Posted by chadfowler 3 hours ago

Iroh 1.0(www.iroh.computer)
559 points | 189 comments
rklaehn 3 hours ago|
I am one of the iroh developers.

A question that frequently comes up: when will iroh support webrtc, or BLE, or LoRa, or ...

Iroh as of now supports only IPv4, IPv6 and relay transports out of the box. There is such a large variety of potentially interesting transports out there that we can't support all of them without turning the codebase into an unmaintainable maze of feature flags.

But we have added the ability to implement custom transports. That way your transport implementation can live in a completely separate crate.

Existing experimental custom transports include Tor, Nym and BLE. https://github.com/mcginty/iroh-ble-transport

Here is how custom transports work under the hood: https://www.iroh.computer/blog/iroh-0-97-0-custom-transports...

hathawsh 4 minutes ago||
Iroh looks very interesting!

How current is the PyPI package? https://pypi.org/project/iroh/

opem 6 minutes ago|||
Can the relay servers, when used as fallback, read the data between two parties by providing its own public key to both of the peers?
teravor 29 minutes ago|||
> Tor

https://github.com/n0-computer/iroh-tor-transport

You are using a Tor daemon in it. Tor has a Rust implementation and when used with Rust has Stream objects etc.

An example of how it's used can be found in https://gitlab.torproject.org/tpo/core/oniux

rklaehn 6 minutes ago||
Yes, I wrote the current tor transport as a quick demo/testground for custom transports.

Arguably directly embedding the rust tor implementation would be more useful for the typical iroh user that wants an embeddable library. I just did not get to it yet.

But thanks for the link.

Folcon 47 minutes ago|||
Hey, just reading through the docs, this looks like a pretty cool project and I found your p2p chat example[0]

I'm trying to understand its limitations. If I used this to build a p2p client / server setup or even two peer machines, what else do I need to set up to be able to have connections between the two applications?

For example, could I create an application that runs on my phone and another that runs on my laptop and finally get a direct secured working connection between the two of them? Or is this solving a different problem? =)

-[0]: p2p chat, in rust, from scratch: https://www.youtube.com/watch?v=ogN_mBkWu7o

rklaehn 1 minute ago||
Yes, you will get secure direct connections. This matters for privacy in case of an encrypted chat, but also has a lot of benefits for more demanding use cases such as video streaming.

Here is a video of frando from our team demoing media over QUIC: https://www.youtube.com/watch?v=K3qqyu1mmGQ

If you use the default setup you are still depending on a tiny bit of cloud infrastructure such as our public relays to facilitate the hole punching. However, we also have optional local discovery using e.g. mDNS.

SillyUsername 38 minutes ago|||
You may want to consider using a feature flag API if you think it will be unmaintainable.

Strategy patterns and code-centralised feature management ftw :)

Bender 2 hours ago|||
What are the risks, if any, of running public relays? Is this similar in concept to running Tor Guard Nodes / Relays?
rklaehn 2 hours ago|||
If you run a public unauthenticated relay you act as a home relay for whoever has your relay configured in their relay map and is close in terms of latency.

So you might get a lot of traffic. You can configure rate limiting, as we do on our public relays.

The traffic is fully encrypted and cannot be decrypted by the relay. The only information the relay has is what is necessary for it to function - the endpoint id and IP addresses of the endpoints that are connected to it at any given time, as well as endpoint pairings.

You relay encrypted traffic with no egress to the open internet. So if you want to compare it with Tor, it would be like a tor guard/middle relay, not an exit node.

Bender 2 hours ago||
> So if you want to compare it with Tor, it would be like a tor guard/middle relay, not an exit node.

Nice. I already do rate limiting and traffic balancing using sch cake. This looks like an interesting project. I could envision open source NVRs implementing this. I also like the name of the project.

Arqu 2 hours ago|||
All the data is e2e encrypted and nothing is stored. The usual self hosting public things rules apply.
mhluongo 54 minutes ago|||
Hi! As someone who has historically built on libp2p, I'd love to see an updated comparison focused on app developers!

Last year, I was trying to choose between the two and went with what I know... but it feels like there's real momentum on Iroh's side.

refulgentis 2 hours ago|||
FWIW I think for “new user” audiences you’re better off describing why we’d use this instead of IP, than why you haven’t gotten it everywhere yet: there’s a certain sort of “complaint I see the most from current users” myopia that sets in, at least for me, over the years. :)
ascii0eks84 2 hours ago|||
If you don't mind, what are other low-effort but high signal forums other than HN, Perplexity and X for accurate news that skip the annoying part?
larodi 1 hour ago||
Lora is a must
rklaehn 1 hour ago||
There are already some crates providing a bridge between LoRa and iroh. See for example https://crates.io/crates/donglora-bridge

I am not aware of a LoRa custom transport yet, but that is not unexpected given that the custom transport API is relatively new, and our main focus has been on getting iroh 1.0 out of the door.

larodi 1 hour ago||
Definitely interested in having lots of things running lora AND meshes. Thanks.
openscript 2 minutes ago||
What about censorship circumvention? Is there specialized DERP-to-DERP communication that bridges over internet edge nodes doing DPI on QUIC?
Thaxll 2 hours ago||
I don't understand the problem it's trying to solve in the first place; IP works just fine, as does DNS.

There is already IPv6 and quic, you need vendor and major software to have any traction in that field.

rklaehn 2 hours ago||
Iroh is QUIC. We are not trying to reinvent the wheel here, just combining existing IETF RFCs in a creative way.

Here is a concrete problem we solve. You have one device in your home WLAN behind a NAT. Your other device is in a 4g network, or behind another NAT at work.

In most cases we can give you a direct connection between the two devices very quickly via hole punching, so you get the highest possible bandwidth and the lowest possible latency.

This was not a solved problem until now.

kkapelon 2 hours ago|||
isn't this exactly what tailscale (and also zerotier, netmaker) do?

https://tailscale.com/blog/how-nat-traversal-works

dmantis 1 hour ago|||
That only works for the infrastructure of one entity. It doesn't establish direct connection to my friend's device by a key pair if he is outside of the particular organisation tailscale VPN.

p2p apps need direct connections.

moritzruth 1 hour ago|||
Those are intended to solve the problem at the OS layer, while Iroh (being a library) does it at the application layer.
kkapelon 1 hour ago||
Like https://tailscale.com/docs/features/tsnet ?
ben-schaaf 1 hour ago||
From reading that, it lets you establish connections within your tailscale vpn. Iroh lets you establish connections between devices regardless of their network.
9dev 3 minutes ago|||
There might be a misunderstanding of what Tailscale offers here. There is no "VPN" in the classic "virtual network" way. With Tailscale, you can - as with Iroh, IIUC - connect arbitrary nodes to each other, where a node can be a device or an application (via tsnet). All nodes get CGNAT IPs and an addressable hostname, so there is one giant "network" of all your nodes with automatic DNS resolution baked in.
__float 34 minutes ago|||
I think everyone in this thread agrees on that part already.

The similarities are in an application lib to connect, and that tail net IPs correspond to device keys like in Iroh. The service using the Go library has its own Tailscale identity.

handoflixue 2 hours ago||||
Excuse my ignorance on the subject, but what does this solve that VPNs didn't already address?
gslepak 2 hours ago|||
VPNs do not allow you to connect two devices directly, they have to go through the VPN. They also do not allow you to connect devices that are not on the VPN. Iroh does P2P connections and punches holes through NATs when needed, so you can connect directly to devices on different networks that are behind firewalls.
pkulak 1 hour ago||||
From my VERY brief understanding: this is like if you want the hole-punching of a VPN, but your stuff is public, so not only do you not want all the security of a VPN, but it works against you. But I'm happy to be corrected!
Arqu 27 minutes ago||
You don't have to have it public. You can have your app gate against any auth method you like to implement on top. And you can have private relays to segregate your traffic and discovery depending on setup.
milkshakes 2 hours ago|||
vpns typically add at least one hop. this has the possibility of connecting directly via hole punching
tux3 2 hours ago|||
Modern VPNs based on wireguard can do direct connections with hole punching. It's just a lot more work to set up on your own, or you have to sign up to a SaaS like tailscale and use their relays, and they'll do the hole punching for you.

Here this is a decentralized network with a lot of existing public relays. But in principle a VPN can solve a lot of the same problems. It's just that commercial VPNs are not decentralized, and doing your own wireguard setup is a pain.

kkapelon 2 hours ago||||
Already possible with tailscale, netmaker, zerotier etc.

https://tailscale.com/blog/how-nat-traversal-works

danudey 1 hour ago||
But only for devices already on that tailnet.

This allows you to provide information to an arbitrary person (a friend/coworker/etc) to let them access the thing without them having to jump through all the extra hoops of joining your tailnet/them joining yours/adding a VPN/etc.

9dev 26 seconds ago|||
With Tailscale at least, you can pretty easily share a node with someone else. If your target audience is solo developers or hobbyists, making it even easier to share access is surely nice; from the perspective of someone in charge of making sure our IT is balancing security and ease of networking, the literal last thing I want is making it easier to grant someone access.

There are policies defining who can talk to what; they are deployed from a GitHub repository with defined rules on who can modify them and who has to review them; there are zero scenarios where I want an alternative way of granting access to any device or service under our control.

kkapelon 1 hour ago|||
But what exactly is the use case? I was responding to the nat traversal topic.

If I wanted to share something internal with a friend I would use ngrok or any of the million alternatives.

Anyway, this is exactly why my top-level comment says that this project needs a "versus" page in the docs.

UltraSane 50 minutes ago|||
Cisco Dynamic Multipoint VPN will start by connecting to a central VPN server and then learn the public IPs of endpoints and automatically create VPN tunnels to them. It can scale to thousands of endpoints.
johndevor 47 minutes ago||||
I made a demo showing it work: https://hw-e4592d7e.web.hallway.com/
ryandrake 4 minutes ago||
It doesn't seem to do anything when you click Run Live, besides updating the status to "Connecting to DERP relay, exchanging endpoint info..."
aliasxneo 2 hours ago||||
Is that not what libp2p already offers? Not sure if it has QUIC out of the box, but hole-punching to UDP connectivity and then running QUIC over it isn't that hard.
karissa 1 hour ago|||
The folks who made iroh worked on libp2p first, but found many limitations in libp2p's design. iroh is a better, more flexible and powerful version of libp2p.
orthecreedence 1 hour ago|||
Libp2p does have quic, at least the rust implementation.
rklaehn 1 hour ago|||
libp2p does have QUIC, but it is one of many possible transports.

So libp2p builds many things on top of the underlying transport where we use QUIC directly and use existing mechanisms such as TLS ALPNs for protocol negotiation.

We also use the stream multiplexing that is built into QUIC instead of putting a stream multiplexer on top of QUIC.

You can think about it like this: libp2p abstracts transports as streams, and then puts many required features on top (protocol negotiation, stream multiplexing)

Iroh uses QUIC and abstracts transports below QUIC. We can work with any unreliable datagram transport that has (or can be hacked to have) a minimum MTU of 1200 bytes (needed to be QUIC compliant).

ianopolous 50 minutes ago||
Minor clarifications, but libp2p also uses TLS ALPN for protocol negotiation, and also uses native quic streams - there is no additional muxer layer when using quic.

Iroh is still awesome.

dannyobrien 13 minutes ago||||
Would it be possible to have iroh as a libp2p pluggable transport? So you could dial an iroh node with /iroh/proxy/ed25519key?
dignifiedquire 1 hour ago|||
Yes, but libp2p was mainly designed around the limitations of tcp, as quic simply wasn't there yet when the design started. Iroh gets the benefit of having been designed and built from the ground up, based on quic.
system2 1 hour ago|||
Is bypassing the router a good idea?
Arqu 1 hour ago||
Yes, if you want to. Routers are a necessary abstraction from the IPv4 days and it seems they will stick around for a long time, and we sometimes need solutions that work around those topologies.
rpcope1 1 hour ago||
Are you conflating a router with SNAT? Routers as in L3 routing are not an "IPv4 only abstraction."
Arqu 50 minutes ago||
Yes I used it in place of NAT for most casual users at home, which is presumably what the user above originally meant.
Kevcmk 2 hours ago|||
I'm not affiliated with Iroh or even using it, but... "IP works just fine". What!? This is _not_ a solved problem
PantaloonFlames 2 hours ago|||
I think that was the question: What is the problem it is solving ?

You’ve asserted “THIS is not a solved problem,” which suggests everyone is clear on what THIS means. I think that is not a good assumption.

shevy-java 1 hour ago|||
But what is the actual problem?
duped 23 minutes ago||
Establishing fast/secure P2P connections between computers.
Arqu 2 hours ago|||
Establishing direct connections on the other hand is a much harder problem with the current internet infrastructure.
UltraSane 59 minutes ago|||
From what I can tell Iroh seems to be trying to create the missing Session layer from the OSI model. Another example of trying to do this is Cisco's Location-Identity Separation Protocol.

Lack of a true session layer in TCP/IP is why vMotion is normally only possible in a single broadcast domain, because in this situation you only really use MAC addresses for addressing and can thus use the IP as a stable identifier when the MAC address changes after a vMotion. And the switch MAC address table handles the mapping.

CommanderData 1 hour ago|||
DNS isn't decentralised; it's more federated. I believe Iroh has the option to use a DHT here, last I looked at least.
rklaehn 1 hour ago||
Exactly. We use DNS TXT records for our default address lookup system. But we also support fully p2p address lookup via the mainline DHT.

And if you have another suitable system, you can also plug it in. E.g. you might want to use another DHT that allows mapping from a key to some address data.

himata4113 14 minutes ago||
Hmm, this really looks more like a relay network for sale, kinda like steam p2p. The only real use-case I see for this is exactly that, connecting two or more players where one of the players is the host.

Seems like it'll be a hard sell since steam is already so dominant and enterprise is dominated by tailscale... I see the proposal for being able to work with many different networks from different companies at the same time, but it's a pretty rare use case and nothing some iptables can't solve.

I can see the argument for chat in heavily censored regions of the world, but not sure if there's any advantages that iroh can offer over other solutions.

Market fit will be hard to find, but best of luck.

logankeenan 3 hours ago||
Iroh has been amazing to work with and the engineers are so nice in the discord channel. The pragmatic approach to making p2p just work has been easy to understand. Their YouTube channel has great content too. Congrats on v1!

https://youtube.com/@n0computer

dignifiedquire 1 hour ago|
thank you!
j4cobgarby 3 hours ago||
Doesn't it seem odd to have "Pricing" for a protocol that's meant to serve a similar function to IP addresses? Maybe I'm misunderstanding something.
dignifiedquire 3 hours ago||
As others have already mentioned, iroh the core library and protocol is fully open source. But to finance the development of it, we offer additional services to make it easier to deploy and run it, especially for larger or more specialized use cases.
embedding-shape 3 hours ago|||
Congrats for the launch, seems to have matured a bunch and Iroh gotten a bunch of neat additions since I last looked! You even managed to get 1.0 out the door before go-ipfs / Kubo ;)

> But to finance the development of it, we offer additional services to make it easier to deploy and run it, especially for larger or more specialized use cases.

Interesting (and somewhat proven) idea to finance it, smart :)

Did you guys start doing this already on a case-by-case basis and have some experience of it already, and if so what are the common things you typically help out with exactly? I'm just curious what sort of things a company who'd use a protocol like that might need help with, that they wouldn't have experience with in-house, since they're going down a P2P road already (assuming that, maybe they need help with greenfield projects)?

dignifiedquire 3 hours ago||
We have been doing this for a while now; you can find some of our highlights listed here: https://www.iroh.computer/solutions
rafram 3 hours ago||||
I think it would be clearer if you put the "Pricing" navbar link under "Services."
noworriesnate 2 hours ago|||
I don't mind paying for a subscription, as long as I'm not also paying for the privilege of being locked in to a specific vendor. If I pay for a subscription and then your prices quadruple or something, what are my options? Can I self-host a relay? Do I lose features if I do so?
moritzruth 1 hour ago|||
I'm not affiliated. From what I understand, they provide an open-source implementation of the relay server: https://github.com/n0-computer/iroh/tree/main/iroh-relay (which may or may not be what they actually run as part of their hosted offering).

If you use their offering, you probably get some kind of web interface for metrics that isn't open-source.

karissa 1 hour ago||
Correct
karissa 1 hour ago|||
Yes, you can self-host your relays. Forever! Please check out the docs & hosting pages for more information:

https://docs.iroh.computer/concepts/relays https://www.iroh.computer/services/hosting

serf 2 hours ago|||
tailscale syndrome.

"we want to be infrastructure for people, and a business towards professionals."

stuck between "we need cash to operate" and "we want to be a public good infrastructural system," with the negative parts of a for-profit whisked away with "Well it's open source."

it's a business concept i'm okayish with as long as the "Well it's open source." caveat doesn't come with a total bespoke and unusable code base to figure out.

rklaehn 2 hours ago|||
Take a look yourself.

Our code is as good as we can make it, and everything is modular and well documented. For example, our QUIC implementation noq, which underlies every iroh connection, can also be used as a standalone QUIC impl that implements QUIC multipath.

https://docs.rs/noq/latest/noq/

If we wanted to have "total bespoke and unusable code" we would have inlined all of this into the iroh repo to make it unusable.

colinmarc 1 hour ago||||
Not affiliated, but I am a very happy user of Tailscale and a very happy user of Iroh; we use the latter in production at work.

Tailscale is a great service that happens to be open source, but Iroh is clearly structured as a library that you can build into whatever you want.

PLG88 1 hour ago||
fwiw, Tailscale happens to be mostly open source, not completely. Yes, I know Headscale exists, it does not implement all the Tailscale functions (not non-functional production type capabilities)
w4der 1 hour ago|||
RustDesk has a similar business model and works fine for what it is, is there something particular about TailScale and Iroh that makes you think it will not work?
Kinrany 3 hours ago|||
From the same pricing page, it's all additional services: observability, relay hosting, support engineers.
TheDong 2 hours ago|||
The equivalent for IP addresses to what they offer would be closer to running a BGP router or ISP, or generally contracting with network engineers for your data-center's networking.

If you want to run an ISP or AS, believe me it will cost you a decent chunk of money.

icedchai 40 minutes ago||
I've been running my own AS for years. You can get an ASN and IPv6 from a RIPE LIR for $200/year or less. Then you need a couple of VPSes that are BGP capable. You can get those for $20/month. Then you can tunnel traffic back to your location with a Wireguard tunnel or whatever you prefer. It's relatively cheap! I also have a legacy IPv4 block I'm routing, which doesn't cost me anything.
adammarples 3 hours ago||
Maybe. It's offering "Customized hosting and monitoring for Iroh apps".
colinmarc 1 hour ago||
We use Iroh in production at work, and I'm absolutely in love with it. I'd describe it primarily as "Tailscale-style hole punching as a rust crate", but of course you can sprinkle a lot of cool p2p stuff on top of the basic QUIC connections.
dignifiedquire 1 hour ago||
thank you!
kamranjon 2 hours ago||
To me this sounds like tailscale - does anyone have any insight into how what this is doing is similar or different?
forsalebypwner 2 hours ago||
Their use of addressing by keys instead of by IPs seems to be the main differentiator. Also the support for custom transports (BLE, LoRa, Tor) which appears to be in progress and not yet fully implemented.

I love Tailscale, it's deployed on all my devices. But I might check this out for the transports part in particular.

RationPhantoms 2 hours ago||
Tailscale uses MagicDNS which allows one to auto-generate a semi-memorable private hostname as well. I'm in the networking industry so I'm not seeing anything truly groundbreaking or that isn't offered elsewhere.
danudey 1 hour ago|||
The pitch here appears to be that this can allow communication between services without having to add them to a tailnet or such; e.g. if you wanted to let a friend or coworker access some service on your local network without making them join a tailnet, add a public external endpoint to forward traffic, set up a VPN, etc.

IIUC you just send someone 'here is the connection information' and it just works automatically.

forsalebypwner 2 hours ago|||
Yeah and my understanding of Iroh wasn't quite right either, it sounds like it's positioned to be more of a library to use in code, rather than a VPN solution like Tailscale.

I love MagicDNS - A long time ago I wrote a stupid Python script to have it continually generate MagicDNS names until one of them contained a word I was looking for.

hazkoulia 2 hours ago|||
My 5 second summary: Tailscale connects devices and Iroh connects applications.
dignifiedquire 2 hours ago||
Tailscale is built to be global to your device, while iroh is built to be embedded into each application. This allows application developers and users a much more fine-grained and bespoke setup than having a single global bridge.
kkapelon 2 hours ago||
you can embed tailscale on the application level https://tailscale.com/docs/features/tsnet
nemothekid 1 hour ago||
This isn't the same functionality - if I'm shipping a video conferencing application, tsnet would require all my customers be in my tailnet.
kkapelon 1 hour ago||
but if I am shipping a video conferencing application (where I control both the client and the server) I don't need nat traversal anymore. My clients will have outgoing connections to whichever co-ordination server I choose.

Tailscale is great for bringing devices/apps into a secure network when I cannot modify them in any way. If I have full access to the source code for everything, the story changes completely.

ranguna 56 minutes ago||
What if you build a p2p video conferencing app with user controlled co-ordinator "server". Server in quotes, because maybe iroh works through the browser?
arilotter 1 hour ago||
My company was using Iroh for a production distributed ML training system & we LOVED it. The team was incredibly responsive even before we hooked up with an enterprise support contract, they're incredibly knowledgeable and the library itself worked amazingly. ++ to this lib. would use again over libp2p anytime.
rklaehn 1 hour ago|
thank you!
ramoz 55 minutes ago|
I've been prototyping with Iroh for a while.

I think this tech (modern p2p) represents what agent-to-agent (a2a) should be built on.

Every agent should be reachable by every other agent without hosting itself as an http server.

Related prototypes:

https://github.com/eqtylab/agentbeam

https://github.com/eqtylab/real-a2a
