@dafyre Also wanted to mention: ZT doesn't use DHCP per se. It can do its own IP assignment using its own methods (network controller assigns IPs) or it can let the OS manage it. In the latter case it will pass DHCP packets so if you enable DHCP on the interface it should work if you have a server on the same network. Beware of DHCP + bridging though, since you can get weird route issues.
Posts made by adam.ierymenko
-
RE: ZeroTier and DNS issues
Yeah, so far for us stuff like managing endpoints is out of scope, and there are already tools that do it well. Detailed security analytics is also out of scope so far, but maybe not forever.
-
RE: ZeroTier and DNS issues
@dafyre Yes, there's some great software for that including some that does detailed security analytics and scans for known malware traffic, etc.
-
RE: ZeroTier and DNS issues
ZT tells you basic information: assigned IP, who is on your network, etc., but it doesn't do sysadmin stuff... Puppet and Chef and such have very deep well-developed products that do that and you can use them over a ZT network just fine.
@dafyre ZT addresses are stable down to the virtual Ethernet MAC, which is derived from your ZeroTier address + network ID, and both of those are cryptographic credentials. Basically your identity.secret file is your virtual network endpoint on all networks you belong to. (A gotcha we see from time to time is people cloning VMs then wondering why the clone gets the same addresses. It's because it has the same identity.)
-
RE: ZeroTier and DNS issues
What do you mean by visibility into? We don't have anything that does system administration and control, but then again most people I talk to use something like Puppet or Chef for that.
-
RE: ZeroTier and DNS issues
Heh... in that case ZT will work fine if they can work around addressing edge cases like the aforementioned. If you are all-in on SDN you just use that as your LAN in which case it all works because it's all just a LAN.
The hairy legacy heterogeneous things are the evil ones, but I suspect that's where a good chunk of revenue might be if you could actually do it well.
-
RE: ZeroTier and DNS issues
What are the most common management needs you tend to see in the field? I assume once you have a network you want to do access control / identity management tie-in somehow (which we're looking at), and you want security monitoring of some form or another, but what else? AD / LDAP already does user management and most people are not going to switch their whole user DB over to another service, and companies like Chef, Puppet Labs, and Hashicorp are completely rocking the devops large-scale management side of things. I'd hesitate to try to compete with any of those on their own turf.
-
RE: ZeroTier and DNS issues
Pertino seems to have a lot of enterprise management features we don't have, and may or may not ever build. We've decided to focus intensely upon the "SDN everywhere" problem domain and do it right and that's our bread and butter as they say. We're targeting mobile, IoT, data center, and hybrid cloud as well as distributed teams and other VPN-ish use cases. (And tech hobbyists, hackers, gamers, etc. We've even had someone install ZT on an ARM Linux device in a drone and make the drone switch WiFi networks as it flies... said it worked decently well.)
@scottalanmiller Yes ZT is SDN, basically VXLAN over a P2P network. Here is a brief technical overview: https://www.zerotier.com/misc/2015-09-23_ZeroTier_Tech_Intro.pdf
@hubtechagain E-mail me at [email protected] and we can determine if that would work or not for your use case. (Also helps us decide what to build next even if it won't work.)
-
RE: ZeroTier and DNS issues
Interesting. I haven't looked deeply into Pertino because my business philosophy is to focus on doing what users want and what makes technical design sense and ignore competition. In fact, during ZT initial design I deliberately did not try any alternatives because I didn't want to "pollute" my headspace.
ZT may not need the DNS hack, since it doesn't use DNS to route traffic. It doesn't need any of that. It does everything a layer down using crypto for authentication and lazy route-learning with automatic switching and preference order. It's like VXLAN over a p2p mesh. It will fall back to WAN-in-WAN-out however if your LAN has rules that prohibit lateral communication... I've seen that in houses that run WiFi switches that do that.
It does seem like the DNS hack would help with the IP ambiguity issue though in mixed deployments, and mixed deployments are what most non-greenfield existing enterprises are going to want because they can't install SDN software on everything... either because they are risk/change averse or because they run a lot of things that are too old/slow/whatever to run it.
-
RE: ZeroTier and DNS issues
@scottalanmiller Every ZT device has a cryptographically-defined identity, so any time it gets a packet it knows who sent it. It can then try various paths for connectivity and use them if a bi-directional link is determined to be present. ZeroTier devices on the same virtual network try each other over their local IPs as well as via NAT-t and other methods and if that works they prefer local to global. But if it stops working they'll fall back to whatever works according to a preference order based on IP scope/class and type (V6 over V4, local over global, direct over indirect).
It's open source if you're curious: https://github.com/zerotier/ZeroTierOne
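The path-preference behaviour described in the post above, as an added illustration that is not part of the original post and not ZeroTier's own code: candidate paths to a peer are ranked by type and scope (direct over indirect, local over global, IPv6 over IPv4), the best path with a live two-way link is used, and when it stops answering the next-best live path takes over. The relative weight of the three criteria, the `LOCAL_NETS` scope table, the `ALIVE_WINDOW` timeout and the sample addresses are assumptions made for this example.

```python
"""Added example (not ZeroTier's code): a toy model of preference-ordered
path selection with fallback.  Assumed ordering: direct before indirect,
then local before global scope, then IPv6 before IPv4."""
from dataclasses import dataclass
import ipaddress

# Simplified "local" scope: RFC 1918, IPv4 link-local, IPv6 ULA and link-local.
# (ipaddress.is_private also flags documentation ranges, so it is not used.)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

ALIVE_WINDOW = 10.0   # assumed seconds since last reply before a path is dead


@dataclass
class Path:
    addr: str          # remote IP as a string
    direct: bool       # True = peer-to-peer, False = through a relay
    last_reply: float  # timestamp of the last reply to a keepalive/probe

    def is_local(self) -> bool:
        ip = ipaddress.ip_address(self.addr)
        return any(ip in net for net in LOCAL_NETS)

    def is_v6(self) -> bool:
        return ipaddress.ip_address(self.addr).version == 6

    def is_alive(self, now: float) -> bool:
        # A path counts as usable only while a bidirectional link is confirmed.
        return (now - self.last_reply) < ALIVE_WINDOW


def preference_key(path: Path):
    """Higher tuple = more preferred (direct, local, v6)."""
    return (path.direct, path.is_local(), path.is_v6())


def rank_paths(paths, now):
    """All currently live paths, most preferred first."""
    live = [p for p in paths if p.is_alive(now)]
    return sorted(live, key=preference_key, reverse=True)


def choose_path(paths, now):
    """Address of the best live path, or None if nothing works."""
    ranked = rank_paths(paths, now)
    return ranked[0].addr if ranked else None


def demo():
    """Constructed scenario: four candidate paths to one peer.  Returns the
    address chosen as each preferred path in turn stops answering."""
    now = 100.0
    paths = [
        Path("203.0.113.10", direct=False, last_reply=98.0),  # relay, global v4
        Path("198.51.100.5", direct=True, last_reply=97.0),   # direct global v4
        Path("192.168.1.20", direct=True, last_reply=99.0),   # direct LAN v4
        Path("fd00:1234::20", direct=True, last_reply=99.0),  # direct LAN v6
    ]
    chosen = []
    while True:
        best = choose_path(paths, now)
        chosen.append(best)
        if best is None:
            break
        # Simulate the chosen path going silent; the next-best live one wins.
        next(p for p in paths if p.addr == best).last_reply = 0.0
    return chosen


if __name__ == "__main__":
    print(demo())
```

The demo walks the fallback chain the post describes: LAN IPv6, then LAN IPv4, then the direct global address, then the relay, then nothing. A real implementation would keep probing dead paths so that a local path that comes back is preferred again.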
-
RE: ZeroTier and DNS issues
@scottalanmiller Sure, but why wouldn't you handle that a layer down? Are you saying Pertino uses DNS to route traffic?
-
RE: ZeroTier and DNS issues
@scottalanmiller ZeroTier just connects directly over LAN if two devices are in the same physical network (if possible). So in-building traffic goes in-building, albeit with the overhead of an extra 28-byte header and encryption/authentication. Overhead is somewhat comparable to IPSec.
For high performance stuff where you don't want any encapsulation overhead it makes more sense to just physically wire things together on private special purpose backplane networks. You will never beat that with SDN because... well... it's just a wire.
-
RE: ZeroTier and DNS issues
We've had the same experience with ZeroTier which does the same thing in this use case minus some of the bundled hacks for things like AD. Greenfield is easy. "Brownfield" as they call it -- namely anywhere other than California -- is a lot harder because you have to still connect to the 1990s Windows NT server that is mission critical or the printers that can't run SDN software or the ancient Solaris box that talks via 1200 baud modem bank to the store PoS systems or the IP over carrier pigeon (RFC1149) deployment.
Right now we've elected to focus more on other uses of SDN, but yes we do eventually want to go there.
So... if Pertino is often used all-or-nothing then why is the DNS mangling needed? I understood it with mixed installs but I don't understand it if you're doing greenfield all-in SDN.
-
RE: ZeroTier and DNS issues
ZeroTier officially supports bridging but our documentation on it stinks or is nonexistent. We're going to be fixing that fairly soon.
We have a user in Germany using it to provide a backplane to stitch together hundreds of local mesh access points for a community meshnet project. He says bridging with ZT works fine with dozens of bridges with hundreds of clients behind each bridge, albeit with a bit of traffic overhead... but it's Germany so they get real fiber Internet connections.
-
RE: ZeroTier and DNS issues
So yeah, like I said above you can support a mixed use case with bridging. Install a bridge on the main LAN and connect your mobile clients to it. When they're also in-house they'll end up with two IP addresses: one via their bridged-across ZT extension of the main LAN and one direct. But the direct one will have a lower metric so it will be used preferentially (though any connections to/from the other IP will keep working, just slightly more slowly than direct LAN due to encapsulation overhead).
@scottalanmiller Agreed for greenfield SDN deployments, but greenfield is hard to achieve in enterprise. Part of what's hard about enterprise as I'm sure you're well aware is that it's hard to undo or un-provision anything, ever. I've seen enterprise houses running 1980s Ultrix software in a modified KVM Alpha emulator on a VM in the cloud because the software is binary-only, the maker of the software is gone, and it's mission critical.
-
RE: ZeroTier and DNS issues
In that case then yes, you can do precisely the same with ZeroTier. Install it on everything and use it as the primary network. But as @Dashrender says not everyone wants to do that for multiple reasons.
BTW, does Pertino support Ethernet bridging? ZT can do that but I have yet to check others to see.
-
RE: ZeroTier and DNS issues
If Pertino were all or nothing it wouldn't need the DNS rewriting. You can use ZeroTier like that too, as some distributed workforce clients do -- use it as the primary company network and use the physical network(s) for transport only. In that case you put your AD servers on ZT only and they only advertise ZT IPs via intranet DNS.
-
RE: ZeroTier and DNS issues
@Dashrender It's probably doing it outbound as well as inbound, and you probably have to run something on your AD server(s).
@scottalanmiller Understood. That would indeed work -- basically it's an intra-LAN version of what Amazon Route 53 and other cloud DNS providers can do on the global Internet -- but I can think of more elegant solutions 1-2 layers down. Might explore in the near-mid term, but right now we're focused on more devops and IoT use cases.
-
RE: ZeroTier and DNS issues
So let me check my understanding: Pertino hijacks and manipulates DNS in order to implement multi-path routing, modifying DNS in transit to fill in the best reachable IP address for a given device?
-
RE: ZeroTier and DNS issues
@Dashrender Right now ZeroTier does nothing for DNS. It virtualizes at L2 and that's it. It does handle IP address management if you enable that feature, but otherwise it just moves packets around.