Meshcentral High Level Architecture
3.2 Peer-to-peer ports (TCP & UDP 16990)
Mesh agents initially discover each other using local multicast on UDP port 16990: each agent not only opens this port, it also joins the multicast group on it. An agent multicasts periodically until it finds another agent, at which point the multicast stops and all further discovery is done over peer-to-peer unicast instead. Mesh agents have a unilateral, one-way relationship with their peers: the set of peers a node treats as friends is not the same as the set of nodes that treat it as a friend. Each mesh agent also communicates with at most 20 peers. The process of selecting these peers is outside the scope of this document, but the result is a balanced graph in which each node has 20 correctly selected friends.

Once a candidate peer is selected for connection, the mesh agent starts by attempting a mutually-authenticated HTTPS request to the remote peer. If that succeeds, the remote peer returns a session key that is used for all future encrypted UDP communication between the two nodes.

As a result, at a high level, peers communicate with each other following this timeline (the diagram is not reproduced in this extract).

When the HTTPS session is established, each node presents a TLS certificate derived from its node certificate in such a way that each node can compute the other node's node identifier. The node identifier is the SHA-256 hash of the node's public key. In this design the nodes never transmit their node identifier; instead, the identifier is inferred from the certificate used in the HTTPS session. So that Node B need not maintain any state about Node A, the session key returned by Node B is actually a hash of Node A's identifier together with a secret session random held by Node B. This way Node B keeps no per-peer state, yet it can recompute the key and decrypt every UDP message sent by Node A.

UDP messages are encrypted using AES-CBC and authenticated using HMAC-SHA256. The periodic UDP Sync indicates that the peer is still present and carries any state that has changed. All peer-to-peer state in this design consists of blocks signed with RSA-2048 certificates, so state forwarded from node to node cannot be altered in transit.
