ZeroTier

Developer(s): ZeroTier, Inc.
Operating system: Microsoft Windows (7 or later), macOS, Linux, FreeBSD, iOS, Android
Type: P2P, SD-WAN, VPN, SDN
License: GPL
Website: https://www.zerotier.com/

ZeroTier is an open-source network virtualization overlay that combines a cryptographically addressed, secure peer-to-peer network with an Ethernet virtualization protocol similar in design to VXLAN. The Ethernet layer supports multicast, broadcast, filtering, security monitoring, and certificate-based access control.

ZeroTier's purpose is to simplify network operation by completely divorcing logical network boundaries from physical networks, eliminating the complexity of multiple tunnels, VPNs, etc. ZeroTier's authors term this the "planetary data center," and ZeroTier itself a "software-based planetary smart switch."

The ZeroTier software is created and maintained by ZeroTier, Inc., a software and infrastructure company located in Irvine, California. It's free to use under the GNU GPL. Commercial licenses for incorporation into proprietary systems, support, and services are available.

Operational summary

The ZeroTier network protocol consists of two tightly coupled but distinct layers, termed VL1 and VL2 in ZeroTier documentation. VL1 and VL2 stand for Virtual Layer 1 and Virtual Layer 2, with "layer" referring to OSI model terminology. VL1 provides a "virtual wire" connecting all devices and infrastructure. VL2 is an Ethernet virtualization protocol with SDN-like features such as rules, access control, redirection, and monitoring.

The open-source ZeroTier software consists of an OS-independent core protocol implementation plus a service that incorporates this core and provides VPN-like virtual network connectivity for Linux, macOS, Windows, BSD, iOS, and Android systems. A software development kit is also available that combines the ZeroTier core with an embedded TCP/IP stack, allowing applications to be outfitted with virtual network connectivity with no kernel, driver, or third-party software requirements.

Network Protocol

VL1 is a secure, encrypted peer-to-peer network. Each device on ZeroTier VL1 is addressed by a 40-bit hash of the public portion of a public/private key pair. This hash is computed using a one-way proof-of-work algorithm as a first line of defense against intentional address collision: an attacker cannot cheaply grind key pairs in search of one that hashes to a chosen address.

Initial VL1 peer-to-peer connection setup is facilitated by a set of global "root servers" operated by ZeroTier, Inc. The software includes the capability to add one's own root servers alongside these, to reduce dependency on ZeroTier infrastructure or to enable disconnected or air-gapped operation. Root servers are simply regular ZeroTier VL1 nodes that are designated as such and that run at stable locations on the network. The existence of a standard set of global root servers allows ZeroTier nodes to bootstrap themselves instantly and automatically for zero-configuration networking.

Actual VL1 transport is via UDP, with techniques such as UDP hole punching used for peer-to-peer connection establishment. Both IPv4 and IPv6 are supported. The protocol could technically make use of other transports such as plain Ethernet framing or Bluetooth.

VL2 is somewhat similar in operation to VXLAN. It encapsulates Ethernet packets in ZeroTier VL1 packets and uses optimization techniques to eliminate the need for additional Ethernet overhead in the unicast case. It supports limited-scale multicast and broadcast with a configurable maximum number of recipients per multicast channel and unlimited-scale unicast (networks can have up to 2^40 devices). VL2 networks can be bridged to physical Ethernet networks and can carry any network protocol that can be carried by Ethernet.

Each VL2 virtual network is identified by a 64-bit ID composed of the 40-bit ZeroTier VL1 address of its primary controller and certificate authority (CA) and a 24-bit arbitrary number identifying it on that controller/CA. Members of a network periodically query the network's controller for configuration and certificate information. During communication, certificates are presented and verified peer-to-peer, eliminating the need for global distribution of what could be a very large whitelist of permitted devices. Since VL2's SDN control plane is accessed through VL1, no additional out-of-band network path is necessary.

A given VL1 peer can participate in an unlimited number of VL2 networks. VL2 network boundaries are entirely software defined. Traffic between the same two peers over different VL2 networks will only require a single shared VL1 peer-to-peer network link.
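The two identifiers described above, as an added worked example (this is not ZeroTier's code; the article does not specify ZeroTier's actual identity algorithm, so the SHA-512-with-leading-byte-threshold criterion, the `POW_THRESHOLD` value and the random 32-byte "public keys" are constructed stand-ins, while the 40-bit/24-bit split of the 64-bit network ID is as the article states):

```python
"""Cryptographic addressing with a proof-of-work criterion, and the
64-bit network ID = 40-bit controller address + 24-bit network number.
Added example code, not ZeroTier's implementation. The hash criterion,
POW_THRESHOLD and the random "public keys" are constructed stand-ins."""
import hashlib
import os
from typing import Tuple

ADDRESS_BITS = 40
NETWORK_NUM_BITS = 24
POW_THRESHOLD = 17  # assumption for illustration: first digest byte must be < this


def _digest(public_key: bytes) -> bytes:
    # Stand-in for the (unspecified) one-way function the article mentions.
    return hashlib.sha512(public_key).digest()


def address_from_public_key(public_key: bytes) -> int:
    """Low 40 bits of the digest become the address (illustrative choice)."""
    return int.from_bytes(_digest(public_key)[-5:], "big")


def satisfies_work(public_key: bytes) -> bool:
    """Proof-of-work criterion: only keys whose digest starts below the
    threshold are acceptable identities."""
    return _digest(public_key)[0] < POW_THRESHOLD


def generate_identity() -> Tuple[bytes, int]:
    """Loop over fresh keys until one passes the work criterion. The expected
    number of tries is 256 / POW_THRESHOLD, and an attacker who wants a
    specific address must additionally hit a 40-bit target, which is what
    makes deliberate collisions expensive."""
    while True:
        public_key = os.urandom(32)  # constructed stand-in for a real public key
        if satisfies_work(public_key):
            return public_key, address_from_public_key(public_key)


def verify_identity(public_key: bytes, claimed_address: int) -> bool:
    """What a peer checks on first contact: the address really derives from
    this key, and the key satisfies the work criterion."""
    return satisfies_work(public_key) and address_from_public_key(public_key) == claimed_address


def make_network_id(controller_address: int, network_number: int) -> int:
    """Compose a 64-bit network ID from the controller's address and the
    controller-local 24-bit network number."""
    if not 0 <= controller_address < (1 << ADDRESS_BITS):
        raise ValueError("controller address must fit in 40 bits")
    if not 0 <= network_number < (1 << NETWORK_NUM_BITS):
        raise ValueError("network number must fit in 24 bits")
    return (controller_address << NETWORK_NUM_BITS) | network_number


def split_network_id(network_id) -> Tuple[int, int]:
    """Accept an int or the 16-hex-digit string form and return
    (controller_address, network_number)."""
    if isinstance(network_id, str):
        if len(network_id) != 16:
            raise ValueError("network ID string must be 16 hex digits")
        network_id = int(network_id, 16)
    if not 0 <= network_id < (1 << 64):
        raise ValueError("network ID must fit in 64 bits")
    return network_id >> NETWORK_NUM_BITS, network_id & ((1 << NETWORK_NUM_BITS) - 1)


if __name__ == "__main__":
    key, addr = generate_identity()
    print(f"address {addr:010x} verifies: {verify_identity(key, addr)}")
    nwid = make_network_id(addr, 1)
    ctrl, num = split_network_id(nwid)
    print(f"network {nwid:016x} -> controller {ctrl:010x}, number {num:06x}")
```

The decomposition is the practical part for an operator: given a network ID, the top 40 bits tell you which node is the controller (and CA) you are trusting for that network's membership decisions.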

Security

All ZeroTier traffic is encrypted end-to-end using the Salsa20 stream cipher for symmetric encryption and the Poly1305 MAC algorithm for packet authentication. Symmetric encryption keys are generated via elliptic curve Diffie-Hellman key exchange. Private keys are never transmitted to ZeroTier servers or to any other third party.
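The encrypt-then-authenticate construction described above, as an added example that is not ZeroTier's code: the Salsa20 core and Poly1305 are written from their public specifications in pure Python so the block runs offline with no third-party packages; the NaCl-style choice of taking the one-time Poly1305 key from keystream block 0, the 20-round parameter, the message framing (tag prepended to ciphertext) and the constant shared key standing in for the ECDH result are all assumptions of this example, not details the article gives.

```python
"""Salsa20 stream encryption authenticated with a Poly1305 tag.
Added example code, not ZeroTier's implementation. The shared key below
is a constructed constant standing in for an ECDH-derived key (the
standard library has no Curve25519), and the framing is NaCl-style."""
import hmac
import struct

SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
MASK32 = 0xFFFFFFFF
P1305 = (1 << 130) - 5


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarter(x, a, b, c, d):
    """Salsa20 quarter-round applied in place to state words a, b, c, d."""
    x[b] ^= _rotl((x[a] + x[d]) & MASK32, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK32, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK32, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK32, 18)


def salsa20_block(key, nonce, counter, rounds=20):
    """Return the 64-byte keystream block for a 32-byte key, 8-byte nonce
    and 64-bit block counter (Salsa20/20 by default)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [SIGMA[0], k[0], k[1], k[2],
             k[3], SIGMA[1], n[0], n[1],
             counter & MASK32, (counter >> 32) & MASK32, SIGMA[2], k[4],
             k[5], k[6], k[7], SIGMA[3]]
    x = list(state)
    for _ in range(rounds // 2):
        _quarter(x, 0, 4, 8, 12); _quarter(x, 5, 9, 13, 1)      # column round
        _quarter(x, 10, 14, 2, 6); _quarter(x, 15, 3, 7, 11)
        _quarter(x, 0, 1, 2, 3); _quarter(x, 5, 6, 7, 4)        # row round
        _quarter(x, 10, 11, 8, 9); _quarter(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & MASK32 for a, b in zip(x, state)])


def salsa20_xor(key, nonce, data, first_block=0):
    """XOR data with the keystream starting at block number first_block."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, first_block + i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def poly1305(one_time_key, msg):
    """Poly1305 tag over msg with a 32-byte one-time key (r || s)."""
    r = int.from_bytes(one_time_key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(one_time_key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16] + b"\x01"  # pad each block with a high 1 bit
        acc = ((acc + int.from_bytes(block, "little")) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def seal(key, nonce, plaintext):
    """Encrypt, then authenticate the ciphertext. Keystream block 0 is used
    only as the one-time Poly1305 key; the payload starts at block 1."""
    otk = salsa20_block(key, nonce, 0)[:32]
    ct = salsa20_xor(key, nonce, plaintext, first_block=1)
    return poly1305(otk, ct) + ct


def open_sealed(key, nonce, sealed):
    """Verify the tag in constant time before decrypting; return None on
    any failure so a forged or corrupted packet is never acted on."""
    if len(sealed) < 16:
        return None
    tag, ct = sealed[:16], sealed[16:]
    otk = salsa20_block(key, nonce, 0)[:32]
    if not hmac.compare_digest(tag, poly1305(otk, ct)):
        return None
    return salsa20_xor(key, nonce, ct, first_block=1)


# Constructed shared key and nonce for demonstration; in the real protocol the
# key comes from the ECDH exchange and the nonce must never repeat per key.
SHARED_KEY = bytes(range(32))
NONCE = bytes.fromhex("0001020304050607")

if __name__ == "__main__":
    packet = seal(SHARED_KEY, NONCE, b"virtual ethernet frame")
    print(open_sealed(SHARED_KEY, NONCE, packet))
```

Two points worth noticing: the tag covers the ciphertext, so a receiver rejects a tampered packet without ever touching the stream cipher, and the tag comparison is constant-time. Because the cipher is a pure XOR keystream, a nonce reused under the same key leaks the XOR of the two plaintexts; the protocol's per-packet nonce handling is what prevents that, not the cipher itself.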

    This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.