
    Best posts made by adam.ierymenko

    • RE: ZeroTier and DHCP

      Assign mode 'dhcp' is intended to mean 'enable DHCP on this interface and let the OS query DHCP and get an IP assignment.' But it's not actually implemented yet in the client, so it would do nothing and be equivalent to 'none'.

      DHCP isn't the default method because DHCP is unsafe. If you joined a malicious network, DHCP could be used to push e.g. alternative DNS servers and other settings to your device. Some OSes support all kinds of potentially unsafe settings via DHCP. So it's something that we'd want to only enable with some consideration. Current idea is to require the user to explicitly okay DHCP on a per-network basis before it would ever be used even if 'dhcp' is the assign mode.

      You can use DHCP now by setting assign mode to 'none' and invoking DHCP yourself and it will work.

      posted in IT Discussion
      adam.ierymenko
    • RE: If LAN is legacy, what is the UN-legacy...?

      @Dashrender The answer is a huge pile of "it depends." It depends on protocol, application, OS, etc.

      If you're running a closed/private ZeroTier network, then you're not at much greater risk than if you have a VPN. A public ZeroTier network is obviously exposing you a lot more, but keep in mind that every time you join a coffee shop, hotel, university, or other public WiFi network you are doing the same thing. Every time you join someone's WiFi you are exposing L2.

      So the risk is not as great as you might think. A lot of people think "ZOMG! my machine is exposed I will get hax0r3d in seconds!" This is mostly an obsolete fear. OSes today are a lot more secure than they were in the late 90s / early 2000s when we had remote Windows vulnerability of the week and LAN worms were commonplace. You can still have problems if you have a bunch of remote services enabled but most OSes no longer ship this way.

      If you have ZeroTier and join 8056c2e21c00001 (Earth, our public test net) and ping 29.44.238.229, that's my laptop. If you don't get a ping reply it probably means it's asleep. Obviously I am not worried about it. Of course the only remote service I run is ssh and I don't allow password auth so there isn't a lot of exposed surface area.

      There is still some risk of course. The only way to perfectly secure a computer is to turn it off.

      As far as MITM goes, there are a couple answers there and it depends on the nature of the attack. Network virtualization layers like ZeroTier are generally more secure than cheapo switches or WiFi routers in that the MAC addresses of endpoint devices are cryptographically authenticated. It's harder to spoof endpoints, though it's not impossible. On ZT you can't spoof L2 traffic without stealing someone's identity.secret file. It's a bit like a wired network with 802.1X.

      The only wrinkle is Ethernet bridging, and that's why bridging must be allowed on a per-device basis. Normal devices are not allowed to bridge.

      But... the real answer to MITM is: never trust the network. If you are not authenticating your endpoint cryptographically then you are vulnerable to MITM on every network. Use SSL, SSH, etc. and check certificates or you are not safe.

      posted in IT Discussion
      adam.ierymenko
    • RE: If LAN is legacy, what is the UN-legacy...?

      @Dashrender Finally, you can count me in the "firewalls are obsolete" camp. I've worked infosec before. During my tenure we had many attacks, and zero were naive remote attacks that the firewall did anything to stop.

      A short summary of real world attack vectors we saw: phishing, phishing, phishing, phishing, phishing, malware, phishing, drive-by downloads, phishing, and phishing. Did I mention phishing? The least secure thing on the network is the meat bag behind the screen, but in all of the above cases the firewall is worthless. That's because all those threat vectors are "pull" based, not "push" based. We had malware get in through the web, e-mail, Dropbox (with phishing), etc., and in all cases it was pulled in over HTTPS and IMAPS links that happily went right through the firewall.

      Firewalls are dead. Thank the cloud.

      posted in IT Discussion
      adam.ierymenko
    • RE: If LAN is legacy, what is the UN-legacy...?

      @Dashrender Here open this attachment!

      No joke though. I really honestly think we could have just taken our firewall down and given every machine a public IP and there would have been little or no change to security posture. If anything, firewalls encourage the "soft underbelly" problem by giving people the illusion that the local network is secure. Take that old obsolete crutch away and people who do things like bind unpassworded databases to ::0 will look like dummies real fast and the problem will take care of itself over time.

      It's been a while since I've seen a completely deadpan naive remote vulnerability in a consumer OS. By "naive" I mean one that can be exploited in the real world with no credentials, special knowledge, or participation from the user. OSes really have gotten better and if you turn off unnecessary services you're probably not in too terribly much danger. The danger isn't nonexistent but it's probably a lot less than, say, browsing the web with five different plugins enabled or the always popular:

      curl http://note_lack_of_https.itotallytrustthissitelol.com/ | sudo bash

      posted in IT Discussion
      adam.ierymenko
    • RE: If LAN is legacy, what is the UN-legacy...?

      @Dashrender SDNs are about connectivity and manageability, not security per se -- though they can of course be secure and have lots of security related features. SDN is about being able to have mobile devices with stable addresses, fail-over without interrupting flows, control over where flows go, ability to provision new network paths without pulling cable, seamlessly link locations, fail-over across ISPs and clouds, etc.

      posted in IT Discussion
      adam.ierymenko
    • RE: If LAN is legacy, what is the UN-legacy...?

      @Dashrender The economy of scale thing is what I meant by the p2p complexity tax being "regressive" in my presentation on firewalls. The bigger you are, the less it costs to either invest in the engineering required to do p2p well or just back-haul everything to the cloud. If (like MS) you own a bunch of your own data centers, then putting all traffic through your cloud is very cheap due to the scale you already have. So the cloud back-haul requirement intrinsically favors large vendors.

      Personally I think Skype going central was just the MS economy of scale thing. You can do P2P on mobile -- ZeroTier has an Android app and soon an iOS one and they work fine. My phone is always pingable on our company LAN and the impact on battery life is in the fractions of a percent. Of course maybe that's more true today... Skype ported to mobile back when phones had slower single-core CPUs and smaller batteries. Radios have quietly gotten way more efficient too, so the constant low-grade peer-to-peer packet slinging doesn't eat as much battery as it might have with earlier generation LTE and WiFi chipsets.

      posted in IT Discussion
      adam.ierymenko
    • RE: If LAN is legacy, what is the UN-legacy...?

      @scottalanmiller People already run PBXes and VOIP over ZeroTier and say it works great. No need to worry about NAT-T, etc.

      posted in IT Discussion
      adam.ierymenko
    • RE: Pertino - Is Anyone Successfully Using Any Version Above 510 with DNS/AD Connect?

      @scottalanmiller We hope to be the last wave. Please let us know about any issues you find and consider visiting https://www.zerotier.com/community/ and starting a thread about specific use cases you are investigating. 🙂

      posted in IT Discussion
      adam.ierymenko
    • RE: Installing GitLab on CentOS 7

      Check out Gogs:

      https://gogs.io

      It's a single process Git server written in Go. We use it. Infinitely easier to deal with than GitLab, though it lacks some features.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier + Active Directory Authentication

      @Dashrender Yeah, if we go full product on this we will want some kind of "migration assistant" and/or detailed HOWTO that doesn't suck.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier + Active Directory Authentication

      @scottalanmiller If you try AD feel free to update this thread and/or https://www.zerotier.com/community/topic/22/the-big-zerotier-active-directory-lan-virtualization-thread-retitled/2 -- would be helpful

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier + Active Directory Authentication

      @JaredBusch I used teh Google a little and found this open source project:

      https://github.com/stackia/DNSAgent

      Never used it but it looks promising. This could be installed on a client machine and then you could configure it to route DNS queries to different servers by regex of the DNS name.

      Looks source only so you'd need to build. Has a .sln file.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier Question

      @Dashrender Pertino as far as I know implemented some kind of local split brain DNS proxy. That's not quite black magic but it's a pain.

      What we do is to actually put private ZT IPs in our public DNS, e.g. <host>.int.zerotier.com where int.zerotier.com is the internal LAN. But I'm not sure that'll work for Active Directory.

      posted in IT Discussion
      adam.ierymenko
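The two posts above describe the same problem from two sides: a client-side agent (DNSAgent) that routes queries to different resolvers by regex on the name, and an internal zone whose records point at private ZeroTier IPs. The following is an added illustration, not DNSAgent's code or anything from ZeroTier: it parses the question name out of a DNS query in wire format and picks an upstream resolver from a regex rule table. The zone names, resolver addresses and packets are constructed placeholders; a real agent would additionally need the UDP listen/forward loop around this selection logic.

```python
import re
import struct

# Constructed rule table in the style of a regex-routing DNS agent:
# (pattern on the query name, upstream resolver). Hypothetical names/addresses.
RULES = [
    (re.compile(r"(^|\.)int\.example\.com$", re.I), "10.147.17.1"),     # ZT-internal zone
    (re.compile(r"(^|\.)corp\.example\.local$", re.I), "10.147.17.53"),  # AD domain controller
]
DEFAULT_UPSTREAM = "1.1.1.1"  # everything else goes to the normal public resolver


def parse_question_name(packet: bytes) -> str:
    """Return the QNAME of the first question in a DNS query (RFC 1035 wire format)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a fresh query name
            raise ValueError("unexpected compression pointer in question")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def choose_upstream(qname: str) -> str:
    """First matching rule wins; unmatched names fall through to the default."""
    for pattern, upstream in RULES:
        if pattern.search(qname):
            return upstream
    return DEFAULT_UPSTREAM


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def route(packet: bytes) -> str:
    """Resolver address a forwarding agent would send this query packet to."""
    return choose_upstream(parse_question_name(packet))
```

Anchoring the patterns with `(^|\.)...$` matters: an unanchored `int.example.com` would also steer `int.example.com.attacker.example` to the internal resolver.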
    • RE: ZeroTier RPM Installer Script Failing

      Agreed. Linux is fragmented into many distributions and it's still easier.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier RPM Installer Script Failing

      The most expensive piece of software ZeroTier, Inc. has ever purchased is Advanced Installer, a Windows installer builder. We needed the full enterprise version. Worth every penny.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier RPM Installer Script Failing

      Actually I'm heading over to their site to see what kind of auto-update stuff they have. I know they have something. If it's included we might start using it.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier RPM Installer Script Failing

      Hmm... will have to look at the banner still being there. Probably a web UI bug. If you are running 1.1.6 or newer (current is 1.1.12) then ignore it.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier client 1.2.2 is out

      We're about to push binaries for 1.2.4 which is a minor bug fix and performance improvement update. We'll be updating Chocolatey for that, or at least we'll attempt it. (Their auto-validator chokes on our package and requires manual intervention.)

      posted in IT Discussion
      adam.ierymenko