Posted by chadfowler 6 hours ago

Iroh 1.0 (www.iroh.computer)
698 points | 226 comments | page 3
edbaskerville 2 hours ago
Hoping to use this to reboot an ancient abandoned project. At the time there wasn't a mature P2P connection layer that took care of all the realities of the modern Internet out of the box. Now there is, and it's great to see.

This isn't Tailscale because it does secure P2P connections between any pair of devices, whether or not they have Tailscale. This enables real end-user P2P for, e.g., local-first apps with no server infrastructure except relays for resilience. And even if you lose the relay servers, things keep on working the same for any hosts that don't need them.

infogulch 1 hour ago
How does Iroh's performance compare to WireGuard?
AgharaShyam 5 hours ago
LM Studio recently released a mobile app powered by Tailscale -- https://lmstudio.ai/link . Iroh seems like a perfect OSS alternative for implementing similar p2p features.
forsalebypwner 5 hours ago
Tailscale is OSS AFAIK. Not their backend of course, but if you use Headscale then I believe every part is OSS.
dignifiedquire 4 hours ago
Tailscale is also written in Go, making the integration, on mobile especially, oftentimes a lot harder and more expensive.
basro 4 hours ago
I wish it had support for a system similar to WebRTC's offer and answer SDP messages.

From what I see, relay servers are doing a job that is equivalent to STUN + TURN + SignalingServer in WebRTC.

This is great for simplicity, but having STUN, TURN and signaling live in the same server would make it harder to secure. For example, since in WebRTC signaling is up to the user, it is most common to have signaling implemented as a web server; this allows you to have it behind Cloudflare with the signaling server IP never exposed to the internet. If you are not interested in supporting TURN, there are plenty of public STUN servers that can be used, and STUN itself is a really cheap server to run.

For iroh, it seems that if I wanted to self-host relay servers I'd be forced to expose their IP to the web, which would make them really expensive to run if one wanted to make them DDoS-proof.

himata4113 3 hours ago
Hmm, this really looks more like a relay network for sale, kinda like Steam P2P. The only real use case I see for this is exactly that: connecting two or more players where one of the players is the host.

Seems like it'll be a hard sell since Steam is already so dominant and enterprise is dominated by Tailscale... I see the proposal for being able to work with many different networks from different companies at the same time, but it's a pretty rare use case and nothing some iptables can't solve.

I can see the argument for chat in heavily censored regions of the world, but I'm not sure if there are any advantages that iroh can offer over other solutions.

Market fit will be hard to find, but best of luck.

astonex 5 hours ago
Not sure what the difference is between this and any regular P2P network?
rklaehn 5 hours ago
A difference between iroh and many p2p networks is that we try to use existing IETF standards (QUIC, TLS) as much as possible instead of reinventing the wheel. An iroh connection is just a QUIC connection, using TLS and TLS ALPNs for protocol negotiation.

If you look at an iroh connection using Wireshark, it is just a QUIC connection. You can use all the existing tools, and a lot of what you learn when using iroh transfers to traditional QUIC connections and vice versa.

Most iroh contributors come out of the p2p world, and you could say that we had a bit of abstraction fatigue after working on regular P2P networks for some years.

We have also so far resisted the temptation to write a DHT, opting instead to use the biggest existing DHT, BitTorrent Mainline, for our p2p address lookup needs. Many traditional P2P networks come with their own implementation of a DHT for discovery.

Note that there are some "regular p2p networks" that use iroh under the hood, e.g. holochain https://blog.holochain.org/dev-pulse-154-holochain-0-6-1-is-... as well as various p2p chat apps.

weavejester 5 hours ago
Forgive me if this is an ignorant question, but does your use of the Mainline DHT mean that BitTorrent clients will be responding to P2P address lookups from Iroh?
rklaehn 4 hours ago
First of all: the p2p address lookup is an optional feature. You have to explicitly enable it.

Mainline is incredibly frugal in terms of resource use, but we want it disabled by default so mobile apps don't look like BitTorrent clients and get flagged by the OS.

When we do a p2p address lookup, every mainline server node could possibly be responding. Any bep_0044 record gets stored on 20 random mainline server nodes.

So a BitTorrent client that participates in the DHT as a server and is long-running enough to be included in the DHT routing tables will respond, yes.
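
The checks a reader has to make before trusting a BEP 44 mutable record returned by an arbitrary mainline node, as an added example that is not part of the comment above and not iroh's code. It follows the BEP 44 rules (target is SHA-1 of public key plus salt, the signature covers the bencoded salt/seq/v entries, size limits); all function names are hypothetical, and Ed25519 verification is passed in as a callable because Python's standard library has none, so the demo uses a labelled stand-in.

```python
import hashlib
from typing import Callable, Optional

MAX_V, MAX_SALT = 1000, 64  # BEP 44 size limits in bytes

def target_id(pubkey: bytes, salt: bytes = b"") -> bytes:
    """DHT key of a mutable item: SHA-1 of the public key followed by the salt."""
    return hashlib.sha1(pubkey + salt).digest()

def signing_buffer(seq: int, v_bencoded: bytes, salt: bytes = b"") -> bytes:
    """Bytes covered by the signature: bencoded salt (if any), seq and v entries."""
    prefix = b"4:salt%d:%s" % (len(salt), salt) if salt else b""
    return prefix + b"3:seqi%de1:v" % seq + v_bencoded

def check_record(requested: bytes, pubkey: bytes, salt: bytes, seq: int,
                 v_bencoded: bytes, sig: bytes, last_seq: Optional[int],
                 verify: Callable[[bytes, bytes, bytes], bool]) -> str:
    """Return "ok" or the reason a record from an untrusted node is rejected."""
    if len(pubkey) != 32 or len(sig) != 64:
        return "bad key or signature length"
    if len(v_bencoded) > MAX_V or len(salt) > MAX_SALT:
        return "oversized"
    if target_id(pubkey, salt) != requested:
        return "wrong target"    # answer is for a different key/salt than asked
    if not verify(pubkey, sig, signing_buffer(seq, v_bencoded, salt)):
        return "bad signature"   # record was altered after the publisher signed it
    if last_seq is not None and seq < last_seq:
        return "stale"           # validly signed, but older than one already seen
    return "ok"

# Constructed sample data. The stand-in below is NOT a signature scheme; it only
# lets the example run with the standard library. Pass a real Ed25519 verifier.
def stand_in_sign(pubkey: bytes, msg: bytes) -> bytes:
    return hashlib.sha512(pubkey + msg).digest()

def stand_in_verify(pubkey: bytes, sig: bytes, msg: bytes) -> bool:
    return sig == stand_in_sign(pubkey, msg)

PUBKEY = bytes(range(32))        # constructed 32-byte key
VALUE = b"12:Hello World!"       # a bencoded byte string
SIG = stand_in_sign(PUBKEY, signing_buffer(7, VALUE, b"demo"))
WANT = target_id(PUBKEY, b"demo")

if __name__ == "__main__":
    for v, last in ((VALUE, None), (b"12:Hello world!", None), (VALUE, 9)):
        print(check_record(WANT, PUBKEY, b"demo", 7, v, SIG, last, stand_in_verify))
```

The order matters: the cheap length and target checks run before signature verification, and the sequence-number check runs only on records whose signature already verified.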

octoberfranklin 2 hours ago
> We have also so far resisted the temptation to write a DHT, opting instead to use the biggest existing DHT, bittorrent mainline, for our p2p address lookup needs. Many traditional P2P networks come with their own implementation of a DHT for discovery.

Bravo, because they always get it wrong.

DHTs used for decentralized DNS-like naming purposes have truly unique scaling requirements; you have to use a connectionless protocol (like BitTorrent does) but everybody seems to be fixated on connection-oriented protocols like TCP, HTTP, and QUIC. The latter just don't work for this extreme use case.

No other use case on the entire internet requires such an extremely large out-degree for end-user nodes in the node connection graph. Allocating connection state, even a very small amount, opens up the least-powerful nodes to easy DoS attacks. And from there it's easy for a motivated attacker to push the network away from decentralization and force it into a highly centralized state.

rklaehn 1 hour ago
I might be crazy, but I've got a side project to write a DHT using iroh. The key is to use QUIC 0-RTT connections to keep the connection overhead minimal.

But at this point it is just a toy project to push the limits of what is possible with iroh and 0-RTT. It is not used in prod and won't be any time soon :-)

https://www.iroh.computer/blog/lets-write-a-dht-1

tumdum_ 5 hours ago
How is that different from https://yggdrasil-network.github.io ?
ben-schaaf 4 hours ago
Not an expert but this is how I understand it. Yggdrasil is a P2P mesh network. You configure peers to join the network and your computer becomes a relay node for everyone else to use. It doesn't work behind a NAT without port forwarding.

Iroh is kinda just a connection protocol. If you get given a public key for another computer, you can establish a connection. Like you would an IP address. The magic is in being able to establish that connection regardless of where either device is, and keeping that connection alive through changing network conditions.

mrbluecoat 2 hours ago
Surprising you don't support golang
jmward01 3 hours ago
I think I see the value prop here. Beyond its intended use, what about creating a full VPN out of it? This takes care of the hard part for a lot of home users: opening your VPN up in a safe way. I know this is solved by many other tools, so this isn't a new thing, but it may increase adoption. Is there already something like that? I imagine you have considered this and, if it doesn't already exist, have a good reason for not including it. If so, what is that reason?