
# Tunnel Comparison

Open. Opened by qrkourier 2 years ago, 0 comments.

## Tunneling Differences: Ziti Router vs. Standalone Tunneler

`ziti-edge-tunnel` is the preferred standalone edge tunneler. This tunneler employs the C SDK and is the background service component of Ziti Desktop Edge (Windows, macOS). Like the standalone tunneler, `ziti router` has some in-built tunneling capabilities that may be enabled at the time that a router is created. This summarizes their differences and is not an inventory of all tunneling capabilities.

| Capability | `ziti router` | `ziti-edge-tunnel` |
|---|:---:|:---:|
| Fallback (recursive) DNS | ✖ | ✔ |
| Load multiple identities | ✖ | ✔ |
| SRV DNS queries | ✖ | ✔ |
| Authoritative DNS response | ✖ | ✖ |
| Linux install package | ✔ | ✔ |
| End-to-end TCP handshake | ✖ | ✔ |
| TCP proxy mode | ✔ | ✖ |
| GLIBC_2.2.5 | ✔ | ✖ |
| PKCS11 | ✔ | ✖ |
| PARSEC | ✔ | ✖ |
| Multi-threaded | ✔ | ✖ |
| Multi-link | ✔ | ✖ |

### Fallback DNS

The tunnel can be configured to forward DNS queries to an upstream nameserver to handle requests that the tunneler can't answer authoritatively, i.e., requests that don't match a Ziti client config.

Enhancement request to add this feature in `ziti router`.

### Load Multiple Identities

`ziti router run` always loads a singular router config at startup. `ziti-edge-tunnel run --identity-dir` will load all Ziti identities in a directory at startup.

### SRV DNS Queries

Enhancement request to implement SRV queries in the `ziti router` nameserver.

### Authoritative DNS Response

> "unusable for subtended macOS clients which will not use a non-authoritative resolver"

### Linux Install Package

Usability: a Linux installer for RPM and DEB package managers is available for `ziti-edge-tunnel` and `openziti` (just the `ziti` CLI), but the package doesn't yet provide a system service unit for `ziti router run`. That's planned for an `openziti-router` package that will depend on the existing `openziti` package.

### End-to-end TCP handshake

`ziti-edge-tunnel` correctly withholds sending SYN/ACK to intercepted TCP clients until the Ziti connection is established with the hosting Ziti SDK. This level of control over the TCP protocol isn't possible with the Linux sockets used by `ziti router`, because Linux has already completed the TCP handshake by the time it dispatches the connection to the remote server.

### Opaque Proxy Mode

The tunnel that is built in to `ziti router` can be configured as an opaque proxy, i.e., binding a TCP listener to a specified port to forward all received packets to a particular Ziti service.

A TCP proxy is in progress for `ziti-edge-tunnel run-proxy` which will function similarly to `ziti router run` with mode proxy.
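As an added example (not from this issue or from the OpenZiti projects), the Go program below illustrates the two preceding sections together: `HandshakeCompletesBeforeAccept` shows the kernel finishing a client's TCP handshake before the application has called `Accept` at all, which is why a socket-based tunneler can't withhold the SYN/ACK, and `OpaqueProxy` is a minimal bind-a-port, forward-everything TCP proxy in the spirit of `ziti router` proxy mode. The function names and loopback addresses are assumptions, and the upstream is a plain TCP address standing in for a Ziti service.

```go
package main

import (
	"io"
	"net"
	"time"
)

// HandshakeCompletesBeforeAccept reports whether a client dial succeeds while Accept is never called.
func HandshakeCompletesBeforeAccept() (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback address is an assumption for the demo
	if err != nil {
		return false, err
	}
	defer ln.Close() // Accept is never called: the kernel alone answers the SYN with SYN/ACK
	c, err := net.DialTimeout("tcp", ln.Addr().String(), 2*time.Second)
	if err != nil {
		return false, nil // handshake did not complete
	}
	c.Close()
	return true, nil // connect() returned before any application code saw the connection
}

// OpaqueProxy forwards every byte from bindAddr to one fixed upstream (a stand-in for a Ziti service).
func OpaqueProxy(bindAddr, upstream string) (net.Listener, error) {
	ln, err := net.Listen("tcp", bindAddr)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			client, err := ln.Accept()
			if err != nil {
				return // listener closed by the caller
			}
			go func() {
				defer client.Close()
				// Handshake already finished before Accept, so a failed upstream dial shows up only as a close.
				up, err := net.DialTimeout("tcp", upstream, 2*time.Second)
				if err != nil {
					return
				}
				defer up.Close()
				go io.Copy(up, client)
				io.Copy(client, up)
			}()
		}
	}()
	return ln, nil
}
```

Pointing `OpaqueProxy` at an address where nothing listens shows the failure mode from the handshake section: the client's dial still succeeds, and it learns of the problem only when the proxy closes the already-established connection.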

### GLIBC_2.2.5

The Go builds use an older version of glibc and are, therefore, compatible with older OSs.

```shell
# find the version of glibc that was used to build a binary
❯ objdump -T $(which ziti) | grep --color=never GLIBC | sed -E 's/.*GLIBC_([.0-9]*).*/\1/g' | sort -uV | head -1
2.2.5
```

### PKCS11

PKCS11 is implemented in `ziti router` as a standard interface to a private key that lives in an HSM, e.g., YubiKey.

The C/C++ `ziti-edge-tunnel` can be built with OpenSSL to enable using keys in a TPM via PKCS11, and the v1 release artifacts are currently built with Mbed TLS for backward compatibility. This tunneler will eventually adopt OpenSSL in v2, if not sooner, which will mean that PKCS11 will then work with both the tunneler and the router.

### PARSEC

PARSEC is implemented in `ziti router` as an interface to a private key that lives in an HSM.

### Testing Go and C SDKs with an Opaque Forward Proxy

Both the C SDK and the Go SDK provide a program for testing tunneling. The testing tunneler offers an opaque, forward TCP proxy listener on the local device.

#### Testing Tunneling with the C SDK

Most tunneling apps use the C SDK. The C SDK produces a proxy CLI, `ziti-prox-c`, that is useful for testing a particular version of the C SDK used by `ziti-edge-tunnel`.

Example: listen on `BIND_IP:TCP_PORT` for traffic with destination `ZITI_SERVICE_NAME` if `ZITI_IDENTITY_CONFIG` matches a Bind Service Policy for `ZITI_SERVICE_NAME`.

```shell
ziti-prox-c run -c ZITI_IDENTITY_CONFIG -b 'ZITI_SERVICE_NAME':BIND_IP:TCP_PORT
```

#### Testing Tunneling with the Go SDK

The `ziti` CLI has a hidden sub-command, `ziti tunnel`, that is useful for testing tunneling with a particular version of the main Ziti Go project and the Ziti Go SDK that is used by `ziti router`. `ziti tunnel` has the same tunneling capabilities as `ziti router`.

Example: listen on `0.0.0.0:TCP_PORT` for traffic with destination `ZITI_SERVICE_NAME` if `ZITI_IDENTITY_CONFIG` matches a Bind Service Policy for `ZITI_SERVICE_NAME`.

```shell
ziti tunnel proxy --identity ZITI_IDENTITY_CONFIG 'ZITI_SERVICE_NAME':TCP_PORT
```

### Multi-threaded

`ziti router` supports more sessions and higher throughput due to multi-threading.

### Multi-link

The nearest router provides the OpenZiti fabric's smart routing capabilities. This means that running a router on a host brings the smart routing capabilities to that host level, enabling it to take direct advantage of the robustness of multiple mesh links. `ziti-edge-tunnel` always uses exactly one edge connection to the nearest router (the first to respond) for each Ziti service. Hence, a loss of availability of the connected router means the connection must be reestablished with a different router.

qrkourier, Jan 30 '23 23:01