Protocol Design Whitepaper - ZeroTier Documentation
Whitepaper
Introduction
ZeroTier is a smart Ethernet switch for planet Earth.
Network Hypervisor
Overview
The ZeroTier network hypervisor (currently found
in the node/ subfolder of the ZeroTierOne git
repository) is a self-contained network
virtualization engine that implements an Ethernet
virtualization layer similar to VXLAN on top of a
global encrypted peer to peer network.
Addressing
Every node is uniquely identified on VL1 (the underlying peer-to-peer transport layer) by a 40-bit (10 hex digit) ZeroTier address. This address is computed from the public portion of a public/private key pair, so a node can only claim an address if it holds the matching private key. A node's address, public key, and private key together form its identity.
On devices running ZeroTier One the node identity is stored in identity.public and identity.secret in the service's home directory. identity.secret should be protected like any other private key: whoever holds it can act as that node.
Cryptography
If you don’t know much about cryptography you
can safely skip this section. TL;DR: packets are
end-to-end encrypted and can’t be read by roots
or anyone else, and we use modern 256-bit crypto
in ways recommended by the professional
cryptographers that created it.
Multipath
Multipath allows multiple physical links to be aggregated, simultaneously or conditionally, into a bond for increased total throughput, load balancing, redundancy, and fault tolerance. A set of standard bonding policies, inspired by those offered by the Linux kernel, is available out of the box; a policy can be selected without specifying any additional parameters.
Credential Types
Ethernet Bridging
ZeroTier emulates a true Ethernet switch. This
includes the ability to L2 bridge other Ethernet
networks (wired LAN, WiFi, virtual backplanes,
etc.) to virtual networks using conventional
Ethernet bridging.
Public Networks
It is possible to disable access control on a ZeroTier network. Members of a public network do not check certificates of membership, and new members joining a public network are automatically marked as authorized by its controller. It is not possible to de-authorize a member of a public network, so anyone who learns the network ID can join and remain a member.
Ad-Hoc Networks
A special kind of public network called an ad-hoc
network may be accessed by joining a network ID
with the format:
  ffSSSSEEEE000000
  | |   |   |
  | |   |   Reserved for future use, must be 0
  | |   End of port range (hex)
  | Start of port range (hex)
  Reserved ZeroTier address prefix indicating a controller-less network
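The following is an added example (not ZeroTier's own code) that builds an ad-hoc network ID from a port range and parses one back, rejecting IDs that violate the layout above. It relies on the fact that a 64-bit network ID is the 40-bit controller address followed by a 24-bit network number, which is why the ff prefix occupies the address field; the controller-backed ID used in the demo is a constructed value, not a real network.

```python
import re
from typing import Tuple

# Added example, not ZeroTier's own code. Ad-hoc IDs have the layout
# ffSSSSEEEE000000: "ff" (reserved address prefix), a 16-bit start port,
# a 16-bit end port, and 24 reserved bits that must be zero. Ports are
# written big-endian as four hex digits each.
_ADHOC_RE = re.compile(r"^ff([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{6})$")


def adhoc_network_id(start_port: int, end_port: int) -> str:
    """Return the 16-hex-digit ad-hoc network ID covering start_port..end_port."""
    for port in (start_port, end_port):
        if not 0 <= port <= 0xFFFF:
            raise ValueError(f"port {port} does not fit in 16 bits")
    if start_port > end_port:
        raise ValueError("start of port range must not exceed its end")
    return f"ff{start_port:04x}{end_port:04x}000000"


def parse_adhoc_network_id(nwid: str) -> Tuple[int, int]:
    """Decode an ad-hoc network ID into (start_port, end_port).

    Raises ValueError for anything that is not a well-formed ad-hoc ID:
    wrong length, missing ff prefix, non-zero reserved bits, or an inverted
    range. A controller-backed network ID fails here because its leading
    40 bits are a real controller address rather than the ff prefix.
    """
    m = _ADHOC_RE.match(nwid.strip().lower())
    if m is None:
        raise ValueError(f"{nwid!r} is not a 16-hex-digit ID with the ff prefix")
    start_hex, end_hex, reserved_hex = m.groups()
    if reserved_hex != "000000":
        raise ValueError("low 24 bits are reserved and must be zero")
    start_port, end_port = int(start_hex, 16), int(end_hex, 16)
    if start_port > end_port:
        raise ValueError("port range start exceeds its end")
    return start_port, end_port


def is_adhoc_network_id(nwid: str) -> bool:
    """True if nwid is a well-formed ad-hoc (controller-less) network ID."""
    try:
        parse_adhoc_network_id(nwid)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The SIP port range used in the QoS rule example on this page.
    nwid = adhoc_network_id(5060, 5065)
    print(nwid, parse_adhoc_network_id(nwid))
    # Constructed, hypothetical controller-backed ID: not ad-hoc.
    print(is_adhoc_network_id("0123456789abcdef"))
```

adhoc_network_id(5060, 5065) yields ff13c413c9000000. Because the reserved low 24 bits and the prefix are checked, a typo in an ad-hoc ID is caught before it is joined rather than silently producing a different port range.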
The following rule definitions, written in ZeroTier's rule syntax, assign traffic to QoS priority buckets:

  priority 6
    ipprotocol udp
    and dport 5060-5065
    and sport 5060-5065
  ;
  priority 3
    ipprotocol tcp
    and dport 80
    and sport 80
  ;

This would place VoIP traffic on ports 5060 to 5065 at a higher priority (6) than standard port 80 web traffic, which lands in bucket 3.
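The following added example (not ZeroTier's rules engine) parses the subset of the rule syntax used above (priority N, ipprotocol, sport, dport, and, ;) and classifies a flow into a priority bucket. Its evaluation semantics are an assumption made for the example rather than something stated on this page: rules are tried top to bottom, the first rule whose conditions all hold supplies the priority, and a flow matching no rule gets None. The three flows in the demo are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not ZeroTier's own code. Assumed semantics: first matching
# rule wins; every condition inside a rule must hold ("and"); a flow that
# matches nothing gets None (no explicit priority).
IP_PROTOCOLS = {"tcp": 6, "udp": 17}  # names accepted after "ipprotocol"

PortRange = Tuple[int, int]

# The rule set from the page, verbatim.
RULES_TEXT = """
priority 6
  ipprotocol udp
  and dport 5060-5065
  and sport 5060-5065
;
priority 3
  ipprotocol tcp
  and dport 80
  and sport 80
;
"""


@dataclass
class PriorityRule:
    priority: int
    ip_protocol: Optional[int] = None   # None means any protocol
    sport: Optional[PortRange] = None   # None means any source port
    dport: Optional[PortRange] = None   # None means any destination port


def _parse_port_range(text: str) -> PortRange:
    """'80' -> (80, 80); '5060-5065' -> (5060, 5065)."""
    lo_text, sep, hi_text = text.partition("-")
    lo = int(lo_text)
    hi = int(hi_text) if sep else lo
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def parse_priority_rules(text: str) -> List[PriorityRule]:
    """Parse ';'-terminated 'priority N <cond> and <cond> ...' statements."""
    rules: List[PriorityRule] = []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if tokens[0] != "priority" or len(tokens) < 2:
            raise ValueError(f"unsupported statement: {' '.join(tokens)}")
        rule = PriorityRule(priority=int(tokens[1]))
        i = 2
        while i < len(tokens):
            if tokens[i] == "and":
                i += 1
                continue
            if i + 1 >= len(tokens):
                raise ValueError(f"condition {tokens[i]!r} is missing its value")
            key, value = tokens[i], tokens[i + 1]
            if key == "ipprotocol":
                if value not in IP_PROTOCOLS:
                    raise ValueError(f"unknown ipprotocol {value!r}")
                rule.ip_protocol = IP_PROTOCOLS[value]
            elif key == "sport":
                rule.sport = _parse_port_range(value)
            elif key == "dport":
                rule.dport = _parse_port_range(value)
            else:
                raise ValueError(f"unsupported condition {key!r}")
            i += 2
        rules.append(rule)
    return rules


def _matches(rng: Optional[PortRange], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def classify(rules: List[PriorityRule], ip_protocol: int,
             sport: int, dport: int) -> Optional[int]:
    """Priority of the first rule matching (ip_protocol, sport, dport), else None."""
    for rule in rules:
        if rule.ip_protocol is not None and rule.ip_protocol != ip_protocol:
            continue
        if _matches(rule.sport, sport) and _matches(rule.dport, dport):
            return rule.priority
    return None


if __name__ == "__main__":
    rules = parse_priority_rules(RULES_TEXT)
    # Constructed flows: SIP between two PBXes, web server to web server,
    # and a browser fetching port 80 from an ephemeral source port.
    for flow in ((17, 5060, 5062), (6, 80, 80), (6, 51234, 80)):
        print(flow, "->", classify(rules, *flow))
```

One thing the rule text hides: because each rule ANDs sport and dport, the port 80 rule only tags flows in which both endpoints use port 80. A browser connecting from an ephemeral source port such as 51234 matches no rule and gets no priority, as the third constructed flow shows. If the intent is to prioritize all web traffic, match on dport alone (or on either direction) rather than on both ports.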