Smart Ethernet Switch for Planet Earth

“There are several ways to create a solution (to solve a problem), but the most expensive and/or popular way is not always the most effective!”

Preamble

About three years ago, while developing a remote disaster recovery model, I ran into an obstacle that was not obvious at first: a lack of information in community sources about new, original solutions for network virtualization.

The model was planned to work as follows:

  1. A remote user who contacts me because their computer has refused to boot, showing the message “system disk not detected / not formatted”, boots it from a live USB.
  2. During boot, the system automatically connects to a secure private local network which, besides the user's machine, contains the administrator's workstation (in this case a laptop) and a NAS node.
  3. I then connect, either to reanimate the disk partitions or to extract data from them.

Initially, I implemented this model using a VPN server on a local router in a network under my control, then on a rented VDS. But, as often happens and in keeping with Chisholm’s first law: if it rains, the ISP’s network goes down; then a dispute between business entities leaves the service provider without “power”...

Therefore, I decided to first formulate the basic requirements the tool had to meet. First, decentralization. Second, since I have several such live USBs, each of them needs its own isolated network. Third, quick connection of various devices to the network and simple management of them, including the case where my laptop also falls victim to the law mentioned above.

Based on this, and having spent two and a half months on practical research of several not very suitable options, I decided, at my own risk, to try another tool from a startup then unknown to me called ZeroTier. I never regretted it.

During the New Year holidays, trying to understand whether the situation with available content has changed since that memorable moment, I conducted a selective audit of articles on this topic, taking Habr as the source. A search for "ZeroTier" turned up only three articles that mention it, and not one of them gives even a brief description of it. And this despite the fact that one of them is a translation of an article written by the founder of ZeroTier, Inc. himself, Adam Ierymenko.

The results were disappointing and prompted me to describe ZeroTier in more detail, sparing today's "seekers" the route I had to take.

So what is it?

The developer positions ZeroTier as an intelligent Ethernet switch for planet Earth. 

“This is a distributed network hypervisor built on top of a cryptographically secure global peer-to-peer (P2P) network. Similar to a corporate SDN switch, a tool designed to organize virtual networks over physical ones, both local and global, with the ability to connect almost any application or device.”

This is more of a marketing description, now about the technological features.

▍Core: 

The ZeroTier Network Hypervisor is a standalone network virtualization engine that emulates an Ethernet network similar to VXLAN on top of a global encrypted peer-to-peer (P2P) network.

The protocols used in ZeroTier are original, although similar in appearance to VXLAN and IPsec, and consist of two conceptually separate but closely related layers: VL1 and VL2.


▍VL1 is a basic peer-to-peer (P2P) transport layer, a kind of “virtual cable”.

"A global data center requires a 'global cabinet' with cables."

In conventional networks, L1 (OSI layer 1) refers to the actual cables or wireless radios that carry data and the physical transceiver chips that modulate and demodulate it. VL1 is a peer-to-peer (P2P) network that does the same, using encryption, authentication, and other network tricks to arrange virtual cables as needed.

Moreover, it does this automatically, quickly and without requiring any action from the user who launches a new ZeroTier node.

To achieve this, VL1 is organized similarly to the domain name system. At the heart of the network is a group of highly available root servers, whose role is similar to that of DNS root name servers. At the moment, the main (planetary) root servers are operated by the developer, ZeroTier, Inc., and provided as a free service.

However, it is possible to create custom root servers (moons) that allow you to:

  • reduce dependence on ZeroTier, Inc. infrastructure;
  • increase performance by minimizing latency;
  • continue to work as usual in case of loss of Internet connection.

Initially, nodes start up without direct connections to each other. 

Each peer on VL1 has a unique 40-bit (10 hexadecimal digit) ZeroTier address which, unlike an IP address, is a cryptographic identifier that contains no routing information. This address is derived from the public part of the node's public/private key pair. A node's address, public key, and private key together form its identity.

Member ID: df56c5621c  
            |
            ZeroTier address of node

As for encryption, this is an occasion for a separate article.


To establish communication, peers first send packets "up" the root server tree, and as these packets travel through the network they trigger opportunistic creation of direct links along the way. The tree is constantly trying to "collapse itself" in order to optimize the route layout it holds.

The mechanism for establishing a peer-to-peer connection is as follows:


  1. Node A wants to send a packet to Node B but does not know a direct path, so it sends it upstream to Node R (a moon, the user's own root server).
  2. If Node R has a direct connection to Node B, it forwards the packet there. Otherwise, it sends the packet further upstream until it reaches the planetary roots. The planetary roots know about all nodes, so the packet eventually reaches Node B if it is online.
  3. Node R also sends Node A a message called "rendezvous" containing hints on how to reach Node B. Meanwhile, the root server that forwards the packet to Node B sends it a "rendezvous" telling it how to reach Node A.
  4. Nodes A and B receive their rendezvous messages and send probe messages to each other, attempting to traverse the NATs or stateful firewalls in their way. If this works, a direct connection is established and packets no longer take the roundabout route.

If a direct connection cannot be established, communication continues via relay, and direct connection attempts are repeated until they succeed.
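The four steps above, plus the relay fallback, as an added simulation that is not part of the original article or of ZeroTier's own code. It models a planetary root, a moon, two leaf nodes behind ordinary (cone) NATs and one behind a symmetric NAT; the node addresses, endpoints and the single-probe NAT model are constructed assumptions, and the example deliberately leaves out the port prediction the article mentions later, so the symmetric-NAT peer shows the "keep relaying" failure mode:

```go
package main

import "fmt"

// Endpoint is a node's public IP:port as its peers see it (constructed sample values).
type Endpoint string

// Node is a minimal VL1 peer: a root if Upstream is nil, otherwise a leaf or moon.
type Node struct {
	Addr      string
	Endpoint  Endpoint
	Upstream  *Node               // root this node relays through
	Paths     map[string]Endpoint // peer address -> direct endpoint: the "virtual cables"
	Known     map[string]*Node    // roots only: every node registered with this root
	Punched   map[Endpoint]bool   // endpoints we have probed; a cone NAT admits traffic back from them
	Symmetric bool                // NAT that allocates a fresh mapping per destination
	Inbox     []string
	Relayed   int // frames this node sent via a root
	Direct    int // frames this node sent over a direct path
}

// NewNode creates a node and registers it with every root above it, so the planetary
// root at the top ends up knowing about all nodes.
func NewNode(addr string, ep Endpoint, upstream *Node) *Node {
	n := &Node{Addr: addr, Endpoint: ep, Upstream: upstream,
		Paths: map[string]Endpoint{}, Known: map[string]*Node{}, Punched: map[Endpoint]bool{}}
	for r := upstream; r != nil; r = r.Upstream {
		r.Known[addr] = n
	}
	return n
}

// Send uses a direct path when one exists; otherwise the frame goes upstream (steps 1 and 2).
func (n *Node) Send(dst *Node, payload string) {
	if _, ok := n.Paths[dst.Addr]; ok {
		n.Direct++
		dst.Inbox = append(dst.Inbox, payload)
		return
	}
	n.Relayed++
	n.Upstream.relay(n, dst, payload)
}

// relay is the root's side: deliver if dst is known here, else pass further up. The root that
// delivers also sends RENDEZVOUS to both ends with the other end's endpoint (step 3).
func (r *Node) relay(src, dst *Node, payload string) {
	target, ok := r.Known[dst.Addr]
	if !ok {
		if r.Upstream != nil {
			r.Upstream.relay(src, dst, payload)
		}
		return // even the planetary root has not seen dst: it is offline, drop
	}
	target.Inbox = append(target.Inbox, payload)
	src.rendezvous(dst)
	dst.rendezvous(src)
}

// rendezvous reacts to the hint by probing the peer (step 4). The probe opens an outbound
// mapping on our own NAT; the peer's NAT only admits it if the peer has probed us already.
func (n *Node) rendezvous(peer *Node) {
	n.Punched[peer.Endpoint] = true
	seen := n.Endpoint
	if n.Symmetric {
		seen += "/unpredictable-port" // the peer sees a port nobody told it about
	}
	peer.receiveProbe(n, seen)
}

// receiveProbe models the NAT or stateful firewall in front of the receiving node: a symmetric
// NAT has no mapping for this peer at the advertised endpoint, and a cone NAT only admits
// traffic from an endpoint this node has already probed.
func (n *Node) receiveProbe(from *Node, seen Endpoint) {
	if n.Symmetric || !n.Punched[seen] {
		return // dropped; traffic keeps flowing via the root and the next relayed frame retries
	}
	// The probe came through the hole we punched, so our reply passes the peer's NAT too:
	// both sides now hold a direct path.
	n.Paths[from.Addr] = from.Endpoint
	from.Paths[n.Addr] = n.Endpoint
}

func main() {
	planet := NewNode("aa00000001", "203.0.113.1:9993", nil)
	moon := NewNode("bb00000001", "203.0.113.2:9993", planet)
	a := NewNode("cc00000001", "198.51.100.10:40000", moon)
	b := NewNode("dd00000001", "198.51.100.20:40000", planet)
	a.Send(b, "first frame")  // relayed through moon and planet, rendezvous exchanged
	a.Send(b, "second frame") // now direct
	fmt.Printf("A->B relayed=%d direct=%d paths=%v\n", a.Relayed, a.Direct, a.Paths)
}
```

In the run above the first frame from A is relayed: A's probe toward B is dropped because B has not yet punched outward, but B's probe toward A lands in the hole A just opened, so the second frame already travels directly. A peer marked `Symmetric` never gets a direct path and every frame to it stays relayed, which is the situation the article's port prediction is meant to fix.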

VL1 also has other features for direct connection establishment, including LAN peer discovery, port prediction for traversal of symmetric IPv4 NATs, and explicit port mapping using UPnP and/or NAT-PMP if available on the local physical LAN.


▍VL2 is a VXLAN-like Ethernet network virtualization protocol with SDN management functions. Familiar communication environment for OS and applications...

Unlike VL1, creating VL2 networks (VLANs), connecting nodes to them and managing them requires direct involvement from the user, done through a network controller. Essentially, it is a regular ZeroTier node whose controller functions are managed in one of two ways: either directly, by editing files, or, as the developer strongly recommends, through a published API.

This way of managing ZeroTier virtual networks is not very convenient for an ordinary user, so several GUIs exist:

  • One is from ZeroTier itself, offered as a SaaS public-cloud service with four subscription plans, including a free one that is limited in the number of managed devices and in support level.
  • The other is from an independent developer, somewhat simpler in functionality but available as an open source solution for on-premises or cloud deployment.

VL2 is implemented on top of VL1 and is transported by it. It inherits the encryption and authentication of VL1 endpoints and uses their asymmetric keys to sign and verify credentials. VL1 lets VL2 be implemented without regard to the underlying physical network topology: connectivity and routing efficiency are VL1's problems. It is important to understand that there is no relationship between VL2 virtual networks and VL1 paths. As with VLAN multiplexing on a wired LAN, two nodes that share membership in several networks still have only one VL1 path (virtual cable) between them.

Each VL2 network (VLAN) is identified by a 64-bit (16 hexadecimal digit) ZeroTier network address, which contains the controller's 40-bit ZeroTier address and a 24-bit number identifying the network created by that controller.

Network ID: 8056c2e21c123456
            |         |
            |         Network number on controller
            |
            ZeroTier address of controller
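The two address layouts above (the 40-bit node address and the 64-bit network ID that embeds a controller address plus a 24-bit network number), as an added example that is not from the article or from ZeroTier's code base. It parses and validates both formats and splits the article's sample network ID into its fields; the reserved-address rule (all zeros or a leading 0xff byte) is an assumption taken from the reference implementation's Address class, and the rest is plain bit arithmetic:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// NodeAddress is the 40-bit VL1 address of a node (10 hex digits).
type NodeAddress uint64

// NetworkID is the 64-bit VL2 network address: controller address in the top 40 bits,
// controller-assigned network number in the low 24 bits.
type NetworkID uint64

// IsReserved reports whether ZeroTier would never assign this address: all zeros, or a
// leading byte of 0xff (assumption taken from the reference implementation's Address class).
func (a NodeAddress) IsReserved() bool {
	return a == 0 || uint64(a)>>32 == 0xff
}

func (a NodeAddress) String() string { return fmt.Sprintf("%010x", uint64(a)) }

// parseHex accepts exactly `digits` hexadecimal characters, case-insensitively.
func parseHex(s string, digits int, what string) (uint64, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	if len(s) != digits {
		return 0, fmt.Errorf("%s %q: want %d hex digits, got %d", what, s, digits, len(s))
	}
	v, err := strconv.ParseUint(s, 16, 64)
	if err != nil {
		return 0, fmt.Errorf("%s %q: %w", what, s, err)
	}
	return v, nil
}

// ParseNodeAddress validates a 10-hex-digit ZeroTier address.
func ParseNodeAddress(s string) (NodeAddress, error) {
	v, err := parseHex(s, 10, "node address")
	if err != nil {
		return 0, err
	}
	a := NodeAddress(v)
	if a.IsReserved() {
		return 0, fmt.Errorf("node address %q is reserved", s)
	}
	return a, nil
}

// ParseNetworkID validates a 16-hex-digit network ID and checks that the embedded
// controller address is itself a valid node address.
func ParseNetworkID(s string) (NetworkID, error) {
	v, err := parseHex(s, 16, "network ID")
	if err != nil {
		return 0, err
	}
	n := NetworkID(v)
	if n.Controller().IsReserved() {
		return 0, fmt.Errorf("network ID %q embeds a reserved controller address", s)
	}
	return n, nil
}

// Controller extracts the 40-bit address of the controller that created the network.
func (n NetworkID) Controller() NodeAddress { return NodeAddress(uint64(n) >> 24) }

// Number extracts the 24-bit per-controller network number.
func (n NetworkID) Number() uint32 { return uint32(uint64(n) & 0xffffff) }

func (n NetworkID) String() string { return fmt.Sprintf("%016x", uint64(n)) }

// MakeNetworkID builds the ID a controller would assign to network `number`.
func MakeNetworkID(controller NodeAddress, number uint32) (NetworkID, error) {
	if number > 0xffffff {
		return 0, fmt.Errorf("network number %#x does not fit in 24 bits", number)
	}
	return NetworkID(uint64(controller)<<24 | uint64(number)), nil
}

func main() {
	nid, err := ParseNetworkID("8056c2e21c123456") // the article's sample network ID
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("network %s: controller %s, number %06x\n", nid, nid.Controller(), nid.Number())
}
```

A practical use of the split is sanity-checking a network ID before joining: the controller field tells you which node will be handing out credentials for that network, which is worth confirming against the controller you actually intended to trust.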

When a node joins a network or requests a network configuration update, it sends a network configuration request message (via VL1) to the network controller. The controller then uses the host's VL1 address to find it on the network and send it the appropriate certificates, credentials, and configuration information. From the point of view of VL2 virtual networks, VL1 ZeroTier addresses can be thought of as port numbers on a huge global virtual switch.

All credentials issued by a network controller to the member nodes of a given network are signed with the controller's private key so that all network members can verify them. Credentials carry controller-generated timestamps, allowing relative comparisons without consulting the host's local system clock.

Credentials are issued only to their owners, who then present them to the peers they want to communicate with on the network. This lets the network scale to enormous sizes without nodes having to cache large numbers of credentials or constantly consult the network controller.
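The credential flow from the last three paragraphs (controller signs with its private key, any member verifies with the controller's public key, timestamps are compared only against each other), as an added example that is not ZeroTier's own credential format or code. It uses Ed25519 from Go's standard library; the field layout, the millisecond timestamp unit and the sample addresses are constructed assumptions, and the network ID is the article's example:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is a controller-issued proof of membership. Only the controller can produce the
// signature; anyone holding the controller's public key can check it.
type Credential struct {
	NetworkID uint64 // 64-bit VL2 network ID
	Member    uint64 // 40-bit VL1 address of the node the credential was issued to
	Timestamp int64  // controller's own clock (milliseconds assumed); only ever compared relatively
	Signature []byte
}

// signedBytes is the canonical encoding the signature covers.
func (c Credential) signedBytes() []byte {
	buf := make([]byte, 24)
	binary.BigEndian.PutUint64(buf[0:8], c.NetworkID)
	binary.BigEndian.PutUint64(buf[8:16], c.Member)
	binary.BigEndian.PutUint64(buf[16:24], uint64(c.Timestamp))
	return buf
}

// Controller owns the signing key; the private half never leaves it.
type Controller struct {
	Addr uint64 // 40-bit VL1 address of the controller
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewController(addr uint64) (*Controller, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Controller{Addr: addr, Pub: pub, priv: priv}, nil
}

// Issue signs a credential for one member of one network, stamped with the controller's clock.
func (c *Controller) Issue(networkID, member uint64, now int64) Credential {
	cred := Credential{NetworkID: networkID, Member: member, Timestamp: now}
	cred.Signature = ed25519.Sign(c.priv, cred.signedBytes())
	return cred
}

// Verify is what a member runs when a peer presents a credential. It needs only the network
// ID it is on and the controller's address and public key, all learned when it joined; no
// round trip to the controller is required.
func Verify(controllerAddr uint64, controllerPub ed25519.PublicKey, cred Credential, networkID uint64) error {
	if cred.NetworkID != networkID {
		return errors.New("credential is for a different network")
	}
	if networkID>>24 != controllerAddr {
		return errors.New("network ID was not created by this controller")
	}
	if !ed25519.Verify(controllerPub, cred.signedBytes(), cred.Signature) {
		return errors.New("signature does not verify under the controller's key")
	}
	return nil
}

// Newer picks the credential the controller issued later, comparing controller timestamps
// against each other rather than against the member's local clock.
func Newer(a, b Credential) Credential {
	if b.Timestamp > a.Timestamp {
		return b
	}
	return a
}

func main() {
	ctrl, err := NewController(0x8056c2e21c) // controller address embedded in the article's network ID
	if err != nil {
		fmt.Println(err)
		return
	}
	nid := uint64(0x8056c2e21c123456)
	cred := ctrl.Issue(nid, 0xdf56c5621c, 1_700_000_000_000)
	fmt.Println("member verifies peer credential:", Verify(ctrl.Addr, ctrl.Pub, cred, nid))
	cred.Member = 0xdf56c5621d // a peer presenting someone else's credential under its own address
	fmt.Println("tampered credential:", Verify(ctrl.Addr, ctrl.Pub, cred, nid))
}
```

The signature binds the member address to the network ID, so a credential cannot be replayed by another node or on another network, and because the check only needs the controller's public key it runs peer-to-peer at the moment two members first talk, which is what keeps the controller out of the data path.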

ZeroTier networks support multicasting through a simple publish/subscribe system.


When a node wishes to receive multicasts for a particular group, it advertises its membership in that group to the network members it is communicating with and to the network controller. When a node wishes to send a multicast, it consults its cache of recent membership advertisements and periodically requests further ones.

A broadcast (Ethernet ff:ff:ff:ff:ff:ff) is treated as a multicast group to which all members are subscribed. It can be disabled at the network level to reduce traffic if it is not needed.

ZeroTier emulates a real Ethernet switch. This lets the virtual networks it creates be joined with other Ethernet networks (wired LAN, WiFi, virtual backplane, etc.) at the data link layer using a conventional Ethernet bridge.

To act as a bridge, a host must be designated as one by the network controller. This is a security measure: ordinary network nodes are not allowed to send traffic from any source MAC other than their own. Nodes designated as bridges also trigger a special multicast mode that targets them more aggressively, replicating all broadcast traffic and ARP requests to them.
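The switch rules from the multicast and bridging paragraphs above (broadcast as an all-member group that can be disabled network-wide, multicast delivered to advertised subscribers, and the source-MAC restriction that only designated bridges are exempt from), as an added model that is not ZeroTier's own forwarding code. Member addresses and MACs are constructed, and the flooding of unknown unicast to bridges is an assumption taken from how a conventional switch behaves, not something the article states:

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// MAC is a colon-separated Ethernet address.
type MAC string

// Broadcast is treated as a multicast group every member is subscribed to.
const Broadcast MAC = "ff:ff:ff:ff:ff:ff"

// Frame is the part of an Ethernet frame the switch model looks at.
type Frame struct {
	Src, Dst MAC
	Payload  string
}

// Member is one VL2 port: the node, its assigned MAC, whether the controller designated it as
// a bridge, and the multicast groups it has advertised membership in.
type Member struct {
	Addr   string
	MAC    MAC
	Bridge bool
	Groups map[MAC]bool
	Inbox  []Frame
}

// Subscribe advertises membership in a multicast group.
func (m *Member) Subscribe(group MAC) { m.Groups[group] = true }

// Network is one VL2 network with its members and the network-level broadcast switch.
type Network struct {
	Members          map[string]*Member
	BroadcastEnabled bool
}

func NewNetwork(broadcast bool) *Network {
	return &Network{Members: map[string]*Member{}, BroadcastEnabled: broadcast}
}

// Join adds a member; everyone is implicitly in the broadcast group.
func (n *Network) Join(addr string, mac MAC, bridge bool) *Member {
	m := &Member{Addr: addr, MAC: mac, Bridge: bridge, Groups: map[MAC]bool{Broadcast: true}}
	n.Members[addr] = m
	return m
}

// isMulticast: the group bit is the lowest bit of the first octet.
func isMulticast(mac MAC) bool {
	if len(mac) < 2 {
		return false
	}
	first, err := strconv.ParseUint(string(mac)[:2], 16, 8)
	return err == nil && first&1 == 1
}

// ownsMAC reports whether some member of this network has been assigned mac.
func (n *Network) ownsMAC(mac MAC) bool {
	for _, m := range n.Members {
		if m.MAC == mac {
			return true
		}
	}
	return false
}

// Deliver applies the switch rules and returns how many members received the frame:
// non-bridge members may only send from their own MAC; broadcast and multicast go to the
// group's subscribers; unicast goes to the owner of the destination MAC or, if no member
// owns it, to the bridges (assumption: unknown unicast is flooded to bridges).
func (n *Network) Deliver(from *Member, f Frame) (int, error) {
	if !from.Bridge && f.Src != from.MAC {
		return 0, errors.New("dropped: non-bridge member " + from.Addr + " sent from foreign MAC " + string(f.Src))
	}
	if f.Dst == Broadcast && !n.BroadcastEnabled {
		return 0, nil // broadcast disabled at the network level: silently dropped
	}
	delivered := 0
	for _, m := range n.Members {
		if m == from {
			continue
		}
		switch {
		case f.Dst == Broadcast || isMulticast(f.Dst):
			if !m.Groups[f.Dst] {
				continue
			}
		case m.MAC == f.Dst:
			// unicast to this member
		case m.Bridge && !n.ownsMAC(f.Dst):
			// unknown unicast: the destination may sit behind this bridge
		default:
			continue
		}
		m.Inbox = append(m.Inbox, f)
		delivered++
	}
	return delivered, nil
}

func main() {
	nw := NewNetwork(true)
	a := nw.Join("cc00000001", "02:cc:00:00:00:01", false)
	b := nw.Join("dd00000001", "02:dd:00:00:00:01", false)
	_, err := nw.Deliver(a, Frame{Src: b.MAC, Dst: a.MAC, Payload: "spoofed"})
	fmt.Println(err)
	cnt, _ := nw.Deliver(a, Frame{Src: a.MAC, Dst: Broadcast, Payload: "who-has"})
	fmt.Println("broadcast reached", cnt, "members")
}
```

The source-MAC rule is the part worth noticing from a defender's point of view: it is what stops an ordinary member from impersonating another member at layer 2, and it is also why bridging has to be an explicit controller decision rather than something any node can switch on for itself.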

The switch also has the ability to create public and ad-hoc networks, a QoS mechanism and a network rules editor.

▍Node:

ZeroTier One is a service that runs on laptops, desktops, servers, virtual machines and containers and provides connections to virtual networks through a virtual network port, similar to a VPN client.

Once the service is installed and running, you can join virtual networks using their 16-character (hexadecimal) network addresses. Each network appears as a virtual network port on the system that behaves just like a regular Ethernet port.

ZeroTier One is currently available for the following OS and systems.

Operating Systems:

  • Microsoft Windows - MSI installer x86/x64
  • MacOS - PKG installer
  • Apple iOS - App Store
  • Android — Play Store
  • Linux - DEB/RPM
  • FreeBSD - FreeBSD package

NAS:

  • Synology NAS
  • QNAP NAS
  • WD MyCloud NAS

Others:

  • Docker - Dockerfile
  • OpenWRT - community port
  • App embedding - SDK (libzt)

To summarize all of the above, I would note that ZeroTier is an excellent and fast tool for combining your physical, virtual or cloud resources into a common local network, with the ability to divide it into VLANs and without a single point of failure.

That's it for the theoretical part, in the format of a first article about ZeroTier for Habr. In the next article, I plan to demonstrate in practice the creation of a virtual network infrastructure based on ZeroTier, where a VDS with a private open source GUI template will be used as the network controller.

Dear Readers, Do you use ZeroTier technology in your projects? If not, what tools do you use to network your resources?


Source: habr.com
