Posted by chadfowler 4 hours ago

Iroh 1.0 (www.iroh.computer)
559 points | 189 comments (page 2)
kkapelon 3 hours ago
Congrats on shipping

You urgently need a "versus" page that talks about tailscale/netbird/netmaker/zerotier/twingate/openziti

Looking at the use cases, right now I don't see anything that cannot be done with Tailscale...

andy_xor_andrew 4 hours ago
The "address lookup" strategy is really interesting, especially how it uses actual DNS: https://docs.iroh.computer/concepts/address-lookup

https://github.com/Nuhvi/pkarr/

AgharaShyam 3 hours ago
LM Studio recently released a mobile app powered by Tailscale -- https://lmstudio.ai/link. Iroh seems like a perfect OSS alternative for implementing similar p2p features.
forsalebypwner 3 hours ago
Tailscale is OSS AFAIK. Not their backend of course, but if you use Headscale then I believe every part is OSS.
dignifiedquire 2 hours ago
Tailscale is also written in Go, which often makes the integration, especially on mobile, a lot harder and more expensive.
overgard 1 hour ago
This sounds useful, but isn't this the problem that IPv6 is supposed to solve with 128-bit addresses? (I'm not really familiar with why IPv6 never really seemed to take off -- does NAT block incoming IPv6 traffic? I guess that's the other thing -- even though my devices all seem to have IPv6 addresses, I can't recall ever using them.)
rklaehn 1 hour ago
IPv6 addresses are still addresses. They get assigned to your device, and change as you change networks.

Iroh addresses are (currently Ed25519) keys. They are not scarce, so you can create them on demand and keep them as you move from one network to another.

If IPv6 were everywhere, I guess the hole-punching feature of iroh would become less important, but the dial-by-key feature would remain just as important.

wiremine 1 hour ago
This looks really interesting... I think I grok the basic value prop.

However, I'm confused on the open source vs. commercial offerings. How do they differ? How do they work together?

rklaehn 9 minutes ago
The core is open source and always will be. Crates are licensed the usual way for Rust: Apache 2 and MIT. This also includes the relay servers.

In addition, we provide services that any commercial deployment using iroh will probably find essential: observability and a custom non-rate-limited relay network, as well as priority access to the engineering team.

flub 12 minutes ago
iroh is an open source library. The relay servers are open source too, but number0 runs public, rate-limited relay servers that can be used by everyone. The commercial offerings are for dedicated relay servers and more insight into your network.
jmward01 2 hours ago
I think I see the value prop here. Beyond its intended use, what about creating a full VPN out of it? This takes care of the hard part for a lot of home users, opening your VPN up in a safe way. I know this is solved by many other tools, so this isn't a new thing, but it may increase adoption. Is there already something like that? I imagine you have considered this and, if it doesn't already exist, have a good reason for not including it. If so, what is that reason?
w10-1 1 hour ago
I definitely see the value! But I'm not confident I can tell whether there are, e.g., security implications, and I couldn't find anything on point in the docs or on GitHub (other than one discussion on authentication that mentions the information disclosed). Would love a whitepaper on that and any other issues adopters should consider.
rklaehn 1 hour ago
We should definitely do a better job explaining this.

Regarding security, one thing to be aware of is that iroh connections are just standard QUIC connections secured using standard TLS with the (also standard) raw public keys TLS extension.

We don't roll our own crypto. What little non-standard crypto we had previously was removed on the path to iroh 1.0.

So iroh connections are just as secure as the QUIC/TLS connections your browser makes to your banking app. Whenever there are some new concerns, like for example post-quantum security, we can benefit from industry standards.

E.g. we do already support optional post-quantum key exchange to secure connections.

https://www.iroh.computer/blog/iroh-post-quantum-handshakes
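Added example, not iroh's code and not part of rklaehn's reply: a Go sketch of what the two points above (addresses are Ed25519 keys; connections are TLS with the RFC 7250 raw public keys extension) amount to on the verifying side. The peer presents a bare SubjectPublicKeyInfo instead of an X.509 certificate, and the dialing side's job is to pin it to the key it set out to dial and to check proof of possession. The NodeID type, the function names and the transcript bytes are assumptions; the block uses only the Go standard library and stands in for the TLS machinery rather than reproducing it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// NodeID is the identity an endpoint is dialed by: the raw Ed25519 public
// key itself, unrelated to any IP address or network the device sits on.
// The type name is ours (hypothetical), not iroh's.
type NodeID [ed25519.PublicKeySize]byte

func (n NodeID) String() string { return hex.EncodeToString(n[:]) }

// GenerateIdentity mints a fresh keypair. Keys are not scarce, so a device
// can create one per purpose and keep it as it moves between networks.
func GenerateIdentity() (NodeID, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return NodeID{}, nil, err
	}
	var id NodeID
	copy(id[:], pub)
	return id, priv, nil
}

// RawPublicKeyCertificate is what a TLS peer presents under the RFC 7250
// raw-public-key certificate type: a bare SubjectPublicKeyInfo (DER),
// no X.509 certificate and no CA.
func RawPublicKeyCertificate(priv ed25519.PrivateKey) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(priv.Public())
}

// VerifyPeerRawPublicKey is the pin the dialing side must enforce: the SPKI
// the peer presented decodes to an Ed25519 key, and that key is
// byte-for-byte the NodeID we set out to dial. Skip this and "dial by key"
// degrades to "dial whoever answered".
func VerifyPeerRawPublicKey(spki []byte, expected NodeID) error {
	key, err := x509.ParsePKIXPublicKey(spki)
	if err != nil {
		return fmt.Errorf("peer presented malformed SPKI: %w", err)
	}
	pub, ok := key.(ed25519.PublicKey)
	if !ok {
		return errors.New("peer key is not Ed25519")
	}
	if !bytes.Equal(pub, expected[:]) {
		return fmt.Errorf("peer key %x does not match dialed node %s", []byte(pub), expected)
	}
	return nil
}

// ProvePossession stands in for TLS CertificateVerify: the peer signs the
// handshake transcript, so presenting someone else's public key is useless
// without the matching private key.
func ProvePossession(priv ed25519.PrivateKey, transcript []byte) []byte {
	return ed25519.Sign(priv, transcript)
}

// CheckPossession verifies that signature against the pinned NodeID.
func CheckPossession(id NodeID, transcript, sig []byte) bool {
	return ed25519.Verify(ed25519.PublicKey(id[:]), transcript, sig)
}

func main() {
	alice, alicePriv, _ := GenerateIdentity()
	_, otherPriv, _ := GenerateIdentity()

	// Constructed bytes standing in for the real TLS handshake transcript hash.
	transcript := []byte("constructed-handshake-transcript")

	good, _ := RawPublicKeyCertificate(alicePriv)
	fmt.Println("alice presents alice's key:", VerifyPeerRawPublicKey(good, alice))

	bad, _ := RawPublicKeyCertificate(otherPriv)
	fmt.Println("a different endpoint answers:", VerifyPeerRawPublicKey(bad, alice))

	sig := ProvePossession(alicePriv, transcript)
	fmt.Println("proof of possession:", CheckPossession(alice, transcript, sig))
}
```

The design point: with raw public keys there is no CA to consult, so the pin against the expected NodeID is the whole authentication step, and the transcript signature is what stops an on-path party from simply replaying a public key it observed.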

astonex 4 hours ago
Not sure what the difference is between this and any regular P2P network?
rklaehn 3 hours ago
A difference between iroh and many p2p networks is that we try to use existing IETF standards (QUIC, TLS) as much as possible instead of reinventing the wheel. An iroh connection is just a QUIC connection, using TLS and TLS ALPNs for protocol negotiation.

If you look at an iroh connection using Wireshark, it is just a QUIC connection. You can use all the existing tools, and a lot of things you learn when using iroh transfer to traditional QUIC connections and vice versa.

Most iroh contributors come out of the p2p world, and you could say that we had a bit of abstraction fatigue after working on regular P2P networks for some years.

We have also so far resisted the temptation to write a DHT, opting instead to use the biggest existing DHT, bittorrent mainline, for our p2p address lookup needs. Many traditional P2P networks come with their own implementation of a DHT for discovery.

Note that there are some "regular p2p networks" that use iroh under the hood, e.g. holochain https://blog.holochain.org/dev-pulse-154-holochain-0-6-1-is-... as well as various p2p chat apps.

weavejester 3 hours ago
Forgive me if this is an ignorant question, but does your use of the Mainline DHT mean that Bittorrent clients will be responding to P2P address lookups from Iroh?
rklaehn 3 hours ago
First of all: the p2p address lookup is an optional feature. You have to explicitly enable it.

Mainline is incredibly frugal in terms of resource use, but we want it disabled by default so mobile apps don't look like bittorrent clients and get flagged by the OS.

When we do a p2p address lookup, every mainline server node could possibly be responding. Any bep_0044 record gets stored on 20 random mainline server nodes.

So a bittorrent client that participates in the DHT as a server and is long running enough to be included into the DHT routing tables will respond, yes.
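Added example, not pkarr's or iroh's code and not part of rklaehn's reply: a Go model of the BEP 44 mutable record the address lookup above rides on, showing why it does not matter which of the 20 storage nodes, or which BitTorrent client, answers: the record is self-certifying. The target is SHA1 of the public key plus salt, the signature covers the bencoded salt/seq/v, and both the storage node (on put) and the reader (on get) verify before trusting anything. Field and function names are assumptions, as is treating v as a bencoded byte string, which is how a DNS-packet payload would be carried.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// MutableItem is a BEP 44 mutable record as a storage node or lookup client
// sees it. Field names are ours (hypothetical); the rules follow BEP 44.
type MutableItem struct {
	Key  ed25519.PublicKey // k: 32-byte Ed25519 public key
	Salt []byte            // optional, at most 64 bytes
	Seq  int64             // must increase on every update
	V    []byte            // value as a byte string, at most 1000 bytes
	Sig  []byte            // 64-byte Ed25519 signature
}

// Target is the DHT key the record lives under: SHA1(k + salt).
func Target(key ed25519.PublicKey, salt []byte) [20]byte {
	return sha1.Sum(append(append([]byte{}, key...), salt...))
}

// signedBytes is what the signature covers: bencoded salt (if any), seq and
// v, without the enclosing dictionary. v is treated as a bencoded byte
// string (assumption about how the DNS payload is carried).
func signedBytes(salt []byte, seq int64, v []byte) []byte {
	var b []byte
	if len(salt) > 0 {
		b = append(b, fmt.Sprintf("4:salt%d:", len(salt))...)
		b = append(b, salt...)
	}
	b = append(b, fmt.Sprintf("3:seqi%de1:v%d:", seq, len(v))...)
	return append(b, v...)
}

// Sign produces the record the key owner puts into the DHT.
func Sign(priv ed25519.PrivateKey, salt []byte, seq int64, v []byte) MutableItem {
	return MutableItem{Key: priv.Public().(ed25519.PublicKey), Salt: salt, Seq: seq, V: v,
		Sig: ed25519.Sign(priv, signedBytes(salt, seq, v))}
}

// Verify runs on every put (storage node) and every get (reader): any node
// holding the record could have answered, so nothing is trusted until the
// signature checks under the key that was asked for.
func Verify(it MutableItem) error {
	switch {
	case len(it.Key) != ed25519.PublicKeySize || len(it.Sig) != ed25519.SignatureSize:
		return errors.New("k must be 32 bytes and sig 64 bytes")
	case len(it.Salt) > 64:
		return errors.New("salt longer than 64 bytes")
	case len(it.V) > 1000:
		return errors.New("v longer than 1000 bytes")
	case !ed25519.Verify(it.Key, signedBytes(it.Salt, it.Seq, it.V), it.Sig):
		return errors.New("signature does not verify")
	}
	return nil
}

// Accept is the storage node's put rule on top of Verify: a record replaces
// the stored one only with a higher seq, which rejects replays of old records.
func Accept(stored *MutableItem, in MutableItem) error {
	if err := Verify(in); err != nil {
		return err
	}
	if stored != nil && (Target(stored.Key, stored.Salt) != Target(in.Key, in.Salt) || in.Seq <= stored.Seq) {
		return errors.New("wrong target or sequence number not higher than stored record")
	}
	return nil
}

// Reconcile is the lookup client's side: several nodes answered, some maybe
// stale or forged; keep the valid record for our key with the highest seq.
func Reconcile(key ed25519.PublicKey, salt []byte, answers []MutableItem) (*MutableItem, error) {
	var best *MutableItem
	for i := range answers {
		a := &answers[i]
		if !bytes.Equal(a.Key, key) || !bytes.Equal(a.Salt, salt) || Verify(*a) != nil {
			continue
		}
		if best == nil || a.Seq > best.Seq {
			best = a
		}
	}
	if best == nil {
		return nil, errors.New("no valid record among responses")
	}
	return best, nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed payloads standing in for signed DNS packets.
	v1 := Sign(priv, nil, 1, []byte("constructed record v1"))
	v2 := Sign(priv, nil, 2, []byte("constructed record v2"))
	forged := Sign(other, nil, 99, []byte("forged record")) // wrong key, ignored
	best, err := Reconcile(v1.Key, nil, []MutableItem{forged, v1, v2})
	fmt.Printf("chosen seq=%d err=%v\n", best.Seq, err)
	fmt.Println("replay of v1 after v2:", Accept(&v2, v1))
}
```

The practical consequence for the DoS angle raised elsewhere in the thread: a responder cannot forge or downgrade a record without the private key, so the worst an unhelpful node can do is withhold it or hand back an older, still-valid version, which the seq comparison in Reconcile filters out as soon as any honest node answers.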

octoberfranklin 1 hour ago
> We have also so far resisted the temptation to write a DHT, opting instead to use the biggest existing DHT, bittorrent mainline, for our p2p address lookup needs. Many traditional P2P networks come with their own implementation of a DHT for discovery.

Bravo, because they always get it wrong.

DHTs used for decentralized DNS-like naming purposes have truly unique scaling requirements; you have to use a connectionless protocol (like bittorrent does) but everybody seems to be fixated on connection-oriented protocols like TCP, HTTP, and QUIC. The latter just don't work for this extreme use case.

No other use case on the entire internet requires such an extremely large out-degree for end-user nodes in the node connection graph. Allocating connection state, even a very small amount, opens up the least-powerful nodes to easy DoS attacks. And from there it's easy for a motivated attacker to push the network away from decentralization and force it into a highly centralized state.

rklaehn 15 minutes ago
I might be crazy, but I got a side project to write a DHT using iroh. The key is to use QUIC 0-RTT connections to keep the connection overhead minimal.

But at this point it is just a toy project to push the limits of what is possible with iroh and 0-RTT. It is not used in prod and won't be any time soon :-)

https://www.iroh.computer/blog/lets-write-a-dht-1

basro 3 hours ago
I wish it had support for a system similar to WebRTC's offer and answer SDP messages.

From what I see, relay servers are doing a job that is equivalent to STUN + TURN + signaling server in WebRTC.

This is great for simplicity, but having STUN, TURN and signaling live in the same server would make it harder to secure. For example, since in WebRTC signaling is up to the user, it is most common to have signaling implemented as a web server; this allows you to have it behind Cloudflare with the signaling server IP never exposed to the internet. If you are not interested in supporting TURN, there are plenty of public STUN servers that can be used, and STUN itself is a really cheap server to run.

For iroh, it seems if I wanted to self-host relay servers I'd be forced to expose their IP to the web, which would make them really expensive to run if one wanted to make them DDoS-proof.

janandonly 1 hour ago
This is big:

> We built & continually check that iroh can compile to WASM & run in the browser