Comment by api

6 hours ago

We do P2P in our networking software and this is why we do it all in band instead of using STUN, TURN, or other common methods. Those get blocked and they’re also often insecure.

STUN has mitigations now against being weaponized but it’s still a shit protocol. The fact that neither STUN nor TURN contain any way whatsoever to accomplish any kind of rendezvous without yet another signaling path boggles my mind given how easy it would have been.

> The fact that neither STUN nor TURN contain any way whatsoever to accomplish any kind of rendezvous without yet another signaling path boggles my mind

Interesting. Can you expound on this a bit? How does ZeroTier do it?

  • ZeroTier has "roots," which are nodes that relay packets and also tell you what your IP info is. Everyone in the world connects to a pool of these.

    Other than relaying and STUN-like IP info reflection, they're dumb and do very little. They can't see your traffic or other information or even what virtual networks you're on.

    Once both sides learn their external info, they communicate via the root to arrange P2P rendezvous. If both have IPv6 they use that, but still do a hole punch due to stateful firewalls. But with V6 it works almost 100% of the time. If one or both have V4, they do more cumbersome V4 hole punch maneuvers.

    Our next-gen product, which is still in pre-release and has been shown only to some enterprise customers, is called ZeroTier Quantum. It's called that because it's built on PQC (pqNoise to be exact), but it's also a full-scale reengineering of the whole system. It still uses very similar techniques, though. Everything is in-band. No STUN, TURN, or even DNS dependencies.
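The rendezvous flow described in the reply above (root reflects each side's external address, relays the rendezvous request, then both sides hole-punch through their stateful NATs), as an added simulation that is not ZeroTier's code. All addresses, ports, message types and class names are constructed for the example; the NAT model is the common endpoint-independent-mapping, address-restricted-filtering case, not the harder symmetric-NAT case the comment alludes to for IPv4.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Constructed NAT model: endpoint-independent mapping, address/port-
    restricted filtering (the 'stateful firewall' case in the comment)."""
    public_ip: str
    next_port: int = 40000
    mapping: dict = field(default_factory=dict)  # inside (ip, port) -> external port
    allowed: set = field(default_factory=set)    # (external port, remote (ip, port))

    def translate_out(self, inside, remote):
        if inside not in self.mapping:            # first outbound packet allocates a port
            self.mapping[inside] = self.next_port
            self.next_port += 1
        ext_port = self.mapping[inside]
        self.allowed.add((ext_port, remote))      # pinhole: only `remote` may now reply
        return (self.public_ip, ext_port)

    def translate_in(self, ext_port, src):
        """Inside socket for an inbound packet, or None if the firewall drops it."""
        if (ext_port, src) not in self.allowed:
            return None
        return next(i for i, p in self.mapping.items() if p == ext_port)


class Network:
    def __init__(self):
        self.hosts = {}    # address -> object with receive(src, msg)
        self.nats = {}     # public ip -> Nat
        self.dropped = []  # packets filtered by a NAT

    def deliver(self, src, dst, msg):
        if dst in self.hosts:                     # publicly reachable host (a root)
            self.hosts[dst].receive(src, msg)
            return
        nat = self.nats.get(dst[0])
        inside = nat.translate_in(dst[1], src) if nat else None
        if inside is None:
            self.dropped.append((src, dst, msg["type"]))
        else:
            self.hosts[inside].receive(src, msg)


class Root:
    """Dumb relay: records each peer's externally observed address, reflects
    it back (STUN-like), and relays rendezvous requests. It never sees the
    direct traffic that follows."""
    def __init__(self, addr, net):
        self.addr, self.net, self.registry = addr, net, {}
        net.hosts[addr] = self

    def receive(self, src, msg):
        if msg["type"] == "register":
            self.registry[msg["name"]] = src      # src is the NAT's external address
            self.net.deliver(self.addr, src, {"type": "reflect", "external": src})
        elif msg["type"] == "rendezvous":
            target = self.registry[msg["to"]]
            # tell both sides the other's external address so each can punch
            self.net.deliver(self.addr, target, {"type": "rendezvous", "peer": src})
            self.net.deliver(self.addr, src, {"type": "rendezvous", "peer": target})


class Peer:
    def __init__(self, name, inside, nat, net):
        self.name, self.inside, self.nat, self.net = name, inside, nat, net
        self.external, self.direct = None, []     # direct = packets that bypassed the root
        net.hosts[inside] = self

    def send(self, dst, msg):
        self.net.deliver(self.nat.translate_out(self.inside, dst), dst, msg)

    def receive(self, src, msg):
        if msg["type"] == "reflect":
            self.external = msg["external"]
        elif msg["type"] == "rendezvous":         # punch toward the peer's external address
            self.send(msg["peer"], {"type": "punch"})
        elif msg["type"] == "punch":
            self.direct.append(("punch", src))
            self.send(src, {"type": "punch-ack"})  # reply travels through the fresh pinhole
        elif msg["type"] == "punch-ack":
            self.direct.append(("punch-ack", src))


def run_rendezvous():
    net = Network()
    root = Root(("192.0.2.1", 9000), net)         # constructed addresses (documentation ranges)
    nat_a, nat_b = Nat("198.51.100.1"), Nat("203.0.113.1")
    net.nats = {nat_a.public_ip: nat_a, nat_b.public_ip: nat_b}
    a = Peer("A", ("10.0.0.2", 5000), nat_a, net)
    b = Peer("B", ("192.168.1.2", 5000), nat_b, net)
    for peer in (a, b):                           # step 1: learn external info from the root
        peer.send(root.addr, {"type": "register", "name": peer.name})
    a.send(root.addr, {"type": "rendezvous", "to": "B"})   # step 2: arrange rendezvous in band
    return {"a_external": a.external, "b_external": b.external,
            "a_direct": a.direct, "b_direct": b.direct, "dropped": net.dropped}


if __name__ == "__main__":
    print(run_rendezvous())
```

Running it shows why the punch has to happen from both sides: B's first punch is dropped by A's NAT because A has not yet sent anything toward B's external address, but it opens B's pinhole, so A's punch gets through and B's ack then flows back directly. The root only ever sees the two registrations and one relayed request, which is the property the comment relies on when it says roots cannot see your traffic.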