ZeroTier - Decentralized Networking

Tuesday, July 11th, 2023

Decentralization of the tech stack has been adopted within the blockchain community, from the distributed ledger itself (most blockchains) to data indexing (The Graph).

Networking, however, remains mostly centralized. For example, if a "decentralized App" like a new DEX wanted to be made available to web users, it would need to rely on DNS. While DNS servers are distributed, there is still centralization through entities such as Verisign and ICANN.

I am still going through the protocol white paper to get a sense of the problems it solves, but here is what I can tell.

The network has a design similar to Layer 1 and Layer 2 of the OSI model.

L1 is the physical wire carrying the bits.

In a conventional network, DNS resolves a domain name to an IP address, and packets can then be routed to the appropriate servers. Packets cross the Internet by hopping between routers that hold IP routing tables until they eventually reach their target.

Under ZeroTier's model, ZeroTier recreates a similar DNS-like model by starting with "root servers" operated by ZeroTier; but it seems to support user-generated (permissionless?) "moon" servers that provide redundancy for these root servers.

The purpose of the root server, however, is not just to provide trusted routing for every packet. It is primarily a "first responder" to a request, and it eventually provides a route for the devices (or client and devices) to connect peer-to-peer.

Similar to an IP-based network, the nodes have an address; but the address is closer to what is found on a blockchain, meaning it is the public side of a generated public-private key pair and is unique to the node.

In the same way that a blockchain associates wallets with a public address and a private key, nodes on the ZeroTier network are identified by their key pair.

Traditional Layer 2 is called the "data link" layer, covering the physical connection between nodes and the flow control protocol.

Something similar is done in ZeroTier (although it's not entirely clear to me) where there are nodes that run "controllers."

These controllers issue the credentials and configurations to requesting nodes and are basically certificate authorities. In the decentralized scheme, this reduces the risk of central control or failure, but the controllers are also a high-value attack target.

These controllers can essentially broadcast metadata about nodes, such as certificate expiration and privileges.

What are the use cases?

The protocol paper goes into further depth (and is already beyond me).

One model of networking is completely managed, such as by Cloudflare, which works within the existing Internet infrastructure.

A subset of this is the ability to provide tunneling, where the network ingress is associated with the application and the edge and routing of the ingress controller are managed (ngrok - accelerating GTFOL).

My hunch is that decentralized networking is suitable for those "permissionless" networks like blockchain node clusters. The question to me is how one would prevent attackers from leveraging this, creating their own node on the network, and then intercepting traffic maliciously.

It seems like it would need a staking protocol, as they do with the data layer or with the ledger.

So outside of blockchain, what are the use cases for this?

My hunch (and they should have documented use cases to help their story) is that it provides an easier and faster way to set up private networks, perhaps zero trust networks, that provide the same capabilities as a private LAN or a VPN connection, but without the VPN infrastructure.

In this case, it seems like it potentially coincides with one of ngrok's value propositions, which is providing granular control at ingress points to applications or nodes, allowing a more composable, federated network topology.

This would be worth chatting about and maybe adding to my podcast and Substack.