• fsxNet Feedback (ZeroTier)

    From Oli@21:3/102 to deon on Sunday, May 16, 2021 15:43:20
    deon wrote (2021-05-15):

    So in the case of a "network" setup for "fsx" - the network admin would authorise nodes to access the "fsx" network (I would suggest based on
    their application to join the network) - and de-authorise them when they leave the network.

    -1

    We are still strangers here, but we are a list of known strangers and we can identify who is doing something inappropriate on the network and
    take action if that is deemed the right response.

    -1

    But at the same time,
    our conversations and traffic is encrypted from the outside world.

    there are other ways for encryption, which fit the FTN model better.

    Anybody outside of the network can't get to our systems and do stuff
    (which is the script kiddies reference I made when I started this thread).

    So you propose everything should happen within the VPN? No open BBS / binkp ports to the real Internet?

    -1

    ---
    * Origin: . (21:3/102)
  • From Oli@21:3/102 to deon on Sunday, May 16, 2021 15:52:53
    deon wrote (2021-05-15):

    Another incredibly powerful feature of ZeroTier is the ability to
    tap the entire network regardless of how widely distributed its
    nodes are.

    Is there a way to prevent this?

    I don't see this as an issue, it would be no different to tcpdump -ni eth0:

    I was not aware that you can monitor all of my fsxnet traffic with a tcpdump on your side.

    For a corporate network this is obviously a feature, but in our use case I would call it a security flaw.

    ---
    * Origin: . (21:3/102)
  • From deon@21:2/116 to Oli on Monday, May 17, 2021 10:07:39
    Re: fsxNet Feedback (ZeroTier)
    By: Oli to deon on Sun May 16 2021 03:43 pm

    Anybody outside of the network can't get to our systems and do stuff
    (which is the script kiddies reference I made when I started this thread).

    So you propose everything should happen within the VPN? No open BBS / binkp ports to the real Internet?

    No, it's not an all or nothing. As an example, my hub is connected to a ZeroTier VPN for another net, but folks can still get to it for FSX.

    You can *choose* to connect to the VPN or not. I doubt we would see the day that you are forced to join a VPN for folks to interact with your BBS.

    My suggestion was to use the technology to obtain a benefit or two - some of those benefits I think are useful - I'm not suggesting that everybody thinks the same.

    The benefits were:

    * Securing transmission
    * Adding some privacy to connections between systems - which can extend to the user logging in telnet and the EMSI/BINKP exchanges of mail/files.
    * By definition of the above, reducing the "script kiddies" from bashing ports
    * And, to achieve all of the above, is just a client that needs to be installed.

    I know I would close my binkp/emsi to public interfaces if access to those services was a "standard" via a virtual network. It just makes sense to me.

    So in the case of a "network" setup for "fsx" - the network admin would authorise nodes to access the "fsx" network (I would suggest based on
    their application to join the network) - and de-authorise them when they leave the network.

    -1

    If there was an FSX "VPN", I don't see a reason to allow folks on that VPN if they are not part of FSX - so I don't understand your '-1' thinking.

    We are still strangers here, but we are a list of known strangers and we can identify who is doing something inappropriate on the network and
    take action if that is deemed the right response.

    -1

    Likewise, I don't understand your thinking. It would be easier to identify if somebody was doing something inappropriate on the network, and an easy way to address it. I'm wondering if your concern is to do with the fact that you can be removed from the network by somebody who "manages it" if your conduct was determined to be inappropriate?

    there are other ways for encryption, which fit the FTN model better.

    Sure, suggest some - since I think this discussion started by your comments around privacy and security.

    ...лоеп
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From deon@21:2/116 to Oli on Monday, May 17, 2021 10:14:25
    Re: fsxNet Feedback (ZeroTier)
    By: Oli to deon on Sun May 16 2021 03:52 pm

    Another incredibly powerful feature of ZeroTier is the ability to
    tap the entire network regardless of how widely distributed its
    nodes are.

    Is there a way to prevent this?

    I don't see this as an issue, it would be no different to tcpdump -ni eth0:

    I was not aware that you can monitor all of my fsxnet traffic with a tcpdump on your side.

    For a corporate network this is obviously a feature, but in our use case I would call it a security flaw.

    I didn't say I could see "all traffic" - in fact I've been explaining how it's peer to peer all along - so there is no way I can see your traffic to another node, since it doesn't come via me.

    But I can see any traffic that broadcasts on the network (BAU), as well as any traffic that is destined to me, via a TCPDUMP. (I think from memory that broadcasts can be blocked via configuration, and thus if so, I would see them.)

    The interface that ZT creates is similar to a switched ethernet interface - anything that comes down that port I can see.

    ...лоеп
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Oli@21:3/102 to deon on Friday, May 14, 2021 11:19:20
    deon wrote (2021-05-14):

    # We could choose to 'secure' the network using something like
    ZeroTier
    I used ZeroTier and it's quite easy to setup and works, but I
    dislike the idea to use a commercial provider for the basic
    infrastructure. FTN is DIY.

    You dont have to use "a provider" with ZeroTier.

    I run a ZeroTier network that is independent of "zerotier" (the provider) itself.

    Is it completely independent?

    Wikipedia tells me: "Virtual networks are created and managed using a ZeroTier controller. Management is done using an API, proprietary web-based UI (ZeroTier Central), open-source web-based or CLI alternative. Using root servers other than those hosted by ZeroTier Inc. is *impeded* by the software's license."

    While you may argue that you "find" me through their root server (which
    is the default) - it doesn't "have" to operate that way. I can populate a "moon" that you "orbit" around (their terms, not mine) so that zerotier
    can be turned off and our connection still works.

    I know ZeroTier were working on personal "roots" so that this moon thing has a less of a value (and they are no longer a pseudo dependency). (I
    haven't kept up with it recently though.)

    root, moons, orbits, ... contr

    The other good thing, with ZeroTier, you don't necessarily provide anybody on the network (who needs to be authorised if it is configured to do so), to see everything on all ports. You can firewall it to a certain extent
    (at the network layer), such that only specific ports are permitted on
    the network. (I did setup the FSX zerotier network this way.) (You could also have your own running firewall as well if you wanted.)

    Can I configure the ports or has the admin the power to change the rules at will?

    Is it possible to use ZeroTier in a really decentralized way?

    ---
    * Origin: . (21:3/102)
  • From deon@21:2/116 to Oli on Friday, May 14, 2021 22:53:11
    Re: fsxNet Feedback (ZeroTier)
    By: Oli to deon on Fri May 14 2021 11:19 am

    Is it completely independent?

    Yes - https://www.zerotier.com/manual/#4_4

    Wikipedia tells me: "Virtual networks are created and managed using a ZeroTier controller. Management is done using an API,
    proprietary web-based UI (ZeroTier Central), open-source web-based or CLI alternative. Using root servers other than those hosted by
    ZeroTier Inc. is *impeded* by the software's license."

    It seems illogical to impede the use of their roots via the software license, when their documentation tells you how to do it (via moons).

    Can I configure the ports or has the admin the power to change the rules at will?

    The owner of the network controls the ports for the network. But you with a (virtual) interface to the network can apply your OS level firewalling - in the same way you may want to firewall one host from another on the same ethernet network.

    Is it possible to use ZeroTier in a really decentralized way?

    Yes, I believe so - even though I've not actually tried it with any system not connected to the internet.

    The concept is similar to DNS - my DNS server isn't authoritative for .de domains - it finds them via "known" root servers and thus can resolve .de addresses. OR if I configure my DNS server directly with the information of the root .de TLD, it doesn't need to query the known roots to find them.

    So I run my own controller, configure my own network on that controller and you as an endpoint can find my network, directly if you configure my "moon" or indirectly via the root servers (aka planets). If zerotier shuts down their root servers, you will still continue to function if you have my moon configured.

    ...лоеп

    ... Elevators smell different to midgets
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Oli@21:3/102 to deon on Friday, May 14, 2021 20:31:01
    deon wrote (2021-05-14):

    Is it completely independent?

    Yes - https://www.zerotier.com/manual/#4_4

    not convinced yet.

    Wikipedia tells me: "Virtual networks are created and managed using
    a ZeroTier controller. Management is done using an API, proprietary
    web-based UI (ZeroTier Central), open-source web-based or CLI
    alternative. Using root servers other than those hosted by ZeroTier
    Inc. is *impeded* by the software's license."

    It seems illogical to impede the use of their roots via the software license, when their documentation tells you how to do it (via moons).

    I agree. It also would not qualify as Open Source software / license.

    Can I configure the ports or has the admin the power to change the
    rules at will?

    The owner of the network controls the ports for the network. But you with
    a (virtual) interface to the network can apply your OS level firewalling
    - in the same way you may want to firewall one host from another on the same ethernet network.

    The owner of the network can also set other funky rules:

    *Tap all of the traffic!*
    Another incredibly powerful feature of ZeroTier is the ability to tap the entire network regardless of how widely distributed its nodes are. Using the tee ability within a flow rule essentially copies every frame sent/received by nodes on the network and sends it to a node of your choice such as an IDS or full packet capture solution such as Moloch.
    from: https://blog.reconinfosec.com/locking-down-zerotier/

    see also: https://www.zerotier.com/2016/08/31/capability-based-security-for-virtual-networks/
    headline "Global Rules and Security Monitoring"

    Is there a way to prevent this?

    Is it possible to use ZeroTier in a really decentralized way?

    Yes, I believe so - even though I've not actually tried it with any
    system not connected to the internet.

    [...]

    If zerotier
    shuts down their root servers, you will still continue to function if you have my moon configured.

    It's still kind of centralized (your moon).

    ---
    * Origin: . (21:3/102)
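    For readers following the "who controls the ports" and "tap all the traffic" points above, here is what a network-side rule set of the kind deon and Oli are describing looks like. This is an added example written for this thread, not the fsxNet network's actual configuration or anything from the ZeroTier project. The ZT address 8f65a7d1ce and the choice of ports are assumptions; the syntax is the ZeroTier rules language as I remember it from the manual's rules-engine section, so check it against the current manual before using it.

```text
# Added example: a restrictive network rule set, followed by the tap rule Oli quotes.
# Rules are evaluated top to bottom, on both the sending and receiving node.
# The default action when nothing matches is drop, so the trailing "accept" matters.

# Layer 2: only IPv4, ARP and IPv6 frames, nothing else on the virtual wire.
drop
	not ethertype ipv4
	and not ethertype arp
	and not ethertype ipv6
;

# The engine is stateless, so restrict connection *attempts* (SYN without ACK)
# rather than every packet; replies from port 24554 then pass untouched.
# Only binkp (24554) and telnet (23) may be opened between members; a member
# port-scanning another member gets nothing else.
drop
	ipprotocol tcp
	and chr tcp_syn
	and not chr tcp_ack
	and not dport 24554
	and not dport 23
;

# The tap: copy up to 1024 bytes of every TCP connection attempt to the node at
# 8f65a7d1ce (hypothetical address, e.g. an IDS). "tee" is non-terminal, so
# evaluation continues to the rules below. Only the network owner can add this.
tee 1024 8f65a7d1ce
	ipprotocol tcp
	and chr tcp_syn
	and not chr tcp_ack
;

accept;
```

The two halves illustrate the asymmetry the thread is circling: the drop rules are the "only specific ports are permitted" protection deon set up, and the tee rule is the monitoring Oli objects to. Both are written and changed by whoever runs the controller, and both apply to a member's node whether or not that member agrees with them. What the member does control is the other direction: the OS-level firewall on the zt interface that deon mentions, which can refuse inbound 24554 from any peer the member has not chosen to trust, but cannot stop frames that have already been copied out by a tee rule on the sender's side.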
  • From deon@21:2/116 to Oli on Saturday, May 15, 2021 09:44:49
    Re: fsxNet Feedback (ZeroTier)
    By: Oli to deon on Fri May 14 2021 08:31 pm

    Another incredibly powerful feature of ZeroTier is the ability to tap the entire network regardless of how widely distributed its
    nodes are. Using the tee ability within a flow rule essentially copies every frame sent/received by nodes on the network and sends it
    to a node of your choice such as an IDS or full packet capture solution such as Moloch.
    from: https://blog.reconinfosec.com/locking-down-zerotier/

    see also: https://www.zerotier.com/2016/08/31/capability-based-security-for-virtual-networks/
    headline "Global Rules and Security Monitoring"

    Is there a way to prevent this?

    I don't see this as an issue, it would be no different to tcpdump -ni eth0:

    a) You can firewall what goes into the interface (aka the network) - as well as firewall what is coming to you.

    b) Communications is peer to peer - the network (like the DNS analogy I gave) provides a way for you to find me. Once you do, you communicate directly to me (not via the planets and moons).

    c) Communications between you and me is encrypted - with a key that you and I create once you find me. (This part I may have misread - and in fact the key may be the network key that all members have joined.)

    While still a "VPN" - it is still semi public, so you still have obligations. There are people you don't know on the network - but not *anybody* - the network "admin" can choose to "authorise" (or not) those requesting to join it.

    So in the case of a

    It's still kind of centralized (your moon).

    If you are on "my" network, sure. But if you created your own network you have no dependency (if you choose so) to use my moon. You could deploy your own.

    ...лоеп

    ... Wait! You have not been prepared! Mr. Atoz, stardate 3113.2.
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From deon@21:2/116 to Oli on Saturday, May 15, 2021 09:49:20
    Re: fsxNet Feedback (ZeroTier)
    By: deon to Oli on Sat May 15 2021 09:44 am

    So crap, hit something and my last message was sent..

    While still a "VPN" - it is still semi public, so you still have obligations. There are people you don't know on the network - but not
    *anybody* - the network "admin" can choose to "authorise" (or not) those requesting to join it.

    So in the case of a


    So in the case of a "network" setup for "fsx" - the network admin would authorise nodes to access the "fsx" network (I would suggest based on their application to join the network) - and de-authorise them when they leave the network.

    We are still strangers here, but we are a list of known strangers and we can identify who is doing something inappropriate on the network and take action if that is deemed the right response. But at the same time, our conversations and traffic is encrypted from the outside world.

    Anybody outside of the network can't get to our systems and do stuff (which is the script kiddies reference I made when I started this thread).

    ...лоеп

    ... Committees: A group that takes minutes and wastes hours.
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From deon@21:2/116 to N1uro on Saturday, May 15, 2021 13:26:01
    Re: fsxNet Feedback (ZeroTier
    By: N1uro to deon on Fri May 14 2021 09:22 pm

    Hi,

    Any VPN has to have some sort of a hub. Even ZeroTier. At least with OpenVPN it's open source, and we could customize it to how we
    see fit and we need not announce which port or which protocol type we decide to use.

    So I don't agree with you.

    If traffic from A to C must go through "B", then yes, "B" is a hub.

    With ZeroTier traffic goes direct A to C. B is only used for A to find C, but traffic does not go through it. (In much the same way you ("A") query a DNS server (aka "B") to find the server ("C"), a web server with your browser.)

    B in this example can be ZeroTier infrastructure or your own.

    The root nodes in this case would be hubs. There needs to be a central point within each network to host and serve the proper
    security certs. Even with OpenVPN, a point/node would still be able to see another point/node within the private IP network. That

    So no.

    Like web serving - the DNS server has nothing to do with the SSL exchange that occurs between you "A" and the server "C" when you are browsing a secure website.

    ...лоеп

    ... Old age is life's parody.
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From deon@21:2/116 to N1uro on Saturday, May 15, 2021 13:32:20
    Re: fsxNet Feedback (ZeroTier)
    By: deon to N1uro on Sat May 15 2021 01:26 pm

    The root nodes in this case would be hubs. There needs to be a central point within each network to host and serve the proper
    security certs. Even with OpenVPN, a point/node would still be able to see another point/node within the private IP network.
    That

    So no.

    Like web serving - the DNS server has nothing to do with the SSL exchange that occurs between you "A" and the server "C" when you are
    browsing a secure website.

    So I'll concede a little here. "B" won't let you find "C" unless you've been authorised (if it is setup that way), and "C" knows you've been authorised, because you have a token that is signed by "B", that "C" can verify with "B"'s public cert.

    So from that point of view "B" is a requirement to instigate a conversation, but not to maintain it. As an example, I have a zerotier controller that serves a network for another FTN. Over the last 6 months, that controller has been down more times than its been up (because I forget to start it), but the two systems that exchange mail over that network haven't missed a beat.

    (Which reminds me, I need to check its running since I've moved stuff around...)

    ...лоеп

    ... Diogenes is still searching.
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
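    A small model of the authorisation flow deon lays out in his last two posts and in his "authorise / de-authorise" description earlier in the thread: "B" (the controller) signs a token, "C" (any peer) checks it with B's public key alone, B is needed to start a relationship but not to keep it going, and a node that is removed stops being accepted. This is an added example written for this thread, not ZeroTier's own code or its real certificate-of-membership format. It uses ed25519 from Go's standard library; the network ID, the member address 8f65a7d1ce and the token lifetime are made-up values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Membership is a toy model of the signed token deon describes: the controller
// ("B") binds a member address to a network ID for a limited time, and any peer
// ("C") can check it with B's public key alone. It is NOT ZeroTier's real
// certificate-of-membership encoding.
type Membership struct {
	NetworkID uint64
	Member    string // ZeroTier-style 10-hex-digit address (hypothetical values below)
	IssuedAt  int64  // Unix seconds
	ExpiresAt int64  // Unix seconds; after this the peer must get a fresh token from B
	Sig       []byte // ed25519 signature over payload()
}

// payload is the byte string the controller signs. Every field the verifier
// relies on must be covered, otherwise a member could alter it freely.
func (m *Membership) payload() []byte {
	buf := make([]byte, 24, 24+len(m.Member))
	binary.BigEndian.PutUint64(buf[0:8], m.NetworkID)
	binary.BigEndian.PutUint64(buf[8:16], uint64(m.IssuedAt))
	binary.BigEndian.PutUint64(buf[16:24], uint64(m.ExpiresAt))
	return append(buf, m.Member...)
}

// Controller is "B": it holds the signing key and the list of authorised members.
type Controller struct {
	Pub        ed25519.PublicKey // pinned by every member when it joins the network
	priv       ed25519.PrivateKey
	Online     bool // flipped to false to simulate the controller being down
	authorised map[string]bool
}

func NewController() (*Controller, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Controller{Pub: pub, priv: priv, Online: true, authorised: map[string]bool{}}, nil
}

func (c *Controller) Authorise(member string)   { c.authorised[member] = true }
func (c *Controller) Deauthorise(member string) { delete(c.authorised, member) }

// Issue hands an authorised member a fresh token. It only works while B is
// reachable, which is why tokens carry a TTL and get renewed rather than
// being issued once.
func (c *Controller) Issue(networkID uint64, member string, now time.Time, ttl time.Duration) (*Membership, error) {
	if !c.Online {
		return nil, errors.New("controller unreachable")
	}
	if !c.authorised[member] {
		return nil, errors.New("member not authorised on this network")
	}
	m := &Membership{NetworkID: networkID, Member: member, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()}
	m.Sig = ed25519.Sign(c.priv, m.payload())
	return m, nil
}

// Verify is what peer "C" runs on a token presented by another member. It needs
// only B's public key, so it keeps working while B is down.
func Verify(controllerPub ed25519.PublicKey, networkID uint64, m *Membership, now time.Time) error {
	if !ed25519.Verify(controllerPub, m.payload(), m.Sig) {
		return errors.New("signature does not verify against controller key")
	}
	if m.NetworkID != networkID {
		return errors.New("token is for a different network")
	}
	if t := now.Unix(); t < m.IssuedAt || t >= m.ExpiresAt {
		return errors.New("token outside its validity window")
	}
	return nil
}

func main() {
	const fsxNet = uint64(0x8056c2e21c000001) // hypothetical network ID
	b, err := NewController()
	if err != nil {
		panic(err)
	}
	now := time.Unix(1621000000, 0)
	b.Authorise("8f65a7d1ce")
	tok, err := b.Issue(fsxNet, "8f65a7d1ce", now, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	b.Online = false // B goes down, as in deon's example
	fmt.Println("peer verify while controller down:", Verify(b.Pub, fsxNet, tok, now.Add(time.Hour)))
	fmt.Println("peer verify after expiry:", Verify(b.Pub, fsxNet, tok, now.Add(48*time.Hour)))
	b.Online = true
	b.Deauthorise("8f65a7d1ce")
	_, err = b.Issue(fsxNet, "8f65a7d1ce", now.Add(48*time.Hour), 24*time.Hour)
	fmt.Println("renewal after de-authorisation:", err)
	tok.ExpiresAt += 86400 * 365 // the member tries to extend its own token
	fmt.Println("tampered token:", Verify(b.Pub, fsxNet, tok, now.Add(48*time.Hour)))
}
```

The TTL is what makes de-authorisation work without B having to reach every peer: a removed node simply never gets a renewed token, and its old one stops verifying when it expires. That is also the trade-off behind deon's "down more than up" controller: the longer the token lifetime, the longer an outage of B is survivable, but the longer a node that has been removed keeps being accepted by peers who have no way to hear otherwise.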