
Connect to peers by ztaddr over VL1 without using a network controller

Open waltmck opened this issue 5 months ago • 2 comments

I previously posted about this on the forums, but I wanted to check with the developers since this is a somewhat technical question.

In order to prevent outages or MITM attacks from an unavailable/compromised network controller, I would like to locally configure peers on each device by their ztaddr (ideally in a config file) without use of a network controller. I don't need anything more complicated than direct layer-3 connections: more advanced routing/policy features could be handled locally through nftables.

It should be technically straightforward to make connections directly over VL1 given knowledge of peers' ztaddr---in fact, this is what happens with the network config query when self-hosting a network controller. However, as far as I can tell, VL2 as currently implemented will not work since a VL2 VLAN is assumed to be associated with a network controller (this is how the network ID is derived).

I will conclude with a few questions:

  • Am I understanding the protocol correctly?
  • Is this already possible to do without patching the client?
  • If not, would you be open to exposing this functionality?

Thank you!

waltmck avatar Jun 19 '25 01:06 waltmck

there's this little known feature https://docs.zerotier.com/protocol/#adhoc

laduke avatar Jun 19 '25 21:06 laduke

> there's this little known feature https://docs.zerotier.com/protocol/#adhoc

That's very interesting, I didn't find it in the docs and it seems like almost what I am looking for. Since I don't need multicast the trade-offs look compelling to me.

However, I have a few clarifying questions (or you can point me to further documentation on the feature if it exists):

  1. Are emulated IPv6 addresses generated uniquely based on ztaddr (and authenticated using the private key corresponding to the ztaddr)? In order to effectively close the network to unauthorized devices, would it be sufficient to have nftables deny all packets except those from a list of IPv6 addresses corresponding to ztaddrs I control?

  2. With VL2 networks, NAT hole-punching happens when a device is connected to the network. Stateful connections to peers are then maintained so that packets can be routed between peers with little latency. However, with an ad-hoc network there seems to be a very large potential set of peers, so it wouldn't be feasible to maintain stateful connections to each of them. When does NAT hole-punching happen in ad-hoc networks, and how does ZeroTier know which devices to establish a connection with before packets are actually being sent? My concern is that a connection forgotten after a period of inactivity will need to be re-established (with fresh peer discovery and hole-punching) every time there is traffic between peers rather than being maintained asynchronously in the background.

waltmck avatar Jun 20 '25 00:06 waltmck
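The allowlist sketched in question 1 above, worked through as an added example (not code from the thread or from the ZeroTier project). It assumes two things taken from the linked protocol docs rather than from this thread: that an ad-hoc network ID has the form `ffSSSSEEEE000000` (start/end port range), and that the emulated addresses use the 6plane layout `fc` + (upper 32 bits of the network ID XOR lower 32 bits) + 40-bit ztaddr + `::1`, each node owning a /80. The ztaddrs and the interface name `ztadhoc0` are constructed placeholders. The ruleset only filters on the IPv6 source inside the ZeroTier interface; whether the node itself refuses to deliver a frame whose source address does not match the sending peer's identity is exactly what the question leaves open, so verify that before relying on the allowlist as the only boundary.

```python
"""Derive 6plane addresses for a ZeroTier ad-hoc network and render an
nftables allowlist for a set of trusted ztaddrs.

Assumptions (from the ZeroTier protocol docs, not from the issue thread):
  * ad-hoc network ID = ff | SSSS | EEEE | 000000   (64 bits, SSSS/EEEE = port range)
  * 6plane address   = fc | nwid_hi32 ^ nwid_lo32 | 40-bit ztaddr | ::1, one /80 per node
"""
import ipaddress
from typing import Iterable


def adhoc_network_id(start_port: int, end_port: int) -> int:
    """Build an ad-hoc network ID from the destination-port range it permits."""
    for port in (start_port, end_port):
        if not 0 <= port <= 0xFFFF:
            raise ValueError(f"port out of range: {port}")
    if start_port > end_port:
        raise ValueError("start port must not exceed end port")
    return (0xFF << 56) | (start_port << 40) | (end_port << 24)


def sixplane_prefix32(nwid: int) -> int:
    """32-bit network component of a 6plane address: upper 32 bits XOR lower 32."""
    return ((nwid >> 32) ^ nwid) & 0xFFFFFFFF


def parse_ztaddr(text: str) -> int:
    """A ztaddr is written as 10 hex digits (40 bits)."""
    if len(text) != 10:
        raise ValueError(f"ztaddr must be 10 hex digits: {text!r}")
    return int(text, 16)


def sixplane_address(nwid: int, ztaddr: int) -> ipaddress.IPv6Address:
    """fcXX:XXXX:XXYY:YYYY:YY00:0000:0000:0001 (XX = nwid hash, YY = ztaddr)."""
    if not 0 <= ztaddr < (1 << 40):
        raise ValueError("ztaddr must be a 40-bit value")
    raw = (0xFC << 120) | (sixplane_prefix32(nwid) << 88) | (ztaddr << 48) | 1
    return ipaddress.IPv6Address(raw)


def sixplane_host_block(nwid: int, ztaddr: int) -> ipaddress.IPv6Network:
    """The /80 that belongs to one ztaddr on this network."""
    return ipaddress.IPv6Network(f"{sixplane_address(nwid, ztaddr)}/80", strict=False)


def nft_allowlist(iface: str, nwid: int, trusted_ztaddrs: Iterable[str]) -> str:
    """Render an nftables ruleset: on `iface`, accept only IPv6 traffic whose
    source falls inside a trusted peer's /80; leave other interfaces untouched."""
    blocks = sorted({str(sixplane_host_block(nwid, parse_ztaddr(z))) for z in trusted_ztaddrs})
    elements = ", ".join(blocks)
    return "\n".join([
        "table inet zt_adhoc {",
        "    set trusted_peers {",
        "        type ipv6_addr",
        "        flags interval",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f'        iifname "{iface}" jump zt_in',
        "    }",
        "    chain zt_in {",
        "        ip6 saddr @trusted_peers accept",
        "        drop",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample: an ad-hoc network that only allows destination port 22,
    # two placeholder ztaddrs, and a placeholder interface name.
    nwid = adhoc_network_id(22, 22)
    print(f"network id: {nwid:016x}")
    for z in ("1122334455", "a1b2c3d4e5"):
        print(z, "->", sixplane_address(nwid, parse_ztaddr(z)))
    print(nft_allowlist("ztadhoc0", nwid, ["1122334455", "a1b2c3d4e5"]))
```

The rendered ruleset is meant to be loaded with `nft -f`; the allowlist hangs off a jump from the input hook so that only frames arriving on the ZeroTier interface are subject to the default drop. Each entry is a /80 rather than a single address because the node owns the whole block under the 6plane scheme, so any host suffix a trusted peer chooses is still covered.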