From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Open RC problem?
Date: Sun, 6 Dec 2015 10:03:46 +0000
Message-Id: <201512061003.57672.michaelkintzios@gmail.com>
In-Reply-To: <20151206092451.6dcf9c2e@digimed.co.uk>

On Sunday 06 Dec 2015 09:24:51 Neil Bothwick wrote:
> On Sat, 5 Dec 2015 18:49:16 +0000, Mick wrote:
> > > It's basically a P2P VPN. You set up a network on the controller and
> > > then join it from various machines. Those machines register with the
> > > network controller, and receive an IP address from it, but the actual
> > > communication is direct between the computers. So your data is private
> > > and if both computers are on the same LAN, you still get full LAN
> > > speed between them.
> > >
> > > It uses a TUN/TAP interface, for example on this laptop:
> > >
> > > zt0: flags=4163  mtu 2800
> > >         inet 10.252.252.6  netmask 255.255.255.0  broadcast 10.252.252.255
> > >         ether 46:96:8c:9c:02:e1  txqueuelen 500  (Ethernet)
> >
> > So is this a userspace tunnel implementation, with the controller
> > playing the role of a remote VPN gateway? Like OpenVPN?
>
> The controller is not a gateway, it is only used to connect the computers
> initially. It's more like a bittorrent tracker or DNS server, it
> facilitates the connection but doesn't see any of it.
>
> > What encryption does it use?
>
> From https://www.zerotier.com/tech_faq.shtml
>
> ZeroTier currently uses 256-bit Curve25519 elliptic curve Diffie-Hellman
> for shared key agreement and Ed25519 for elliptic curve signatures.
> 256-bit Salsa20 with Poly1305 authentication is used to encrypt traffic
> in transit. The construction and use of these algorithms is identical to
> the well-regarded NaCl cryptographic library.
>
> > > So I can connect to 10.252.252.6 from any computer on my zerotier
> > > network, but you cannot. You may even have the same IP address for
> > > one of the computers on your network.
> > >
> > > It's open source and if you want optimum security, or want to run a
> > > network of more than 10 computers without paying a fee, you can run
> > > your own controller.
> >
> > Wouldn't IPSec be more preferable? I'm trying to understand the
> > benefit/need for yet another tunneling solution.
>
> Ease of use and maintenance and flexibility. Creating a network takes
> seconds, adding a client takes a few more, and you can use it all the
> time, even if you are already connected to your physical network.

Thank you Neil! I couldn't find the FAQ page when I had a cursory look at the
beginning. This looks like a very flexible and quite secure option for
tunnelling connections, especially as they plan to implement PFS in the near
future. From what I read here I am not sure if the initial generation of each
device's keys can be controlled by the end user, but even so zerotier still
has a good security model.

-- 
Regards,
Mick
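The FAQ passage Neil quotes says ZeroTier's shared key agreement is Curve25519 Diffie-Hellman, and Mick's reply notes that PFS is still on the roadmap. As an added illustration of what those two statements mean, here is the X25519 function from RFC 7748 written out in plain Python (this is example code for the thread, not code from the thread, from ZeroTier or from NaCl). It shows two parties deriving one shared secret from each other's public keys, and then why key agreement between long-term identity keys alone gives the same secret every session, whereas mixing in fresh per-session keys does not, which is the ingredient forward secrecy needs. Assumptions: only the standard library is used; the key-pair and session names are my own; the fixed private keys used as a check are the RFC 7748 section 6.1 test vectors. The arithmetic branches on secret bits and is not constant-time, which is acceptable for study and not for a real implementation.

```python
import os

# Field prime and the (A - 2) / 4 constant for Curve25519 (RFC 7748, section 4.1).
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate, ignoring the unused top bit."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5.

    Educational only: the swap below is a data-dependent branch, so the
    running time leaks scalar bits. Real libraries use a constant-time swap."""
    k_int = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2 = 1, 0
    x3, z3 = x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    # Affine x = x2 / z2, inverting z2 with Fermat's little theorem.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASE_POINT)


def shared_secret(my_private: bytes, peer_public: bytes) -> bytes:
    """Both sides compute this and land on the same 32 bytes."""
    return x25519(my_private, peer_public)


def new_keypair() -> tuple:
    """Hypothetical helper: a random key pair, long-term or per-session."""
    priv = os.urandom(32)
    return priv, public_key(priv)


def demo_forward_secrecy() -> dict:
    """Two identities run two sessions each way. Static-only DH repeats the
    secret; DH over fresh ephemeral keys does not, so a later leak of the
    identity keys cannot reproduce past session keys from the ephemeral run."""
    alice_id, bob_id = new_keypair(), new_keypair()
    static_runs = [shared_secret(alice_id[0], bob_id[1]) for _ in range(2)]
    ephemeral_runs = []
    for _ in range(2):
        a_eph, b_eph = new_keypair(), new_keypair()
        s_alice = shared_secret(a_eph[0], b_eph[1])
        s_bob = shared_secret(b_eph[0], a_eph[1])
        assert s_alice == s_bob  # both sides agree on the session secret
        ephemeral_runs.append(s_alice)
    return {
        "static_repeats": static_runs[0] == static_runs[1],
        "ephemeral_repeats": ephemeral_runs[0] == ephemeral_runs[1],
    }


if __name__ == "__main__":
    print(demo_forward_secrecy())
```

Two caveats worth keeping in mind when reading this against the FAQ text. First, the code stops at the raw shared point; NaCl's crypto_box does not use that value directly as the Salsa20/Poly1305 key but runs it through HSalsa20 first, and ZeroTier's own key schedule is not described in the thread. Second, a real ephemeral exchange still needs the identity keys (Ed25519 in ZeroTier's case) to sign the ephemeral public keys, otherwise a man in the middle can substitute its own; that signature step is deliberately left out here.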