Subj : fsxNet Feedback (ZeroTier)
To   : Oli
From : deon
Date : Sat May 15 2021 09:44 am

Re: fsxNet Feedback (ZeroTier)
By: Oli to deon on Fri May 14 2021 08:31 pm

Ol> Another incredibly powerful feature of ZeroTier is the ability to tap the entire network regardless of how widely distributed its
Ol> nodes are. Using the tee ability within a flow rule essentially copies every frame sent/received by nodes on the network and sends it
Ol> to a node of your choice such as an IDS or full packet capture solution such as Moloch.
Ol> from: https://blog.reconinfosec.com/locking-down-zerotier/
Ol> see also: https://www.zerotier.com/2016/08/31/capability-based-security-for-virtual-networks/
Ol> headline "Global Rules and Security Monitoring"
Ol> Is there a way to prevent this?

I don't see this as an issue; it would be no different to tcpdump -ni eth0:

a) You can firewall what goes into the interface (aka the network) - as well as firewall what is coming to you.

b) Communication is peer to peer - the network (like the DNS analogy I gave) provides a way for you to find me. Once you do, you communicate directly to me (not via the planets and moons).

c) Communication between you and me is encrypted - with a key that you and I create once you find me. (This part I may have misread - and in fact the key may be the network key that all members have joined.)

While still a "VPN", it is still semi-public, so you still have obligations. There are people you don't know on the network - but not *anybody* - the network "admin" can choose to "authorise" (or not) those requesting to join it. So in the case of a

Ol> It's still kind of centralized (your moon).

If you are on "my" network, sure. But if you created your own network you have no dependency (if you choose so) to use my moon. You could deploy your own.

Wait! You have not been prepared! Mr. Atoz, stardate 3113.2.
--- SBBSecho 3.14-Linux
 * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
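The "tee" flow rule that Oli quotes, written out as an added example in ZeroTier's network-controller rules language. This is not code from the original message, from the cited blog post, or from the ZeroTier project; it assumes the rule syntax documented in the ZeroTier manual, and the observer node address 1122334455 is a placeholder, not a real node.

```text
# Added example of a ZeroTier controller rule set (not from the original post).
# 1122334455 is a placeholder for the 10-hex-digit address of the IDS / capture node.

# Usual first rule: drop anything that is not IPv4, ARP or IPv6
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Copy the whole frame (length -1 = full frame) of all remaining traffic to the
# observer node and keep evaluating; this is the "tee" the quoted blog describes.
tee -1 1122334455;

# Everything else passes
accept;
```

The rule set is authored on the network controller, not on the member, which is the point of Oli's question: a member that has joined the network cannot remove a tee rule the controller has set, although it can still filter what it sends into and accepts from its own zt interface with a host firewall, as deon says.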