Does anyone know if this comes up in other situations? Seems like the one-layer-down issue is getting AD to work in a multi-network environment.
Posts made by adam.ierymenko
-
RE: ZeroTier and DNS
@Dashrender No, we're not doing this if that's what you mean:
https://en.wikipedia.org/wiki/Split-horizon_DNS
We're just putting our intranet IPs under our main domain. Doesn't matter since nobody without intranet access can actually access these systems and they're not advertised anywhere.
I'm thinking that there's a need here for some kind of DNS solution to work with ZeroTier, but in the interest of sanity and avoiding feature explosion I'm reticent to actually build it into ZeroTier itself. Instead I think it should maybe be another app, something that serves DNS locally and makes decisions about where to get the actual DNS information from.
I wonder if anyone's already written anything like this? I know on *nix we have dnsmasq and other similar services.
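One way to build the local "decide where to forward" resolver described in the post above, using dnsmasq's conditional forwarding. This is an added example, not ZeroTier's code or configuration; the int.zerotier.com zone is the one mentioned in this thread, while the intranet DNS server address, the ZeroTier-managed subnet and the public upstream resolvers are assumed, constructed values.

```ini
# /etc/dnsmasq.conf (added example, not part of ZeroTier)

# Answer only on loopback so this forwarder is not reachable from any network.
listen-address=127.0.0.1
bind-interfaces

# Ignore /etc/resolv.conf (which DHCP rewrites); upstreams are declared below.
no-resolv

# Never forward bare single-label hostnames to the public resolvers.
domain-needed

# Intranet zone from the thread: int.zerotier.com and everything under it
# (e.g. git.int.zerotier.com) is sent to the intranet DNS server, which is
# reached over the ZeroTier network. 10.147.17.53 is a constructed placeholder.
server=/int.zerotier.com/10.147.17.53

# Reverse lookups for the (constructed) ZeroTier-managed subnet go the same way,
# so PTR records for intranet hosts never leak to public resolvers.
rev-server=10.147.17.0/24,10.147.17.53

# Everything else goes to ordinary public resolvers (assumed choices).
server=1.1.1.1
server=8.8.8.8
```

Point the OS resolver at 127.0.0.1 (overriding the DHCP-supplied servers, as the later post suggests) and check the split with `dig git.int.zerotier.com @127.0.0.1` versus `dig example.com @127.0.0.1`; the first should be answered from the intranet server and the second from the public upstream.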
-
RE: ZeroTier and DNS
A lot of our users will place their intranet's DNS under their domain and use that -- so e.g. ours is int.zerotier.com and git.int.zerotier.com resolves to an internal IP. This will work regardless of what DNS servers you are actually using.
Sometimes that's not an option. In that case the best thing might be to manually override DHCP DNS and set your intranet's servers as your DNS servers. ZeroTier does not itself depend upon DNS to work properly, and this is why.
-
RE: Is there a Forum homebase for ZeroTier?
We actually have a forum / knowledge base in development, will go live with the next rev of our web site. But we're going to use it more as a curated knowledge base than an open chat site (though we will allow user reg).
-
RE: ZeroTier network blip
@Dashrender How long was the laptop asleep? If it was a while it's possible that its cert was no longer valid and it couldn't get a new one.
Unlucky moment... multi-homing/cluster of network controllers should make that orders of magnitude less likely. We're doing a lot of robustness work right now (not that it's bad as-is).
-
RE: ZeroTier network blip
There can be issues if a network controller is down for a long time because certs have (effective) TTLs, so an old node that's been offline could be unable to communicate. But it would have to be down for a while. Since ZT addresses are portable, if a controller goes down it can be brought up elsewhere with the same identity (failover).
We're adding multi-homing soon, which will make this even more robust:
https://github.com/zerotier/ZeroTierOne/blob/adamierymenko-dev/node/Cluster.hpp#L71
Multi-homing will also be useful for nodes within networks. For example, you could create a global Cassandra cluster behind a single IP on your virtual LAN. Next version should contain an alpha version of cluster/multi-homing capability.
-
RE: ZeroTier network blip
It should use its cached network config and certs -- see the networks.d/<nwid>.conf files, etc.
-
RE: ZeroTier network blip
We caught a network glitch on the web site, but this should not have affected actual virtual networks. If it did then please explain what you saw -- the system should not be vulnerable to this.
FYI network controllers issue config and certificates to network members but are not (by design) a point of failure for actual network communications. If a network controller goes down, the network continues to work, but it just isn't possible to change the network (add new devices, de-authorize devices, change IP assignment settings, etc.).
We're doing a round of infrastructure upgrades in the next few weeks anyway. Web will go to redundant bare metal servers and the root infrastructure (which is critical) is getting even more robust and geo-distributed. (It's already spread across three providers on four continents and all nodes are independent.)
-
RE: If you are new drop in say hello and introduce yourself please!
Ahh.. nodeBB ... view source is your friend.
-
RE: If you are new drop in say hello and introduce yourself please!
BTW what software does this board run? It seems like a forum for the 21st century HTML5 world. It's nice.
-
RE: ZeroTier and DNS issues
@dafyre Yes, the upcoming product is called ZeroTier Central and will consist of the UI you see at https://my.zerotier.com/ plus additional features people would want for in-house usage. We are talking to some potential users about that right now. Potentials include integration with in-house access control mechanisms like Active Directory and LDAP, etc. So you on-board a user and add them to LDAP and add their ZeroTier device IDs and they now have access to all the correct networks for their job and access levels.
-
RE: Will We See ZeroTier on FreeBSD and Other BSD Family Platforms
If MS wants to deal themselves back into the mobile deck, they should do a genuinely convergent phone that runs a real Windows desktop with a little micro HDMI jack on it. Plug in a monitor and wham-o, you have a real computer you can do real things on.
-
RE: If you are new drop in say hello and introduce yourself please!
Yeah, seems lively. Was invited in here a few times and decided to finally sign up.
-
RE: Will We See ZeroTier on FreeBSD and Other BSD Family Platforms
I have a bunch of Pi's here that we use for network testing. I could download that image and try it out I suppose.
-
RE: Will We See ZeroTier on FreeBSD and Other BSD Family Platforms
Hmm... are phones different from tablets? From what I've seen the RT tablets are basically running Windows 10 for ARM, while phones have their own UI thing going on.
-
RE: Will We See ZeroTier on FreeBSD and Other BSD Family Platforms
If someone can donate a Windows RT (ARM) device we can see if we can build for that. Theoretically it should work if you can build normal Windows apps for it as ARM binaries... never messed with it before. But porting the driver might be loads of fun.
@dafyre We'll support earlier iOS if possible... but from what we've read 9 may have must-haves for us. Doing p2p on mobile is not easy at all. Not even a little bit. Our Android port is pretty solid though... I've had it up for months and you can ping my phone on the ZeroTier company LAN whether it's on WiFi or LTE and it switches pretty fast. For testing I played music from my house over LTE while I was driving to work.
-
RE: Will We See ZeroTier on FreeBSD and Other BSD Family Platforms
Apparently FreeBSD now has ZeroTier packages -- 'pkg install zerotier' -- haven't had time to test yet though and it might only be on the latest release. It has built on FreeBSD from source for a while.
NetBSD and OpenBSD I'm not sure... might need a bit of porting work. OpenBSD might get some love at some point.
We have Android: https://play.google.com/store/apps/details?id=com.zerotier.one
iOS is in active development with an ETA in perhaps 2-3 months. Will probably be iOS 9 only since 9 contains the network extension API that we need. (Technically the API is in earlier versions too but we might not mess with it.)
-
RE: ZeroTier and DNS issues
Things can also be free forever if you are the product: https://www.youtube.com/watch?v=ldhHkVjLe7A
-
RE: ZeroTier and DNS issues
We have every intent of keeping ZeroTier open source and basic end-user use free, but we don't even say "forever" since IMHO that's often duplicitous... there is simply no way you can absolutely guarantee that unless you have no maintenance/upkeep cost at all... and even zero-infrastructure software has upkeep cost. Otherwise it's just marketing bait and should be considered meaningless.
I'm waiting for the first company to get sued for false and misleading advertising for that.
-
RE: ZeroTier and DNS issues
@Dashrender IPs and online status can be seen through the ZT control panel (https://my.zerotier.com/ and we'll be licensing a self-hosted version of this soon with more features) and I'm not sure what you mean by bottlenecks. If you mean traffic monitoring there are tools like Zabbix (linked above) that do that well and so far detailed stats like that have been out of scope for ZT (but maybe not forever). ZeroTier runs a full p2p mesh so under most conditions a bottleneck has no real meaning... traffic just flows directly from endpoint to endpoint as it normally would but with encryption and stable mobile addressing. It will run as fast as the underlying network (minus a bit of crypto overhead).