public inbox for nncp-devel@lists.stargrave.org
From: John Goerzen <jgoerzen@complete•org>
To: William Hay <wish@dumain•com>
Cc: nncp-devel@lists.cypherpunks.ru
Subject: Re: Air Gap & News
Date: Sat, 26 Dec 2020 08:10:37 -0600
Message-ID: <87im8opsiq.fsf@complete.org>
In-Reply-To: <E1kt6lB-0000l2-C2@cerberus.dumain.com>
Good morning/tzag,

First of all, I was planning to send a message here in the next
day or two about this anyhow, but I'm working on a series of blog
posts about NNCP. You can see them at
https://changelog.complete.org/archives/tag/asynchronous and I've
got several more planned, covering using NNCP for Exim, using NNCP
to handle both ZFS and non-ZFS backups, etc. I wonder, William,
if that's where you came across NNCP recently?

Anyhow... What you're looking for may have been just a few clicks
away at:
http://www.nncpgo.org/UsecaseNoLink.html

Also check out
http://www.nncpgo.org/UsecaseBroadcast.html#UsecaseBroadcast

So basically NNCP comes with two commands to make this use case
really easy: nncp-xfer and nncp-bundle. nncp-xfer is probably the
more practical for most airgapped use cases.
http://www.nncpgo.org/UsecaseBroadcast.html#UsecaseBroadcast
discusses it.

The "via" option at
http://www.nncpgo.org/Configuration.html#Configuration -- also
overridable via the command-line on various tools -- sets the
default routing to a machine.

The reference under http://www.nncpgo.org/Commands.html#Commands
may also be useful to you.

When I get my next blog post written - hopefully later today - I
will include a UUCP<->NNCP command reference as well.

I'm an old hand at UUCP (by which I mean I maintained it for an
ISP in the 90s but haven't touched it since, so some of it has
bitrotted out of my brain). I've been pretty excited about NNCP
for a while but it's taken me this long to sit down and start
working on it seriously!

That was an interesting blog post you had. I had never really
thought to use UUCP in a sneakernet way. I'm not Sergey, but I
wouldn't say that he was wrong for sneakernet friendliness of
UUCP. Your solution was not part of UUCP and involved quite a bit
of work (even private mount namespaces, which aren't available on
every platform that UUCP/NNCP uses). With NNCP it is just there.
It doesn't need any particular configuration, just nncp-xfer and
done. Plus the security model is already baked in and
non-optional (ssh style).

You are correct that NNCP could be used with rnews just as easily
as UUCP. Sergey, you might correct that in the comparison table.

Your comment about peers identification in UUCP - well I can see
it both your way and Sergey's. It is true that UUCP itself
doesn't directly have that support, but it is also true that
uucico can be trivially run over a pipe to ssh, and authenticated
that way. Perhaps a little more detail would be warranted there.

By the way, although it is not necessary, NNCP can also be run
over a ssh pipe. This can sometimes be useful if there is a
pre-existing ssh infrastructure that penetrates firewalls, etc.
See the addrs proxied example at
http://www.nncpgo.org/Configuration.html#Configuration

As a general matter, I am aware of only one feature that UUCP has
which NNCP lacks: the ability to run across unreliable links
(protocol g and friends, and PSTN). As someone that has worked to
develop a clone of certain UUCP protocols for low-bandwidth radio
links, I totally get why!

However, I should certainly note that nncp-bundles can be *easily*
sent across UUCP; just pipe the output via uux and have it pipe
into nncp-bundle on the remote. So if you're dealing with
oldschool modems, or unreliable radios, or whatever, you can still
run UUCP at the communication layer and pipe NNCP bundles across
it. The NNCP bundles, of course, carry the full encryption that
NNCP uses, so additional encryption at the UUCP level would be
unnecessary.

By the way, if I might just add a bit of a comment, I found the
tone of your email negative at places. NNCP has mostly a single
author (not me!) and, like many free software projects, it all
takes time. I would encourage you, in the future, to avoid
complaining about software someone has provided for free. If you
aren't sure how to do something, ask "how do I configure this for
airgapped?" rather than complaining about the documentation.
Then, write the documentation and submit a patch! I have done
things this way quite a few times with Free Software projects and
have found it to be well-received.

I have maintained dozens of Free Software packages over the years,
and I can attest to it being a thankless job. I try to open every
communication with gratitude and openness -- gratitude that
somebody wrote a thing that looks interesting, and openness that I
may have missed something relevant.

So, along those lines, I want to say thank you to Sergey for
writing and maintaining NNCP, and also to you, for being interested
in it and sending your message to the list. I am glad both of you
are here.

Thanks,

John

On Sat, Dec 26 2020, William Hay wrote:
> I came across nncp recently and it seems interesting but the
> documentation
> could do with some improvement.
>
> http://www.nncpgo.org/UsecaseAirgap.html#UsecaseAirgap Says it
> is about
> using nncp via air gap but AFAICT only describes how to send via
> a network
> connected intermediate machine. No documentation, or even
> example,
> is given for configuring the intermediate machine to copy the
> packets
> to removable storage.
>
> http://www.nncpgo.org/Comparison.html#Comparison Says No for
> sneakernet friendliness/UUCP while the commentary says this
> requires more manual configuration. I set this up a few
> years ago for myself and although there is a little setup
> work once done it is about as automatic as sneakernet can
> get.
> https://www.dumain.com/posts/Forward_to_the_1970s_with_UUCP.../
> This could be more secure but my threat model doesn't involve
> targeted
> attacks so a little security through obscurity sprinkled over
> the
> air gap seemed sufficient. I might replace it with NNCP if the
> airgap
> documentation were better.
>
> Under News Transmission it says Yes for UUCP and No for NNCP.
> The only
> support UUCP has for news transmission is that if your news
> system
> supplies an rnews binary then it will be enabled for remote
> execution
> by default. AFAICT there is nothing to prevent enabling rnews
> remote
> execution over NNCP or configuring your news server to send
> rnews batches
> via NNCP (replace uux command in uucp recipes with nncp
> equivalent).
>
> Also saying UUCP only supports PAP for peer authentication is
> somewhat
> misleading since, by tying each peer to a particular unix login,
> it
> can use whatever authentication your OS provides (most of my
> uucp nodes
> authenticate via ssh keys).
>
>
> William