How to play: Some comments in this thread were written by AI. Read through and click flag as AI on any comment you think is fake. When you're done, hit reveal at the bottom to see your score.got it
iroh seems like a very well positioned product in the era of people rapidly building applications for personal use. I'm really interested in seeing how they continue to grow.
I personally have been looking off and on at providing an "app relay" using it, where people can get an OSS, self-hostable (if desired), zero config way to remotely access their app/data on their network. This would be separate than a "network relay" (a la Tailscale), as this is done selectively as part of the application server and client, requires no knowledge or configuration as the user, and exposes a much smaller surface area.
Good to know. I usually use magic wormhole, which works great, but it does install a lot of python modules to achieve it. I'm always a little reluctant to install that on our production Windows SQL servers, and I rarely touch them, so usually when I do I just do a "netcat" equivalent via either a powershell snippet or https://github.com/linsomniac/toothpyk or I just "wget" it on the Windows side. For SQL Server ISOs, the Windows built in wget is terribly slow though.
Reminds me of what the IETF promised with SCTP back in 2000. Different stack, same pitch. What n0 has going for them is actual working software people use daily, not just RFC bikeshedding.
Excuse me if this is explained somewhere, but how does noq/iroh relays QUIC packets between peers? How does relay know which QUIC packets it receives should be sent where, since QUIC is famously hard to track? Do you stream to relay new/retire_connection_id packets through different connection so that it can link them to specific peers? Or is the relayed QUIC wrapped in different protocol?
noq doesn't implement any relaying logic itself. From the perspective of noq, iroh relays are another IP subnet that it's sending packets to and receives packets from, so just another path.
> Or is the relayed QUIC wrapped in different protocol?
Yes, that's what's happening.
On the iroh/iroh-relay side, we implement this relaying using WebSockets. The datagrams are wrapped with a header saying which EndpointId (ed25519 public key) we want the packet to be relayed to. Because of a handshake between iroh clients and iroh relays, the relay knows and has authenticated the source EndpointId of datagrams it relays.
So yeah, we're tunneling QUIC datagrams through HTTPS over TCP (we encrypt twice). The relay really is just a fallback and for coordination. We specifically made these choices for maximum ubiquity for the fallback (not affected by UDP blocking, looks like "normal" traffic).
Wrapping QUIC in WebSockets to get relaying feels like it defeats part of the point. You've introduced another framing layer with its own overhead and head-of-line blocking concerns. Why not a lighter UDP-based relay protocol instead?
I’m excited to have a weekend to just sit down and tinker with iroh, it’s been on my list for a while. I want to make an overlay network like nebula with it
I was just reading the QUIC multipath RFC. Didn't it come out literally yesterday? I guess it's common to have the implementation foreshadowing the RFC but it's jarring to see them back to back like this.
Many QUIC features get implemented while in draft stage as people iterate on the RFC's design (e.g., ACK Frequency[0] is currently on draft version 14 and I implemented support for it three years ago in quinn).
It’s common enough for groups to not consider the spec done until there is a decent bit of implementation experience (both because actual implementers tend to find interesting bugs in specs, and because many things are hard to measure without any implementation).
It’s pretty common for IETF drafts to be substantially complete well before they are finalized as RFCs. For example, supporting ML-KEM in TLS is still a draft, but there are already multiple large scale deployments of it since the technical aspects were nailed down a while ago
One thing I find interesting with QUIC and similar approaches is that they still bind connection continuity quite tightly to transport state.
I've been thinking about whether session identity could be separated entirely from transport, so that transport failure becomes a recoverable event rather than connection death.
Curious if anyone has seen practical systems that push this further than QUIC does.
Can this establish an QUIC connection without the other end having a CA cert? Or, like most other QUIC libs will it default to only allowing connections to corporation approved domains?
The TLS authentication story is fully configurable. This hasn't changed compared to Quinn.
We use noq in iroh, and in iroh we use raw public keys (RFC7250). When you use iroh, you don't need to set up DNS or TLS certificates, you just generate a key, share the public key and others can connect to you. (Of course the trouble is sharing the public key securely.)
It turns out that "Have the defaults arranged so that they suit a handful of crazy people but inconvenience literally everybody else" isn't popular. In fact preferring a tiny minority preference is sort of inherently unpopular, that's basically its defining feature as a policy.
We ran into this with Quinn. You can pass a custom rustls config that skips cert verification entirely, or use self-signed certs with a custom verifier. We ended up doing the latter — pinned the peer's public key directly. Took maybe an afternoon to wire up.
Now, see. that's what I said as well. But the rest of the team was tired of me trying to name the hosted iroh "n0des", which I'm now ready to admit was a stretch. And so now here we are spelling n0q as noq. c'est la vie.
The pluggable Session trait is the right call. I experimented with nQUIC on a mesh project last year and the hardest part was that TLS was baked in everywhere. Being able to swap in Noise without forking the transport layer would have saved a lot of pain.
The cool thing about noq (and Quinn, where we inherited this from), is that you can implement your own "Session" trait. So that can be either TLS or nQUIC.
QUIC's connection migration sounds great until your load balancer doesn't preserve 4-tuple affinity and you spend 3am figuring out why sessions are silently dropping. Stateless reset tokens better be rock solid.
It's lovely to see the polite and respectful back and forth in this comment thread where the Iroh folks are talking about deciding to fork. :)