LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

08-10-2020, 03:36 PM   #1
unquietwiki
LQ Newbie
 
Registered: Oct 2004
Location: Los Angeles, CA
Distribution: Ubuntu / Debian
Posts: 12

Rep: Reputation: 0
Looking for ZeroTier VPN user feedback


Hey everyone. I've been getting Happy Birthday messages from here for years now, and like to stop by on occasion. Last week, I started working for ZeroTier as a Community Support Manager and am trying to get the team more feedback on how folks use the software, as well as any problems they're having. Any and all is appreciated.

https://github.com/zerotier/ZeroTierOne/labels/Linux => GitHub issues page

https://www.reddit.com/r/zerotier/ => I know folks here aren't big Reddit fans, but I did go over a backlog of older threads there, that might highlight some issues you may be interested in.

Thanks!
 
08-13-2020, 09:35 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,366

Rep: Reputation: 2335
I looked at the GitHub page, and came away wondering "What is zerotier? What does it do?"

'A smart ethernet switch for planet earth' cuts no ice.

BTW, with 7 posts in 16 years, it looks more like every 2 years.
 
08-13-2020, 05:57 PM   #3
unquietwiki
LQ Newbie
 
Registered: Oct 2004
Location: Los Angeles, CA
Distribution: Ubuntu / Debian
Posts: 12

Original Poster
Rep: Reputation: 0
Hey business_kid. 13 years ago, I wrote up http://tinc-vpn.org/examples/ipv6-network/ ; this is like a managed, smarter version of that software. And yeah, I could be more active: I pretty much divided the bulk of my time between Slashdot and Reddit.
 
08-14-2020, 01:35 PM   #4
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,366

Rep: Reputation: 2335
Quote:
Originally Posted by unquietwiki
Hey business_kid. 13 years ago, I wrote up http://tinc-vpn.org/examples/ipv6-network/ ; this is like a managed, smarter version of that software. And yeah, I could be more active: I pretty much divided the bulk of my time between Slashdot and Reddit.
So, zerotier is an ipv6 vpn?
 
08-14-2020, 01:41 PM   #5
unquietwiki
LQ Newbie
 
Registered: Oct 2004
Location: Los Angeles, CA
Distribution: Ubuntu / Debian
Posts: 12

Original Poster
Rep: Reputation: 0
P2P virtualized Ethernet, using the TUN/TAP driver. When I've used tinc, it generates SSH-style keys to use for security; with IPv4, IPv6, and raw frame deployment options. What I liked about this before I started working for them, is that it has those options, except you can build out a managed mesh topology, vs having to edit a bunch of key files. Either option is superior to OpenVPN IMO. I could see WireGuard supplanting tinc & OpenVPN for 1-to-1 connections.
 
08-14-2020, 01:42 PM   #6
unquietwiki
LQ Newbie
 
Registered: Oct 2004
Location: Los Angeles, CA
Distribution: Ubuntu / Debian
Posts: 12

Original Poster
Rep: Reputation: 0
Regarding IPv6 support, specifically...

Quote:
Multicast-Free IPv6 Addressing Modes

IPv6 uses a protocol called NDP in place of ARP. It is similar in role and design but uses narrow multicast in place of broadcast for superior scalability on large networks. This protocol nevertheless still imposes the latency of an additional multicast lookup whenever a new address is contacted. This can add hundreds of milliseconds over a wide area network, or more if latencies associated with pub/sub recipient lookup are significant.

IPv6 addresses are large enough to easily encode ZeroTier addresses. For faster operation and better scaling we’ve implemented several special IPv6 addressing modes that allow the local node to emulate NDP. These are ZeroTier’s rfc4193 and 6plane IPv6 address assignment schemes. If these addressing schemes are enabled on a network, nodes locally intercept outbound NDP queries for matching addresses and then locally generate spoofed NDP replies.

Both modes dramatically reduce initial connection latency between network members. 6plane additionally exploits NDP emulation to transparently assign an entire IPv6 /80 prefix to every node without requiring any node to possess additional routing table entries. This is designed for virtual machine and container hosts that wish to auto-assign IPv6 addresses to guests and is very useful on microservice architecture backplane networks.

Finally there is a security benefit to NDP emulation. ZeroTier addresses are cryptographically authenticated, and since Ethernet MAC addresses on networks are computed from ZeroTier addresses these are also secure. NDP emulated IPv6 addressing modes are therefore not vulnerable to NDP reply spoofing.

Normal non-NDP-emulated IPv6 addresses (including link-local addresses) can coexist with NDP-emulated addressing schemes. Any NDP queries that do not match NDP-emulated addresses are sent via normal multicast.
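
The addressing modes quoted above, as an added example that is not part of the thread or of ZeroTier's code: it builds an rfc4193 address and a 6plane /80 prefix from a network ID and node address, then shows how a node can decide locally which member owns an NDP target instead of trusting a reply from the wire. The byte layouts and the sample identifiers are assumptions not stated in the thread; check them against the ZeroTierOne source before relying on them.

```python
import ipaddress

# Assumed byte layouts (not given in the thread):
#   rfc4193: fd | 8-byte network ID | 99 93 | 5-byte node address   -> one /128 per node
#   6plane : fc | 4 bytes (nwid high32 XOR low32) | 5-byte node addr -> one /80 per node

def _fold(nwid: int) -> bytes:
    """Fold the 64-bit network ID to 32 bits for the 6plane prefix."""
    return (((nwid >> 32) ^ nwid) & 0xFFFFFFFF).to_bytes(4, "big")

def rfc4193_address(nwid: int, node: int) -> ipaddress.IPv6Address:
    raw = b"\xfd" + nwid.to_bytes(8, "big") + b"\x99\x93" + node.to_bytes(5, "big")
    return ipaddress.IPv6Address(raw)

def sixplane_prefix(nwid: int, node: int) -> ipaddress.IPv6Network:
    raw = b"\xfc" + _fold(nwid) + node.to_bytes(5, "big") + bytes(6)
    return ipaddress.IPv6Network((int.from_bytes(raw, "big"), 80))

def ndp_target_owner(nwid: int, target: str):
    """Return (scheme, node address) when the NDP target matches an emulated
    scheme on this network, so the neighbor entry can be computed locally.
    Return None when the query has to go out as ordinary multicast NDP."""
    t = ipaddress.IPv6Address(target).packed
    if t[:11] == b"\xfd" + nwid.to_bytes(8, "big") + b"\x99\x93":
        return ("rfc4193", int.from_bytes(t[11:16], "big"))
    if t[:5] == b"\xfc" + _fold(nwid):
        # Every address inside the node's /80 (e.g. a container guest) maps to it.
        return ("6plane", int.from_bytes(t[5:10], "big"))
    return None

# Constructed sample identifiers, not a real ZeroTier network or node.
NWID = 0x8056C2E21C000001
NODE = 0x1122334455

if __name__ == "__main__":
    addr = rfc4193_address(NWID, NODE)
    prefix = sixplane_prefix(NWID, NODE)
    guest = prefix[0x2A]  # an address a VM/container host could hand to a guest
    print("rfc4193:", addr)
    print("6plane :", prefix, "guest", guest)
    for target in (str(addr), str(guest), "fe80::1"):
        print(target, "->", ndp_target_owner(NWID, target))
```

Because the owner is derived from the target address itself, a forged neighbor advertisement has nothing to override for these addresses; only non-matching targets such as the link-local one fall back to multicast NDP.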
 
Tags
linux, networking, vpn
All times are GMT -5. The time now is 03:27 AM.