Comments (293)
- apitman: If you're new to Iroh, my mental model is roughly "Tailscale at the application layer instead of the network layer". If your question is, "why not just use Tailscale?", look at it from an app developer's perspective. If you want to release an app and have instances of your app be able to easily connect to each other, you could theoretically embed Tailscale functionality into your app, but then the users of your app need Tailscale accounts, and your app is dependent on Tailscale. Iroh lets you embed this functionality directly, and provides public fallback relays. If your app gets too big for the public relays, using your own relays is the flip of a switch.
- rklaehn: I am one of the iroh developers. A question that frequently comes up: when will iroh support webrtc, or BLE, or LoRa, or ... Iroh as of now supports only IPv4, IPv6 and relay transports out of the box. There is such a large variety of potentially interesting transports out there that we can't support all of them without turning the codebase into an unmaintainable maze of feature flags. But we have added the ability to implement custom transports. That way your transport implementation can live in a completely separate crate. Existing experimental custom transports include Tor, Nym and BLE. https://github.com/mcginty/iroh-ble-transport Here is how custom transports work under the hood: https://www.iroh.computer/blog/iroh-0-97-0-custom-transports...
- andrewflnr:
  > Dial keys

  Maybe it's in the video I didn't watch, but I really think paragraph one should make clear what kind of keys and why. Cryptographic? Asymmetric? How do they do the job, at even the most basic level? It never explains, just dives into abstract claims of superiority and usage stats. I gather relays are involved; this would be a good thing to mention right away instead of making me sift it from the HN discussion.
- Thaxll: I don't understand the problem it's trying to solve in the first place, IP works just fine, such as DNS. There is already IPv6 and quic, you need vendor and major software to have any traction in that field.
- coldblues: The future of networking is decentralization. I'm a huge fan of Yggdrasil and I2P. We should just be able to buy a mini PC to run 24/7 and host whatever it is that we need on it and seamlessly connect to others. A lot of techies already have older spare machines laying around collecting dust that can become servers. It is far cheaper in the long run and easier to maintain than having to deal with domains and server hosting. I truly appreciate the work that the Iroh team puts out.
- logankeenan: Iroh has been amazing to work with and the engineers are so nice in the discord channel. The pragmatic approach to making p2p just work has been easy to understand. Their YouTube channel has great content too. Congrats on v1! https://youtube.com/@n0computer
- j4cobgarby: Doesn't it seem odd to have "Pricing" for a protocol that's meant to serve a similar function to IP addresses? Maybe I'm misunderstanding something.
- colinmarc: We use Iroh in production at work, and I'm absolutely in love with it. I'd describe it primarily as "Tailscale-style hole punching as a rust crate", but of course you can sprinkle a lot of cool p2p stuff on top of the basic QUIC connections.
- arilotter: My company was using Iroh for a production distributed ML training system & we LOVED it. The team was incredibly responsive even before we hooked up with an enterprise support contract, they're incredibly knowledgeable and the library itself worked amazingly. ++ to this lib. would use again over libp2p anytime.
- aag: For a side project, I used Iroh to give my web server in the cloud the ability to print directly to my label printer at home. The API is simple and easy to use. It took no time to write a reliable system on top of Iroh.
- kkapelon: Congrats on shipping. You need urgently a "versus" page that talks about tailscale/netbird/netmaker/zerotier/twingate/openziti. Looking at the use cases, right now I don't see anything that cannot be done with Tailscale...
- miki123211: I like the idea. A couple of questions:
  1. How does Iroh handle key rotation / leakage? Could you build some kind of hot/cold system on top of it, where you'd have a cold "identity key" in airgapped, secure storage, used only to issue certificates for your hot "traffic acceptance" key?
  2. Is there any kind of peer discovery / DHT, either built-in directly or through some semi-official higher-level protocol, like DNS for IP?
  3. What about human-friendly peer names? Those are almost required for end-user friendly applications. Most solutions of that problem either assume that every single user is willing to dedicate their life to configuring DNS, rely on a trusted third party, or delegate the responsibility to a blockchain.
  4. What are the channel reliability properties, and are they configurable? Can you decide how to handle out-of-order or lost packets, or does the protocol enforce a decision? If you're willing to tolerate loss, duplication and reordering, can you avoid head-of-line blocking?
  5. Is peer anonymity a goal?
  6. What about two mostly-offline peers who wish to communicate (think smartphone apps that can't be connected 24/7 due to battery concerns)?
  Overall, cool project.
- Ingon: Amazing, congrats on the release. I've been drawing a lot of inspiration from Iroh, while working on my own https://github.com/connet-dev/connet. While peers in connet communicate peer to peer, I have a long way to cover peer discovery and transparent connection migration. "Tailscale at the application layer, instead of the network layer" (as sibling comment describes it) is a great way of thinking about it. In my mind, with the right apps, Iroh (and connet) could really democratize secure self-hosting.
- ramoz: I've been prototyping with Iroh for a while. I think this tech (modern p2p) represents what agent-to-agent (a2a) should be built on. Every agent should be reachable to each other without hosting itself as an http server.
  related prototypes
  https://github.com/eqtylab/agentbeam
  https://github.com/eqtylab/real-a2a
- kamranjon: To me this sounds like tailscale - does anyone have any insight into how what this is doing is similar or different?
- jhbruhn: That to me looks like Reticulum's [1] addressing ("Destinations") with transport done via QUIC. Does it add anything that Reticulum didn't already solve, other than using slightly different protocols - do they have an advantage?
  [1] https://reticulum.network/
- andai: See also: https://www.dumbpipe.dev/
  pipe over network using Iroh
  Also, for educational purposes, the first version was about 150 lines
  https://github.com/n0-computer/dumbpipe/commit/f64d4c3e772a2...
- andy_xor_andrew: The "address lookup" strategy is really interesting, especially how it uses actual DNS: https://docs.iroh.computer/concepts/address-lookup https://github.com/Nuhvi/pkarr/
- Pbhaskal: But does not QUIC internally need an IP address to route? Who maintains the device vs. IP address map? Is it like torrent?
- AgharaShyam: LM studio recently released a mobile app powered by Tailscale -- https://lmstudio.ai/link . Iroh seems like a perfect OSS alternative for implementing similar p2p features.
- protocolture:
  > IP addresses can break, without warning, and it's outside of your device's control. Keys, however, are created & controlled by you.

  This doesn't really make a lot of sense. Assuming this is true, it's equally likely to be my gateway, or BGP peer IP that breaks. How Iroh offers anything in this scenario is beyond me.

  > The power of that key can't be overstated. We use it to secure the connection. And because all data that comes from the connection is secured by that key, we can build up from that same key into identity, permissions, and attribution. We can also use that same key as an address we can dial, no matter where it is in the world. It turns the internet into a secure localhost.

  This is a way better use case. This should be the headline.
- himata4113: Hmm, this really looks more of a relay network for sale, kinda like steam p2p. The only real use-case I see for this is for exactly that, connecting two or more players where one of the players is the host. Seems like it'll be a hard sell since steam is already so dominant and enterprise is dominated by tailscale... I see the proposal for being able to work with many different networks from different companies at the same time, but it's a pretty rare usecase and nothing some iptables can't solve. I can see the argument for chat in heavily censored regions of the world, but not sure if there's any advantages that iroh can offer over other solutions. Market fit will be hard to find, but best of luck.
- basro: I wish it had support for a system similar to webrtc's offer and answer SDP messages. From what I see, relay servers are doing a job that is equivalent to Stun + Turn + SignalingServer in WebRTC. This is great for simplicity, but having Stun Turn and Signaling live in the same server would make it harder to secure. For example, since in webrtc signaling is up to the user, it is most common to have signaling implemented as a web server, this allows you to have it behind cloudflare with the signaling server ip never exposed to the internet. If you are not interested in supporting turn, there is plenty of public Stun servers that can be used and Stun itself is a really cheap server to run. For iroh, it seems if I wanted to self host relay servers I'd be forced to expose their IP to the web which would make them really expensive to run if one wanted to make them DDoS proof.
- salgorithm: I set up a TypeScript SDK with some examples to test in the browser.
  SDK https://github.com/SalvatoreT/iroh-ts
  Examples
  - https://salvatoret.github.io/iroh-ts/examples/chat/
  - https://salvatoret.github.io/iroh-ts/examples/debug/
  - https://salvatoret.github.io/iroh-ts/examples/poker/
  I made this a while back because I want an easy way to throw together games for family game nights.
- akavel: Huge congrats on the release! I'm slowly trying to build an app on Iroh; it's progressing tiny bit by tiny bit, but I must admit I'm struggling a lot all the time, both with various low-level details, as well as with understanding many high-level aspects, concepts, and approaches. Oftentimes I have to resort to some LLM-generated "wiki" websites to help me progress. I really hope you'll manage one day to allocate some more resources to improve the docs. That said, when I manage to muster enough strength, I do manage to grind some progress, and also it's good to know the underlying tech seems robust, given how many real-world solutions you've built on it! At this moment, if I can try to ask one question: AFAIU Iroh emerged from an attempt at fixing IPFS. I also understand you've since focused more on providing the lower-level building blocks that would allow this and other solutions. Understanding some basics, but still having hard time to get a really solid grasp of the whole of Iroh, I wonder: between Iroh, p2panda, and Willow, what's available and what's missing / needs to be added if one wanted to try and build an "IPFS-like" with those technologies? I'm especially interested in an idea of a "new web" that would defuse DDoS of static websites in a Torrent-like way, forcing the downloading peers to also share their upstream bandwidth while doing this. I'm also thinking of e.g. a "globally-distributed Internet Archive", where I can easily download part of the Archive to my computer, and this automatically improves its availability on such "new web" for subsequent downloaders and browsers. Would you care to give a newbie something of a high-level overview of how one could try to do it over maybe some appropriate combination of Iroh+p2panda+Willow+DHT?
- bear330: It's very cool! I am planning to add Iroh into my daily used https P2P tool (https://github.com/nuwainfo/ffl) which is currently using WebRTC. It's very cool to support both protocols, but it seems like Iroh python support is via FFI which can't be used in my APE (Actual Portable Executable) build...thinking...
- tumdum_: How is that different from https://yggdrasil-network.github.io ?
- Kazik24: I've been using iroh for a while now for personal projects. I wrote a utility for sharing locally running services with others: https://github.com/Kazik24/server_share Glad I can finally update to 1.0. It's a great library.
- jmward01: I think I see the value prop here. Beyond its intended use, what about creating a full VPN out of it? This takes care of the hard part for a lot of home users, opening your vpn up in a safe way. I know this is solved by many other tools so this isn't a new thing but it may increase adoption. Is there already something like that? I imagine you have considered this and if it doesn't already exist have a good reason for not including it. If so, what is that reason?
- virtualbluesky: This might sound pointed, but it truly isn't - why is this approach not already commonplace? As a concept, looking up a verifiable identity makes sense, but often ideas that made sense were looked into and discarded for valid reasons. Would be good to understand those to better understand when/when not to use the project?
- _carbyau_: So, is there an open source variant of Signal using Iroh? IE could I get an app on my phone, to talk to anyone on the planet with that app directly without having to trust any middlemen like Apple, Google, WhatsApp etc? Could people have something like original facebook, but without Meta because of actual p2p?
- openscript: What about censorship circumvention? Is there specialized DERP to DERP communication, that bridge over internet edge nodes doing DPI on QUIC?
- comboy: I'm so disappointed in this comment thread https://en.wikipedia.org/wiki/OSI_model I've just learned about it, but my understanding is that Iroh is L7, compared to e.g. tailscale which is L3
- dangoodmanUT: iroh is consistently one of the most delightful projects i've ever worked with. The people reflect that too. Congrats iroh team!
- astonex: Not sure what the difference is between this and any regular P2P network?
- Kinrany: I wonder if Iroh and Zenoh could/should be used together. The fundamental component of Iroh is p2p routing by key, and the main utility provided by Zenoh is message semantics. The two seem complementary.
- genpfault: C binding: [0]
  [0]: https://github.com/n0-computer/iroh-c-ffi
- edbaskerville: Hoping to use this to reboot an ancient abandoned project. At the time there wasn't a mature P2P connection layer that took care of all the realities of the modern Internet out of the box. Now there is, and it's great to see. This isn't Tailscale because it does secure P2P connections between any pair of devices, whether or not they have Tailscale. This enables real end-user P2P for, e.g., local-first apps with no server infrastructure except relays for resilience. And even if you lose the relay servers, things keep on working the same for any hosts that don't need them.
- wartywhoa23: How soon till govporations require that people dial their services by key, issue and treat the keys like passports, and block those who say something against the grain, access a forbidden site, read a forbidden book, happen to be of wrong nation or otherwise violate ToSes of said govporations? A wonderful chain to link to the CBDC shackle.
- wiremine: This looks really interesting... I think I grok the basic value prop. However, I'm confused on the open source vs. commercial offerings. How do they differ? How do they work together?
- dignifiedquire: hey, I helped make this :) will try to answer questions where I can
- sgsvnk: This is great work, but the blog is too esoteric, likely written by the developers. You should revamp the website to appeal to more general software engineers with more easy to understand terminology to get better traction.
- overgard: This sounds useful, but isn't this the problem that ipv6 is supposed to solve with 128bit addresses? (I'm not really familiar with why IPv6 never really seemed to take off -- does NAT block incoming IPv6 traffic? (I guess that's the other thing -- even though my devices all seem to have IPv6 addresses I can't recall ever using them))
- w10-1: I definitely see the value! But I'm not confident I can tell whether there are e.g., security implications, and I couldn't find anything on point in the docs or on github (other than one discussion on authentication that mentions the information disclosed). Would love a whitepaper on that and any other issues adopters should consider.
- bicepjai: So each app can be its own tailnet, and let devices talk to each other on its network using api keys. Like home appliances in HomeKit network ?
- geoctl: Honestly I am happy that more remote access products are using QUIC, not WireGuard, for tunneling and realizing its technical benefits (e.g. AES hardware acceleration, dynamic endpoints, custom auth with JWT or mTLS, FIPS compliance, traffic masquerading as HTTP/3, etc.). I am a big fan of QUIC myself and I implemented it long ago in Octelium, which is a similar remote access product that's more centered around access control and zero trust rather than P2P connectivity. I believe QUIC should be the future of tunneling, especially when it comes to business and enterprise remote access use cases. Congrats on launching and I wish you the best of luck.
- mnot: The site mentions preferring open standards in the IETF - where is it being discussed there?
- 0x59: So this could be used as a streamlined way for client devices (mobile phones for example) to phone home to servers (google.com for example) with user data and bypass some local network controls? (DNS block lists, for example) Is there an android SDK available?
- yapancha: Maybe it's just me but it's not clear immediately what this is about. I did get a sense after spending enough time. Just feedback.
- infogulch: How does Iroh's performance compare to wireguard?
- MostlyStable: I'm out of my technical depth here, but out of curiosity: is this meant to be a full replacement for the current IP address paradigm, or is this meant to be a specific tool on top of/alongside IP addresses that solves particular problems/frictions?
- Imustaskforhelp: Good for Iroh to have libraries within different languages. I think that with Kotlin support, the creation of some android/multi-platform gui apps can be made easier if they want to use Iroh.
- jbverschoor: Nice video production, but as you can see on this thread of nerds, the messaging is not clear.. Content first, presentation later.
- mrbluecoat: Surprising you don't support golang
- born-jre: As a person who tried to love libp2p so much, this looks great. Will definitely take a deeper look
- mcdermott: "If the implementation is hard to explain, it's a bad idea." --Zen of Python
- porsager: How is this different from https://holepunch.to/ ?
- janandonly: This is big
  > We built & continually check that iroh can compile to WASM & run in the browser
- arianvanp: Are you able to do any form of highly available loadbalancing with this?
- saberience: This page is basically useless in explaining what Iroh is or does and why I should care.
- 28304283409234: I love it. I think. But I find it hard to parse tech videos with music in the background.
- nicebyte: I am confused why this is needed.

  > IP addresses can break, without warning, and it's outside of your device's control.

  We have DNS?

  > Keys, however, are created & controlled by you. They stay the same as your device moves, and are yours to throw away, or not.

  So are domain names? This page does not do a good job of helping me find what it is that I'm missing.
- suwapat: Missing a native go version
- gnarlouse: Is the intent to replace the IP protocol ever?
- superkuh: I am happy to see that Iroh says they'll support the 1.0 protocol for the entire life of the project even if they make a new version. If they can stay true to this it'll be a useful alternative domain system. But using QUIC means it's CA TLS only. As we've seen with the US government pressure on Let's Encrypt recently this CA TLS requirement allows the US (or other nation's) feds to shut down your 'key' no matter where you are. If they allowed self signed or even plain text this would not be a serious issue. But QUIC libs generally can't do this or at best offer a 'scary' build flag for self-signed that is never enabled on any dev's machine during compiling for distribution.
- sunshine-o: I am looking at the awesome page [0] and was surprised not to see a syncthing equivalent. Wouldn't that be an obvious use case? or am I missing a technical limitation?
  [0] https://github.com/n0-computer/awesome-iroh#file-sharing
- Seattle3503: What are people building with Iroh?
- r0l1: Netbird offers the same. Just based on wireguard and everything is open source.
- commandersaki: So what has the reception been like with IETF?
- convolvatron: I should read the specs, but since it's such a foundational issue maybe someone who knows could respond briefly? the problem with a flat addressing space is that it requires every intermediate node to have state about every address, or perform a costly discovery mechanism for those it doesn't know about. is there a clever answer to this?
- MoonWalk: Is what?
- shevy-java:
  > And because all data that comes from the connection is secured by that key, we can build up from that same key into identity, permissions, and attribution.

  So basically they want to find out who is who. In other words: sniffing. It's interesting how the discussion is currently shifting to meta-explain why sniffing is necessary. I noticed this at universities in the last years; people now either have a tablet or a smartphone or a yubico key. This will be extended in the future, there is no doubt about that. And they are selling it with fancy words, just as Iroh showed.
- gamegod: Sounds good, but the first step in your quickstart is getting an API key, and I'm oh, so I guess your sales pitch was a lie and this is really just another Cloudflare-like play to build another intermediary in the internet. If that's not the case, then I shouldn't need an API key for hello world...
- jMyles: So is this like an unfree CJDNS? What are the main differences?
- ssx-x1: Reticulum is better, and faster
- schlap: We're all building the exact same shit.
- WhereIsTheTruth: Looking at the pricing page, how can this be the future, maybe the post was written in 1998