Iroh 1.0

(iroh.computer)

268 points | by chadfowler an hour ago

73 comments

  • rklaehn an hour ago

    I am one of the iroh developers.

    A question that frequently comes up: when will iroh support webrtc, or BLE, or LoRa, or ...

    Iroh as of now supports only IPv4, IPv6 and relay transports out of the box. There is such a large variety of potentially interesting transports out there that we can't support all of them without turning the codebase into an unmaintainable maze of feature flags.

    But we have added the ability to implement custom transports. That way your transport implementation can live in a completely separate crate.

    Existing experimental custom transports include Tor, Nym and BLE. https://github.com/mcginty/iroh-ble-transport

    Here is how custom transports work under the hood: https://www.iroh.computer/blog/iroh-0-97-0-custom-transports...

    • ascii0eks84 2 minutes ago

      If you don't mind, what are other low-effort but high signal forums other than HN, Perplexity and X for accurate news that skip the annoying part?

    • Bender an hour ago

      What are the risks if any of running public relays? Is this similar in concept to running Tor Guard Nodes / Relays?

      • rklaehn 27 minutes ago

        If you run a public unauthenticated relay you act as a home relay for whoever has your relay configured in their relay map and is close in terms of latency.

        So you might get a lot of traffic. You can configure rate limiting, as we do on our public relays.

        The traffic is fully encrypted and can not be decrypted by the relay. The only information the relay has is what is necessary for it to function - the endpoint id and ip addresses of the endpoints that are connected to it at any given time, as well as endpoint pairings.

        You relay encrypted traffic with no egress to the open internet. So if you want to compare it with Tor, it would be like a tor guard/middle relay, not an exit node.

        • Bender 17 minutes ago

          > So if you want to compare it with Tor, it would be like a tor guard/middle relay, not an exit node.

          Nice. I already do rate limiting, traffic balancing using sch cake. This looks like an interesting project. I could envision open source NVRs implementing this. I also like the name of the project.

      • Arqu 29 minutes ago

        All the data is e2e encrypted and nothing is stored. The usual self hosting public things rules apply.

    • refulgentis 20 minutes ago

      FWIW I think for “new user” audiences you’re better off describing why we’d use this instead of IP, than why you haven’t gotten it everywhere yet: there’s a certain sort of “complaint I see the most from current users” myopia that sets in, at least for me, over the years. :)

  • Thaxll 28 minutes ago

    I don't understand the problem it's trying to solve in the first place, IP works just fine, such as DNS.

    There is already IPv6 and quic, you need vendor and major software to have any traction in that field.

    • rklaehn 16 minutes ago

      Iroh is QUIC. We are not trying to reinvent the wheel here, just combining existing IETF RFCs in a creative way.

      Here is a concrete problem we solve. You have one device in your home WLAN behind a NAT. Your other device is in a 4g network, or behind another NAT at work.

      In most cases we can give you a direct connection between the two devices very quickly via hole punching, so you get the highest possible bandwidth and the lowest possible latency.

      This was not a solved problem until now.

      • handoflixue 7 minutes ago

        Excuse my ignorance on the subject, but what does this solve that VPNs didn't already address?

        • milkshakes 3 minutes ago

          vpns typically add at least one hop. this has the possibility of connecting directly via hole punching

    • Kevcmk 21 minutes ago

      I'm not affiliated with Iroh or even using it, but... "IP works just fine". What!? This is _not_ a solved problem

      • PantaloonFlames 8 minutes ago

        I think that was the question: What is the problem it is solving?

        You’ve asserted “THIS is not a solved problem,” which suggests everyone is clear on what THIS means. I think that is not a good assumption.

    • Arqu 26 minutes ago

      Establishing direct connections on the other hand is a much harder problem with the current internet infrastructure.

  • j4cobgarby an hour ago

    Doesn't it seem odd to have "Pricing" for a protocol that's meant to serve a similar function to IP addresses? Maybe I'm misunderstanding something.

    • dignifiedquire an hour ago

      As others have already mentioned, iroh the core library and protocol is fully open source. But to finance the development of it, we offer additional services to make it easier to deploy and run it, especially for larger or more specialized use cases.

      • embedding-shape an hour ago

        Congrats for the launch, seems to have matured a bunch and Iroh has gotten a bunch of neat additions since I last looked! You even managed to get 1.0 out the door before go-ipfs / Kubo ;)

        > But to finance the development of it, we offer additional services to make it easier to deploy and run it, especially for larger or more specialized use cases.

        Interesting (and somewhat proven) idea to finance it, smart :)

        Did you guys start doing this already on a case-by-case basis and have some experience of it already, and if so what are the common things you typically help out with exactly? I'm just curious what sort of things a company who'd use a protocol like that might need help with, that they wouldn't have experience with in-house, since they're going down a P2P road already (assuming that, maybe need help with greenfield projects)?

      • rafram an hour ago

        I think it would be clearer if you put the "Pricing" navbar link under "Services."

    • serf 30 minutes ago

      tailscale syndrome.

      "we want to be infrastructure for people, and a business towards professionals."

      stuck between "we need cash to operate" and "we want to be a public good infrastructural system.", with the negative parts of a for-profit whisked away with "Well it's open source."

      it's a business concept i'm okayish with as long as the "Well it's open source." caveat doesn't come with a total bespoke and unusable code base to figure out.

    • Kinrany an hour ago

      From the same pricing page, it's all additional services: observability, relay hosting, support engineers.

    • TheDong 32 minutes ago

      The equivalent for IP addresses to what they offer would be closer to running a BGP router or ISP, or generally contracting with network engineers for your data-center's networking.

      If you want to run an ISP or AS, believe me it will cost you a decent chunk of money.

    • adammarples an hour ago

      Maybe. It's offering "Customized hosting and monitoring for Iroh apps".

  • kamranjon 24 minutes ago

    To me this sounds like tailscale - does anyone have any insight into how what this is doing is similar or different?

    • dignifiedquire a minute ago

      Tailscale is built to be global to your device, while iroh is built to be embedded into each application. This allows application developers and users a much more fine grained and bespoke setup, than having a single global bridge.

    • forsalebypwner 20 minutes ago

      Their use of addressing by keys instead of by IPs seems to be the main differentiator. Also the support for custom transports (BLE, LoRa, Tor) which appears to be in progress and not yet fully implemented.

      I love Tailscale, it's deployed on all my devices. But I might check this out for the transports part in particular.

      • RationPhantoms 13 minutes ago

        Tailscale uses MagicDNS which allows one to auto-generate a semi-memorable private hostname as well. I'm in the networking industry so I'm not seeing anything truly groundbreaking or that isn't offered elsewhere.

        • forsalebypwner 5 minutes ago

          Yeah and my understanding of Iroh wasn't quite right either, it sounds like it's positioned to be more of a library to use in code, rather than a VPN solution like Tailscale.

          I love MagicDNS - A long time ago I wrote a stupid Python script to have it continually generate MagicDNS names until one of them contained a word I was looking for.

    • hazkoulia 18 minutes ago

      My 5 second summary: Tailscale connects devices and Iroh connects applications.

  • logankeenan an hour ago

    Iroh has been amazing to work with and the engineers are so nice in the discord channel. The pragmatic approach to making p2p just work has been easy to understand. Their YouTube channel has great content too. Congrats on v1!

    https://youtube.com/@n0computer

  • andy_xor_andrew an hour ago

    The "address lookup" strategy is really interesting, especially how it uses actual DNS: https://docs.iroh.computer/concepts/address-lookup

    https://github.com/Nuhvi/pkarr/

  • AgharaShyam 20 minutes ago

    LM studio recently released a mobile app powered by Tailscale -- https://lmstudio.ai/link . Iroh seems like a perfect OSS alternative for implementing similar p2p features.

    • forsalebypwner 18 minutes ago

      Tailscale is OSS AFAIK. Not their backend of course, but if you use Headscale then I believe every part is OSS.

  • astonex an hour ago

    Not sure what the difference is between this and any regular P2P network?

    • rklaehn 8 minutes ago

      A difference between iroh and many p2p networks is that we try to use existing IETF standards (QUIC, TLS) as much as possible instead of reinventing the wheel. An iroh connection is just a QUIC connection, using TLS and TLS ALPNs for protocol negotiation.

      If you look at an iroh connection using wireshark, it is just a QUIC connection. You can use all the existing tools, and a lot of things you learn when using iroh transfers to traditional QUIC connections and vice versa.

      Most iroh contributors come out of the p2p world, and you could say that we had a bit of abstraction fatigue after working on regular P2P networks for some years.

      We have also so far resisted the temptation to write a DHT, opting instead to use the biggest existing DHT, bittorrent mainline, for our p2p address lookup needs. Many traditional P2P networks come with their own implementation of a DHT for discovery.

      Note that there are some "regular p2p networks" that use iroh under the hood, e.g. holochain https://blog.holochain.org/dev-pulse-154-holochain-0-6-1-is-... as well as various p2p chat apps.


  • suwapat 7 minutes ago

    Missing a native go version

  • Kinrany an hour ago

    I wonder if Iroh and Zenoh could/should be used together.

    The fundamental component of Iroh is p2p routing by key, and the main utility provided by Zenoh is message semantics. The two seem complementary.

    • Imustaskforhelp an hour ago

      Zenoh seems interesting but can you please give me some use case where both Iroh + zenoh can be combined to achieve something more trivially (ie. without hassle) or the use-cases of this combination. I'd be curious to know more about their combined use-cases!

      • Kinrany 16 minutes ago

        ...that's what I'm asking :)

  • tumdum_ 34 minutes ago

    How is that different from https://yggdrasil-network.github.io ?

  • MostlyStable 26 minutes ago

    I'm out of my technical depth here, but out of curiosity: is this meant to be a full replacement for the current IP address paradigm, or is this meant to be a specific tool on top of/alongside IP addresses that solves particular problems/frictions?

    • Arqu 22 minutes ago

      A little bit of both. Natively it relies on QUIC and leverages existing IP infrastructure, however it also works with custom transports just as fine so you can interact via bluetooth for example.

  • gamegod 3 minutes ago

    Sounds good, but the first step in your quickstart is getting an API key, and I'm oh, so I guess your sales pitch was a lie and this is really just another Cloudflare-like play to build another intermediary in the internet. If that's not the case, then I shouldn't need an API key for hello world...

  • genpfault an hour ago
  • dignifiedquire an hour ago

    hey, I helped make this :) will try to answer questions where I can

    • piskov an hour ago

      Does this solve the problem of internet segmentation due to politics?

      For example: dns control, tls certification bans (just this month both let’s encrypt and globalsign started revoking Russian certificates), once google starts really complaining about https it gets ugly.

      Russia aside, anyone else is closely watching (europe, brics, what have you)

      • dignifiedquire an hour ago

        While it doesn't solve all the issues that come up through the current segmentation, it is very much possible today to assemble components that let you forget about segmentation while you use it. And it is designed from the ground up, to use existing internet technologies, while avoiding the lock in and dependencies on browser vendors or other large players.

    • zelias an hour ago

      how can i make it give me zen-inspired life advice?

      • Hugsbox an hour ago

        I'd also like for it to prepare tea

      • projektfu an hour ago

        Jasmine tea and a game of Pai Sho.

    • amatheus an hour ago

      This looks very interesting. I’m not sure I understand this, but it seems to me like it competes (or is in the same space as) both Tailscale and zeromq/nanomsg via the protocols? I think it would be nice to have a comparison page to make it easier to position it (I didn’t find one).

      • rklaehn an hour ago

        A key distinguishing factor is that iroh is meant to be used as a library that you can embed into your desktop, mobile or embedded apps.

        Up to now our users are mostly teams that have a rust or C/C++ core, such as https://delta.chat/ . But now that we have bindings, teams who use other languages should be able to use iroh.

        So you can write e.g. an android and ios app that uses iroh direct connections under the hood, and the app user does not have to know or care about this at all.

      • matheus23 an hour ago

        We keep thinking about ways to combine iroh + zeroMQ! I think these two could compose. (Not familiar with nanomsg myself)

        About tailscale: It's similar, but iroh is not a VPN, so it doesn't add a TUN interface. Instead, you'd build iroh directly into your application. Using iroh you can build a VPN, and there are projects that do so (iroh-lan/iroh-vpn are some hobbyist projects). The upside of building it into your application is that it doesn't need special permissions and is easy to ship to the user.

  • 28304283409234 31 minutes ago

    I love it. I think. But I find it hard to parse tech videos with music in the background.

  • jMyles 10 minutes ago

    So is this like an unfree CJDNS? What are the main differences?

  • Imustaskforhelp an hour ago

    Good for Iroh to have libraries within different languages.

    I think that with Kotlin support, the creation of some android/multi-platform gui apps can be made easier if they want to use Iroh.

    • Arqu 39 minutes ago

      Thanks, we agree! We used to have bindings for a while but the maintenance burden at that point was too high. Now that 1.0 guarantees everyone some stability and we feel confident in the library, we have enough room to properly support it.

  • saberience an hour ago

    This page is basically useless in explaining what Iroh is or does and why I should care.

    • embedding-shape 33 minutes ago

      Such is life when you choose to be introduced to something by a version update blogpost, instead of clicking in the top-left corner and reading the landing page.

      • SubiculumCode 17 minutes ago

        Did we choose, or was that the link we were given that introduced us to it?

        • embedding-shape 11 minutes ago

          The whole experience is fully interactive and you get to choose your own adventure! If you get lost, top-left corner is a safe bet to go to the initial page. Welcome to the internet and enjoy :)

    • pseudalopex 32 minutes ago

      This is true. But you could click the name in the top left. Or Docs.

      > IP addresses break, dial keys instead

      > Modular networking stack for direct, peer-to-peer connections between devices

      > iroh establishes direct connections whenever possible, falling back to relay servers if necessary. Get fast, efficient, reliable connections that are authenticated and encrypted end-to-end using QUIC.

    • bel8 34 minutes ago

      As I see, it tries to explain.

      But as someone who's not a network specialist, I fail to see how this is not a glorified P2P DNS.

      Maybe this example helps:

      https://github.com/n0-computer/iroh#rust-library

          const ALPN: &[u8] = b"iroh-example/echo/0";
      
          let endpoint = Endpoint::bind().await?;
      
          // Open a connection to the accepting endpoint
          let conn = endpoint.connect(addr, ALPN).await?;
      
          // Open a bidirectional QUIC stream
          let (mut send, mut recv) = conn.open_bi().await?;
      
          // Send some data to be echoed
          send.write_all(b"Hello, world!").await?;
          send.finish()?;
      
          // Receive the echo
          let response = recv.read_to_end(1000).await?;
          assert_eq!(&response, b"Hello, world!");
      
          // As the side receiving the last application data - say goodbye
          conn.close(0u32.into(), b"bye!");
      
          // Close the endpoint and all its connections
          endpoint.close().await;
  • Seattle3503 43 minutes ago

    What are people building with Iroh?

  • commandersaki an hour ago

    So what has the reception been like with IETF?

    • rklaehn 37 minutes ago

      Iroh is a project that combines existing IETF standards in an interesting way. For example we use raw public keys in TLS for the key exchange https://datatracker.ietf.org/doc/html/rfc7250 instead of coming up with our own key exchange scheme.

      Our QUIC implementation noq is a standards compliant QUIC implementation that in addition to RFC9000 also implements the QUIC multipath draft RFC.

      We try very hard not to invent new things unless absolutely necessary. In a few places we had to implement draft RFCs, QUIC multipath and QUIC NAT traversal. And there are some corners where we had to add our own extensions. But we try very hard to keep this to an absolute minimum.

    • Arqu 41 minutes ago

      We're interacting with IETF on a number of projects and so far it's been going well :)

  • convolvatron an hour ago

    I should read the specs, but since it's such a foundational issue maybe someone who knows could respond briefly? the problem with a flat addressing space is that it requires every intermediate node to have state about every address, or perform a costly discovery mechanism for those it doesn't know about. is there a clever answer to this?

    • rklaehn an hour ago

      We have an answer, but it isn't really clever. We do have both built in and pluggable address lookup services.

      Our default enabled address lookup service is using DNS in a creative way, but we also have a service that is fully peer to peer and is using the mainline DHT, specifically the bep_0044 extension that allows you to store a tiny bit of arbitrary data for an Ed keypair that you control.

      https://www.bittorrent.org/beps/bep_0044.html https://pkarr.org

      Some custom transports such as TOR hidden services have a discovery system built in. In these cases we can just use the existing discovery system.

      See for example https://github.com/n0-computer/iroh-tor-transport

    • matheus23 an hour ago

      The secret is that iroh still uses IPs under the hood :) But with QUIC, your connections aren't bound to your four-tuple, your connection can migrate from e.g. WiFi to Cellular with only a small blip/hiccup. And with QUIC multipath, you can have multiple four-tuples "active" at the same time. iroh uses e.g. a "real" IP path mainly, with a websocket-based HTTPS path via relay servers as the backup (e.g. in case UDP is blocked).

  • schlap 21 minutes ago

    We're all building the exact same shit.

  • WhereIsTheTruth an hour ago

    Looking at the pricing page, how can this be the future, maybe the post was written in 1998