I’m going to lead with the technical punch line, and then explain it:
Yggdrasil Network is an opportunistic mesh that can be deployed privately or as part of a global-scale network. Each node gets a stable IPv6 address (or even an entire /64) that is derived from its public key and is bound to that node as long as the node wants it (of course, it can generate a new keypair anytime) and is valid wherever the node joins the mesh. All traffic is end-to-end encrypted.
Yggdrasil will automatically discover peers on a LAN via broadcast beacons, and requires zero configuration to peer in such a way. It can also run as an overlay network atop the public Internet. Public peers serve as places to join the global network, and since it’s a mesh, if one device on your LAN joins the global network, the others will automatically have visibility on it also, thanks to the mesh routing.
It neatly solves a lot of problems of portability (my ssh sessions stay live as I move networks, for instance), VPN (incoming ports aren’t required since local nodes can connect to a public peer via an outbound connection), security, and so forth.
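The "address derived from its public key" property above is what makes the end-to-end encryption meaningful: the address is a commitment to the key, so a peer can only answer for an address whose key it holds. The following is an added example, not code from the original post or from the Yggdrasil project itself: a Go reimplementation of the node address and /64 derivation as I recall it from the project's published source for recent releases (those that derive the address directly from the ed25519 public key; earlier releases hashed the key first, so treat the exact layout as an assumption to confirm against the project's own tooling). The two 32-byte keys used in testing are constructed patterns, not real node keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net"
)

// Yggdrasil addresses sit in 0200::/7. First byte 0x02 marks a node's own
// /128; the node's /64 uses the same prefix with its low bit set (0x03).
// Layout assumed here, mirroring the project's published source.
var addrPrefix = [1]byte{0x02}

// AddrForKey derives the 128-bit node address from a 32-byte ed25519 public key:
// prefix byte, one byte counting the leading 1 bits of the bit-inverted key, then
// the key bits after the first 0, truncated to fill 16 bytes.
func AddrForKey(pub ed25519.PublicKey) ([16]byte, error) {
	var addr [16]byte
	if len(pub) != ed25519.PublicKeySize {
		return addr, fmt.Errorf("public key must be %d bytes, got %d", ed25519.PublicKeySize, len(pub))
	}
	ones, done := 0, false // leading 1 bits of the inverted key
	var payload []byte     // key bits after the first 0, packed into bytes
	var cur byte
	nBits := 0
	for i := 0; i < 8*len(pub); i++ {
		bit := (^pub[i/8] >> uint(7-i%8)) & 1 // bit i of the inverted key
		if !done {
			if bit == 1 {
				ones++
			} else {
				done = true
			}
			continue
		}
		cur = cur<<1 | bit
		if nBits++; nBits == 8 {
			payload = append(payload, cur)
			cur, nBits = 0, 0
		}
	}
	// Defensive check added here: an all-zero key (never produced by a real
	// keypair) would overflow the single byte that stores the count.
	if ones > 255 {
		return addr, fmt.Errorf("degenerate public key: %d leading ones", ones)
	}
	copy(addr[:], addrPrefix[:])
	addr[len(addrPrefix)] = byte(ones)
	copy(addr[len(addrPrefix)+1:], payload) // copy truncates to what fits
	return addr, nil
}

// AddrString formats the node's /128 in IPv6 notation.
func AddrString(pub ed25519.PublicKey) (string, error) {
	addr, err := AddrForKey(pub)
	if err != nil {
		return "", err
	}
	return net.IP(addr[:]).String(), nil
}

// SubnetString formats the node's /64: the first 8 address bytes with the
// prefix's low bit set, as CIDR.
func SubnetString(pub ed25519.PublicKey) (string, error) {
	addr, err := AddrForKey(pub)
	if err != nil {
		return "", err
	}
	var snet [16]byte
	copy(snet[:], addr[:8])
	snet[len(addrPrefix)-1] |= 0x01
	return net.IP(snet[:]).String() + "/64", nil
}

// KeyMatchesAddr is the binding check: does this key actually derive the
// address the peer claims? A mismatch means the key does not own that address.
func KeyMatchesAddr(claimed string, pub ed25519.PublicKey) (bool, error) {
	ip := net.ParseIP(claimed)
	if ip == nil {
		return false, fmt.Errorf("unparseable address %q", claimed)
	}
	addr, err := AddrForKey(pub)
	if err != nil {
		return false, err
	}
	return ip.Equal(net.IP(addr[:])), nil
}

func main() {
	// A fresh keypair, as a node generates on first start.
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a, _ := AddrString(pub)
	s, _ := SubnetString(pub)
	ok, _ := KeyMatchesAddr(a, pub)
	fmt.Printf("address %s\nsubnet  %s\nkey binds to address: %v\n", a, s, ok)
}
```

Because the leading run of ones is counted rather than stored bit by bit, a random key typically has only a handful of leading ones and the address keeps roughly 120 bits of the key; that is also why two different keys cannot share an address without a preimage-style collision on those bits.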
Now on to the explanation:
The Tyranny of IP rigidity
Every device on the Internet, at one time, had its own globally-unique IP address. This number was its identifier to the world; with an IP address, you can connect to any machine anywhere. Even now, when you connect to a computer to download a webpage or send a message, under the hood, your computer is talking to the other one by IP address.
Only, now it’s hard to get one. The Internet protocol we all grew up with, version 4 (IPv4), didn’t have enough addresses for the explosive growth we’ve seen. Internet providers and IT departments had to use a trick called NAT (Network Address Translation) to give you a sort of fake IP address, so they could put hundreds or thousands of devices behind a single public one. That, plus the mobility of devices — changing IPs whenever they change locations — has meant that a fundamental rule of the old Internet is now broken:
Every participant is an equal peer. (Well, not any more.)
Nowadays, you can’t host your own website from your phone. Or share files from your house. (Without, that is, the use of some third-party service that locks you down and acts as an intermediary.)
Back in the 90s, I worked at a university, and I, like every other employee, had a PC on my desk with an unfirewalled public IP. I installed a webserver, and poof – instant website. Nowadays, running a website from home is just about impossible. You may not have a public IP, and if you do, it likely changes from time to time. And even then, your ISP probably blocks you from running servers on it.
In short, you have to buy your way into the resources to participate on the Internet.
I wrote about these problems in more detail in my article Recovering Our Lost Free Will Online.
I already gave away the punch line at the top. But what does all that mean?
I’ve set up /etc/hosts on my laptop to use the Yggdrasil IPs for other machines on my LAN. Now I can just “ssh foo” and it will work — from home, from a coffee shop, from a 4G tether, wherever. Now, other tools like tinc can do this, obviously. And I could stop there; I could have a completely closed, private Yggdrasil network.
Or, I can join the global Yggdrasil network. Each device, in addition to accepting peers it finds on the LAN, can also be configured to establish outbound peering connections or accept inbound ones over the Internet. Put a public peer or two in your configuration and you’ve joined the global network. Most people will probably want to do that on every device (because why not?), but you could also do that from just one device on your LAN. Again, there’s no need to explicitly build routes via it; your other machines on the LAN will discover the route’s existence and use it.
This is one of many projects that are working to democratize and decentralize the Internet. So far, it has been quite successful, growing to over 2000 nodes. It is the direct successor to the earlier cjdns/Hyperboria and BATMAN networks, and aims to be a proof of concept and a viable tool for global expansion.
Finally, think about how much easier development is when you don’t have to necessarily worry about TLS complexity in every single application. When you don’t have to worry about port forwarding and firewall penetration. It’s what the Internet should be.
77 thoughts on “Make the Internet Yours Again With an Instant Mesh Network”
i’m curious: are yggdrasil IPs publicly routable? you mentioned those being accessible over 4G and so on, but does that require running a client on all your boxes?
in other words, if it’s an overlay network, is there a gateway in or out?
could i use this as a IPv6 tunnel for my IPv4-less uplink?
Yggdrasil IPs are not visible on the “clearnet” (the “default” Internet). Since a Yggdrasil IP is derived from the node’s public key, rather than its provider or host network, that does mean that it doesn’t use the conventional routing model either.
The usual approach is to run a Yggdrasil client on each box. That way, each box can roam wherever (eg, home, coffee shop, work/school, etc.) and they will have connectivity with each other regardless of physical location. Since Yggdrasil can discover peers on the LAN automatically, this is particularly nice and doesn’t even require Internet for LAN connectivity.
It can, of course, overlay over the clearnet (both IPv4 and IPv6). On the services page https://yggdrasil-network.github.io/services.html you can find a SOCKS proxy from Yggdrasil to clearnet, as well as various I2P, IPFS, Tor, etc. endpoints. I am not aware of a general public proxy from clearnet into Yggdrasil, but there is nothing preventing that.
Yggdrasil also gives you a /64 of IPv6 space, so an alternative approach is to install it on a router (or some other device) and provide access to the entire network that way. However, that approach sacrifices end-to-end encryption (since then it becomes end-to-router encryption).
I’m not quite sure what you mean by “IPv6 tunnel for my IPv4-less uplink”. You can certainly route traffic over it, and it could of course be used as a VPN to link two /64s. You might also be interested in tinc, which is designed as a closed VPN despite having some mesh features like Yggdrasil.
by “IPv6 tunnel for my IPv4-less uplink” i mean stuff like the IPv6 tunnels he.net provides for us poor folks still stuck in the legacy IPv4 world. it gives you access to the full internet over IPv6.
but from your description, I understand that’s not the point of yggrasil. the IPv6 space is not publicly routable.
I realize that it’s already end-to-end encrypted, but how does yggdrasil interact with web services that are currently run over https (with letsencrypt certs)? Are we forced to use plain http and disable (or whitelist) things like https-everywhere in browsers, or have you figured out a good way to handle https within yggdrasil?
It doesn’t interact well with Let’s Encrypt certs, at least by default. The general convention is to not use HTTPS over Yggdrasil due to no need and the complexity of cert verification for that.
John Goerzen mentioned this Article on changelog.complete.org.
@jvalleroy I keep thinking of more things to say after I write “/end” 🙂 So #Yggdrasil also works on a hyperlocal scale. Take 5 laptops and connect them to an ad-hoc wifi network, and with #Yggdrasil, they’ll auto-discover each other and communicate – even if they don’t even have IPs assigned! If just one of those nodes can also reach the Internet, then all of a sudden all of them can talk to global Yggdrasil also, because they automatically discover the route. Very cool. /end
@netopwibby Now in the “each site gets a /64” scenario, you have the one Yggdrasil gateway, so the nodes on the network don’t have the classic #Yggdrasil benefits of IP portability and such. But, all your stuff from printers to cameras can just use the network nicely. You’ve basically replaced the current Internet backbone (or layered atop it, depending). 5/
@netopwibby So let’s say you have a company with offices in five cities. You want the various networks to all see each other, seamlessly, and securely. A classic approach might involve VPNs. But then you quickly get into topology questions: who connects to whom? What happens if one site goes down – can all the others keep communicating between themselves? #tinc or #Yggdrasil can address this. 6/
@netopwibby With #Yggdrasil in this scenario, you could establish links from each site to each other site (if you wish). If a backhoe accident takes one of those links down, Yggdrasil will automatically figure out how to route traffic between A and B via, say, C. You can build up whatever topology you like, and you don’t have to teach Yggdrasil about it – it will /discover/ it, and also discover and adapt to changes in it (such as outages). 7/
@netopwibby So compared to VPNs and leased lines, this is a lot easier to manage. Still, in my use cases, I haven’t (yet) used the /64 because I have generally put Yggdrasil directly on each machine I want to use with it. But there are all sorts of options. Basically, #Yggdrasil lets you build your own #Internet, how you like, without all the expense and complexity. Pretty nifty. /end
@jgoerzen This was incredibly enlightening, thank you for taking the time to ELI5 haha! 🙏🏾
Why not zerotier or tailgate? I can’t see any difference in general except pure IPv6
They’re targeting fundamentally different things (I assume you meant Tailscale rather than Tailgate). Their free tier is limited to around 20 devices; Yggdrasil’s global mesh has thousands and you can join it, or build a private mesh to whatever scale you want too.