A question that frequently comes up: when will iroh support webrtc, or BLE, or LoRa, or ...
Iroh as of now supports only IPv4, IPv6 and relay transports out of the box. There is such a large variety of potentially interesting transports out there that we can't support all of them without turning the codebase into an unmaintainable maze of feature flags.
But we have added the ability to implement custom transports. That way your transport implementation can live in a completely separate crate.
Existing experimental custom transports include Tor, Nym and BLE. https://github.com/mcginty/iroh-ble-transport
Here is how custom transports work under the hood: https://www.iroh.computer/blog/iroh-0-97-0-custom-transports...
The current stuff about dialling is pretty incomprehensible, as shown by the many confused comments here. No one "dials" IP addresses (or keys), and no one wants to, so the word "dial" shouldn't be part of the title or description. The word "key" would be better not mentioned until you start talking about implementation, and the brief high level "what it is" and "what it is for" stuff should come before implementation.
Iroh seems quite relevant to some projects of mine, but after reading the blog post and the main page, I still had no idea of that relevance until I had read over a hundred comments here (many of them confused about what Iroh was).
I'm trying to understand it's limitations, if I used this to build a p2p client / server setup or even two peer machines, what else do I need to setup to be able to have connections between the two applications?
For example, could I create an application that runs on my phone and another that runs on my laptop and finally get a direct secured working connection between the two of them? Or is this solving a different problem? =)
-[0]: p2p chat, in rust, from scratch: https://www.youtube.com/watch?v=ogN_mBkWu7o
Here is a video of frando from our team demoing media over QUIC: https://www.youtube.com/watch?v=K3qqyu1mmGQ
If you use the default setup you are still depending on a tiny bit of cloud infrastructure such as our public relays to faciliate the hole punching. However, we also have optional local discovery using e.g. mDNS.
Last year, I was trying to choose between the two and went with that I know... but it feels like there's real momentum on Iroh's side.
This would give you a native iroh node that also speaks webrtc but I find that what folks want is for browsers to participate as peers.
I build p2claw, p2p for self-hosted web apps, and ended up doing both halves separately. Box to box is iroh, although I use my own coordinator service and run my own iroh relay. Browser to box is webrtc with a service worker that makes the browser act like a peer. The worker grabs fetches and sends them as HTTP frames over the data channel, the box answers on localhost. The browser bit has to be webrtc because it's the only browser api does ICE.
Wiring up the iroh half went smoothly, very much enjoying working with the library. Congrats on 1.0!
So you might get a lot of traffic. You can configure rate limiting, as we do on our public relays.
The traffic is fully encrypted and can not be decrypted by the relay. The only information the relay has is what is necessary for it to function - the endpoint id and ip addresses of the endpoints that are connected to it at any given time, as well as endpoint pairings.
You relay encrypted traffic with no egress to the open internet. So if you want to compare it with Tor, it would be like a tor guard/middle relay, not an exit node.
> Tor
you are using a Tor daemon in it. tor has a rust implementation and when used with rust has stream objects etc.
an example of how it's used can be found in https://gitlab.torproject.org/tpo/core/oniux
Arguably directly embedding the rust tor implementation would be more useful for the typical iroh user that wants an embeddable library. I just did not get to it yet.
But thanks for the link.
How current is the PyPI package? https://pypi.org/project/iroh/
Strategy patterns and code-centralised feature management ftw :)
So the relay is never in a position to send you the wrong public key, because it doesn’t give it to you in the first place.
Only the owner of the corresponding private key can initiate a connection from their public key, or receive a connection attempt to their public key.
Let's say you have alice and bob talking via a relay. Even if you have the private key of alice, you can impersonate alice to bob, but not vice versa. So you can't initiate a connection between the two.
To really intercept data you would need the private keys of both participants.
I am not aware of a LoRa custom transport yet, but that is not unexpected given that the custom transport API is relatively new, and our main focus has been on getting iroh 1.0 out of the door.
If your question is, "why not just use Tailscale?", look at it from an app developer's perspective. If you want to release an app and have instances of your app be able to easily connect to each other, you could theoretically embeded Tailscale functionality into your app, but then the users of your app need Tailscale accounts, and your app is dependent on Tailscale.
Iroh lets you embed this functionality directly, and provides public fallback relays. If your app gets too big for the public relays, using your own relays is the flip of a switch.
You explained the value proposition so well. The website just didnt get to the "why?" At all
For environments where you want people to access your local instance, I believe Iroh will be a game changer. For us, it's to allow control over our software through phones and other devices easily.
Previously, you might have to make sure they're in the same LAN network. But with Iroh, anything works.
especially when iroh makes it so easy and awesome to do it right.
Either one will allow you to stop "concentrating distributed technology to a handful of centralized owners", but the "why not use tailscale" part of what you're trying to say is not at all evident from your comment.
I've looked at the usecases page, obviously there is an AI stunt (which I don't buy at all), for POS applications, well, there are better and less risky (see above) ways to do this, so the only thing that seems to make sense is this real-time sync, if someone is in the restricted environment (but, the point is, that in the restricted environment iroh is going to be blocked anyway by firewalls, z-scaler, etc.).
Until these questions are answered iroh will remain blocked.
+ iroh and openziti can both be app-embedded
+ so the app developer embedding in their service is a good use case for both
+ openziti is used for services in which scale and security are critical
+ whereas iroh allows participation from parties which don't have any prior relationships - which can be very convenient
Except without all the ceremony about setting up daemons, servers, controllers, "networks" and what not that openziti seems to have. Iroh is more "define protocol and hook two clients together" with everything in one binary.
Unless I understand https://github.com/openziti/sdk-golang/blob/a6e5f1697a9dc34a... wrong, it seems to require a "controller-url", is that controller embeddable as well?
> If you want to release an app and have instances of your app be able to easily connect to each other, you could theoretically embeded Tailscale functionality into your app, but then the users of your app need Tailscale accounts, and your app is dependent on Tailscale.
Just use Wireguard directly like everyone else.
If anyone really wants to use Tailscale (or I think Headscale should work too) at application layer, you can use tsnet [0]
--
0: https://tailscale.com/docs/features/tsnetThere is already IPv6 and quic, you need vendor and major software to have any traction in that field.
Here is a concrete problem we solve. You have one device in your home WLAN behind a NAT. Your other device is in a 4g network, or behind another NAT at work.
In most cases we can give you a direct connection between the two devices very quickly via hole punching, so you get the highest possible bandwidth and the lowest possible latency.
This was not a solved problem until now.
You’ve asserted “THIS is not a solved problem,” which suggests everyone is clear on what THIS means. I think that is not a good assumption.
Lack of a true session layer in TCP/IP is why vmotion is normally only possible in a single broadcast domain because in this situation you only really use mac addresses for addressing and can thus use the IP as a stable identifier when the MAC address changes after a vmotion. And the switch mac address table handles the mapping.
And if you have another suitable system, you can also plug it in. E.g. you might want to use another DHT that allows mapping from a key to some address data.
For example: dns control, tls certification bans (just this month both let’s encrypt and globalsign started revoking Russian certificates), once google starts really complaining about https it gets ugly.
Russia aside, anyone else is closely watching (europe, brics, what have you)
E.g. you could write an excellent encrypted chat app using iroh, the Tor or Nym custom transport, and BLE or direct wifi for local connections.
You have to be careful though to make sure you configure the transports correctly in order not to expose data you don't want exposed. Iroh can be used in highly restricted environments, but the defaults favour performance over complete metadata privacy.
How does it support semi-connected devices, intermittent connection failures, etc?
Iroh is built for environments where connectivity is unreliable or intermittent, so it can be a good fit for use cases involving connection failures, offline periods, or semi-connected devices.
We provide a range of peer-to-peer protocols that don't require a central server, including key-value stores, blob transfer, collaborative documents, and streaming audio/video. These protocols are designed to synchronize devices back to a consistent state, even after long disconnections or network interruptions.
If you'd like to explore whether iroh could work for your use case, we're happy to chat. Feel free to email us at support@iroh.computer, and we can set up a call.
Up to now our users are mostly teams that have a rust or C/C++ core, such as https://delta.chat/ . But now that we have bindings teams who use other languages should be able to use iroh.
So you can write e.g. an android and ios app that uses iroh direct connections under the hood, and the app user does not have to know or care about this at all.
About tailscale: It's similar, but iroh is not a VPN, so it doesn't add a TUN interface. Instead, you'd build iroh directly into your application. Using iroh you can build a VPN, and there are projects that do so (iroh-lan/iroh-vpn are some hobbyist projects). The upside of building it into your application is that it doesn't need special permissions and is easy to ship to the user.
Besides, as a lot of people have mentioned already, if you want a dedicated server there are a lot of existing options.
We did write a few small dedicated applications to show off iroh, sendme https://www.iroh.computer/sendme and dumbpipe https://www.dumbpipe.dev/ .
> But to finance the development of it, we offer additional services to make it easier to deploy and run it, especially for larger or more specialized use caes.
Interesting (and somewhat proven) idea to finance it, smart :)
Did you guys started doing this already on a case-by-case basis and have some experience of it already, and if so what are the common things you typically help out with exactly? I'm just curious what sort of things a company who'd use a protocol like that might need help with, that they wouldn't have experience with in-house, since they're going down a P2P road already (assuming that, maybe maybe need help with greenfield projects)?
"we want to be infrastructure for people, and a business towards professionals."
stuck between "we need cash to operate" and "we want to be a public good infrastructural system." , with the negative parts of a for-profit whisked away with "Well it's open source."
it's a business concept i'm okayish with as long as the "Well it's open source." caveat doesn't come with a total bespoke and unusable code base to figure out.
Our code is as good as we can make it, and everything is modular and well documented. For example our QUIC implementation noq which underlies every iroh connection can also be used as a standalone QUIC impl that implements QUIC multipath.
https://docs.rs/noq/latest/noq/
If we wanted to have "total bespoke and unusable code" we would have inlined all of this into the iroh repo to make it unusable.
Tailscale is a great service that happens to be open source, but Iroh is clearly structured as a library that you can build into whatever you want.
If you want to run an ISP or AS, believe me it will cost you a decent chunk of money.
Maybe it's in the video I didn't watch, but I really think paragraph one should make clear what kind of keys and why. Cryptographic? Asymmetric? How do they do the job, at even the most basic level? It never explains, just dives into abstract claims of superiority and usage stats. I gather relays are involved; this would be a good thing to mention right away instead of making me sift it from the HN discussion.
127.0.0.1 -> 'key' > Dial keys. Not IPs.
> It's a simple idea really, and it's the right abstraction for the future of the internet. IP addresses can break, without warning, and it's outside of your device's control. Keys, however, are created & controlled by you. They stay the same as your device moves, and are yours to throw away, or not. IP addresses can be private and inaccessible behind firewalls, but with iroh your device can be securely addressable no matter where it is.
Here's my summary from Lobste.rs, keeping in mind I'm not an expert and only found this project today:
> [..] this is closer to an opinionated WebRTC setup that handles assigning a persistent ID to clients. All the work of making a signaling server is taken care of and the solution is generic enough and cheap enough to run that you can get away with using a community hosted one. Kinda similar to what you get with Steam’s proprietary p2p gamenetworkingsocket infrastructure
https://lobste.rs/s/cslljn/iroh_1_0_dial_keys_not_ips#c_s3na...
I love Tailscale, it's deployed on all my devices. But I might check this out for the transports part in particular.
On the technical level, the biggest difference is probably that we build on QUIC whereas tailscale builds on wireguard. Iroh is a library that is made to embed into your application, whereas the tailscale offering started as a daemon. It allows embedding, but you are still carrying the baggage of a go runtime. Iroh is written in rust. Rust compiles to a native library and is therefore easier and more lightweight to embed in compiled programs (C, C++) and languages such as js and python.
Another big internal difference is that we use relay URLs whereas tailscale is using relay IDs. The consequence is that every iroh endpoint, no matter if using self-hosted relays, the n0 public relays, or the n0 paid relays, can reach any other. In tailscale two nodes will only be able to talk if they use the same mapping from relay id to relay ip address, which usually means that they use the same coordination server.
Last but not least, while we do have a commercial offering, everything you need to run iroh is open source, licensed MIT and Apache2. With tailscale the coordination server is closed source and operated by tailscale, and the only way to run your own tailnet is to use the headscale community project.
> IP addresses can break, without warning, and it's outside of your device's control.
We have DNS?
> Keys, however, are created & controlled by you. They stay the same as your device moves, and are yours to throw away, or not.
So are domain names? This page does not do a good job of helping me find what it is that I'm missing.
But as someone who's not a network specialist, I fail to see how this is not a glorified P2P DNS.
Maybe this example helps:
https://github.com/n0-computer/iroh#rust-library
const ALPN: &[u8] = b"iroh-example/echo/0";
let endpoint = Endpoint::bind().await?;
// Open a connection to the accepting endpoint
let conn = endpoint.connect(addr, ALPN).await?;
// Open a bidirectional QUIC stream
let (mut send, mut recv) = conn.open_bi().await?;
// Send some data to be echoed
send.write_all(b"Hello, world!").await?;
send.finish()?;
// Receive the echo
let response = recv.read_to_end(1000).await?;
assert_eq!(&response, b"Hello, world!");
// As the side receiving the last application data - say goodbye
conn.close(0u32.into(), b"bye!");
// Close the endpoint and all its connections
endpoint.close().await;IP addresses break, dial keys instead
Modular networking stack for direct, peer-to-peer connections between devices
iroh establishes direct connections whenever possible, falling back to relay servers if necessary. Get fast, efficient, reliable connections that are authenticated and encrypted end-to-end using QUIC.
As an example, AFAIK, Reticulum encrypts packet origin, so only recipient can see them. I don't think this is admissible in a corporate network.
If you look at an iroh connection using wireshark, it is just a QUIC connection. You can use all the existing tools, and a lot of things you learn when using iroh transfers to traditional QUIC connections and vice versa.
Most iroh contributors come out of the p2p world, and you could say that we had a bit of abstraction fatigue after working on regular P2P networks for some years.
We have also so far resisted the temptation to write a DHT, opting instead to use the biggest existing DHT, bittorrent mainline, for our p2p address lookup needs. Many traditional P2P networks come with their own implementation of a DHT for discovery.
Note that there are some "regular p2p networks" that use iroh under the hood, e.g. holochain https://blog.holochain.org/dev-pulse-154-holochain-0-6-1-is-... as well as various p2p chat apps.
https://blog.holochain.org/dev-pulse-154-holochain-0-6-1-is-...
Bravo, because they always get it wrong.
DHTs used for decentralized DNS-like naming purposes have truly unique scaling requirements; you have to use a connectionless protocol (like bittorrent does) but everybody seems to be fixated on connection-oriented protocols like TCP, HTTP, and QUIC. The latter just don't work for this extreme use case.
No other use case on the entire internet requires such an extremely large out-degree for end-user nodes in the node connection graph. Allocating connection-state, even a very small amount, opens up the least-powerful nodes to easy DoS attacks. And from there it's easy for a motivated attacker to push the network away from decentralization and force it in to a highly-centralized state.
I'm slowly trying to build an app on Iroh; it's progressing tiny bit by tiny bit, but I must admit I'm struggling a lot all the time, both with various low-level details, as well as with understanding many high-level aspects, concepts, and approaches. Oftentimes I have to resort to some LLM-generated "wiki" websites to help me progress. I really hope you'll manage one day to allocate some more resources to improve the docs. That said, when I manage to muster enough strength, I do manage to grind some progress, and also it's good to know the underlying tech seems robust, given how many real-world solutions you've built on it!
At this moment, if I can try to ask one question: AFAIU Iroh emerged from an attempt at fixing IPFS. I also understand you've since focused more on providing the lower-level building blocks that would allow this and other solutions. Understanding some basics, but still having hard time to get a really solid grasp of the whole of Iroh, I wonder: between Iroh, p2panda, and Willow, what's available and what's missing / needs to be added if one wanted to try and build an "IPFS-like" with those technologies? I'm especially interested in an idea of a "new web" that would defuse DDoS of static websites in a Torrent-like way, forcing the downloading peers to also share their upstream bandwidth while doing this. I'm also thinking of e.g. a "globally-distributed Internet Archive", where I can easily download part of the Archive to my computer, and this automatically improves its availability on such "new web" for subsequent downloaders and browsers. Would you care to give a newbie something of a high-level overview of how one could try to do it over maybe some appropriate combination of Iroh+p2panda+Willow+DHT?
If you want something like a globally distributed internet archive you would have to use protocols on top of iroh. For example iroh-blobs provides verified streaming of content-addressed data using the BLAKE3 tree hash function. It is very close to itself being 1.0 (probably Q3), but for now it requires you to know from where to stream the data.
What is missing to fully replace IPFS is a global distributed content discovery system. This is a really hard problem that IPFS itself never solved reliably in my opinion.
I also still want this to happen eventually, but the first step is to get the connection layer super reliable and fast, which we have done.
I wish you could also delegate this problem to the mainline DHT, but alas that is not possible because of some mainline limitiations. So I am working on the side on a new DHT, see https://www.iroh.computer/blog/lets-write-a-dht-1
Sorry if this has been answered or covered on the web I'm currently travelling.
Edit: I managed to read the linked page, thank you for working on such an amazing project!
Also you can join our discord and there's #showcase https://iroh.computer/discord
Seems like it'll be a hard sell since steam is already so dominant and enterprise is dominated by tailscale... I see the proposal for being able to work with many different networks from different companies at the same time, but it's a pretty rare usecase and nothing some iptables can't solve.
I can see the argument for chat in heavily censored regions of the world, but not sure if there's any advantages that iroh can offer over other solutions.
Market fit will be hard to find, but best of luck.
Here there seems to be no mention of ddos mitigation or shorter routes due to infrastructure. Yes you need a key to connect but your iroh relay server can still be attacked. I suppose you could roll your own distributed anycast system for this.
The fundamental component of Iroh is p2p routing by key, and the main utility provided by Zenoh is message semantics. The two seem complementary.
However, I'm confused on the open source vs. commercial offerings. How do they differ? How do they work together?
In addition we provide services that any commercial deployment using iroh will probably find essential: observability and a custom non rate limited relay network, as well as priority access to the engineering team.
So we got into the sad situation that people associate peer to peer connectivity systems with having to frequently debug the entire stack and having recurrent performance or connectivity issues.
A part of the motivation for the iroh team is to change this notion by being very pragmatic and minimalistic. E.g. the use of relays vs. enlisting other peers to help with hole punching.
Originally, every machine was a directly reachable peer, but a finite supply of addresses (IPv4) forced most devices behind translation boxes (NAT) that let them dial out without ever being dialable. Once traffic had to route through the few hosts that stayed reachable, those hosts became toll booths, which is partially where the more centralized internet we actually got came from.
iroh basically patches the internet
If they are behind different CGNat, you need a party that is reachable by both to help with hole punching and/or relay traffic. This is fundamental, there is nothing you can do about this.
Some p2p protocols try to enlist other peers to be that third party. E.g. holepunch.to . Iroh uses dedicated relays for this.
The relays can either be the n0 public relays, a n0 paid relay network, or self-hosted relays. No matter which option you choose, every iroh endpoint is able to talk to every other iroh endpoint unless they are fully airgapped from the internet.
A great thing about iroh is that due to it being just QUIC, when you learn about iroh you also learn about details of QUIC that are useful and transferrable for traditional p2p QUIC connections.
Iroh addresses are (currently Ed25519) keys. They are not scarce, so you can create them on demand and keep them as you move from one network to another.
If IPv6 was everywhere I guess the hole punching feature of iroh would become less important, but the dial by key feature would remain just as important.
Our default enabled address lookup service is using DNS in a creative way, but we also have a service that is fully peer to peer and is using the mainline DHT, specifically the bep_0044 extension that allows you to store a tiny bit of arbitrary data for an Ed keypair that you control.
https://www.bittorrent.org/beps/bep_0044.html
Some custom transports such as TOR hidden services have a discovery system built in. In these cases we can just use the existing discovery system.
See for example https://github.com/n0-computer/iroh-tor-transport
IP isn't going anywhere any time soon, but we add two capabilities on top. The ability to dial an endpoint by key, and the ability to get direct connections whenever possible.
That being said, if some other technology becomes popular that actually replaces the IP address paradigm, iroh is well positioned to make use of it. From the point of view of an iroh application developer nothing would change. You still dial by key, and iroh will just make sure under the hood to get you the best possible connection, IP or otherwise.
Is there an android SDK available?
Again, the difference is: tailscale/easytier/wireguard creates a VPN network on your computer/phone/whatever. So all apps can benefit of it
iroh is a library . This is for developers who want to integrate this P2P routing logic inside their app. It is closer to bittorrent than it is to tailscale.
Both approaches are great but fulfill completely different needs.
Also, they are very principled when it comes to peer to peer purity, whereas iroh is a bit more pragmatic. We use dedicated relays to faciliate hole punching, whereas holepunch tries to use other peers as a temporary relay for hole punching messages.
Another difference is that holepunch have their own DHT, where we have a less decentralised address lookup service by default and use the mainline DHT as a fully p2p alternative.
So TLDR if you are doing js in the browser, holepunch.to might be a good fit. If you work on native mobile apps or embedded devices, iroh will be better since it is pretty frugal. If you work with node.js, both will work. Just evaluate them both and use what works better for you.
E.g. we support tiny embedded devices such as esp32. https://www.iroh.computer/blog/iroh-on-esp32
So in theory a go implementation is possible using a go QUIC implementation that supports the multipath extension.
Our focus is the rust implementation, since it is very easy to use from compiled languages such as rust, C and C++ and to embed into languages such as js and python.
But there are some other projects that attempt to provide a native go implementation: https://github.com/tmc/go-iroh
Edit: since iroh is just a library, it is also possible to link iroh into a go program. Linking a go program from other native languages is a bit of a pain, but linking a C or rust library into a go program is relatively straightforward and high performance.
Our QUIC implementation noq is a standards compliant QUIC implementation that in addition to RFC9000 also implements the QUIC multipath draft RFC.
We try very hard not to invent new things unless absolutely necessary. In a few places we had to implement draft RFCs, QUIC multipath and QUIC NAT traversal. And there are some corners where we had to add our own extensions. But we try very hard to keep this to an absolute minimum.
1. How does Iroh handle key rotation / leakage? Could you build some kind of hot/cold system on top of it, where you'd have a cold "identity key" in airgapped, secure storage, used only to issue certificates for your hot "traffic acceptance" key?
2. Is there any kind of peer discovery / DHT, either built-in directly or through some semi-official higher-level protocol, like DNS for IP?
3. What about human-friendly peer names? Those are almost required for end-user friendly applications. Most solutions of that problem either assume that every single user is willing to dedicate their life to configuring DNS, rely on a trusted third party, or delegate the responsibility to a blockchain.
4. What are the channel reliability properties, and are they configurable? Can you decide how to handle out-of-order or lost packets, or does the protocol enforce a decision? If you're willing to tolerate loss, duplication and reordering, can you avoid head-of-line blocking?
5. Is peer anonymity a goal?
6. What about two mostly-offline peers who wish to communicate (think smartphone apps that can't be connected 24/7 due to battery concerns)?
Overall, cool project.
2. We have a centralized DNS based discovery mechanism enabled by default, and an optional bittorrent mainline DHT based discovery mechanism. We also have mDNS for local networks, and you can plug in your own.
3. Our current keys are non scarce but also not human readable. You can use another level of indirection via DNS or some blockchain based naming system like ENS to assign a human readable alias, but that is not built in.
4. Iroh streams are just QUIC streams, and reliable and ordered by default. There are APIs to receive data as it arrives, but this for really advanced users. Most users are best served by just using the streams as-is.
https://docs.rs/noq/latest/noq/struct.RecvStream.html#method...
There is also an escape hatch if you don't want streams at all, e.g. if you have a consumer like a video codec that can deal with data loss themselves. We support QUIC unreliable datagrams ( https://datatracker.ietf.org/doc/html/rfc9221 ).
https://docs.rs/noq/latest/noq/struct.Connection.html#method...
5. Peer anonymity as in hiding the ip addr of a endpoint id can be achieved, but not with the default config. The default config is tuned for performance. You can hide your ip address by using one of the mixnet custom transports and disabling the ip transport.
6. Iroh is just connections. If a and b are never online at the same time they won't be able to communicate. You would have to write an iroh protocol that talks to some always online node. We do have some protocols that can be used to implement this, such as iroh docs, but that is not the main product.
You need urgently a "versus" page that talks about tailscale/netbird/netmaker/zerotier/twingate/openziti
Looking at the use cases, right now I don't see anything that cannot be done with Tailscale...
I think this tech (modern p2p) represents what agent-to-agent (a2a) should be built on.
Every agent should be reachable to each other without hosting itself as an http server.
related prototypes
I think that with Kotlin support, the creation of some android/multi-platform gui apps can be made easier if they want to use Iroh.
This doesn't really make a lot of sense. Assuming this is true, its equally likely to be my gateway, or BGP peer IP that breaks. How Iroh offers anything in this scenario is beyond me.
>The power of that key can't be overstated. We use it to secure the connection. And because all data that comes from the connection is secured by that key, we can build up from that same key into identity, permissions, and attribution. We can also use that same key as an address we can dial, no matter where it is in the world. It turns the internet into a secure localhost.
This is a way better use case. This should be the headline.
Iroh is kinda just a connection protocol. If you get given a public key for another computer, you can establish a connection. Like you would an IP address. The magic is in being able to establish that connection regardless of where either device is, and keeping that connection alive through changing network conditions.
We constantly have issues with our printer. I have fewer issues with my bambu 3d printer than with my (also very expensive) epson inkjet.
These people need to get their shit together, seriously. The way things are going we will have full AGI before we have working printers.
If somebody want to do this, please reach out to us. We are eager to help. But this is one of the most annoying things ever with computers.
As of now relays are completely self contained and pretty dumb. The protocol does not require relay to relay communication, which means that the relay code can be relatively simple.
The iroh endpoint will determine its location in the world by probing the configured relays using QAD (similar to STUN). It will then choose a home relay and establish a https connection to it.
When another iroh endpoint wants to talk they first briefly talk via that relay, then hole punch and establish a direct connection.
All of this happens in the background without the user even noticing. It’s also very lightweight - runs on an embedded computer with 2 megabytes of RAM.
Regarding security, one thing to be aware of is that iroh connections are just standard QUIC connections secured using standard TLS with the (also standard) raw public keys in TLS extension.
We don't roll our own crypto. What little non-standard crypto we had previously was removed on the path to iroh 1.0.
So iroh connections are just as secure as the QUIC/TLS connections your browser makes to your banking app. Whenever there are some new concerns like for example post quantum security, we can benefit from industry standards.
E.g. we do already support optional post quantum key exchange to secure connections.
https://datatracker.ietf.org/doc/html/rfc7250
In the beginning of the project we did use self-signed certs, but due to raw public keys that is no longer necessary. And in any case scary build flags aren't an issue since we control our own rust QUIC implementation, noq.
I had been looking at zeromq, but I very much agree with using keys rather than IPs where possible (after years of using yggdrasil, wireguard, tailscale, tor), so I am tempted to try Iroh. OTOH, this seems overkill if I'm using a client-server approach where the server IP is known.
You get the simplicity of being able to freely move nodes within the data center or even across data centers without having to reconfigure ip addresses. And once a connection is established the performance is comparable to a normal QUIC connection.
Regarding client server architectures: I frequently build systems where you use p2p connections but have clearly defined client and server roles at the application level. Absolutely nothing wrong with that, in fact I think a big problem with existing p2p projects is that they try to be p2p at application level and overcomplicate things.
Application 1 has a Ed25519 keypair
Secret key private 3085c7405a88a968133e813e9f638a7d9b2e8088fe717ca535cc24d90b59815d
EndpointID or public key, for connecting to you: 274d4c656f064d4c59fffe7db38d6bf90d63cb087d0b2afd2cfa534334f7071c
and for connecting to App 2 you need to know the other endpoint id, no friendly "dnsish" name involved.
https://en.wikipedia.org/wiki/Zooko%27s_triangle
A mapping from a scarce but human readable name to a non-scarce but not human readable name would't be that hard, but we haven't done this yet.
If we do it it will probably be an additional crate reusing some of our infrastructure, not built in to iroh itself. There are a lot of use cases where the non human readable names work perfectly fine.
We would implement two versions, one using DNS and one using an appropriate decentralized system like ENS.
I think you should highlight more the IoT use case, It's a really great solution for devices that need to talk over multiple transports (Lora + IP) and to avoid the need for a VPN.
https://www.iroh.computer/sendme
There are several projects inspired by sendme that use the same protocol but add mobile device support and a GUI:
We don't have a comparison benchmark, but we are fast enough that we are not the limiting factor for many use cases.
In many cases the performance bottleneck is the interface to the kernel to send and receive UDP packets. Our QUIC implementation is using all available tricks to make this as fast as possible. For example on OSX we use the sendmsg_x syscall to send multiple UDP packets in one syscall. On Linux we use GRO/GSO and recvmmsg to send/receive as many packets as possible.
But to be completely honest, in some cases TCP is still faster for raw throughput on server class hardware. Decades of optimisation have gone into TCP. But QUIC/UDP is quickly catching up. All the major cloud vendors bet heavily on QUIC/UDP and are optimizing it.
Since we just do p2p QUIC we benefit directly from all improvements in this area.
If there is enough serious demand we could publish go bindings. Iroh is a rust library that is very easy and efficient to embed into golang binaries.
None of them require an API key.
https://datatracker.ietf.org/doc/draft-ietf-quic-load-balanc...
Get in touch if you have a demanding use case and want us to help.
I've just learned about it, but my understanding is that Iroh is L7, compared to e.g. tailscale which is L3
From the OSI point of view, QUIC itself is a bit of a layering violation. It covers transport (L4, Reliable ordered delivery, stream multiplexing, congestion control, ...), session (L5, connection establishment and lifecycle, path migration, ...) and presentation (L6, encryption).
And of course below that we have the ability to provide custom transports.
This was done intentionally in QUIC to provide more control. The application layer doesn't have to care about what goes on below, but for some advanced use cases it can know what's going on and even influence which path is being used.
QUIC/TLS being such a comprehensive and well tested package allows us to delegate a lot of the work and just add a tiny bit of logic to make it peer to peer.
Although delegate is not exactly right, since we ended up having to write our own QUIC implementation, noq, to support QUIC multipath...
That being said, if IP ever gets replaced, your iroh based app will continue to work pretty much unchanged. Iroh will just get you the best possible connection (IP or whatever) under the hood.
But everything we do is open source as well. Everything in the core is MIT and Apache2 licensed, including the relay binary/library.
From what I see, relay servers are doing a job that is equivalent to Stun + Turn + SignalingServer in WebRTC.
This is great for simplicity, but having Stun Turn and Signaling live in the same server would make it harder to secure. For example, since in webrtc signaling is up to the user, it is most common to have signaling implemented as a web server, this allows you to have it behind cloudflare with the signaling server ip never exposed to the internet. If you are not interested in supporting turn, there is plenty of public Stun servers that can be used and Stun itself is a really cheap server to run.
For iroh, it seems if I wanted to self host relay servers I'd be forced to expose their IP to the web which would make them really expensive to run if one wanted to make them DDoS proof.
I've been drawing a lot of inspiration from Iroh, while working on my own https://github.com/connet-dev/connet. While peers in connet communicate peer to peer, I have a long way to cover peer discovery and transparent connection migration.
"Tailscale at the application layer, instead of the network layer" (as sibling comment describes it) is a great way of thinking about it. In my mind, with the right apps, Iroh (and connet) could really democratize secure self-hosting.
Congrats iroh team!
A wonderful chain to link to the CBDC shackle.
Wouldn't that an obvious use case? or am I missing a technical limitation?
- [0] https://github.com/n0-computer/awesome-iroh#file-sharing
SDK https://github.com/SalvatoreT/iroh-ts
Examples
- https://salvatoret.github.io/iroh-ts/examples/chat/
- https://salvatoret.github.io/iroh-ts/examples/debug/
- https://salvatoret.github.io/iroh-ts/examples/poker/
I made this a while back because I want an easy way to throw together games for family game nights.
IE could I get an app on my phone, to talk to anyone on the planet with that app directly without having to trust any middlemen like Apple, Google, WhatsApp etc?
Could people have something like original facebook, but without Meta because of actual p2p?
This isn't Tailscale because it does secure P2P connections between any pair of devices, whether or not they have Tailscale. This enables real end-user P2P for, e.g., local-first apps with no server infrastructure except relays for resilience. And even if you lose the relay servers, things keep on working the same for any hosts that don't need them.
pipe over network using Iroh
Also, for educational purposes, the first version was about 150 lines
https://github.com/n0-computer/dumbpipe/commit/f64d4c3e772a2...
So basically they want to find out who is who. In other words: sniffing.
It's interesting how the discussion is currently shifting to meta-explain why sniffing is necessary. I noticed this at universities in the last years; people now either have a tablet or a smartphone or a yubico key. This will be extended in the future, there is no doubt about that. And they are selling it with fancy words, just as Iroh showed.
is it like torrent