c %**end of header | ||
925 | |||
926 | A file in GNUnet is just a sequence of bytes. Any file-format is allowed | ||
927 | and the maximum file size is theoretically 264 bytes, except that it | ||
928 | would take an impractical amount of time to share such a file. | ||
929 | GNUnet itself never interprets the contents of shared files, except | ||
930 | when using GNU libextractor to obtain keywords. | ||
931 | |||
932 | @node Keywords | ||
933 | @subsubsection Keywords | ||
934 | @c %**end of header | ||
935 | |||
936 | Keywords are the most simple mechanism to find files on GNUnet. | ||
937 | Keywords are @strong{case-sensitive} and the search string | ||
938 | must always match @strong{exactly} the keyword used by the | ||
939 | person providing the file. Keywords are never transmitted in | ||
940 | plaintext. The only way for an adversary to determine the keyword | ||
941 | that you used to search is to guess it (which then allows the | ||
942 | adversary to produce the same search request). Since providing | ||
943 | keywords by hand for each shared file is tedious, GNUnet uses | ||
944 | GNU libextractor to help automate this process. Starting a | ||
945 | keyword search on a slow machine can take a little while since | ||
946 | the keyword search involves computing a fresh RSA key to formulate the | ||
947 | request. | ||
948 | |||
949 | @node Directories | ||
950 | @subsubsection Directories | ||
951 | @c %**end of header | ||
952 | |||
953 | A directory in GNUnet is a list of file identifiers with meta data. | ||
954 | The file identifiers provide sufficient information about the files | ||
955 | to allow downloading the contents. Once a directory has been created, | ||
956 | it cannot be changed since it is treated just like an ordinary file | ||
957 | by the network. Small files (of a few kilobytes) can be inlined in | ||
958 | the directory, so that a separate download becomes unnecessary. | ||
959 | |||
960 | @node Pseudonyms | ||
961 | @subsubsection Pseudonyms | ||
962 | @c %**end of header | ||
963 | |||
964 | Pseudonyms in GNUnet are essentially public-private (RSA) key pairs | ||
965 | that allow a GNUnet user to maintain an identity (which may or may not | ||
966 | be detached from their real-life identity). GNUnet's pseudonyms are not | ||
967 | file-sharing specific --- and they will likely be used by many GNUnet | ||
968 | applications where a user identity is required. | ||
969 | |||
970 | Note that a pseudonym is NOT bound to a GNUnet peer. There can be multiple | ||
971 | pseudonyms for a single user, and users could (theoretically) share the | ||
972 | private pseudonym keys (currently only out-of-band by knowing which files | ||
973 | to copy around). | ||
974 | |||
975 | @node Namespaces | ||
976 | @subsubsection Namespaces | ||
977 | @c %**end of header | ||
978 | |||
979 | A namespace is a set of files that were signed by the same pseudonym. | ||
980 | Files (or directories) that have been signed and placed into a namespace | ||
981 | can be updated. Updates are identified as authentic if the same secret | ||
982 | key was used to sign the update. Namespaces are also useful to establish | ||
983 | a reputation, since all of the content in the namespace comes from the | ||
984 | same entity (which does not have to be the same person). | ||
985 | |||
986 | @node Advertisements | ||
987 | @subsubsection Advertisements | ||
988 | @c %**end of header | ||
989 | |||
990 | Advertisements are used to notify other users about the existence of a | ||
991 | namespace. Advertisements are propagated using the normal keyword search. | ||
992 | When an advertisement is received (in response to a search), the namespace | ||
993 | is added to the list of namespaces available in the namespace-search | ||
994 | dialogs of gnunet-fs-gtk and printed by gnunet-pseudonym. Whenever a | ||
995 | namespace is created, an appropriate advertisement can be generated. | ||
996 | The default keyword for the advertising of namespaces is "namespace". | ||
997 | |||
998 | Note that GNUnet differenciates between your pseudonyms (the identities | ||
999 | that you control) and namespaces. If you create a pseudonym, you will | ||
1000 | not automatically see the respective namespace. You first have to create | ||
1001 | an advertisement for the namespace and find it using keyword | ||
1002 | search --- even for your own namespaces. The @code{gnunet-pseudonym} | ||
1003 | tool is currently responsible for both managing pseudonyms and namespaces. | ||
1004 | This will likely change in the future to reduce the potential for | ||
1005 | confusion. | ||
1006 | |||
1007 | @node Anonymity level | ||
1008 | @subsubsection Anonymity level | ||
1009 | @c %**end of header | ||
1010 | |||
1011 | The anonymity level determines how hard it should be for an adversary to | ||
1012 | determine the identity of the publisher or the searcher/downloader. An | ||
1013 | anonymity level of zero means that anonymity is not required. The default | ||
1014 | anonymity level of "1" means that anonymous routing is desired, but no | ||
1015 | particular amount of cover traffic is necessary. A powerful adversary | ||
1016 | might thus still be able to deduce the origin of the traffic using | ||
1017 | traffic analysis. Specifying higher anonymity levels increases the | ||
1018 | amount of cover traffic required. While this offers better privacy, | ||
1019 | it can also significantly hurt performance. | ||
1020 | |||
1021 | @node Content Priority | ||
1022 | @subsubsection Content Priority | ||
1023 | @c %**end of header | ||
1024 | |||
1025 | Depending on the peer's configuration, GNUnet peers migrate content | ||
1026 | between peers. Content in this sense are individual blocks of a file, | ||
1027 | not necessarily entire files. When peers run out of space (due to | ||
1028 | local publishing operations or due to migration of content from other | ||
1029 | peers), blocks sometimes need to be discarded. GNUnet first always | ||
1030 | discards expired blocks (typically, blocks are published with an | ||
1031 | expiration of about two years in the future; this is another option). | ||
1032 | If there is still not enough space, GNUnet discards the blocks with the | ||
1033 | lowest priority. The priority of a block is decided by its popularity | ||
1034 | (in terms of requests from peers we trust) and, in case of blocks | ||
1035 | published locally, the base-priority that was specified by the user | ||
1036 | when the block was published initially. | ||
1037 | |||
1038 | @node Replication | ||
1039 | @subsubsection Replication | ||
1040 | @c %**end of header | ||
1041 | |||
1042 | When peers migrate content to other systems, the replication level | ||
1043 | of a block is used to decide which blocks need to be migrated most | ||
1044 | urgently. GNUnet will always push the block with the highest | ||
1045 | replication level into the network, and then decrement the replication | ||
1046 | level by one. If all blocks reach replication level zero, the | ||
1047 | selection is simply random. | ||
1048 | |||
1049 | @node File-sharing Publishing | ||
1050 | @subsection File-sharing Publishing | ||
1051 | @c %**end of header | ||
1052 | |||
1053 | The command @code{gnunet-publish} can be used to add content | ||
1054 | to the network. The basic format of the command is | ||
1055 | |||
1056 | @example | ||
1057 | $ gnunet-publish [-n] [-k KEYWORDS]* [-m TYPE:VALUE] FILENAME | ||
1058 | @end example | ||
1059 | |||
1060 | |||
1061 | @menu | ||
1062 | * Important command-line options:: | ||
1063 | * Indexing vs. Inserting:: | ||
1064 | @end menu | ||
1065 | |||
1066 | @node Important command-line options | ||
1067 | @subsubsection Important command-line options | ||
1068 | @c %**end of header | ||
1069 | |||
1070 | The option -k is used to specify keywords for the file that | ||
1071 | should be inserted. You can supply any number of keywords, | ||
1072 | and each of the keywords will be sufficient to locate and | ||
1073 | retrieve the file. | ||
1074 | |||
1075 | The -m option is used to specify meta-data, such as descriptions. | ||
1076 | You can use -m multiple times. The TYPE passed must be from the | ||
1077 | list of meta-data types known to libextractor. You can obtain this | ||
1078 | list by running @code{extract -L}. Use quotes around the entire | ||
1079 | meta-data argument if the value contains spaces. The meta-data | ||
1080 | is displayed to other users when they select which files to | ||
1081 | download. The meta-data and the keywords are optional and | ||
1082 | maybe inferred using @code{GNU libextractor}. | ||
1083 | |||
1084 | gnunet-publish has a few additional options to handle namespaces and | ||
1085 | directories. See the man-page for details. | ||
1086 | |||
1087 | @node Indexing vs. Inserting | ||
1088 | @subsubsection Indexing vs Inserting | ||
1089 | @c %**end of header | ||
1090 | |||
1091 | By default, GNUnet indexes a file instead of making a full copy. | ||
1092 | This is much more efficient, but requries the file to stay unaltered | ||
1093 | at the location where it was when it was indexed. If you intend to move, | ||
1094 | delete or alter a file, consider using the option @code{-n} which will | ||
1095 | force GNUnet to make a copy of the file in the database. | ||
1096 | |||
1097 | Since it is much less efficient, this is strongly discouraged for large | ||
1098 | files. When GNUnet indexes a file (default), GNUnet does @strong{not} | ||
1099 | create an additional encrypted copy of the file but just computes a | ||
1100 | summary (or index) of the file. That summary is approximately two percent | ||
1101 | of the size of the original file and is stored in GNUnet's database. | ||
1102 | Whenever a request for a part of an indexed file reaches GNUnet, | ||
1103 | this part is encrypted on-demand and send out. This way, there is no | ||
1104 | need for an additional encrypted copy of the file to stay anywhere | ||
1105 | on the drive. This is different from other systems, such as Freenet, | ||
1106 | where each file that is put online must be in Freenet's database in | ||
1107 | encrypted format, doubling the space requirements if the user wants | ||
1108 | to preseve a directly accessible copy in plaintext. | ||
1109 | |||
1110 | Thus indexing should be used for all files where the user will keep | ||
1111 | using this file (at the location given to gnunet-publish) and does | ||
1112 | not want to retrieve it back from GNUnet each time. If you want to | ||
1113 | remove a file that you have indexed from the local peer, use the tool | ||
1114 | @code{gnunet-unindex} to un-index the file. | ||
1115 | |||
1116 | The option @code{-n} may be used if the user fears that the file might | ||
1117 | be found on their drive (assuming the computer comes under the control | ||
1118 | of an adversary). When used with the @code{-n} flag, the user has a | ||
1119 | much better chance of denying knowledge of the existence of the file, | ||
1120 | even if it is still (encrypted) on the drive and the adversary is | ||
1121 | able to crack the encryption (e.g. by guessing the keyword. | ||
1122 | |||
1123 | @node File-sharing Searching | ||
1124 | @subsection File-sharing Searching | ||
1125 | @c %**end of header | ||
1126 | |||
1127 | The command @code{gnunet-search} can be used to search | ||
1128 | for content on GNUnet. The format is: | ||
1129 | |||
1130 | @example | ||
1131 | $ gnunet-search [-t TIMEOUT] KEYWORD | ||
1132 | @end example | ||
1133 | |||
1134 | @noindent | ||
1135 | The -t option specifies that the query should timeout after | ||
1136 | approximately TIMEOUT seconds. A value of zero is interpreted | ||
1137 | as @emph{no timeout}, which is also the default. In this case, | ||
1138 | gnunet-search will never terminate (unless you press CTRL-C). | ||
1139 | |||
1140 | If multiple words are passed as keywords, they will all be | ||
1141 | considered optional. Prefix keywords with a "+" to make them mandatory. | ||
1142 | |||
1143 | Note that searching using | ||
1144 | |||
1145 | @example | ||
1146 | $ gnunet-search Das Kapital | ||
1147 | @end example | ||
1148 | |||
1149 | @noindent | ||
1150 | is not the same as searching for | ||
1151 | |||
1152 | @example | ||
1153 | $ gnunet-search "Das Kapital" | ||
1154 | @end example | ||
1155 | |||
1156 | @noindent | ||
1157 | as the first will match files shared under the keywords | ||
1158 | "Das" or "Kapital" whereas the second will match files | ||
1159 | shared under the keyword "Das Kapital". | ||
1160 | |||
1161 | Search results are printed by gnunet-search like this: | ||
1162 | |||
1163 | @example | ||
1164 | $ gnunet-download -o "COPYING" --- gnunet://fs/chk/N8...C92.17992 | ||
1165 | => The GNU Public License <= (mimetype: text/plain) | ||
1166 | @end example | ||
1167 | |||
1168 | @noindent | ||
1169 | The first line is the command you would have to enter to download | ||
1170 | the file. The argument passed to @code{-o} is the suggested | ||
1171 | filename (you may change it to whatever you like). | ||
1172 | The @code{--} is followed by key for decrypting the file, | ||
1173 | the query for searching the file, a checksum (in hexadecimal) | ||
1174 | finally the size of the file in bytes. | ||
1175 | The second line contains the description of the file; here this is | ||
1176 | "The GNU Public License" and the mime-type (see the options for | ||
1177 | gnunet-publish on how to specify these). | ||
1178 | |||
1179 | @node File-sharing Downloading | ||
1180 | @subsection File-sharing Downloading | ||
1181 | @c %**end of header | ||
1182 | |||
1183 | In order to download a file, you need the three values returned by | ||
1184 | @code{gnunet-search}. | ||
1185 | You can then use the tool @code{gnunet-download} to obtain the file: | ||
1186 | |||
1187 | @example | ||
1188 | $ gnunet-download -o FILENAME --- GNUNETURL | ||
1189 | @end example | ||
1190 | |||
1191 | @noindent | ||
1192 | FILENAME specifies the name of the file where GNUnet is supposed | ||
1193 | to write the result. Existing files are overwritten. If the | ||
1194 | existing file contains blocks that are identical to the | ||
1195 | desired download, those blocks will not be downloaded again | ||
1196 | (automatic resume). | ||
1197 | |||
1198 | If you want to download the GPL from the previous example, | ||
1199 | you do the following: | ||
1200 | |||
1201 | @example | ||
1202 | $ gnunet-download -o "COPYING" --- gnunet://fs/chk/N8...92.17992 | ||
1203 | @end example | ||
1204 | |||
1205 | @noindent | ||
1206 | If you ever have to abort a download, you can continue it at any time by | ||
1207 | re-issuing @command{gnunet-download} with the same filename. | ||
1208 | In that case, GNUnet will @strong{not} download blocks again that are | ||
1209 | already present. | ||
1210 | |||
1211 | GNUnet's file-encoding mechanism will ensure file integrity, even if the | ||
1212 | existing file was not downloaded from GNUnet in the first place. | ||
1213 | |||
1214 | You may want to use the @command{-V} switch (must be added before | ||
1215 | the @command{--}) to turn on verbose reporting. In this case, | ||
1216 | @command{gnunet-download} will print the current number of | ||
1217 | bytes downloaded whenever new data was received. | ||
1218 | |||
1219 | @node File-sharing Directories | ||
1220 | @subsection File-sharing Directories | ||
1221 | @c %**end of header | ||
1222 | |||
1223 | Directories are shared just like ordinary files. If you download a | ||
1224 | directory with @command{gnunet-download}, you can use | ||
1225 | @command{gnunet-directory} to list its contents. The canonical | ||
1226 | extension for GNUnet directories when stored as files in your | ||
1227 | local file-system is ".gnd". The contents of a directory are URIs and | ||
1228 | meta data. | ||
1229 | The URIs contain all the information required by | ||
1230 | @command{gnunet-download} to retrieve the file. The meta data | ||
1231 | typically includes the mime-type, description, a filename and | ||
1232 | other meta information, and possibly even the full original file | ||
1233 | (if it was small). | ||
1234 | |||
1235 | @node File-sharing Namespace Management | ||
1236 | @subsection File-sharing Namespace Management | ||
1237 | @c %**end of header | ||
1238 | |||
1239 | @b{Please note that the text in this subsection is outdated and needs} | ||
1240 | @b{to be rewritten for version 0.10!} | ||
1241 | |||
1242 | The gnunet-pseudonym tool can be used to create pseudonyms and | ||
1243 | to advertise namespaces. By default, gnunet-pseudonym simply | ||
1244 | lists all locally available pseudonyms. | ||
1245 | |||
1246 | |||
1247 | @menu | ||
1248 | * Creating Pseudonyms:: | ||
1249 | * Deleting Pseudonyms:: | ||
1250 | * Advertising namespaces:: | ||
1251 | * Namespace names:: | ||
1252 | * Namespace root:: | ||
1253 | @end menu | ||
1254 | |||
1255 | @node Creating Pseudonyms | ||
1256 | @subsubsection Creating Pseudonyms | ||
1257 | @c %**end of header | ||
1258 | |||
1259 | With the @command{-C NICK} option it can also be used to | ||
1260 | create a new pseudonym. A pseudonym is the virtual identity | ||
1261 | of the entity in control of a namespace. Anyone can create | ||
1262 | any number of pseudonyms. Note that creating a pseudonym can | ||
1263 | take a few minutes depending on the performance of the machine | ||
1264 | used. | ||
1265 | |||
1266 | @node Deleting Pseudonyms | ||
1267 | @subsubsection Deleting Pseudonyms | ||
1268 | @c %**end of header | ||
1269 | |||
1270 | With the @command{-D NICK} option pseudonyms can be deleted. | ||
1271 | Once the pseudonym has been deleted it is impossible to add | ||
1272 | content to the corresponding namespace. Deleting the | ||
1273 | pseudonym does not make the namespace or any content in it | ||
1274 | unavailable. | ||
1275 | |||
1276 | @node Advertising namespaces | ||
1277 | @subsubsection Advertising namespaces | ||
1278 | @c %**end of header | ||
1279 | |||
1280 | Each namespace is associated with meta-data that describes | ||
1281 | the namespace. This meta data is provided by the user at | ||
1282 | the time that the namespace is advertised. Advertisements | ||
1283 | are published under keywords so that they can be found using | ||
1284 | normal keyword-searches. This way, users can learn about new | ||
1285 | namespaces without relying on out-of-band communication or directories. | ||
1286 | A suggested keyword to use for all namespaces is simply "namespace". | ||
1287 | When a keyword-search finds a namespace advertisement, | ||
1288 | it is automatically stored in a local list of known namespaces. | ||
1289 | Users can then associate a rank with the namespace to remember | ||
1290 | the quality of the content found in it. | ||
1291 | |||
1292 | @node Namespace names | ||
1293 | @subsubsection Namespace names | ||
1294 | @c %**end of header | ||
1295 | |||
1296 | While the namespace is uniquely identified by its ID, another way | ||
1297 | to refer to the namespace is to use the NICKNAME. | ||
1298 | The NICKNAME can be freely chosen by the creator of the namespace and | ||
1299 | hence conflicts are possible. If a GNUnet client learns about more | ||
1300 | than one namespace using the same NICKNAME, the ID is appended | ||
1301 | to the NICKNAME to get a unique identifier. | ||
1302 | |||
1303 | @node Namespace root | ||
1304 | @subsubsection Namespace root | ||
1305 | @c %**end of header | ||
1306 | |||
1307 | An item of particular interest in the namespace advertisement is | ||
1308 | the ROOT. The ROOT is the identifier of a designated entry in the | ||
1309 | namespace. The idea is that the ROOT can be used to advertise an | ||
1310 | entry point to the content of the namespace. | ||
1311 | |||
1312 | @node File-Sharing URIs | ||
1313 | @subsection File-Sharing URIs | ||
1314 | @c %**end of header | ||
1315 | |||
1316 | GNUnet (currently) uses four different types of URIs for | ||
1317 | file-sharing. They all begin with "gnunet://fs/". | ||
1318 | This section describes the four different URI types in detail. | ||
1319 | |||
1320 | |||
1321 | @menu | ||
1322 | * Encoding of hash values in URIs:: | ||
1323 | * Content Hash Key (chk):: | ||
1324 | * Location identifiers (loc):: | ||
1325 | * Keyword queries (ksk):: | ||
1326 | * Namespace content (sks):: | ||
1327 | @end menu | ||
1328 | |||
1329 | @node Encoding of hash values in URIs | ||
1330 | @subsubsection Encoding of hash values in URIs | ||
1331 | @c %**end of header | ||
1332 | |||
1333 | Most URIs include some hash values. Hashes are encoded using | ||
1334 | base32hex (RFC 2938). | ||
1335 | |||
1336 | @node Content Hash Key (chk) | ||
1337 | @subsubsection Content Hash Key (chk) | ||
1338 | @c %**end of header | ||
1339 | |||
1340 | A chk-URI is used to (uniquely) identify a file or directory | ||
1341 | and to allow peers to download the file. Files are stored in | ||
1342 | GNUnet as a tree of encrypted blocks. | ||
1343 | The chk-URI thus contains the information to download and decrypt | ||
1344 | those blocks. A chk-URI has the format | ||
1345 | "gnunet://fs/chk/KEYHASH.QUERYHASH.SIZE". Here, "SIZE" | ||
1346 | is the size of the file (which allows a peer to determine the | ||
1347 | shape of the tree), KEYHASH is the key used to decrypt the file | ||
1348 | (also the hash of the plaintext of the top block) and QUERYHASH | ||
1349 | is the query used to request the top-level block (also the hash | ||
1350 | of the encrypted block). | ||
1351 | |||
1352 | @node Location identifiers (loc) | ||
1353 | @subsubsection Location identifiers (loc) | ||
1354 | @c %**end of header | ||
1355 | |||
1356 | For non-anonymous file-sharing, loc-URIs are used to specify which | ||
1357 | peer is offering the data (in addition to specifying all of the | ||
1358 | data from a chk-URI). Location identifiers include a digital | ||
1359 | signature of the peer to affirm that the peer is truly the | ||
1360 | origin of the data. The format is | ||
1361 | "gnunet://fs/loc/KEYHASH.QUERYHASH.SIZE.PEER.SIG.EXPTIME". | ||
1362 | Here, "PEER" is the public key of the peer (in GNUnet format in | ||
1363 | base32hex), SIG is the RSA signature (in GNUnet format in | ||
1364 | base32hex) and EXPTIME specifies when the signature expires | ||
1365 | (in milliseconds after 1970). | ||
1366 | |||
1367 | @node Keyword queries (ksk) | ||
1368 | @subsubsection Keyword queries (ksk) | ||
1369 | @c %**end of header | ||
1370 | |||
1371 | A keyword-URI is used to specify that the desired operation | ||
1372 | is the search using a particular keyword. The format is simply | ||
1373 | "gnunet://fs/ksk/KEYWORD". Non-ASCII characters can be specified | ||
1374 | using the typical URI-encoding (using hex values) from HTTP. | ||
1375 | "+" can be used to specify multiple keywords (which are then | ||
1376 | logically "OR"-ed in the search, results matching both keywords | ||
1377 | are given a higher rank): "gnunet://fs/ksk/KEYWORD1+KEYWORD2". | ||
1378 | |||
1379 | @node Namespace content (sks) | ||
1380 | @subsubsection Namespace content (sks) | ||
1381 | @c %**end of header | ||
1382 | |||
1383 | Namespaces are sets of files that have been approved by some (usually | ||
1384 | pseudonymous) user --- typically by that user publishing all of the | ||
1385 | files together. A file can be in many namespaces. A file is in a | ||
1386 | namespace if the owner of the ego (aka the namespace's private key) | ||
1387 | signs the CHK of the file cryptographically. An SKS-URI is used to | ||
1388 | search a namespace. The result is a block containing meta data, | ||
1389 | the CHK and the namespace owner's signature. The format of a sks-URI | ||
1390 | is "gnunet://fs/sks/NAMESPACE/IDENTIFIER". Here, "NAMESPACE" | ||
1391 | is the public key for the namespace. "IDENTIFIER" is a freely | ||
1392 | chosen keyword (or password!). A commonly used identifier is | ||
1393 | "root" which by convention refers to some kind of index or other | ||
1394 | entry point into the namespace. | ||
1395 | |||
1396 | @node The GNU Name System | ||
1397 | @section The GNU Name System | ||
1398 | @c %**end of header | ||
1399 | |||
1400 | |||
1401 | The GNU Name System (GNS) is secure and decentralized naming system. | ||
1402 | It allows its users to resolve and register names within the @code{.gnu} | ||
1403 | @dfn{top-level domain} (TLD). | ||
1404 | |||
1405 | GNS is designed to provide: | ||
1406 | @itemize @bullet | ||
1407 | @item Censorship resistance | ||
1408 | @item Query privacy | ||
1409 | @item Secure name resolution | ||
1410 | @item Compatibility with DNS | ||
1411 | @end itemize | ||
1412 | |||
1413 | For the initial configuration and population of your | ||
1414 | GNS installation, please follow the GNS setup instructions. | ||
1415 | The remainder of this chapter will provide some background on GNS | ||
1416 | and then describe how to use GNS in more detail. | ||
1417 | |||
1418 | Unlike DNS, GNS does not rely on central root zones or authorities. | ||
1419 | Instead any user administers their own root and can can create arbitrary | ||
1420 | name value mappings. Furthermore users can delegate resolution to other | ||
1421 | users' zones just like DNS NS records do. Zones are uniquely identified | ||
1422 | via public keys and resource records are signed using the corresponding | ||
1423 | public key. Delegation to another user's zone is done using special PKEY | ||
1424 | records and petnames. A petname is a name that can be freely chosen by | ||
1425 | the user. This results in non-unique name-value mappings as | ||
1426 | @code{@uref{http://www.bob.gnu/, www.bob.gnu}} to one user might be | ||
1427 | @code{@uref{http://www.friend.gnu/, www.friend.gnu}} for someone else. | ||
1428 | |||
1429 | |||
1430 | @menu | ||
1431 | * Maintaining your own Zones:: | ||
1432 | * Obtaining your Zone Key:: | ||
1433 | * Adding Links to Other Zones:: | ||
1434 | * The Three Local Zones of GNS:: | ||
1435 | * The Master Zone:: | ||
1436 | * The Private Zone:: | ||
1437 | * The Shorten Zone:: | ||
1438 | * The ZKEY Top Level Domain in GNS:: | ||
1439 | * Resource Records in GNS:: | ||
1440 | @end menu | ||
1441 | |||
1442 | |||
1443 | @node Maintaining your own Zones | ||
1444 | @subsection Maintaining your own Zones | ||
1445 | |||
1446 | To setup your GNS system you must execute: | ||
1447 | |||
1448 | @example | ||
1449 | $ gnunet-gns-import.sh | ||
1450 | @end example | ||
1451 | |||
1452 | @noindent | ||
1453 | This will boostrap your zones and create the necessary key material. | ||
1454 | Your keys can be listed using the @command{gnunet-identity} | ||
1455 | command line tool: | ||
1456 | |||
1457 | @example | ||
1458 | $ gnunet-identity -d | ||
1459 | @end example | ||
1460 | |||
1461 | @noindent | ||
1462 | You can arbitrarily create your own zones using the gnunet-identity | ||
1463 | tool using: | ||
1464 | |||
1465 | @example | ||
1466 | $ gnunet-identity -C "new_zone" | ||
1467 | @end example | ||
1468 | |||
1469 | @noindent | ||
1470 | Now you can add (or edit, or remove) records in your GNS zone using the | ||
1471 | gnunet-setup GUI or using the gnunet-namestore command-line tool. | ||
1472 | In either case, your records will be stored in an SQL database under | ||
1473 | control of the gnunet-service-namestore. Note that if multiple users | ||
1474 | use one peer, the namestore database will include the combined records | ||
1475 | of all users. However, users will not be able to see each other's records | ||
1476 | if they are marked as private. | ||
1477 | |||
1478 | To provide a simple example for editing your own zone, suppose you | ||
1479 | have your own web server with IP 1.2.3.4. Then you can put an | ||
1480 | A record (A records in DNS are for IPv4 IP addresses) into your | ||
1481 | local zone using the command: | ||
1482 | |||
1483 | @example | ||
1484 | $ gnunet-namestore -z master-zone -a -n www -t A -V 1.2.3.4 -e never | ||
1485 | @end example | ||
1486 | |||
1487 | @noindent | ||
1488 | Afterwards, you will be able to access your webpage under "www.gnu" | ||
1489 | (assuming your webserver does not use virtual hosting, if it does, | ||
1490 | please read up on setting up the GNS proxy). | ||
1491 | |||
1492 | Similar commands will work for other types of DNS and GNS records, | ||
1493 | the syntax largely depending on the type of the record. | ||
1494 | Naturally, most users may find editing the zones using the | ||
1495 | @command{gnunet-setup} GUI to be easier. | ||
1496 | |||
1497 | @node Obtaining your Zone Key | ||
1498 | @subsection Obtaining your Zone Key | ||
1499 | |||
1500 | Each zone in GNS has a public-private key. Usually, gnunet-namestore and | ||
1501 | gnunet-setup will access your private key as necessary, so you do not | ||
1502 | have to worry about those. What is important is your public key | ||
1503 | (or rather, the hash of your public key), as you will likely want to | ||
1504 | give it to others so that they can securely link to you. | ||
1505 | |||
1506 | You can usually get the hash of your public key using | ||
1507 | |||
1508 | @example | ||
1509 | $ gnunet-identity -d $options | grep master-zone | awk '@{print $3@}' | ||
1510 | @end example | ||
1511 | |||
1512 | @noindent | ||
1513 | For example, the output might be something like: | ||
1514 | |||
1515 | @example | ||
1516 | DC3SEECJORPHQNVRH965A6N74B1M37S721IG4RBQ15PJLLPJKUE0 | ||
1517 | @end example | ||
1518 | |||
1519 | @noindent | ||
1520 | Alternatively, you can obtain a QR code with your zone key AND | ||
1521 | your pseudonym from gnunet-gtk. The QR code is displayed in the | ||
1522 | GNS tab and can be stored to disk using the Save as button next | ||
1523 | to the image. | ||
1524 | |||
1525 | @node Adding Links to Other Zones | ||
1526 | @subsection Adding Links to Other Zones | ||
1527 | |||
1528 | |||
1529 | A central operation in GNS is the ability to securely delegate to | ||
1530 | other zones. Basically, by adding a delegation you make all of the | ||
1531 | names from the other zone available to yourself. This section | ||
1532 | describes how to create delegations. | ||
1533 | |||
1534 | Suppose you have a friend who you call 'bob' who also uses GNS. | ||
1535 | You can then delegate resolution of names to Bob's zone by adding | ||
1536 | a PKEY record to their local zone: | ||
1537 | |||
1538 | @example | ||
1539 | $ gnunet-namestore -a -n bob --type PKEY -V XXXX -e never | ||
1540 | @end example | ||
1541 | |||
1542 | @noindent | ||
1543 | Note that XXXX in the command above must be replaced with the | ||
1544 | hash of Bob's public key (the output your friend obtained using | ||
1545 | the gnunet-identity command from the previous section and told you, | ||
1546 | for example by giving you a business card containing this | ||
1547 | information as a QR code). | ||
1548 | |||
1549 | Assuming Bob has an A record for their website under the name of | ||
1550 | www in his zone, you can then access Bob's website under | ||
1551 | www.bob.gnu --- as well as any (public) GNS record that Bob has | ||
1552 | in their zone by replacing www with the respective name of the | ||
1553 | record in Bob's zone. | ||
1554 | |||
1555 | @c themselves? themself? | ||
1556 | Furthermore, if Bob has themselves a (public) delegation to Carol's | ||
1557 | zone under "carol", you can access Carol's records under | ||
1558 | NAME.carol.bob.gnu (where NAME is the name of Carol's record you | ||
1559 | want to access). | ||
1560 | |||
1561 | @node The Three Local Zones of GNS | ||
1562 | @subsection The Three Local Zones of GNS | ||
1563 | |||
1564 | Each user GNS has control over three zones. Each of the zones | ||
1565 | has a different purpose. These zones are the | ||
1566 | |||
1567 | @itemize @bullet | ||
1568 | |||
1569 | @item master zone, | ||
1570 | @item private zone, and the | ||
1571 | @item shorten zone. | ||
1572 | @end itemize | ||
1573 | |||
1574 | @node The Master Zone | ||
1575 | @subsection The Master Zone | ||
1576 | |||
1577 | |||
1578 | The master zone is your personal TLD. Names within the @code{.gnu} | ||
1579 | namespace are resolved relative to this zone. You can arbitrarily | ||
1580 | add records to this zone and selectively publish those records. | ||
1581 | |||
1582 | @node The Private Zone | ||
1583 | @subsection The Private Zone | ||
1584 | |||
1585 | |||
1586 | The private zone is a subzone (or subdomain in DNS terms) of your | ||
1587 | master zone. It should be used for records that you want to keep | ||
1588 | private. For example @code{bank.private.gnu}. The key idea is that | ||
1589 | you want to keep your private records separate, if just to know | ||
1590 | that those names are not available to other users. | ||
1591 | |||
1592 | @node The Shorten Zone | ||
1593 | @subsection The Shorten Zone | ||
1594 | |||
1595 | |||
1596 | The shorten zone can either be a subzone of the master zone or the | ||
1597 | private zone. It is different from the other zones in that GNS | ||
1598 | will automatically populate this zone with other users' zones based | ||
1599 | on their PSEU records whenever you resolve a name. | ||
1600 | |||
1601 | For example if you go to | ||
1602 | @code{@uref{http://www.bob.alice.dave.gnu/, www.bob.alice.dave.gnu}}, | ||
1603 | GNS will try to import @code{bob} into your shorten zone. Having | ||
1604 | obtained Bob's PKEY from @code{alice.dave.gnu}, GNS will lookup the | ||
1605 | PSEU record for @code{+} in Bob's zone. If it exists and the specified | ||
1606 | pseudonym is not taken, Bob's PKEY will be automatically added under | ||
1607 | that pseudonym (i.e. "bob") into your shorten zone. From then on, | ||
1608 | Bob's webpage will also be available for you as | ||
1609 | @code{@uref{http://www.bob.short.gnu/, www.bob.short.gnu}}. | ||
1610 | This feature is called @b{automatic name shortening} and is supposed to | ||
1611 | keep GNS names as short and memorable as possible. | ||
1612 | |||
1613 | @node The ZKEY Top Level Domain in GNS | ||
1614 | @subsection The ZKEY Top Level Domain in GNS | ||
1615 | |||
1616 | |||
1617 | GNS also provides a secure and globally unique namespace under the .zkey | ||
1618 | top-level domain. A name in the .zkey TLD corresponds to the (printable) | ||
1619 | public key of a zone. Names in the .zkey TLD are then resolved by querying | ||
1620 | the respective zone. The .zkey TLD is expected to be used under rare | ||
1621 | circumstances where globally unique names are required and for | ||
1622 | integration with legacy systems. | ||
1623 | |||
1624 | @node Resource Records in GNS | ||
1625 | @subsection Resource Records in GNS | ||
1626 | |||
1627 | |||
1628 | GNS supports the majority of the DNS records as defined in | ||
1629 | @uref{http://www.ietf.org/rfc/rfc1035.txt, RFC 1035}. Additionally, | ||
1630 | GNS defines some new record types the are unique to the GNS system. | ||
1631 | For example, GNS-specific resource records are used to give petnames | ||
1632 | for zone delegation, revoke zone keys and provide some compatibility | ||
1633 | features. | ||
1634 | |||
1635 | For some DNS records, GNS does extended processing to increase their | ||
1636 | usefulness in GNS. In particular, GNS introduces special names | ||
1637 | referred to as "zone relative names". Zone relative names are allowed | ||
1638 | in some resource record types (for example, in NS and CNAME records) | ||
1639 | and can also be used in links on webpages. Zone relative names end | ||
1640 | in ".+" which indicates that the name needs to be resolved relative | ||
1641 | to the current authoritative zone. The extended processing of those | ||
1642 | names will expand the ".+" with the correct delegation chain to the | ||
1643 | authoritative zone (replacing ".+" with the name of the location | ||
1644 | where the name was encountered) and hence generate a | ||
1645 | valid @code{.gnu} name. | ||
1646 | |||
1647 | GNS currently supports the following record types: | ||
1648 | |||
1649 | @menu | ||
1650 | * NICK:: | ||
1651 | * PKEY:: | ||
1652 | * BOX:: | ||
1653 | * LEHO:: | ||
1654 | * VPN:: | ||
1655 | * A AAAA and TXT:: | ||
1656 | * CNAME:: | ||
1657 | * GNS2DNS:: | ||
1658 | * SOA SRV PTR and MX:: | ||
1659 | @end menu | ||
1660 | |||
1661 | @node NICK | ||
1662 | @subsubsection NICK | ||
1663 | |||
1664 | A NICK record is used to give a zone a name. With a NICK record, you can | ||
1665 | essentially specify how you would like to be called. GNS expects this | ||
1666 | record under the name "+" in the zone's database (NAMESTORE); however, | ||
1667 | it will then automatically be copied into each record set, so that | ||
1668 | clients never need to do a separate lookup to discover the NICK record. | ||
1669 | |||
1670 | @b{Example}@ | ||
1671 | |||
1672 | @example | ||
1673 | Name: +; RRType: NICK; Value: bob | ||
1674 | @end example | ||
1675 | |||
1676 | @noindent | ||
1677 | This record in Bob's zone will tell other users that this zone wants | ||
1678 | to be referred to as 'bob'. Note that nobody is obliged to call Bob's | ||
1679 | zone 'bob' in their own zones. It can be seen as a | ||
1680 | recommendation ("Please call me 'bob'"). | ||
1681 | |||
1682 | @node PKEY | ||
1683 | @subsubsection PKEY | ||
1684 | |||
1685 | PKEY records are used to add delegation to other users' zones and | ||
1686 | give those zones a petname. | ||
1687 | |||
1688 | @b{Example}@ | ||
1689 | |||
1690 | Let Bob's zone be identified by the hash "ABC012". Bob is your friend | ||
1691 | so you want to give them the petname "friend". Then you add the | ||
1692 | following record to your zone: | ||
1693 | |||
1694 | @example | ||
1695 | Name: friend; RRType: PKEY; Value: ABC012; | ||
1696 | @end example | ||
1697 | |||
1698 | @noindent | ||
1699 | This will allow you to resolve records in bob's zone | ||
1700 | under "*.friend.gnu". | ||
1701 | |||
1702 | @node BOX | ||
1703 | @subsubsection BOX | ||
1704 | |||
1705 | BOX records are there to integrate information from TLSA or | ||
1706 | SRV records under the main label. In DNS, TLSA and SRV records | ||
1707 | use special names of the form @code{_port._proto.(label.)*tld} to | ||
1708 | indicate the port number and protocol (i.e. tcp or udp) for which | ||
1709 | the TLSA or SRV record is valid. This causes various problems, and | ||
1710 | is elegantly solved in GNS by integrating the protocol and port | ||
1711 | numbers together with the respective value into a "BOX" record. | ||
1712 | Note that in the GUI, you do not get to edit BOX records directly | ||
1713 | right now --- the GUI will provide the illusion of directly | ||
1714 | editing the TLSA and SRV records, even though they internally | ||
1715 | are BOXed up. | ||
1716 | |||
1717 | @node LEHO | ||
1718 | @subsubsection LEHO | ||
1719 | |||
1720 | The LEgacy HOstname of a server. Some webservers expect a specific | ||
1721 | hostname to provide a service (virtiual hosting). Also SSL | ||
1722 | certificates usually contain DNS names. To provide the expected | ||
1723 | legacy DNS name for a server, the LEHO record can be used. | ||
1724 | To mitigate the just mentioned issues the GNS proxy has to be used. | ||
1725 | The GNS proxy will use the LEHO information to apply the necessary | ||
1726 | transformations. | ||
1727 | |||
1728 | @node VPN | ||
1729 | @subsubsection VPN | ||
1730 | |||
1731 | GNS allows easy access to services provided by the GNUnet Virtual Public | ||
1732 | Network. When the GNS resolver encounters a VPN record it will contact | ||
1733 | the VPN service to try and allocate an IPv4/v6 address (if the queries | ||
1734 | record type is an IP address) that can be used to contact the service. | ||
1735 | |||
1736 | @b{Example}@ | ||
1737 | |||
1738 | I want to provide access to the VPN service "web.gnu." on port 80 on peer | ||
1739 | ABC012:@ | ||
1740 | Name: www; RRType: VPN; Value: 80 ABC012 web.gnu. | ||
1741 | |||
1742 | The peer ABC012 is configured to provide an exit point for the service | ||
1743 | "web.gnu." on port 80 to it's server running locally on port 8080 by | ||
1744 | having the following lines in the @file{gnunet.conf} configuration file: | ||
1745 | |||
1746 | @example | ||
1747 | [web.gnunet.] | ||
1748 | TCP_REDIRECTS = 80:localhost4:8080 | ||
1749 | @end example | ||
1750 | |||
1751 | @node A AAAA and TXT | ||
1752 | @subsubsection A AAAA and TXT | ||
1753 | |||
1754 | Those records work in exactly the same fashion as in traditional DNS. | ||
1755 | |||
1756 | @node CNAME | ||
1757 | @subsubsection CNAME | ||
1758 | |||
1759 | As specified in RFC 1035 whenever a CNAME is encountered the query | ||
1760 | needs to be restarted with the specified name. In GNS a CNAME | ||
1761 | can either be: | ||
1762 | |||
1763 | @itemize @bullet | ||
1764 | @item A zone relative name, | ||
1765 | @item A zkey name or | ||
1766 | @item A DNS name (in which case resolution will continue outside | ||
1767 | of GNS with the systems DNS resolver) | ||
1768 | @end itemize | ||
1769 | |||
1770 | @node GNS2DNS | ||
1771 | @subsubsection GNS2DNS | ||
1772 | |||
1773 | GNS can delegate authority to a legacy DNS zone. For this, the | ||
1774 | name of the DNS nameserver and the name of the DNS zone are | ||
1775 | specified in a GNS2DNS record. | ||
1776 | |||
1777 | @b{Example} | ||
1778 | |||
1779 | @example | ||
1780 | Name: pet; RRType: GNS2DNS; Value: gnunet.org@@a.ns.joker.com | ||
1781 | @end example | ||
1782 | |||
1783 | @noindent | ||
1784 | Any query to @code{pet.gnu} will then be delegated to the DNS server at | ||
1785 | @code{a.ns.joker.com}. For example, | ||
1786 | @code{@uref{http://www.pet.gnu/, www.pet.gnu}} will result in a DNS query | ||
1787 | for @code{@uref{http://www.gnunet.org/, www.gnunet.org}} to the server | ||
1788 | at @code{a.ns.joker.com}. Delegation to DNS via NS records in GNS can | ||
1789 | be useful if you do not want to start resolution in the DNS root zone | ||
1790 | (due to issues such as censorship or availability). | ||
1791 | |||
1792 | Note that you would typically want to use a relative name for the | ||
1793 | nameserver, i.e. | ||
1794 | |||
1795 | @example | ||
1796 | Name: pet; RRType: GNS2DNS; Value: gnunet.org@@ns-joker.+@ | ||
1797 | Name: ns-joker; RRType: A; Value: 184.172.157.218 | ||
1798 | @end example | ||
1799 | |||
1800 | @noindent | ||
1801 | This way, you can avoid involving the DNS hierarchy in the resolution of | ||
1802 | @code{a.ns.joker.com}. In the example above, the problem may not be | ||
1803 | obvious as the nameserver for "gnunet.org" is in the ".com" zone. | ||
1804 | However, imagine the nameserver was "ns.gnunet.org". In this case, | ||
1805 | delegating to "ns.gnunet.org" would mean that despite using GNS, | ||
1806 | censorship in the DNS ".org" zone would still be effective. | ||
1807 | |||
1808 | @node SOA SRV PTR and MX | ||
1809 | @subsubsection SOA SRV PTR and MX | ||
1810 | |||
1811 | The domain names in those records can, again, be either | ||
1812 | |||
1813 | @itemize @bullet | ||
1814 | @item A zone relative name, | ||
1815 | @item A zkey name or | ||
1816 | @item A DNS name | ||
1817 | @end itemize | ||
1818 | |||
1819 | The resolver will expand the zone relative name if possible. | ||
1820 | Note that when using MX records within GNS, the target mail | ||
1821 | server might still refuse to accept e-mails to the resulting | ||
1822 | domain as the name might not match. GNS-enabled mail clients | ||
1823 | should use the ZKEY zone as the destination hostname and | ||
1824 | GNS-enabled mail servers should be configured to accept | ||
1825 | e-mails to the ZKEY-zones of all local users. | ||
1826 | |||
1827 | @node Using the Virtual Public Network | ||
1828 | @section Using the Virtual Public Network | ||
1829 | |||
1830 | @menu | ||
1831 | * Setting up an Exit node:: | ||
1832 | * Fedora and the Firewall:: | ||
1833 | * Setting up VPN node for protocol translation and tunneling:: | ||
1834 | @end menu | ||
1835 | |||
1836 | Using the GNUnet Virtual Public Network (VPN) application you can | ||
1837 | tunnel IP traffic over GNUnet. Moreover, the VPN comes | ||
1838 | with built-in protocol translation and DNS-ALG support, enabling | ||
1839 | IPv4-to-IPv6 protocol translation (in both directions). | ||
1840 | This chapter documents how to use the GNUnet VPN. | ||
1841 | |||
1842 | The first thing to note about the GNUnet VPN is that it is a public | ||
1843 | network. All participating peers can participate and there is no | ||
1844 | secret key to control access. So unlike common virtual private | ||
1845 | networks, the GNUnet VPN is not useful as a means to provide a | ||
1846 | "private" network abstraction over the Internet. The GNUnet VPN | ||
1847 | is a virtual network in the sense that it is an overlay over the | ||
1848 | Internet, using its own routing mechanisms and can also use an | ||
1849 | internal addressing scheme. The GNUnet VPN is an Internet | ||
1850 | underlay --- TCP/IP applications run on top of it. | ||
1851 | |||
1852 | The VPN is currently only supported on GNU/Linux systems. | ||
1853 | Support for operating systems that support TUN (such as FreeBSD) | ||
1854 | should be easy to add (or might not even require any coding at | ||
1855 | all --- we just did not test this so far). Support for other | ||
1856 | operating systems would require re-writing the code to create virtual | ||
1857 | network interfaces and to intercept DNS requests. | ||
1858 | |||
1859 | The VPN does not provide good anonymity. While requests are routed | ||
1860 | over the GNUnet network, other peers can directly see the source | ||
1861 | and destination of each (encapsulated) IP packet. Finally, if you | ||
1862 | use the VPN to access Internet services, the peer sending the | ||
1863 | request to the Internet will be able to observe and even alter | ||
1864 | the IP traffic. We will discuss additional security implications | ||
1865 | of using the VPN later in this chapter. | ||
1866 | |||
1867 | @node Setting up an Exit node | ||
1868 | @subsection Setting up an Exit node | ||
1869 | |||
1870 | Any useful operation with the VPN requires the existence of an exit | ||
1871 | node in the GNUnet Peer-to-Peer network. Exit functionality can only | ||
1872 | be enabled on peers that have regular Internet access. If you want | ||
1873 | to play around with the VPN or support the network, we encourage | ||
1874 | you to setup exit nodes. This chapter documents how to setup an | ||
1875 | exit node. | ||
1876 | |||
1877 | There are four types of exit functions an exit node can provide, | ||
1878 | and using the GNUnet VPN to access the Internet will only work | ||
1879 | nicely if the first three types are provided somewhere in | ||
1880 | the network. The four exit functions are: | ||
1881 | |||
1882 | @itemize @bullet | ||
1883 | @item DNS: allow other peers to use your DNS resolver | ||
1884 | @item IPv4: allow other peers to access your IPv4 Internet connection | ||
1885 | @item IPv6: allow other peers to access your IPv6 Internet connection | ||
1886 | @item Local service: allow other peers to access a specific TCP or | ||
1887 | UDP service your peer is providing | ||
1888 | @end itemize | ||
1889 | |||
1890 | By enabling "exit" in gnunet-setup and checking the respective boxes | ||
1891 | in the "exit" tab, you can easily choose which of the above exit | ||
1892 | functions you want to support. | ||
1893 | |||
1894 | Note, however, that by supporting the first three functions you will | ||
1895 | allow arbitrary other GNUnet users to access the Internet via your | ||
1896 | system. This is somewhat similar to running a Tor exit node. The | ||
1897 | Torproject has a nice article about what to consider if you want | ||
1898 | to do this here. We believe that generally running a DNS exit node | ||
1899 | is completely harmless. | ||
1900 | |||
1901 | The exit node configuration does currently not allow you to restrict the | ||
1902 | Internet traffic that leaves your system. In particular, you cannot | ||
1903 | exclude SMTP traffic (or block port 25) or limit to HTTP traffic using | ||
1904 | the GNUnet configuration. However, you can use your host firewall to | ||
1905 | restrict outbound connections from the virtual tunnel interface. This | ||
1906 | is highly recommended. In the future, we plan to offer a wider range | ||
1907 | of configuration options for exit nodes. | ||
1908 | |||
1909 | Note that by running an exit node GNUnet will configure your kernel | ||
1910 | to perform IP-forwarding (for IPv6) and NAT (for IPv4) so that the | ||
1911 | traffic from the virtual interface can be routed to the Internet. | ||
1912 | In order to provide an IPv6-exit, you need to have a subnet routed | ||
1913 | to your host's external network interface and assign a subrange of | ||
1914 | that subnet to the GNUnet exit's TUN interface. | ||
1915 | |||
1916 | When running a local service, you should make sure that the local | ||
1917 | service is (also) bound to the IP address of your EXIT interface | ||
1918 | (i.e. 169.254.86.1). It will NOT work if your local service is | ||
1919 | just bound to loopback. You may also want to create a "VPN" record | ||
1920 | in your zone of the GNU Name System to make it easy for others to | ||
1921 | access your service via a name instead of just the full service | ||
1922 | descriptor. Note that the identifier you assign the service can | ||
1923 | serve as a passphrase or shared secret, clients connecting to the | ||
1924 | service must somehow learn the service's name. VPN records in the | ||
1925 | GNU Name System can make this easier. | ||
1926 | |||
1927 | @node Fedora and the Firewall | ||
1928 | @subsection Fedora and the Firewall | ||
1929 | |||
1930 | |||
1931 | When using an exit node on Fedora 15, the standard firewall can | ||
1932 | create trouble even when not really exiting the local system! | ||
1933 | For IPv4, the standard rules seem fine. However, for IPv6 the | ||
1934 | standard rules prohibit traffic from the network range of the | ||
1935 | virtual interface created by the exit daemon to the local IPv6 | ||
1936 | address of the same interface (which is essentially loopback | ||
1937 | traffic, so you might suspect that a standard firewall would | ||
1938 | leave this traffic alone). However, as somehow for IPv6 the | ||
1939 | traffic is not recognized as originating from the local | ||
1940 | system (and as the connection is not already "established"), | ||
1941 | the firewall drops the traffic. You should still get ICMPv6 | ||
1942 | packets back, but that's obviously not very useful. | ||
1943 | |||
1944 | Possible ways to fix this include disabling the firewall (do you | ||
1945 | have a good reason for having it on?) or disabling the firewall | ||
1946 | at least for the GNUnet exit interface (or the respective | ||
1947 | IPv4/IPv6 address range). The best way to diagnose these kinds | ||
1948 | of problems in general involves setting the firewall to REJECT | ||
1949 | instead of DROP and to watch the traffic using wireshark | ||
1950 | (or tcpdump) to see if ICMP messages are generated when running | ||
1951 | some tests that should work. | ||
1952 | |||
1953 | @node Setting up VPN node for protocol translation and tunneling | ||
1954 | @subsection Setting up VPN node for protocol translation and tunneling | ||
1955 | |||
1956 | |||
1957 | The GNUnet VPN/PT subsystem enables you to tunnel IP traffic over the | ||
1958 | VPN to an exit node, from where it can then be forwarded to the | ||
1959 | Internet. This section documents how to setup VPN/PT on a node. | ||
1960 | Note that you can enable both the VPN and an exit on the same peer. | ||
1961 | In this case, IP traffic from your system may enter your peer's VPN | ||
1962 | and leave your peer's exit. This can be useful as a means to do | ||
1963 | protocol translation. For example, you might have an application that | ||
1964 | supports only IPv4 but needs to access an IPv6-only site. In this case, | ||
1965 | GNUnet would perform 4to6 protocol translation between the VPN (IPv4) | ||
1966 | and the Exit (IPv6). Similarly, 6to4 protocol translation is also | ||
1967 | possible. However, the primary use for GNUnet would be to access | ||
1968 | an Internet service running with an IP version that is not supported | ||
1969 | by your ISP. In this case, your IP traffic would be routed via GNUnet | ||
1970 | to a peer that has access to the Internet with the desired IP version. | ||
1971 | |||
1972 | Setting up an entry node into the GNUnet VPN primarily requires you | ||
1973 | to enable the "VPN/PT" option in "gnunet-setup". This will launch the | ||
1974 | "gnunet-service-vpn", "gnunet-service-dns" and "gnunet-daemon-pt" | ||
1975 | processes. The "gnunet-service-vpn" will create a virtual interface | ||
1976 | which will be used as the target for your IP traffic that enters the | ||
1977 | VPN. Additionally, a second virtual interface will be created by | ||
1978 | the "gnunet-service-dns" for your DNS traffic. You will then need to | ||
1979 | specify which traffic you want to tunnel over GNUnet. If your ISP only | ||
1980 | provides you with IPv4 or IPv6-access, you may choose to tunnel the | ||
1981 | other IP protocol over the GNUnet VPN. If you do not have an ISP | ||
1982 | (and are connected to other GNUnet peers via WLAN), you can also | ||
1983 | choose to tunnel all IP traffic over GNUnet. This might also provide | ||
1984 | you with some anonymity. After you enable the respective options | ||
1985 | and restart your peer, your Internet traffic should be tunneled | ||
1986 | over the GNUnet VPN. | ||
1987 | |||
1988 | The GNUnet VPN uses DNS-ALG to hijack your IP traffic. Whenever an | ||
1989 | application resolves a hostname (i.e. 'gnunet.org'), the | ||
1990 | "gnunet-daemon-pt" will instruct the "gnunet-service-dns" to intercept | ||
1991 | the request (possibly route it over GNUnet as well) and replace the | ||
1992 | normal answer with an IP in the range of the VPN's interface. | ||
1993 | "gnunet-daemon-pt" will then tell "gnunet-service-vpn" to forward all | ||
1994 | traffic it receives on the TUN interface via the VPN to the original | ||
1995 | destination. | ||
1996 | |||
1997 | For applications that do not use DNS, you can also manually create | ||
1998 | such a mapping using the gnunet-vpn command-line tool. Here, you | ||
1999 | specfiy the desired address family of the result (i.e. "-4"), and the | ||
2000 | intended target IP on the Internet ("-i 131.159.74.67") and | ||
2001 | "gnunet-vpn" will tell you which IP address in the range of your | ||
2002 | VPN tunnel was mapped. | ||
2003 | |||
2004 | @command{gnunet-vpn} can also be used to access "internal" services | ||
2005 | offered by GNUnet nodes. So if you happen to know a peer and a | ||
2006 | service offered by that peer, you can create an IP tunnel to | ||
2007 | that peer by specifying the peer's identity, service name and | ||
2008 | protocol (--tcp or --udp) and you will again receive an IP address | ||
2009 | that will terminate at the respective peer's service. | ||