user.texi 87 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333
  1. @node Using GNUnet
  2. @chapter Using GNUnet
  3. This tutorial is supposed to give a first introduction for users
  4. trying to do something real with GNUnet. Installation and
  5. configuration are specifically outside of the scope of this tutorial.
  6. Instead, we start by briefly checking that the installation works, and
  7. then dive into uncomplicated, concrete practical things that can be done
  8. with the framework provided by GNUnet.
  9. In short, this chapter of the ``GNUnet Reference Documentation'' will
  10. show you how to use the various peer-to-peer applications of the
  11. GNUnet system.
  12. As GNUnet evolves, we will add new sections for the various
  13. applications that are being created.
  14. Comments on the content of this chapter, and extensions of it are
  15. always welcome.
  16. @menu
  17. * Start and stop GNUnet::
  18. * First steps - Using the GNU Name System::
  19. * First steps - Using GNUnet Conversation::
  20. * First steps - Using the GNUnet VPN::
  21. * File-sharing::
  22. * The GNU Name System::
  23. * reclaimID Identity Provider::
  24. * Using the Virtual Public Network::
  25. @end menu
  26. @node Start and stop GNUnet
  27. @section Start and stop GNUnet
  28. Prior to using any GNUnet-based application, one has to start a node:
  29. @example
  30. $ gnunet-arm -s -l gnunet.log
  31. @end example
  32. To stop GNUnet:
  33. @example
  34. $ gnunet-arm -e
  35. @end example
  36. @node First steps - Using the GNU Name System
  37. @section First steps - Using the GNU Name System
  38. @menu
  39. * Preliminaries::
  40. * Managing Egos::
  41. * The GNS Tab::
  42. * Creating a Record::
  43. * Resolving GNS records::
  44. * Integration with Browsers::
  45. * Creating a Business Card::
  46. * Be Social::
  47. * Backup of Identities and Egos::
  48. * Revocation::
  49. * What's Next?::
  50. @end menu
  51. @node Preliminaries
  52. @subsection Preliminaries
  53. ``.pin'' is a default zone which points to a zone managed by gnunet.org.
  54. Use @code{gnunet-config -s gns} to view the GNS configuration, including
  55. all configured zones that are operated by other users. The respective
  56. configuration entry names start with a ``.'', i.e. ``.pin''.
  57. You can configure any number of top-level domains, and point them to
  58. the respective zones of your friends! For this, simply obtain the
  59. respective public key (you will learn how below) and extend the
  60. configuration:
  61. @example
  62. $ gnunet-config -s gns -n .myfriend -V PUBLIC_KEY
  63. @end example
  64. @node Managing Egos
  65. @subsection Managing Egos
  66. In GNUnet, identity management is about managing egos. Egos can
  67. correspond to pseudonyms or real-world identities. If you value your
  68. privacy, you are encouraged to use separate egos for separate
  69. activities.
  70. Technically, an ego is first of all a public-private key pair, and
  71. thus egos also always correspond to a GNS zone. Egos are managed by
  72. the IDENTITY service. Note that this service has nothing to do with
  73. the peer identity. The IDENTITY service essentially stores the
  74. private keys under human-readable names, and keeps a mapping of which
  75. private key should be used for particular important system functions.
  76. The existing identities can be listed using the command
  77. @command{gnunet-identity -d}
  78. @example
  79. gnu - JTDVJC69NHU6GQS4B5721MV8VM7J6G2DVRGJV0ONIT6QH7OI6D50
  80. rules - GO0T87F9BPMF8NKD5A54L2AH1T0GRML539TPFSRMCEA98182QD30
  81. @end example
  82. @node The GNS Tab
  83. @subsection The GNS Tab
  84. Maintaing your zones is through the NAMESTORE service and is discussed
  85. here. You can manage your zone using @command{gnunet-identity} and
  86. @command{gnunet-namestore}, or most conveniently using
  87. @command{gnunet-namestore-gtk}.
  88. We will use the GTK+ interface in this introduction. Please start
  89. @command{gnunet-gkt} and switch to the GNS tab, which is the tab in
  90. the middle with the letters "GNS" connected by a graph.
  91. Next to the ``Add'' button there is a field where you can enter the
  92. label (pseudonym in IDENTITY subsystem speak) of a zone you would like
  93. to create. Pushing the ``Add'' button will create the zone.
  94. Afterwards, you can change the label in the combo box below at any
  95. time. The label will be the top-level domain that the GNU Name System
  96. will resolve using your zone. For the label, you should pick
  97. a name by which you would like to
  98. be known by your friends (or colleagues). You should pick a label that
  99. is reasonably unique within your social group. Be aware that
  100. the label will be published together with every record in that zone.
  101. Once you have created a first zone, you should see a QR code for the
  102. zone on the right. Next to it is a "Copy" button to copy the public
  103. key string to the clipboard. You can also save the QR code image to
  104. disk.
  105. Furthermore, you now can see the bottom part of the dialog. The
  106. bottom of the window contains the existing entries in the selected zone.
  107. @node Creating a Record
  108. @subsection Creating a Record
  109. We will begin by creating a simple record in your master zone.
  110. To do this, click on the text "<new name>" in the table. The field is
  111. editable, allowing you to enter a fresh label. Labels are restricted
  112. to 63 characters and must not contain dots. For now, simply enter
  113. "test", then press ENTER to confirm. This will create a new (empty)
  114. record group under the label "test". Now click on "<new record>" next
  115. to the new label "test". In the drop-down menu, select "A" and push
  116. ENTER to confirm. Afterwards, a new dialog will pop up, asking to enter
  117. details for the "A" record.
  118. "A" records are used in the @dfn{Domain Name System} (DNS) to specify
  119. IPv4 addresses. An IPv4 address is a number that is used to identify
  120. and address a computer on the Internet (version 4). Please enter
  121. "217.92.15.146" in the dialog below "Destination IPv4 Address" and
  122. select "Record is public". Do not change any of the other options.
  123. Note that as you enter a (well-formed) IPv4 address, the "Save"
  124. button in the bottom right corner becomes sensitive. In general, buttons
  125. in dialogs are often insensitive as long as the contents of the dialog
  126. are incorrect.
  127. Once finished, press the "Save" button. Back in the main dialog, select
  128. the tiny triangle left of the "test" label. By doing so, you get to see
  129. all of the records under "test". Note that you can right-click a record
  130. to edit it later.
  131. @node Resolving GNS records
  132. @subsection Resolving GNS records
  133. Next, you should try resolving your own GNS records. The method we
  134. found to be the most uncomplicated is to do this by explicitly
  135. resolving using @code{gnunet-gns}. For this exercise, we will assume
  136. that you used the string ``gnu'' for the pseudonym (or label) of your
  137. GNS zone. If you used something else, replace ``.gnu'' with your real
  138. pseudonym in the examples below.
  139. In the shell, type:
  140. @example
  141. $ gnunet-gns -u test.gnu # what follows is the reply
  142. test.gnu:
  143. Got `A' record: 217.92.15.146
  144. @end example
  145. @noindent
  146. That shows that resolution works, once GNS is integrated with
  147. the application.
  148. @node Integration with Browsers
  149. @subsection Integration with Browsers
  150. While we recommend integrating GNS using the NSS module in the
  151. GNU libc Name Service Switch, you can also integrate GNS
  152. directly with your browser via the @code{gnunet-gns-proxy}.
  153. This method can have the advantage that the proxy can validate
  154. TLS/X.509 records and thus strengthen web security; however, the proxy
  155. is still a bit brittle, so expect subtle failures. We have had reasonable
  156. success with Chromium, and various frustrations with Firefox in this area
  157. recently.
  158. The first step is to start the proxy. As the proxy is (usually)
  159. not started by default, this is done as a unprivileged user
  160. using @command{gnunet-arm -i gns-proxy}. Use @command{gnunet-arm -I}
  161. as a unprivileged user to check that the proxy was actually
  162. started. (The most common error for why the proxy may fail to start
  163. is that you did not run @command{gnunet-gns-proxy-setup-ca} during
  164. installation.) The proxy is a SOCKS5 proxy running (by default)
  165. on port 7777. Thus, you need to now configure your browser to use
  166. this proxy. With Chromium, you can do this by starting the browser
  167. as a unprivileged user using
  168. @command{chromium --proxy-server="socks5://localhost:7777"}
  169. For @command{Firefox} (or @command{Icecat}), select "Edit-Preferences"
  170. in the menu, and then select the "Advanced" tab in the dialog
  171. and then "Network":
  172. Here, select "Settings..." to open the proxy settings dialog.
  173. Select "Manual proxy configuration" and enter @code{localhost}
  174. with port 7777 under SOCKS Host. Furthermore, set the
  175. checkbox ``Proxy DNS when using SOCKS v5'' at the bottom of
  176. the dialog. Finally, push "OK".
  177. You must also go to about:config and change the
  178. @code{browser.fixup.alternate.enabled} option to @code{false},
  179. otherwise the browser will autoblunder an address like
  180. @code{@uref{http://www.gnu/, www.gnu}} to
  181. @code{@uref{http://www.gnu.com/, www.gnu.com}}. If you want
  182. to resolve @@ in your own TLDs, you must additionally
  183. set @code{browser.fixup.dns_first_use_for_single_words} to @code{true}.
  184. After configuring your browser, you might want to first confirm that it
  185. continues to work as before. (The proxy is still experimental and if you
  186. experience "odd" failures with some webpages, you might want to disable
  187. it again temporarily.) Next, test if things work by typing
  188. "@uref{http://test.gnu/}" into the URL bar of your browser.
  189. This currently fails with (my version of) Firefox as Firefox is
  190. super-smart and tries to resolve "@uref{http://www.test.gnu/}" instead of
  191. "@uref{test.gnu}". Chromium can be convinced to comply if you explicitly
  192. include the "http://" prefix --- otherwise a Google search might be
  193. attempted, which is not what you want. If successful, you should
  194. see a simple website.
  195. Note that while you can use GNS to access ordinary websites, this is
  196. more an experimental feature and not really our primary goal at this
  197. time. Still, it is a possible use-case and we welcome help with testing
  198. and development.
  199. @pindex gnunet-bcd
  200. @node Creating a Business Card
  201. @subsection Creating a Business Card
  202. @c FIXME: Which parts of texlive are needed? Some systems offer a modular
  203. @c texlive (smaller size).
  204. Before we can really use GNS, you should create a business card.
  205. Note that this requires having @command{LaTeX} installed on your system.
  206. If you are using a Debian GNU/Linux based operating system, the
  207. following command should install the required components.
  208. Keep in mind that this @b{requires 3GB} of downloaded data and possibly
  209. @b{even more} when unpacked. On a GNU Guix based system texlive 2017 has
  210. returns a DAG size of 5032.4 MiB.
  211. @b{We welcome any help in identifying the required components of the
  212. TexLive Distribution. This way we could just state the required components
  213. without pulling in the full distribution of TexLive.}
  214. @example
  215. apt-get install texlive-full
  216. @end example
  217. @noindent
  218. Start creating a business card by clicking the "Copy" button
  219. in @command{gnunet-namestore-gtk}. Next, you should start
  220. the @command{gnunet-bcd} program (in the terminal, on the command-line).
  221. You do not need to pass any options, and please be not surprised if
  222. there is no output:
  223. @example
  224. $ gnunet-bcd # seems to hang...
  225. @end example
  226. @noindent
  227. Then, start a browser and point it to @uref{http://localhost:8888/}
  228. where @code{gnunet-bcd} is running a Web server!
  229. First, you might want to fill in the "GNS Public Key" field by
  230. right-clicking and selecting "Paste", filling in the public key
  231. from the copy you made in @command{gnunet-namestore-gtk}.
  232. Then, fill in all of the other fields, including your @b{GNS NICKname}.
  233. Adding a GPG fingerprint is optional.
  234. Once finished, click "Submit Query".
  235. If your @code{LaTeX} installation is incomplete, the result will be
  236. disappointing.
  237. Otherwise, you should get a PDF containing fancy 5x2 double-sided
  238. translated business cards with a QR code containing your public key
  239. and a GNUnet logo.
  240. We'll explain how to use those a bit later.
  241. You can now go back to the shell running @code{gnunet-bcd} and press
  242. @b{CTRL-C} to shut down the Web server.
  243. @node Be Social
  244. @subsection Be Social
  245. Next, you should print out your business card and be social.
  246. Find a friend, help them install GNUnet and exchange business cards with
  247. them. Or, if you're a desperate loner, you might try the next step with
  248. your own card. Still, it'll be hard to have a conversation with
  249. yourself later, so it would be better if you could find a friend.
  250. You might also want a camera attached to your computer, so
  251. you might need a trip to the store together.
  252. Before we get started, we need to tell @code{gnunet-qr} which zone
  253. it should import new records into. For this, run:
  254. @pindex gnunet-identity
  255. @example
  256. $ gnunet-identity -s namestore -e NAME
  257. @end example
  258. where NAME is the name of the zone you want to import records
  259. into. In our running example, this would be ``gnu''.
  260. @pindex gnunet-qr
  261. Henceforth, for every business card you collect, simply run:
  262. @example
  263. $ gnunet-qr
  264. @end example
  265. @noindent
  266. to open a window showing whatever your camera points at.
  267. Hold up your friend's business card and tilt it until
  268. the QR code is recognized. At that point, the window should
  269. automatically close. At that point, your friend's NICKname and their
  270. public key should have been automatically imported into your zone.
  271. Assuming both of your peers are properly integrated in the
  272. GNUnet network at this time, you should thus be able to
  273. resolve your friends names. Suppose your friend's nickname
  274. is "Bob". Then, type
  275. @pindex gnunet-gns
  276. @example
  277. $ gnunet-gns -u test.bob.gnu
  278. @end example
  279. @noindent
  280. to check if your friend was as good at following instructions
  281. as you were.
  282. @node Backup of Identities and Egos
  283. @subsection Backup of Identities and Egos
  284. One should always backup their files, especially in these SSD days (our
  285. team has suffered 3 SSD crashes over a span of 2 weeks). Backing up peer
  286. identity and zones is achieved by copying the following files:
  287. The peer identity file can be found
  288. in @file{~/.local/share/gnunet/private_key.ecc}
  289. The private keys of your egos are stored in the
  290. directory @file{~/.local/share/gnunet/identity/egos/}.
  291. They are stored in files whose filenames correspond to the zones'
  292. ego names. These are probably the most important files you want
  293. to backup from a GNUnet installation.
  294. Note: All these files contain cryptographic keys and they are
  295. stored without any encryption. So it is advisable to backup
  296. encrypted copies of them.
  297. @node Revocation
  298. @subsection Revocation
  299. Now, in the situation of an attacker gaining access to the private key of
  300. one of your egos, the attacker can create records in the respective
  301. GNS zone
  302. and publish them as if you published them. Anyone resolving your
  303. domain will get these new records and when they verify they seem
  304. authentic because the attacker has signed them with your key.
  305. To address this potential security issue, you can pre-compute
  306. a revocation certificate corresponding to your ego. This certificate,
  307. when published on the P2P network, flags your private key as invalid,
  308. and all further resolutions or other checks involving the key will fail.
  309. @pindex gnunet-revocation
  310. A revocation certificate is thus a useful tool when things go out of
  311. control, but at the same time it should be stored securely.
  312. Generation of the revocation certificate for a zone can be done through
  313. @command{gnunet-revocation}. For example, the following command (as
  314. unprivileged user) generates a revocation file
  315. @file{revocation.dat} for the zone @code{zone1}:
  316. @command{gnunet-revocation -f revocation.dat -R zone1}
  317. The above command only pre-computes a revocation certificate. It does
  318. not revoke the given zone. Pre-computing a revocation certificate
  319. involves computing a proof-of-work and hence may take up to 4 to 5 days
  320. on a modern processor. Note that you can abort and resume the
  321. calculation at any time. Also, even if you did not finish the
  322. calculation, the resulting file will contain the signature, which is
  323. sufficient to complete the revocation process even without access to
  324. the private key. So instead of waiting for a few days, you can just
  325. abort with CTRL-C, backup the revocation certificate and run the
  326. calculation only if your key actually was compromised. This has the
  327. disadvantage of revocation taking longer after the incident, but
  328. the advantage of saving a significant amount of energy. So unless
  329. you believe that a key compromise will need a rapid response, we
  330. urge you to wait with generating the revocation certificate.
  331. Also, the calculation is deliberately expensive, to deter people from
  332. doing this just for fun (as the actual revocation operation is expensive
  333. for the network, not for the peer performing the revocation).
  334. @c FIXME: The Manual should give away the command using an example that is
  335. @c very likely to never exist.
  336. To avoid TL;DR ones from accidentally revocating their zones, we are not
  337. giving away the command, but it is uncomplicated: the actual revocation is
  338. performed by using the @command{-p} option of @command{gnunet-revocation}.
  339. @node What's Next?
  340. @subsection What's Next?
  341. This may seem not like much of an application yet, but you have
  342. just been one of the first to perform a decentralized secure name
  343. lookup (where nobody could have altered the value supplied by your
  344. friend) in a privacy-preserving manner (your query on the network
  345. and the corresponding response were always encrypted). So what
  346. can you really do with this? Well, to start with, you can publish your
  347. GnuPG fingerprint in GNS as a "CERT" record and replace the public
  348. web-of-trust with its complicated trust model with explicit names
  349. and privacy-preserving resolution. Also, you should read the next
  350. chapter of the tutorial and learn how to use GNS to have a
  351. private conversation with your friend. Finally, help us
  352. with the next GNUnet release for even more applications
  353. using this new public key infrastructure.
  354. @pindex gnunet-conservation-gtk
  355. @node First steps - Using GNUnet Conversation
  356. @section First steps - Using GNUnet Conversation
  357. First, you should launch the graphical user interface. You can do
  358. this from the command-line by typing
  359. @example
  360. $ gnunet-conversation-gtk
  361. @end example
  362. @menu
  363. * Testing your Audio Equipment::
  364. * GNS Zones::
  365. @end menu
  366. @node Testing your Audio Equipment
  367. @subsection Testing your Audio Equipment
  368. First, you should use @code{gnunet-conversation-test} to check that your
  369. microphone and speaker are working correctly. You will be prompted to
  370. speak for 5 seconds, and then those 5 seconds will be replayed to you.
  371. The network is not involved in this test. If it fails, you should run
  372. your pulse audio configuration tool to check that microphone and
  373. speaker are not muted and, if you have multiple input/output devices,
  374. that the correct device is being associated with GNUnet's audio tools.
  375. @node GNS Zones
  376. @subsection GNS Zones
  377. @code{gnunet-conversation} uses GNS for addressing. This means that
  378. you need to have a GNS zone created before using it. Information
  379. about how to create GNS zones can be found here.
  380. @menu
  381. * Picking an Identity::
  382. * Calling somebody::
  383. @end menu
  384. @node Picking an Identity
  385. @subsubsection Picking an Identity
  386. To make a call with @code{gnunet-conversation}, you first
  387. need to choose an identity. This identity is both the caller ID
  388. that will show up when you call somebody else, as well as the
  389. GNS zone that will be used to resolve names of users that you
  390. are calling. Run
  391. @pindex gnunet-conversation
  392. @example
  393. gnunet-conversation -e zone-name
  394. @end example
  395. @noindent
  396. to start the command-line tool. You will see a message saying
  397. that your phone is now "active on line 0". You can connect
  398. multiple phones on different lines at the same peer. For the
  399. first phone, the line zero is of course a fine choice.
  400. Next, you should type in @command{/help} for a list of
  401. available commands. We will explain the important ones
  402. during this tutorial. First, you will need to type in
  403. @command{/address} to determine the address of your
  404. phone. The result should look something like this:
  405. @example
  406. /address
  407. 0-PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
  408. @end example
  409. @noindent
  410. Here, the "0" is your phone line, and what follows
  411. after the hyphen is your peer's identity. This information will
  412. need to be placed in a PHONE record of
  413. your GNS master-zone so that other users can call you.
  414. Start @code{gnunet-namestore-gtk} now (possibly from another
  415. shell) and create an entry home-phone in your master zone.
  416. For the record type, select PHONE. You should then see the
  417. PHONE dialog:
  418. @image{images/gnunet-namestore-gtk-phone,5in,,Dialog to publish a PHONE record}
  419. Note: Do not choose the expiry time to be 'Never'. If you
  420. do that, you assert that this record will never change and
  421. can be cached indefinitely by the DHT and the peers which
  422. resolve this record. A reasonable period is 1 year.
  423. Enter your peer identity under Peer and leave the line
  424. at zero. Select the first option to make the record public.
  425. If you entered your peer identity incorrectly,
  426. the "Save" button will not work; you might want to use
  427. copy-and-paste instead of typing in the peer identity
  428. manually. Save the record.
  429. @node Calling somebody
  430. @subsubsection Calling somebody
  431. Now you can call a buddy. Obviously, your buddy will have to have GNUnet
  432. installed and must have performed the same steps. Also, you must have
  433. your buddy in your GNS master zone, for example by having imported
  434. your buddy's public key using @code{gnunet-qr}. Suppose your buddy
  435. is in your zone as @code{buddy.mytld} and they also created their
  436. phone using a label "home-phone". Then you can initiate a call using:
  437. @example
  438. /call home-phone.buddy.mytld
  439. @end example
  440. It may take some time for GNUnet to resolve the name and to establish
  441. a link. If your buddy has your public key in their master zone, they
  442. should see an incoming call with your name. If your public key is not
  443. in their master zone, they will just see the public key as the caller ID.
  444. Your buddy then can answer the call using the "/accept" command. After
  445. that, (encrypted) voice data should be relayed between your two peers.
  446. Either of you can end the call using @command{/cancel}. You can exit
  447. @code{gnunet-conversation} using @command{/quit}.
  448. @node First steps - Using the GNUnet VPN
  449. @section First steps - Using the GNUnet VPN
  450. @menu
  451. * VPN Preliminaries::
  452. * GNUnet-Exit configuration::
  453. * GNS configuration::
  454. * Accessing the service::
  455. * Using a Browser::
  456. @end menu
  457. @node VPN Preliminaries
  458. @subsection VPN Preliminaries
  459. To test the GNUnet VPN, we should first run a web server.
  460. The easiest way to do this is to just start @code{gnunet-bcd},
  461. which will run a webserver on port @code{8888} by default.
  462. Naturally, you can run some other HTTP server for our little tutorial.
  463. If you have not done this, you should also configure your
  464. Name System Service switch to use GNS. In your @code{/etc/nsswitch.conf}
  465. you should fine a line like this:
  466. @example
  467. hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
  468. @end example
  469. @noindent
  470. The exact details may differ a bit, which is fine. Add the text
  471. @code{gns [NOTFOUND=return]} after @code{files}:
  472. @example
  473. hosts: files gns [NOTFOUND=return] mdns4_minimal [NOTFOUND=return] dns mdns4
  474. @end example
  475. @c TODO: outdated section, we no longer install this as part of the
  476. @c TODO: standard installation procedure and should point out the manual
  477. @c TODO: steps required to make it useful.
  478. @noindent
  479. You might want to make sure that @code{/lib/libnss_gns.so.2} exists on
  480. your system, it should have been created during the installation.
  481. If not, re-run
  482. @example
  483. $ configure --with-nssdir=/lib
  484. $ cd src/gns/nss; sudo make install
  485. @end example
  486. @noindent
  487. to install the NSS plugins in the proper location.
  488. @node GNUnet-Exit configuration
  489. @subsection GNUnet-Exit configuration
  490. Stop your peer (as user @code{gnunet}, run @command{gnunet-arm -e}) and
  491. run @command{gnunet-setup}. In @command{gnunet-setup}, make sure to
  492. activate the @strong{EXIT} and @strong{GNS} services in the General tab.
  493. Then select the Exit tab. Most of the defaults should be fine (but
  494. you should check against the screenshot that they have not been modified).
  495. In the bottom area, enter @code{bcd} under Identifier and change the
  496. Destination to @code{169.254.86.1:8888} (if your server runs on a port
  497. other than 8888, change the 8888 port accordingly).
  498. Now exit @command{gnunet-setup} and restart your peer
  499. (@command{gnunet-arm -s}).
  500. @node GNS configuration
  501. @subsection GNS configuration
  502. Now, using your normal user (not the @code{gnunet} system user), run
  503. @command{gnunet-namestore-gtk}. Add a new label www in your
  504. master zone. For the record type, select @code{VPN}. You should then
  505. see the VPN dialog:
  506. @image{images/gnunet-namestore-gtk-vpn,5in,,Dialog to publish a VPN record}
  507. Under peer, you need to supply the peer identity of your own peer. You can
  508. obtain the respective string by running @command{gnunet-peerinfo -sq}
  509. as the @code{gnunet} user. For the Identifier, you need to supply the same
  510. identifier that we used in the Exit setup earlier, so here supply "bcd".
  511. If you want others to be able to use the service, you should probably make
  512. the record public. For non-public services, you should use a passphrase
  513. instead of the string "bcd". Save the record and
  514. exit @command{gnunet-namestore-gtk}.
  515. @node Accessing the service
  516. @subsection Accessing the service
  517. You should now be able to access your webserver. Type in:
  518. @example
  519. $ wget http://www.gnu/
  520. @end example
  521. @noindent
  522. The request will resolve to the VPN record, telling the GNS resolver
  523. to route it via the GNUnet VPN. The GNS resolver will ask the
  524. GNUnet VPN for an IPv4 address to return to the application. The
  525. VPN service will use the VPN information supplied by GNS to create
  526. a tunnel (via GNUnet's MESH service) to the EXIT peer.
  527. At the EXIT, the name "bcd" and destination port (80) will be mapped
  528. to the specified destination IP and port. While all this is currently
  529. happening on just the local machine, it should also work with other
  530. peers --- naturally, they will need a way to access your GNS zone
  531. first, for example by learning your public key from a QR code on
  532. your business card.
  533. @node Using a Browser
  534. @subsection Using a Browser
  535. Sadly, modern browsers tend to bypass the Name Services Switch and
  536. attempt DNS resolution directly. You can either run
  537. a @code{gnunet-dns2gns} DNS proxy, or point the browsers to an
  538. HTTP proxy. When we tried it, Iceweasel did not like to connect to
  539. the socks proxy for @code{.gnu} TLDs, even if we disabled its
  540. autoblunder of changing @code{.gnu} to ".gnu.com". Still,
  541. using the HTTP proxy with Chrome does work.
  542. @node File-sharing
  543. @section File-sharing
  544. This chapter documents the GNUnet file-sharing application. The original
  545. file-sharing implementation for GNUnet was designed to provide
  546. @strong{anonymous} file-sharing. However, over time, we have also added
  547. support for non-anonymous file-sharing (which can provide better
  548. performance). Anonymous and non-anonymous file-sharing are quite
  549. integrated in GNUnet and, except for routing, share most of the concepts
  550. and implementation. There are three primary file-sharing operations:
  551. publishing, searching and downloading. For each of these operations,
  552. the user specifies an @strong{anonymity level}. If both the publisher and
  553. the searcher/downloader specify "no anonymity", non-anonymous
  554. file-sharing is used. If either user specifies some desired degree
  555. of anonymity, anonymous file-sharing will be used.
  556. After a short introduction, we will first look at the various concepts
  557. in GNUnet's file-sharing implementation. Then, we will discuss
  558. specifics as to how they impact users that publish, search or download
  559. files.
  560. @menu
  561. * fs-Searching::
  562. * fs-Downloading::
  563. * fs-Publishing::
  564. * fs-Concepts::
  565. * Namespace Management::
  566. * File-Sharing URIs::
  567. * GTK User Interface::
  568. @end menu
  569. @node fs-Searching
  570. @subsection Searching
  571. The command @command{gnunet-search} can be used to search
  572. for content on GNUnet. The format is:
  573. @example
  574. $ gnunet-search [-t TIMEOUT] KEYWORD
  575. @end example
  576. @noindent
  577. The @command{-t} option specifies that the query should timeout after
  578. approximately TIMEOUT seconds. A value of zero (``0'') is interpreted
  579. as @emph{no timeout}, which is the default. In this case,
  580. @command{gnunet-search} will never terminate (unless you press
  581. @command{CTRL-C}).
  582. If multiple words are passed as keywords, they will all be
  583. considered optional. Prefix keywords with a "+" to make them mandatory.
  584. Note that searching using
  585. @example
  586. $ gnunet-search Das Kapital
  587. @end example
  588. @noindent
  589. is not the same as searching for
  590. @example
  591. $ gnunet-search "Das Kapital"
  592. @end example
  593. @noindent
  594. as the first will match files shared under the keywords
  595. "Das" or "Kapital" whereas the second will match files
  596. shared under the keyword "Das Kapital".
  597. Search results are printed by @command{gnunet-search} like this:
  598. @c it will be better the avoid the ellipsis altogether because I don't
  599. @c understand the explanation below that
  600. @c ng0: who is ``I'' and what was the complete sentence?
  601. @example
  602. #15:
  603. gnunet-download -o "COPYING" gnunet://fs/chk/PGK8M...3EK130.75446
  604. @end example
  605. @noindent
  606. The whole line is the command you would have to enter to download
  607. the file. The first argument passed to @code{-o} is the suggested
  608. filename (you may change it to whatever you like).
  609. It is followed by the key for decrypting the file, the query for
  610. searching the file, a checksum (in hexadecimal) finally the size of
  611. the file in bytes.
  612. @node fs-Downloading
  613. @subsection Downloading
  614. In order to download a file, you need the whole line returned by
  615. @command{gnunet-search}.
  616. You can then use the tool @command{gnunet-download} to obtain the file:
  617. @example
  618. $ gnunet-download -o <FILENAME> <GNUNET-URL>
  619. @end example
  620. @noindent
  621. FILENAME specifies the name of the file where GNUnet is supposed
  622. to write the result. Existing files are overwritten. If the
  623. existing file contains blocks that are identical to the
  624. desired download, those blocks will not be downloaded again
  625. (automatic resume).
  626. If you want to download the GPL from the previous example,
  627. you do the following:
  628. @example
  629. $ gnunet-download -o "COPYING" gnunet://fs/chk/PGK8M...3EK130.75446
  630. @end example
  631. @noindent
  632. If you ever have to abort a download, you can continue it at any time by
  633. re-issuing @command{gnunet-download} with the same filename.
  634. In that case, GNUnet will @strong{not} download blocks again that are
  635. already present.
  636. GNUnet's file-encoding mechanism will ensure file integrity, even if the
  637. existing file was not downloaded from GNUnet in the first place.
  638. You may want to use the @command{-V} switch to turn on verbose
  639. reporting. In this case, @command{gnunet-download} will print the
  640. current number of bytes downloaded whenever new data was received.
  641. @node fs-Publishing
  642. @subsection Publishing
  643. The command @command{gnunet-publish} can be used to add content
  644. to the network. The basic format of the command is
  645. @example
  646. $ gnunet-publish [-n] [-k KEYWORDS]* [-m TYPE:VALUE] FILENAME
  647. @end example
  648. For example
  649. @example
  650. $ gnunet-publish -m "description:GNU License" -k gpl -k test -m "mimetype:text/plain" COPYING
  651. @end example
  652. @menu
  653. * Important command-line options::
  654. * Indexing vs. Inserting::
  655. @end menu
  656. @node Important command-line options
  657. @subsubsection Important command-line options
  658. The option @code{-k} is used to specify keywords for the file that
  659. should be inserted. You can supply any number of keywords,
  660. and each of the keywords will be sufficient to locate and
  661. retrieve the file. Please note that you must use the @code{-k} option
  662. more than once -- one for each expression you use as a keyword for
  663. the filename.
  664. The -m option is used to specify meta-data, such as descriptions.
  665. You can use -m multiple times. The TYPE passed must be from the
  666. list of meta-data types known to libextractor. You can obtain this
  667. list by running @command{extract -L}. Use quotes around the entire
  668. meta-data argument if the value contains spaces. The meta-data
  669. is displayed to other users when they select which files to
  670. download. The meta-data and the keywords are optional and
  671. may be inferred using @code{GNU libextractor}.
  672. @command{gnunet-publish} has a few additional options to handle
  673. namespaces and directories. Refer to the man-page for details:
  674. @example
  675. man gnunet-publish
  676. @end example
  677. @node Indexing vs. Inserting
  678. @subsubsection Indexing vs Inserting
  679. By default, GNUnet indexes a file instead of making a full copy.
  680. This is much more efficient, but requires the file to stay unaltered
  681. at the location where it was when it was indexed. If you intend to move,
  682. delete or alter a file, consider using the option @code{-n} which will
  683. force GNUnet to make a copy of the file in the database.
  684. Since it is much less efficient, this is strongly discouraged for large
  685. files. When GNUnet indexes a file (default), GNUnet does @strong{not}
  686. create an additional encrypted copy of the file but just computes a
  687. summary (or index) of the file. That summary is approximately two percent
  688. of the size of the original file and is stored in GNUnet's database.
  689. Whenever a request for a part of an indexed file reaches GNUnet,
  690. this part is encrypted on-demand and send out. This way, there is no
  691. need for an additional encrypted copy of the file to stay anywhere
  692. on the drive. This is different from other systems, such as Freenet,
  693. where each file that is put online must be in Freenet's database in
  694. encrypted format, doubling the space requirements if the user wants
  695. to preserve a directly accessible copy in plaintext.
  696. Thus indexing should be used for all files where the user will keep
  697. using this file (at the location given to gnunet-publish) and does
  698. not want to retrieve it back from GNUnet each time. If you want to
  699. remove a file that you have indexed from the local peer, use the tool
  700. @command{gnunet-unindex} to un-index the file.
  701. The option @code{-n} may be used if the user fears that the file might
  702. be found on their drive (assuming the computer comes under the control
  703. of an adversary). When used with the @code{-n} flag, the user has a
  704. much better chance of denying knowledge of the existence of the file,
  705. even if it is still (encrypted) on the drive and the adversary is
  706. able to crack the encryption (e.g. by guessing the keyword.
  707. @node fs-Concepts
  708. @subsection Concepts
  709. For better results with filesharing it is useful to understand the
  710. following concepts.
  711. In addition to anonymous routing GNUnet attempts to give users a better
  712. experience in searching for content. GNUnet uses cryptography to safely
  713. break content into smaller pieces that can be obtained from different
  714. sources without allowing participants to corrupt files. GNUnet makes it
  715. difficult for an adversary to send back bogus search results. GNUnet
  716. enables content providers to group related content and to establish a
  717. reputation. Furthermore, GNUnet allows updates to certain content to be
  718. made available. This section is supposed to introduce users to the
  719. concepts that are used to achieve these goals.
  720. @menu
  721. * Files::
  722. * Keywords::
  723. * Directories::
  724. * Egos and File-Sharing::
  725. * Namespaces::
  726. * Advertisements::
  727. * Anonymity level::
  728. * Content Priority::
  729. * Replication::
  730. @end menu
  731. @node Files
  732. @subsubsection Files
  733. A file in GNUnet is just a sequence of bytes. Any file-format is allowed
  734. and the maximum file size is theoretically @math{2^64 - 1} bytes, except
  735. that it would take an impractical amount of time to share such a file.
  736. GNUnet itself never interprets the contents of shared files, except when
  737. using GNU libextractor to obtain keywords.
  738. @node Keywords
  739. @subsubsection Keywords
  740. Keywords are the most simple mechanism to find files on GNUnet.
  741. Keywords are @strong{case-sensitive} and the search string
  742. must always match @strong{exactly} the keyword used by the
  743. person providing the file. Keywords are never transmitted in
  744. plaintext. The only way for an adversary to determine the keyword
  745. that you used to search is to guess it (which then allows the
  746. adversary to produce the same search request). Since providing
  747. keywords by hand for each shared file is tedious, GNUnet uses
  748. GNU libextractor to help automate this process. Starting a
  749. keyword search on a slow machine can take a little while since
  750. the keyword search involves computing a fresh RSA key to formulate the
  751. request.
  752. @node Directories
  753. @subsubsection Directories
  754. A directory in GNUnet is a list of file identifiers with meta data.
  755. The file identifiers provide sufficient information about the files
  756. to allow downloading the contents. Once a directory has been created,
  757. it cannot be changed since it is treated just like an ordinary file
  758. by the network. Small files (of a few kilobytes) can be inlined in
  759. the directory, so that a separate download becomes unnecessary.
  760. Directories are shared just like ordinary files. If you download a
  761. directory with @command{gnunet-download}, you can use
  762. @command{gnunet-directory} to list its contents. The canonical
  763. extension for GNUnet directories when stored as files in your
  764. local file-system is ".gnd". The contents of a directory are URIs and
  765. meta data.
  766. The URIs contain all the information required by
  767. @command{gnunet-download} to retrieve the file. The meta data
  768. typically includes the mime-type, description, a filename and
  769. other meta information, and possibly even the full original file
  770. (if it was small).
  771. @node Egos and File-Sharing
  772. @subsubsection Egos and File-Sharing
  773. When sharing files, it is sometimes desirable to build a reputation as
  774. a source for quality information. With egos, publishers can
  775. (cryptographically) sign files, thereby demonstrating that various
  776. files were published by the same entity. An ego thus allows users to
  777. link different publication events, thereby deliberately reducing
  778. anonymity to pseudonymity.
  779. Egos used in GNUnet's file-sharing for such pseudonymous publishing
  780. also correspond to the egos used to identify and sign zones in the
  781. GNU Name System. However, if the same ego is used for file-sharing
  782. and for a GNS zone, this will weaken the privacy assurances provided
  783. by the anonymous file-sharing protocol.
  784. Note that an ego is NOT bound to a GNUnet peer. There can be multiple
  785. egos for a single user, and users could (theoretically) share
  786. the private keys of an ego by copying the respective private keys.
  787. @node Namespaces
  788. @subsubsection Namespaces
  789. A namespace is a set of files that were signed by the same ego.
  790. Today, namespaces are implemented independently of GNS zones, but
  791. in the future we plan to merge the two such that a GNS zone can
  792. basically contain files using a file-sharing specific record type.
  793. Files (or directories) that have been signed and placed into a
  794. namespace can be updated. Updates are identified as authentic if the
  795. same secret key was used to sign the update.
  796. @node Advertisements
  797. @subsubsection Advertisements
  798. Advertisements are used to notify other users about the existence of a
  799. namespace. Advertisements are propagated using the normal keyword
  800. search. When an advertisement is received (in response to a search),
  801. the namespace is added to the list of namespaces available in the
  802. namespace-search dialogs of gnunet-fs-gtk and printed by
  803. @code{gnunet-identity}. Whenever a namespace is created, an
  804. appropriate advertisement can be generated. The default keyword for
  805. the advertising of namespaces is "namespace".
  806. @node Anonymity level
  807. @subsubsection Anonymity level
  808. The anonymity level determines how hard it should be for an adversary to
  809. determine the identity of the publisher or the searcher/downloader. An
  810. anonymity level of zero means that anonymity is not required. The default
  811. anonymity level of "1" means that anonymous routing is desired, but no
  812. particular amount of cover traffic is necessary. A powerful adversary
  813. might thus still be able to deduce the origin of the traffic using
  814. traffic analysis. Specifying higher anonymity levels increases the
  815. amount of cover traffic required.
  816. The specific numeric value (for anonymity levels above 1) is simple:
  817. Given an anonymity level L (above 1), each request FS makes on your
  818. behalf must be hidden in L-1 equivalent requests of cover traffic
  819. (traffic your peer routes for others) in the same time-period. The
  820. time-period is twice the average delay by which GNUnet artificially
  821. delays traffic.
  822. While higher anonymity levels may offer better privacy, they can also
  823. significantly hurt performance.
  824. @node Content Priority
  825. @subsubsection Content Priority
  826. Depending on the peer's configuration, GNUnet peers migrate content
  827. between peers. Content in this sense are individual blocks of a file,
  828. not necessarily entire files. When peers run out of space (due to
  829. local publishing operations or due to migration of content from other
  830. peers), blocks sometimes need to be discarded. GNUnet first always
  831. discards expired blocks (typically, blocks are published with an
  832. expiration of about two years in the future; this is another option).
  833. If there is still not enough space, GNUnet discards the blocks with the
  834. lowest priority. The priority of a block is decided by its popularity
  835. (in terms of requests from peers we trust) and, in case of blocks
  836. published locally, the base-priority that was specified by the user
  837. when the block was published initially.
  838. @node Replication
  839. @subsubsection Replication
  840. When peers migrate content to other systems, the replication level
  841. of a block is used to decide which blocks need to be migrated most
  842. urgently. GNUnet will always push the block with the highest
  843. replication level into the network, and then decrement the replication
  844. level by one. If all blocks reach replication level zero, the
  845. selection is simply random.
  846. @node Namespace Management
  847. @subsection Namespace Management
  848. The @code{gnunet-identity} tool can be used to create egos.
  849. By default, @code{gnunet-identity -D} simply
  850. lists all locally available egos.
  851. @menu
  852. * Creating Egos::
  853. * Deleting Egos::
  854. @end menu
  855. @node Creating Egos
  856. @subsubsection Creating Egos
  857. With the @command{-C NICK} option it can also be used to create a new
  858. ego. An ego is the virtual identity of the entity in control of a
  859. namespace or GNS zone. Anyone can create any number of egos. The
  860. provided NICK name automatically corresponds to a GNU Name System
  861. domain name. Thus, henceforth name resolution for any name ending in
  862. ``.NICK'' will use the NICK's zone. You should avoid using NICKs that
  863. collide with well-known DNS names.
  864. @node Deleting Egos
  865. @subsubsection Deleting Egos
  866. With the @command{-D NICK} option egos can be deleted. Once the ego
  867. has been deleted it is impossible to add content to the corresponding
  868. namespace or zone. However, the existing GNS zone data is currently
  869. not dropped. This may change in the future.
  870. Deleting the pseudonym does not make the namespace or any content in
  871. it unavailable.
  872. @node File-Sharing URIs
  873. @subsection File-Sharing URIs
  874. GNUnet (currently) uses four different types of URIs for
  875. file-sharing. They all begin with "gnunet://fs/".
  876. This section describes the four different URI types in detail.
  877. For FS URIs empty KEYWORDs are not allowed. Quotes are allowed to
  878. denote whitespace between words. Keywords must contain a balanced
  879. number of double quotes. Doubles quotes can not be used in the actual
  880. keywords. This means that the the string '""foo bar""' will be turned
  881. into two OR-ed keywords 'foo' and 'bar', not into '"foo bar"'.
  882. @menu
  883. * Encoding of hash values in URIs::
  884. * Content Hash Key (chk)::
  885. * Location identifiers (loc)::
  886. * Keyword queries (ksk)::
  887. * Namespace content (sks)::
  888. @end menu
  889. @node Encoding of hash values in URIs
  890. @subsubsection Encoding of hash values in URIs
  891. Most URIs include some hash values. Hashes are encoded using
  892. base32hex (RFC 2938).
  893. @cindex chk-uri
  894. @node Content Hash Key (chk)
  895. @subsubsection Content Hash Key (chk)
  896. A chk-URI is used to (uniquely) identify a file or directory
  897. and to allow peers to download the file. Files are stored in
  898. GNUnet as a tree of encrypted blocks.
  899. The chk-URI thus contains the information to download and decrypt
  900. those blocks. A chk-URI has the format
  901. "gnunet://fs/chk/KEYHASH.QUERYHASH.SIZE". Here, "SIZE"
  902. is the size of the file (which allows a peer to determine the
  903. shape of the tree), KEYHASH is the key used to decrypt the file
  904. (also the hash of the plaintext of the top block) and QUERYHASH
  905. is the query used to request the top-level block (also the hash
  906. of the encrypted block).
  907. @cindex loc-uri
  908. @node Location identifiers (loc)
  909. @subsubsection Location identifiers (loc)
  910. For non-anonymous file-sharing, loc-URIs are used to specify which
  911. peer is offering the data (in addition to specifying all of the
  912. data from a chk-URI). Location identifiers include a digital
  913. signature of the peer to affirm that the peer is truly the
  914. origin of the data. The format is
  915. "gnunet://fs/loc/KEYHASH.QUERYHASH.SIZE.PEER.SIG.EXPTIME".
  916. Here, "PEER" is the public key of the peer (in GNUnet format in
  917. base32hex), SIG is the RSA signature (in GNUnet format in
  918. base32hex) and EXPTIME specifies when the signature expires
  919. (in milliseconds after 1970).
  920. @cindex ksk-uri
  921. @node Keyword queries (ksk)
  922. @subsubsection Keyword queries (ksk)
  923. A keyword-URI is used to specify that the desired operation
  924. is the search using a particular keyword. The format is simply
  925. "gnunet://fs/ksk/KEYWORD". Non-ASCII characters can be specified
  926. using the typical URI-encoding (using hex values) from HTTP.
  927. "+" can be used to specify multiple keywords (which are then
  928. logically "OR"-ed in the search, results matching both keywords
  929. are given a higher rank): "gnunet://fs/ksk/KEYWORD1+KEYWORD2".
  930. ksk-URIs must not begin or end with the plus ('+') character.
  931. Furthermore they must not contain '++'.
  932. @cindex sks-uri
  933. @node Namespace content (sks)
  934. @subsubsection Namespace content (sks)
  935. @b{Please note that the text in this subsection is outdated and needs}
  936. @b{to be rewritten for version 0.10!}
  937. @b{This especially concerns the terminology of Pseudonym/Ego/Identity.}
  938. Namespaces are sets of files that have been approved by some (usually
  939. pseudonymous) user --- typically by that user publishing all of the
  940. files together. A file can be in many namespaces. A file is in a
  941. namespace if the owner of the ego (aka the namespace's private key)
  942. signs the CHK of the file cryptographically. An SKS-URI is used to
  943. search a namespace. The result is a block containing meta data,
  944. the CHK and the namespace owner's signature. The format of a sks-URI
  945. is "gnunet://fs/sks/NAMESPACE/IDENTIFIER". Here, "NAMESPACE"
  946. is the public key for the namespace. "IDENTIFIER" is a freely
  947. chosen keyword (or password!). A commonly used identifier is
  948. "root" which by convention refers to some kind of index or other
  949. entry point into the namespace.
  950. @node GTK User Interface
  951. @subsection GTK User Interface
  952. This chapter describes first steps for file-sharing with GNUnet.
  953. To start, you should launch @command{gnunet-fs-gtk}.
  954. As we want to be sure that the network contains the data that we are
  955. looking for for testing, we need to begin by publishing a file.
  956. @menu
  957. * gtk-Publishing::
  958. * gtk-Searching::
  959. * gtk-Downloading::
  960. @end menu
  961. @node gtk-Publishing
  962. @subsubsection Publishing
  963. To publish a file, select "File Sharing" in the menu bar just below the
  964. "Statistics" icon, and then select "Publish" from the menu.
  965. Afterwards, the following publishing dialog will appear:
  966. @image{images/gnunet-gtk-0-10-fs-publish,5in,,The gnunet-fs-gtk publishing dialog}
  967. In this dialog, select the "Add File" button. This will open a
  968. file selection dialog:
  969. @image{images/gnunet-gtk-0-10-fs-publish-select,5in,,Dialog to select the file to publish (looks may differ for other Gtk+ versions)}
  970. Now, you should select a file from your computer to be published on
  971. GNUnet. To see more of GNUnet's features later, you should pick a
  972. PNG or JPEG file this time. You can leave all of the other options
  973. in the dialog unchanged. Confirm your selection by pressing the "OK"
  974. button in the bottom right corner. Now, you will briefly see a
  975. "Messages..." dialog pop up, but most likely it will be too short for
  976. you to really read anything. That dialog is showing you progress
  977. information as GNUnet takes a first look at the selected file(s).
  978. For a normal image, this is virtually instant, but if you later
  979. import a larger directory you might be interested in the progress dialog
  980. and potential errors that might be encountered during processing.
  981. After the progress dialog automatically disappears, your file
  982. should now appear in the publishing dialog:
  983. @image{images/gnunet-gtk-0-10-fs-publish-with-file,5in,,Publishing dialog with file added}
  984. Now, select the file (by clicking on the file name) and then click
  985. the "Edit" button. This will open the editing dialog:
  986. @image{images/gnunet-gtk-0-10-fs-publish-editing,5in,,Editing meta data of a file to be published}
  987. In this dialog, you can see many details about your file. In the
  988. top left area, you can see meta data extracted about the file,
  989. such as the original filename, the mimetype and the size of the image.
  990. In the top right, you should see a preview for the image
  991. (if GNU libextractor was installed correctly with the
  992. respective plugins). Note that if you do not see a preview, this
  993. is not a disaster, but you might still want to install more of
  994. GNU libextractor in the future. In the bottom left, the dialog contains
  995. a list of keywords. These are the keywords under which the file will be
  996. made available. The initial list will be based on the extracted meta data.
  997. Additional publishing options are in the right bottom corner. We will
  998. now add an additional keyword to the list of keywords. This is done by
  999. entering the keyword above the keyword list between the label "Keyword"
  1000. and the "Add keyword" button. Enter "test" and select "Add keyword".
  1001. Note that the keyword will appear at the bottom of the existing keyword
  1002. list, so you might have to scroll down to see it. Afterwards, push the
  1003. "OK" button at the bottom right of the dialog.
  1004. You should now be back at the "Publish content on GNUnet" dialog. Select
  1005. "Execute" in the bottom right to close the dialog and publish your file
  1006. on GNUnet! Afterwards, you should see the main dialog with a new area
  1007. showing the list of published files (or ongoing publishing operations
  1008. with progress indicators).
  1009. @node gtk-Searching
  1010. @subsubsection Searching
  1011. Below the menu bar, there are four entry widges labeled "Namespace",
  1012. "Keywords", "Anonymity" and "Mime-type" (from left to right). These
  1013. widgets are used to control searching for files in GNUnet. Between the
  1014. "Keywords" and "Anonymity" widgets, there is also a big "Search" button,
  1015. which is used to initiate the search. We will ignore the "Namespace",
  1016. "Anonymity" and "Mime-type" options in this tutorial, please leave them
  1017. empty. Instead, simply enter "test" under "Keywords" and press "Search".
  1018. Afterwards, you should immediately see a new tab labeled after your
  1019. search term, followed by the (current) number of search
  1020. results --- "(15)" in our screenshot. Note that your results may
  1021. vary depending on what other users may have shared and how your
  1022. peer is connected.
  1023. You can now select one of the search results. Once you do this,
  1024. additional information about the result should be displayed on the
  1025. right. If available, a preview image should appear on the top right.
  1026. Meta data describing the file will be listed at the bottom right.
  1027. Once a file is selected, at the bottom of the search result list
  1028. a little area for downloading appears.
  1029. @node gtk-Downloading
  1030. @subsubsection Downloading
  1031. In the downloading area, you can select the target directory (default is
  1032. "Downloads") and specify the desired filename (by default the filename it
  1033. taken from the meta data of the published file). Additionally, you can
  1034. specify if the download should be anonymous and (for directories) if
  1035. the download should be recursive. In most cases, you can simply start
  1036. the download with the "Download!" button.
  1037. Once you selected download, the progress of the download will be
  1038. displayed with the search result. You may need to resize the result
  1039. list or scroll to the right. The "Status" column shows the current
  1040. status of the download, and "Progress" how much has been completed.
  1041. When you close the search tab (by clicking on the "X" button next to
  1042. the "test" label), ongoing and completed downloads are not aborted
  1043. but moved to a special "*" tab.
  1044. You can remove completed downloads from the "*" tab by clicking the
  1045. cleanup button next to the "*". You can also abort downloads by right
  1046. clicking on the respective download and selecting "Abort download"
  1047. from the menu.
  1048. That's it, you now know the basics for file-sharing with GNUnet!
  1049. @node The GNU Name System
  1050. @section The GNU Name System
  1051. The GNU Name System (GNS) is secure and decentralized naming system.
  1052. It allows its users to register names as @dfn{top-level domains} (TLDs) and
  1053. resolve other namespaces within their TLDs.
  1054. GNS is designed to provide:
  1055. @itemize @bullet
  1056. @item Censorship resistance
  1057. @item Query privacy
  1058. @item Secure name resolution
  1059. @item Compatibility with DNS
  1060. @end itemize
  1061. For the initial configuration and population of your
  1062. GNS installation, please follow the GNS setup instructions.
  1063. The remainder of this chapter will provide some background on GNS
  1064. and then describe how to use GNS in more detail.
  1065. Unlike DNS, GNS does not rely on central root zones or authorities.
  1066. Instead any user administers their own root and can can create arbitrary
  1067. name value mappings. Furthermore users can delegate resolution to other
  1068. users' zones just like DNS NS records do. Zones are uniquely identified
  1069. via public keys and resource records are signed using the corresponding
  1070. public key. Delegation to another user's zone is done using special PKEY
  1071. records and petnames. A petname is a name that can be freely chosen by
  1072. the user. This results in non-unique name-value mappings as
  1073. @code{@uref{http://www.bob.gnu/, www.bob.gnu}} to one user might be
  1074. @code{@uref{http://www.friend.gnu/, www.friend.gnu}} for someone else.
  1075. @menu
  1076. * Creating a Zone::
  1077. * Maintaining your own Zones::
  1078. * Obtaining your Zone Key::
  1079. * Adding Links to Other Zones::
  1080. * Using Public Keys as Top Level Domains::
  1081. * Resource Records in GNS::
  1082. * Synchronizing with legacy DNS::
  1083. * Migrating an existing DNS zone into GNS::
  1084. @end menu
  1085. @node Creating a Zone
  1086. @subsection Creating a Zone
  1087. To use GNS, you probably should create at least one zone of your own.
  1088. You can create any number of zones using the gnunet-identity tool
  1089. using:
  1090. @example
  1091. $ gnunet-identity -C "myzone"
  1092. @end example
  1093. Henceforth, on your system you control the TLD ``myzone''.
  1094. All of your zones can be listed (displayed) using the
  1095. @command{gnunet-identity} command line tool as well:
  1096. @example
  1097. $ gnunet-identity -d
  1098. @end example
  1099. @node Maintaining your own Zones
  1100. @subsection Maintaining your own Zones
  1101. @noindent
  1102. Now you can add (or edit, or remove) records in your GNS zone using the
  1103. @command{gnunet-namestore-gtk} GUI or using the @command{gnunet-namestore}
  1104. command-line tool.
  1105. In either case, your records will be stored in an SQL database under
  1106. control of the @command{gnunet-service-namestore}.
  1107. Note that if multiple users use one peer, the namestore database will
  1108. include the combined records of all users.
  1109. However, users will not be able to see each other's records
  1110. if they are marked as private.
  1111. To provide a short example for editing your own zone, suppose you
  1112. have your own web server with the IP @code{1.2.3.4}. Then you can put an
  1113. @code{A} record (@code{A} records in DNS are for IPv4 IP addresses)
  1114. into your local zone ``myzone'' using the command:
  1115. @example
  1116. $ gnunet-namestore -z myzone -a -n www -t A -V 1.2.3.4 -e never
  1117. @end example
  1118. @noindent
  1119. Afterwards, you will be able to access your webpage under "www.myzone"
  1120. (assuming your webserver does not use virtual hosting, if it does,
  1121. please read up on setting up the GNS proxy).
  1122. Similar commands will work for other types of DNS and GNS records,
  1123. the syntax largely depending on the type of the record.
  1124. Naturally, most users may find editing the zones using the
  1125. @command{gnunet-namestore-gtk} GUI to be easier.
  1126. @node Obtaining your Zone Key
  1127. @subsection Obtaining your Zone Key
  1128. Each zone in GNS has a public-private key. Usually, gnunet-namestore and
  1129. gnunet-setup will access your private key as necessary, so you do not
  1130. have to worry about those. What is important is your public key
  1131. (or rather, the hash of your public key), as you will likely want to
  1132. give it to others so that they can securely link to you.
  1133. You can usually get the hash of your public key using
  1134. @example
  1135. $ gnunet-identity -d $options | grep myzone | awk '@{print $3@}'
  1136. @end example
  1137. @noindent
  1138. For example, the output might be something like:
  1139. @example
  1140. DC3SEECJORPHQNVRH965A6N74B1M37S721IG4RBQ15PJLLPJKUE0
  1141. @end example
  1142. @noindent
  1143. Alternatively, you can obtain a QR code with your zone key AND your
  1144. pseudonym from gnunet-namestore-gtk. The QR code is displayed in the
  1145. main window and can be stored to disk using the ``Save as'' button
  1146. next to the image.
  1147. @node Adding Links to Other Zones
  1148. @subsection Adding Links to Other Zones
  1149. A central operation in GNS is the ability to securely delegate to
  1150. other zones. Basically, by adding a delegation you make all of the
  1151. names from the other zone available to yourself. This section
  1152. describes how to create delegations.
  1153. Suppose you have a friend who you call 'bob' who also uses GNS.
  1154. You can then delegate resolution of names to Bob's zone by adding
  1155. a PKEY record to their local zone:
  1156. @example
  1157. $ gnunet-namestore -a -n bob --type PKEY -V XXXX -e never -Z myzone
  1158. @end example
  1159. @noindent
  1160. Note that ``XXXX'' in the command above must be replaced with the hash
  1161. of Bob's public key (the output your friend obtained using the
  1162. @command{gnunet-identity} command from the previous section and told
  1163. you, for example by giving you a business card containing this
  1164. information as a QR code).
  1165. Assuming Bob has an ``A'' record for their website under the name of
  1166. ``www'' in his zone, you can then access Bob's website under
  1167. ``www.bob.myzone'' --- as well as any (public) GNS record that Bob has
  1168. in their zone by replacing www with the respective name of the
  1169. record in Bob's zone.
  1170. @c themselves? themself?
  1171. Furthermore, if Bob has themselves a (public) delegation to Carol's
  1172. zone under "carol", you can access Carol's records under
  1173. ``NAME.carol.bob.myzone'' (where ``NAME'' is the name of Carol's
  1174. record you want to access).
  1175. @node Using Public Keys as Top Level Domains
  1176. @subsection Using Public Keys as Top Level Domains
  1177. GNS also assumes responsibility for any name that uses in a
  1178. well-formed public key for the TLD. Names ending this way are then
  1179. resolved by querying the respective zone. Such public key TLDs are
  1180. expected to be used under rare circumstances where globally unique
  1181. names are required, and for integration with legacy systems.
  1182. @node Resource Records in GNS
  1183. @subsection Resource Records in GNS
  1184. GNS supports the majority of the DNS records as defined in
  1185. @uref{http://www.ietf.org/rfc/rfc1035.txt, RFC 1035}. Additionally,
  1186. GNS defines some new record types the are unique to the GNS system.
  1187. For example, GNS-specific resource records are used to give petnames
  1188. for zone delegation, revoke zone keys and provide some compatibility
  1189. features.
  1190. For some DNS records, GNS does extended processing to increase their
  1191. usefulness in GNS. In particular, GNS introduces special names
  1192. referred to as "zone relative names". Zone relative names are allowed
  1193. in some resource record types (for example, in NS and CNAME records)
  1194. and can also be used in links on webpages. Zone relative names end
  1195. in ".+" which indicates that the name needs to be resolved relative
  1196. to the current authoritative zone. The extended processing of those
  1197. names will expand the ".+" with the correct delegation chain to the
  1198. authoritative zone (replacing ".+" with the name of the location
  1199. where the name was encountered) and hence generate a
  1200. valid GNS name.
  1201. GNS currently supports the following record types:
  1202. @menu
  1203. * NICK::
  1204. * PKEY::
  1205. * BOX::
  1206. * LEHO::
  1207. * VPN::
  1208. * A AAAA and TXT::
  1209. * CNAME::
  1210. * GNS2DNS::
  1211. * SOA SRV PTR and MX::
  1212. * PLACE::
  1213. * PHONE::
  1214. * ID ATTR::
  1215. * ID TOKEN::
  1216. * ID TOKEN METADATA::
  1217. * CREDENTIAL::
  1218. * POLICY::
  1219. * ATTRIBUTE::
  1220. * ABE KEY::
  1221. * ABE MASTER::
  1222. * RECLAIM OIDC CLIENT::
  1223. * RECLAIM OIDC REDIRECT::
  1224. @end menu
  1225. @node NICK
  1226. @subsubsection NICK
  1227. A NICK record is used to give a zone a name. With a NICK record, you
  1228. can essentially specify how you would like to be called. GNS expects
  1229. this record under the empty label ``@@'' in the zone's database
  1230. (NAMESTORE); however, it will then automatically be copied into each
  1231. record set, so that clients never need to do a separate lookup to
  1232. discover the NICK record. Also, users do not usually have to worry
  1233. about setting the NICK record: it is automatically set to the local
  1234. name of the TLD.
  1235. @b{Example}@
  1236. @example
  1237. Name: @@; RRType: NICK; Value: bob
  1238. @end example
  1239. @noindent
  1240. This record in Bob's zone will tell other users that this zone wants
  1241. to be referred to as 'bob'. Note that nobody is obliged to call Bob's
  1242. zone 'bob' in their own zones. It can be seen as a
  1243. recommendation ("Please call this zone 'bob'").
  1244. @node PKEY
  1245. @subsubsection PKEY
  1246. PKEY records are used to add delegation to other users' zones and
  1247. give those zones a petname.
  1248. @b{Example}@
  1249. Let Bob's zone be identified by the hash "ABC012". Bob is your friend
  1250. so you want to give them the petname "friend". Then you add the
  1251. following record to your zone:
  1252. @example
  1253. Name: friend; RRType: PKEY; Value: ABC012;
  1254. @end example
  1255. @noindent
  1256. This will allow you to resolve records in bob's zone
  1257. under "*.friend.gnu".
  1258. @node BOX
  1259. @subsubsection BOX
  1260. BOX records are there to integrate information from TLSA or
  1261. SRV records under the main label. In DNS, TLSA and SRV records
  1262. use special names of the form @code{_port._proto.(label.)*tld} to
  1263. indicate the port number and protocol (i.e. tcp or udp) for which
  1264. the TLSA or SRV record is valid. This causes various problems, and
  1265. is elegantly solved in GNS by integrating the protocol and port
  1266. numbers together with the respective value into a "BOX" record.
  1267. Note that in the GUI, you do not get to edit BOX records directly
  1268. right now --- the GUI will provide the illusion of directly
  1269. editing the TLSA and SRV records, even though they internally
  1270. are BOXed up.
  1271. @node LEHO
  1272. @subsubsection LEHO
  1273. The LEgacy HOstname of a server. Some webservers expect a specific
  1274. hostname to provide a service (virtiual hosting). Also SSL
  1275. certificates usually contain DNS names. To provide the expected
  1276. legacy DNS name for a server, the LEHO record can be used.
  1277. To mitigate the just mentioned issues the GNS proxy has to be used.
  1278. The GNS proxy will use the LEHO information to apply the necessary
  1279. transformations.
  1280. @node VPN
  1281. @subsubsection VPN
  1282. GNS allows easy access to services provided by the GNUnet Virtual Public
  1283. Network. When the GNS resolver encounters a VPN record it will contact
  1284. the VPN service to try and allocate an IPv4/v6 address (if the queries
  1285. record type is an IP address) that can be used to contact the service.
  1286. @b{Example}@
  1287. I want to provide access to the VPN service "web.gnu." on port 80 on peer
  1288. ABC012:@
  1289. Name: www; RRType: VPN; Value: 80 ABC012 web.gnu.
  1290. The peer ABC012 is configured to provide an exit point for the service
  1291. "web.gnu." on port 80 to it's server running locally on port 8080 by
  1292. having the following lines in the @file{gnunet.conf} configuration file:
  1293. @example
  1294. [web.gnunet.]
  1295. TCP_REDIRECTS = 80:localhost4:8080
  1296. @end example
  1297. @node A AAAA and TXT
  1298. @subsubsection A AAAA and TXT
  1299. Those records work in exactly the same fashion as in traditional DNS.
  1300. @node CNAME
  1301. @subsubsection CNAME
  1302. As specified in RFC 1035 whenever a CNAME is encountered the query
  1303. needs to be restarted with the specified name. In GNS a CNAME
  1304. can either be:
  1305. @itemize @bullet
  1306. @item A zone relative name,
  1307. @item A zkey name or
  1308. @item A DNS name (in which case resolution will continue outside
  1309. of GNS with the systems DNS resolver)
  1310. @end itemize
  1311. @node GNS2DNS
  1312. @subsubsection GNS2DNS
  1313. GNS can delegate authority to a legacy DNS zone. For this, the
  1314. name of the DNS nameserver and the name of the DNS zone are
  1315. specified in a GNS2DNS record.
  1316. @b{Example}
  1317. @example
  1318. Name: pet; RRType: GNS2DNS; Value: gnunet.org@@a.ns.joker.com
  1319. @end example
  1320. @noindent
  1321. Any query to @code{pet.gnu} will then be delegated to the DNS server at
  1322. @code{a.ns.joker.com}. For example,
  1323. @code{@uref{http://www.pet.gnu/, www.pet.gnu}} will result in a DNS query
  1324. for @code{@uref{http://www.gnunet.org/, www.gnunet.org}} to the server
  1325. at @code{a.ns.joker.com}. Delegation to DNS via NS records in GNS can
  1326. be useful if you do not want to start resolution in the DNS root zone
  1327. (due to issues such as censorship or availability).
  1328. Note that you would typically want to use a relative name for the
  1329. nameserver, i.e.
  1330. @example
  1331. Name: pet; RRType: GNS2DNS; Value: gnunet.org@@ns-joker.+@
  1332. Name: ns-joker; RRType: A; Value: 184.172.157.218
  1333. @end example
  1334. @noindent
  1335. This way, you can avoid involving the DNS hierarchy in the resolution of
  1336. @code{a.ns.joker.com}. In the example above, the problem may not be
  1337. obvious as the nameserver for "gnunet.org" is in the ".com" zone.
  1338. However, imagine the nameserver was "ns.gnunet.org". In this case,
  1339. delegating to "ns.gnunet.org" would mean that despite using GNS,
  1340. censorship in the DNS ".org" zone would still be effective.
  1341. @node SOA SRV PTR and MX
  1342. @subsubsection SOA SRV PTR and MX
  1343. The domain names in those records can, again, be either
  1344. @itemize @bullet
  1345. @item A zone relative name,
  1346. @item A zkey name or
  1347. @item A DNS name
  1348. @end itemize
  1349. The resolver will expand the zone relative name if possible.
  1350. Note that when using MX records within GNS, the target mail
  1351. server might still refuse to accept e-mails to the resulting
  1352. domain as the name might not match. GNS-enabled mail clients
  1353. should use the ZKEY zone as the destination hostname and
  1354. GNS-enabled mail servers should be configured to accept
  1355. e-mails to the ZKEY-zones of all local users.
  1356. To add a SOA record via the gnunet-namestore command line
  1357. tool use the following syntax for the value option. Choose
  1358. the other options according to your preference, however in
  1359. this example we will use a relative expiry, add the record
  1360. under the label @ and add the records to the zone bar
  1361. which already exists:
  1362. @example
  1363. $ gnunet-namestore -a -n @ -t SOA -z bar -e 3600s -V \
  1364. > "rname=$PRIMARY_NS \
  1365. > mname=$CONTACT_MAIL \
  1366. > $SERIAL,$REFRESH,$RETRY,$EXPIRY,$MINIMUM_TTL"
  1367. @end example
  1368. The above command filled in with values looks like this:
  1369. @example
  1370. $ gnunet-namestore -a -n @ -t SOA -z bar -e 3600s -V \
  1371. > "rname=ns1.bar \
  1372. > mname=root.bar \
  1373. > 2019081701,3600,1800,86400,7200"
  1374. @end example
  1375. MX records use a similar syntax which is outlined in the
  1376. example below. $SERVER is a domain name as mentioned above.
  1377. @example
  1378. $ gnunet-namestore -a -n mail -t MX -z bar -e 3600s -V \
  1379. > "$PRIORITY,$SERVER"
  1380. @end example
  1381. With the values substituted this is an example of a working
  1382. command:
  1383. @example
  1384. $ gnunet-namestore -a -n mail -t MX -z bar -e 3600s -V \
  1385. > "10,mail.bar"
  1386. @end example
  1387. @node PLACE
  1388. @subsubsection PLACE
  1389. @c TODO describe record type and give an example of how and
  1390. @c when to use it
  1391. Record type for a social place.
  1392. @node PHONE
  1393. @subsubsection PHONE
  1394. @c TODO describe record type and give an example of how and
  1395. @c when to use it
  1396. Record type for a phone (of CONVERSATION).
  1397. @node ID ATTR
  1398. @subsubsection ID ATTR
  1399. @c TODO describe record type and give an example of how and
  1400. @c when to use it
  1401. Record type for identity attributes (of IDENTITY).
  1402. @node ID TOKEN
  1403. @subsubsection ID TOKEN
  1404. @c TODO describe record type and give an example of how and
  1405. @c when to use it
  1406. Record type for an identity token (of IDENTITY-TOKEN).
  1407. @node ID TOKEN METADATA
  1408. @subsubsection ID TOKEN METADATA
  1409. @c TODO describe record type and give an example of how and
  1410. @c when to use it
  1411. Record type for the private metadata of an identity token (of IDENTITY-TOKEN).
  1412. @node CREDENTIAL
  1413. @subsubsection CREDENTIAL
  1414. @c TODO describe record type and give an example of how and
  1415. @c when to use it
  1416. Record type for credential.
  1417. @node POLICY
  1418. @subsubsection POLICY
  1419. @c TODO describe record type and give an example of how and
  1420. @c when to use it
  1421. Record type for policies.
  1422. @node ATTRIBUTE
  1423. @subsubsection ATTRIBUTE
  1424. @c TODO describe record type and give an example of how and
  1425. @c when to use it
  1426. Record type for reverse lookups.
  1427. @node ABE KEY
  1428. @subsubsection ABE KEY
  1429. @c TODO describe record type and give an example of how and
  1430. @c when to use it
  1431. Record type for ABE records.
  1432. @node ABE MASTER
  1433. @subsubsection ABE MASTER
  1434. @c TODO describe record type and give an example of how and
  1435. @c when to use it
  1436. Record type for ABE master keys.
  1437. @node RECLAIM OIDC CLIENT
  1438. @subsubsection RECLAIM OIDC CLIENT
  1439. @c TODO describe record type and give an example of how and
  1440. @c when to use it
  1441. Record type for reclaim OIDC clients.
  1442. @node RECLAIM OIDC REDIRECT
  1443. @subsubsection RECLAIM OIDC REDIRECT
  1444. @c TODO describe record type and give an example of how and
  1445. @c when to use it
  1446. Record type for reclaim OIDC redirect URIs.
  1447. @node Synchronizing with legacy DNS
  1448. @subsection Synchronizing with legacy DNS
  1449. If you want to support GNS but the master database for a zone
  1450. is only available and maintained in DNS, GNUnet includes the
  1451. @command{gnunet-zoneimport} tool to monitor a DNS zone and
  1452. automatically import records into GNS. Today, the tool does
  1453. not yet support DNS AF(X)R, as we initially used it on the
  1454. ``.fr'' zone which does not allow us to perform a DNS zone
  1455. transfer. Instead, @command{gnunet-zoneimport} reads a list
  1456. of DNS domain names from @code{stdin}, issues DNS queries for
  1457. each, converts the obtained records (if possible) and stores
  1458. the result in the namestore.
  1459. @image{images/gns,6in,, picture of DNS-GNS data flow}
  1460. The zonemaster service then takes the records from the namestore,
  1461. publishes them into the DHT which makes the result available to the
  1462. GNS resolver. In the GNS configuration, non-local zones can be
  1463. configured to be intercepted by specifying ``.tld = PUBLICKEY'' in the
  1464. configuration file in the ``[gns]'' section.
  1465. Note that the namestore by default also populates the namecache.
  1466. This pre-population is cryptographically expensive. Thus, on
  1467. systems that only serve to import a large (millions of records)
  1468. DNS zone and that do not have a local gns service in use, it
  1469. is thus advisable to disable the namecache by setting the
  1470. option ``DISABLE'' to ``YES'' in section ``[namecache]''.
  1471. @node Migrating an existing DNS zone into GNS
  1472. @subsection Migrating an existing DNS zone into GNS
  1473. Ascension is a tool to migrate existing DNS zones into GNS.
  1474. @xref{Migrating existing DNS zones into GNS}, for installation instructions and
  1475. further information about Ascension.
  1476. Compared to the gnunet-zoneimport tool it strictly uses AXFR or IXFR depending
  1477. on whether or not there exists a SOA record for the zone. If that is the case it
  1478. will take the serial as a reference point and request the zone. The server will
  1479. either answer the IXFR request with a correct incremental zone or with the
  1480. entire zone, which depends on the server configuration.
  1481. After installing the tool according to the README file you have the following
  1482. options:
  1483. @example
  1484. Ascension
  1485. Usage:
  1486. ascension <domain> [-d] [-p] [-s] [--minimum-ttl=<ttl>] \
  1487. [--dry-run]
  1488. ascension <domain> <port> [-d] [-p] [-s] \
  1489. [--minimum-ttl=<ttl>] [--dry-run]
  1490. ascension <domain> -n <transferns> [-d] [-p] \
  1491. [-s] [--minimum-ttl=<ttl>] [--dry-run]
  1492. ascension <domain> -n <transferns> <port> [-d] \
  1493. [-p] [-s] [--minimum-ttl=<ttl>] [--dry-run]
  1494. ascension -p | --public
  1495. ascension -d | --debug
  1496. ascension -s | --standalone
  1497. ascension -h | --help
  1498. ascension -v | --version
  1499. Options:
  1500. <domain> Domain to migrate
  1501. <port> Port for zone transfer
  1502. <transferns> DNS Server that does the zone transfer
  1503. --minimum-ttl=<ttl> Minimum TTL for records to migrate \
  1504. [default: 3600]
  1505. --dry-run Only try if a zone transfer is allowed
  1506. -p --public Make records public on the DHT
  1507. -s --standalone Run ascension once
  1508. -d --debug Enable debugging
  1509. -h --help Show this screen.
  1510. -v --version Show version.
  1511. @end example
  1512. Before you can migrate any zone though, you need to start a local GNUnet peer:
  1513. @example
  1514. $ gnunet-arm -s
  1515. @end example
  1516. To migrate the Syrian top level domain - one of the few top level domains that
  1517. support zone transfers - into GNS use the following command:
  1518. @example
  1519. $ ascension sy. -n ns1.tld.sy. -p
  1520. @end example
  1521. The -p flag will tell GNS to put these records on the DHT so that other users
  1522. may resolve these records by using the public key of the zone.
  1523. Once the zone is migrated, Ascension will output a message telling you, that it
  1524. will refresh the zone after the time has elapsed. You can resolve the names in
  1525. the zone directly using GNS or if you want to use it with your browser, check
  1526. out the GNS manual section. @ref{Configuring the GNU Name System}. To resolve
  1527. the records from another system you need the respective zones PKEY. To get the
  1528. zones public key, you can run the following command:
  1529. @example
  1530. $ gnunet-identity -dqe sy
  1531. @end example
  1532. Where "sy" is the name of the zone you want to migrate.
  1533. You can share the PKEY of the zone with your friends. They can then resolve
  1534. records in the zone by doing a lookup replacing the zone label with your PKEY:
  1535. @example
  1536. $ gnunet-gns -t SOA -u "$PKEY"
  1537. @end example
  1538. The program will continue to run as a daemon and update once the refresh time
  1539. specified in the zones SOA record has elapsed.
  1540. DNSCurve style records are supported in the latest release and they are added
  1541. as a PKEY record to be referred to the respective GNS public key. Key
  1542. distribution is still a problem but provided someone else has a public key
  1543. under a given label it can be looked up.
  1544. There is an unofficial Debian package called python3-ascension that adds a
  1545. system user ascension and runs a GNUnet peer in the background.
  1546. Ascension-bind is also an unofficial Debian package that on installation checks
  1547. for running DNS zones and whether or not they are transferable using DNS zone
  1548. transfer (AXFR). It asks the administrator which zones to migrate into GNS and
  1549. installs a systemd unit file to keep the zone up to date. If you want to
  1550. migrate different zones you might want to check the unit file from the package
  1551. as a guide.
  1552. @node reclaimID Identity Provider
  1553. @section reclaimID Identity Provider
  1554. The reclaimID Identity Provider (IdP) is a decentralized IdP service.
  1555. It allows its users to manage and authorize third parties to access
  1556. their identity attributes such as email or shipping addresses.
  1557. It basically mimics the concepts of centralized IdPs, such as those
  1558. offered by Google or Facebook.
  1559. Like other IdPs, reclaimID features an (optional) OpenID-Connect
  1560. 1.0-compliant protocol layer that can be used for websites to
  1561. integrate reclaimID as an Identity Provider with little effort.
  1562. @menu
  1563. * Managing Attributes::
  1564. * Sharing Attributes with Third Parties::
  1565. * Revoking Authorizations of Third Parties::
  1566. * OpenID Connect::
  1567. @end menu
  1568. @node Managing Attributes
  1569. @subsection Managing Attributes
  1570. Before adding attributes to an identity, you must first create an ego:
  1571. @example
  1572. $ gnunet-identity -C "user"
  1573. @end example
  1574. Henceforth, you can manage a new user profile of the user ``user''.
  1575. To add an email address to your user profile, simply use the @command{gnunet-reclaim} command line tool::
  1576. @example
  1577. $ gnunet-reclaim -e "user" -a "email" -V "username@@example.gnunet"
  1578. @end example
  1579. All of your attributes can be listed using the @command{gnunet-reclaim}
  1580. command line tool as well:
  1581. @example
  1582. $ gnunet-reclaim -e "user" -D
  1583. @end example
  1584. Currently, and by default, attribute values are interpreted as plain text.
  1585. In the future there might be more value types such as X.509 certificate credentials.
  1586. @node Sharing Attributes with Third Parties
  1587. @subsection Sharing Attributes with Third Parties
  1588. If you want to allow a third party such as a website or friend to access to your attributes (or a subset thereof) execute:
  1589. @example
  1590. $ gnunet-reclaim -e "user" -r "PKEY" -i "attribute1,attribute2,..."
  1591. @end example
  1592. Where "PKEY" is the public key of the third party and "attribute1,attribute2,..." is a comma-separated list of attribute names, such as "email,name,...", that you want to share.
  1593. The command will return a "ticket" string.
  1594. You must give this "ticket" to the requesting third party.
  1595. The third party can then retrieve your shared identity attributes using:
  1596. @example
  1597. $ gnunet-reclaim -e "friend" -C "ticket"
  1598. @end example
  1599. Where "friend" is the name for "user" that the requesting party is using.
  1600. This will retrieve and list the shared identity attributes.
  1601. The above command will also work if the user is currently offline since the attributes are retrieved from GNS.
  1602. Further, the "ticket" can be re-used later to retrieve up-to-date attributes in case "friend" has changed the value(s). For instance, because his email address changed.
  1603. To list all given authorizations (tickets) you can execute:
  1604. @example
  1605. $ gnunet-reclaim -e "friend" -T (TODO there is only a C and REST API for this at this time)
  1606. @end example
  1607. @node Revoking Authorizations of Third Parties
  1608. @subsection Revoking Authorizations of Third Parties
  1609. If you want to revoke the access of a third party to your attributes you can execute:
  1610. @example
  1611. $ gnunet-reclaim -e "user" -R "ticket"
  1612. @end example
  1613. This will prevent the third party from accessing the attribute in the future.
  1614. Please note that if the third party has previously accessed the attribute, there is not way in which the system could have prevented the thiry party from storing the data.
  1615. As such, only access to updated data in the future can be revoked.
  1616. This behaviour is _exactly the same_ as with other IdPs.
  1617. @node OpenID Connect
  1618. @subsection OpenID Connect
  1619. There is an OpenID Connect API for use with reclaimID.
  1620. However, its use is quite complicated to setup.
  1621. As a proof-of-concept, you can look at https://gitlab.com/reclaimid.
  1622. In the PoC and by convention for reclaimID, the OpenID Connect Endpoints are
  1623. found at:
  1624. @example
  1625. http://api.reclaim/openid/authorize
  1626. http://api.reclaim/openid/token
  1627. http://api.reclaim/openid/userinfo
  1628. http://api.reclaim/openid/login
  1629. @end example
  1630. The token endpoint is protected using HTTP basic authentication.
  1631. You can authenticate using any username and the password configured under:
  1632. @example
  1633. $ gnunet-config -s reclaim-rest-plugin -o PSW
  1634. @end example
  1635. The authorize endpoint is protected using a Cookie which can be obtained through
  1636. a request against the login endpoint.
  1637. This flow is meant to be used in the context of the OpenID Connect authorization
  1638. flow to collect user consent interactively.
  1639. Without a Cookie, the authorize endpoint redirects to a URI configured under:
  1640. @example
  1641. $ gnunet-config -s reclaim-rest-plugin -o ADDRESS
  1642. @end example
  1643. Our PoC includes a user interface (https://gitlab.com/reclaimid) which
  1644. integrates this process is an OpenID Connect compatible fashion.
  1645. The token endpoint is protected using OAuth2 and expects the grant
  1646. which is retrieved from the authorization endpoint according to the standard.
  1647. The userinfo endpoint is protected using OAuth2 and expects a bearer access
  1648. token which is retrieved from a token request.
  1649. In order to create and register a client you need to execute the following
  1650. steps:
  1651. @example
  1652. $ gnunet-identity -C <client_name>
  1653. $ gnunet-namestore -z <client_name> -a -n "@@" -t RECLAIM_OIDC_REDIRECT -V <redirect_uri> -e 1d -p
  1654. $ gnunet-namestore -z <client_name> -a -n "@@" -t RECLAIM_OIDC_CLIENT -V "My OIDC Client" -e 1d -p
  1655. @end example
  1656. The client_id will be the public key of the client.
  1657. As a redirect URI, you may use any globally unique DNS or GNS URI.
  1658. The client description will be displayed to the user on authorization.
  1659. Any website or relying party must use the endpoint
  1660. https://api.reclaim/openid/authorize in its authorization redirects, e.g.
  1661. @example
  1662. <a href="https://api.reclaim/openid/authorize?client_id=<PKEY>\
  1663. &scope=email\
  1664. &redirect_uri=<redirect_uri>\
  1665. &nonce=<random>">Login</a>
  1666. @end example
  1667. This will direct the user's browser onto his local reclaimID instance.
  1668. After giving consent, you will be provided with the OpenID Connect authorization
  1669. code according to the specifications at your provided redirect URI.
  1670. The example code for the PoC website can be found at https://gitlab.com/reclaimid/demo.
  1671. @node Using the Virtual Public Network
  1672. @section Using the Virtual Public Network
  1673. @menu
  1674. * Setting up an Exit node::
  1675. * Fedora and the Firewall::
  1676. * Setting up VPN node for protocol translation and tunneling::
  1677. @end menu
  1678. Using the GNUnet Virtual Public Network (VPN) application you can
  1679. tunnel IP traffic over GNUnet. Moreover, the VPN comes
  1680. with built-in protocol translation and DNS-ALG support, enabling
  1681. IPv4-to-IPv6 protocol translation (in both directions).
  1682. This chapter documents how to use the GNUnet VPN.
  1683. The first thing to note about the GNUnet VPN is that it is a public
  1684. network. All participating peers can participate and there is no
  1685. secret key to control access. So unlike common virtual private
  1686. networks, the GNUnet VPN is not useful as a means to provide a
  1687. "private" network abstraction over the Internet. The GNUnet VPN
  1688. is a virtual network in the sense that it is an overlay over the
  1689. Internet, using its own routing mechanisms and can also use an
  1690. internal addressing scheme. The GNUnet VPN is an Internet
  1691. underlay --- TCP/IP applications run on top of it.
  1692. The VPN is currently only supported on GNU/Linux systems.
  1693. Support for operating systems that support TUN (such as FreeBSD)
  1694. should be easy to add (or might not even require any coding at
  1695. all --- we just did not test this so far). Support for other
  1696. operating systems would require re-writing the code to create virtual
  1697. network interfaces and to intercept DNS requests.
  1698. The VPN does not provide good anonymity. While requests are routed
  1699. over the GNUnet network, other peers can directly see the source
  1700. and destination of each (encapsulated) IP packet. Finally, if you
  1701. use the VPN to access Internet services, the peer sending the
  1702. request to the Internet will be able to observe and even alter
  1703. the IP traffic. We will discuss additional security implications
  1704. of using the VPN later in this chapter.
  1705. @node Setting up an Exit node
  1706. @subsection Setting up an Exit node
  1707. Any useful operation with the VPN requires the existence of an exit
  1708. node in the GNUnet Peer-to-Peer network. Exit functionality can only
  1709. be enabled on peers that have regular Internet access. If you want
  1710. to play around with the VPN or support the network, we encourage
  1711. you to setup exit nodes. This chapter documents how to setup an
  1712. exit node.
  1713. There are four types of exit functions an exit node can provide,
  1714. and using the GNUnet VPN to access the Internet will only work
  1715. nicely if the first three types are provided somewhere in
  1716. the network. The four exit functions are:
  1717. @itemize @bullet
  1718. @item DNS: allow other peers to use your DNS resolver
  1719. @item IPv4: allow other peers to access your IPv4 Internet connection
  1720. @item IPv6: allow other peers to access your IPv6 Internet connection
  1721. @item Local service: allow other peers to access a specific TCP or
  1722. UDP service your peer is providing
  1723. @end itemize
  1724. By enabling "exit" in gnunet-setup and checking the respective boxes
  1725. in the "exit" tab, you can easily choose which of the above exit
  1726. functions you want to support.
  1727. Note, however, that by supporting the first three functions you will
  1728. allow arbitrary other GNUnet users to access the Internet via your
  1729. system. This is somewhat similar to running a Tor exit node. The
  1730. Torproject has a nice article about what to consider if you want
  1731. to do this here. We believe that generally running a DNS exit node
  1732. is completely harmless.
  1733. The exit node configuration does currently not allow you to restrict the
  1734. Internet traffic that leaves your system. In particular, you cannot
  1735. exclude SMTP traffic (or block port 25) or limit to HTTP traffic using
  1736. the GNUnet configuration. However, you can use your host firewall to
  1737. restrict outbound connections from the virtual tunnel interface. This
  1738. is highly recommended. In the future, we plan to offer a wider range
  1739. of configuration options for exit nodes.
  1740. Note that by running an exit node GNUnet will configure your kernel
  1741. to perform IP-forwarding (for IPv6) and NAT (for IPv4) so that the
  1742. traffic from the virtual interface can be routed to the Internet.
  1743. In order to provide an IPv6-exit, you need to have a subnet routed
  1744. to your host's external network interface and assign a subrange of
  1745. that subnet to the GNUnet exit's TUN interface.
  1746. When running a local service, you should make sure that the local
  1747. service is (also) bound to the IP address of your EXIT interface
  1748. (i.e. 169.254.86.1). It will NOT work if your local service is
  1749. just bound to loopback. You may also want to create a "VPN" record
  1750. in your zone of the GNU Name System to make it easy for others to
  1751. access your service via a name instead of just the full service
  1752. descriptor. Note that the identifier you assign the service can
  1753. serve as a passphrase or shared secret, clients connecting to the
  1754. service must somehow learn the service's name. VPN records in the
  1755. GNU Name System can make this easier.
  1756. @node Fedora and the Firewall
  1757. @subsection Fedora and the Firewall
  1758. When using an exit node on Fedora 15, the standard firewall can
  1759. create trouble even when not really exiting the local system!
  1760. For IPv4, the standard rules seem fine. However, for IPv6 the
  1761. standard rules prohibit traffic from the network range of the
  1762. virtual interface created by the exit daemon to the local IPv6
  1763. address of the same interface (which is essentially loopback
  1764. traffic, so you might suspect that a standard firewall would
  1765. leave this traffic alone). However, as somehow for IPv6 the
  1766. traffic is not recognized as originating from the local
  1767. system (and as the connection is not already "established"),
  1768. the firewall drops the traffic. You should still get ICMPv6
  1769. packets back, but that's obviously not very useful.
  1770. Possible ways to fix this include disabling the firewall (do you
  1771. have a good reason for having it on?) or disabling the firewall
  1772. at least for the GNUnet exit interface (or the respective
  1773. IPv4/IPv6 address range). The best way to diagnose these kinds
  1774. of problems in general involves setting the firewall to REJECT
  1775. instead of DROP and to watch the traffic using wireshark
  1776. (or tcpdump) to see if ICMP messages are generated when running
  1777. some tests that should work.
  1778. @node Setting up VPN node for protocol translation and tunneling
  1779. @subsection Setting up VPN node for protocol translation and tunneling
  1780. The GNUnet VPN/PT subsystem enables you to tunnel IP traffic over the
  1781. VPN to an exit node, from where it can then be forwarded to the
  1782. Internet. This section documents how to setup VPN/PT on a node.
  1783. Note that you can enable both the VPN and an exit on the same peer.
  1784. In this case, IP traffic from your system may enter your peer's VPN
  1785. and leave your peer's exit. This can be useful as a means to do
  1786. protocol translation. For example, you might have an application that
  1787. supports only IPv4 but needs to access an IPv6-only site. In this case,
  1788. GNUnet would perform 4to6 protocol translation between the VPN (IPv4)
  1789. and the Exit (IPv6). Similarly, 6to4 protocol translation is also
  1790. possible. However, the primary use for GNUnet would be to access
  1791. an Internet service running with an IP version that is not supported
  1792. by your ISP. In this case, your IP traffic would be routed via GNUnet
  1793. to a peer that has access to the Internet with the desired IP version.
  1794. Setting up an entry node into the GNUnet VPN primarily requires you
  1795. to enable the "VPN/PT" option in "gnunet-setup". This will launch the
  1796. "gnunet-service-vpn", "gnunet-service-dns" and "gnunet-daemon-pt"
  1797. processes. The "gnunet-service-vpn" will create a virtual interface
  1798. which will be used as the target for your IP traffic that enters the
  1799. VPN. Additionally, a second virtual interface will be created by
  1800. the "gnunet-service-dns" for your DNS traffic. You will then need to
  1801. specify which traffic you want to tunnel over GNUnet. If your ISP only
  1802. provides you with IPv4 or IPv6-access, you may choose to tunnel the
  1803. other IP protocol over the GNUnet VPN. If you do not have an ISP
  1804. (and are connected to other GNUnet peers via WLAN), you can also
  1805. choose to tunnel all IP traffic over GNUnet. This might also provide
  1806. you with some anonymity. After you enable the respective options
  1807. and restart your peer, your Internet traffic should be tunneled
  1808. over the GNUnet VPN.
  1809. The GNUnet VPN uses DNS-ALG to hijack your IP traffic. Whenever an
  1810. application resolves a hostname (i.e. 'gnunet.org'), the
  1811. "gnunet-daemon-pt" will instruct the "gnunet-service-dns" to intercept
  1812. the request (possibly route it over GNUnet as well) and replace the
  1813. normal answer with an IP in the range of the VPN's interface.
  1814. "gnunet-daemon-pt" will then tell "gnunet-service-vpn" to forward all
  1815. traffic it receives on the TUN interface via the VPN to the original
  1816. destination.
  1817. For applications that do not use DNS, you can also manually create
  1818. such a mapping using the gnunet-vpn command-line tool. Here, you
  1819. specify the desired address family of the result (i.e. "-4"), and the
  1820. intended target IP on the Internet ("-i 131.159.74.67") and
  1821. "gnunet-vpn" will tell you which IP address in the range of your
  1822. VPN tunnel was mapped.
  1823. @command{gnunet-vpn} can also be used to access "internal" services
  1824. offered by GNUnet nodes. So if you happen to know a peer and a
  1825. service offered by that peer, you can create an IP tunnel to
  1826. that peer by specifying the peer's identity, service name and
  1827. protocol (--tcp or --udp) and you will again receive an IP address
  1828. that will terminate at the respective peer's service.