Glad you like them!

Thanks! Fixed

Thanks!

Yeah but it's 42.69 so it's fine :)

Disrespect RFC1918, steal a whole /16 for yourself. Be a man.

Very true - The big advantage of this type of zero-trust system is that the ACLs can be written much more narrowly since they are applied on every single device and have (cert signed) knowledge of the node's identity, not just the IP address range. So this removes trust in the network IP address (which requires more physical security) as a source of identity. But you do still have to write good ACLs.

Glad you liked it!

+1

I'm using headscale as well and love it.

There are some architectural differences, so the headscale server does a whole lot more work in the setup than Nebula's lighthouse.

@@apalrdsadventures This is true. Sort of a different use case. Nebula is a bit more zero-trust than headscale.

Yeah, the lower load on the lighthouse and delegated relaying also scales up better at really big setups. Tailscale has a lower barrier to entry for most people. The Nebula lighthouse also has no private data at all, so a compromised lighthouse just means the network stops working, security isn't broken.

I don't have multiple systems with >1G currently setup to test, but I was able to iperf at 923Mbits without and 880Mbits with Nebula, which is expected due to the lower MTU. So basically it's not limited by anything but the 1G wire on my test setup. That of course doesn't mean it will do 10G or higher, but it's certainly performant enough for all of my Proxmox systems.

Mobile Nebula by Defined Networking is the one. No idea on battery life, but it shouldn't keep a connection open unless there are packets periodically going across the tunnel.

it's a 4 color pen lol each of the fins push down separately to activate one color

It's a flesh light.

A given Nebula host learns all of its IP addresses from all interfaces. It then connects to the lighthouse(s) and gives them all of the IP addresses it has learned. The lighthouse then knows all of those IPs plus the IP the lighthouse received (if the node goes through NAT on the way out) and shares this with a node wishing to connect. The sending node will try all of the receiving node's addresses in order of similarity to its own addresses, so if they are on a private cloud network they will use that. But if you use IPv6 it doesn't matter since IP will always route most efficiently without any NAT or overlapping address ranges on different networks.

Nebula can use relays, which are nodes not behind NAT. You can configure a node to advertise a relay for itself.

DNS queried over the public network doesn’t require any authentication, dns doesn’t really have any facilities for that. The lighthouse also doesn’t have a database of all clients, it only has a table of clients that have recently established sessions with it, and that’s what it uses for it’s dns query. So if spaceship3 doesn’t have a valid certificate it won’t end up in that table.

So in general, the danger is that a certificate and it's private key are compromised. The two ways to avoid this are to use hardware-bound keys (Yubikey, TPM2, ...) or continuously re-key everything so a compromised key doesn't have as long of a useful life. This applies to all keys, TLS, Nebula, and SSH. Since the ACME protocol is entirely automated, we can use a really short interval (24 hours) and there won't be any client interruption. With Nebula, for servers we could automate re-keying at that interval, but since clients also use the crypto system and might not be powered on for 24 hours that's a bit too short. So we need a compromise. The Nebula defaults are 1 year, which is decent if you don't have any automation to re-key. It's just a default though. Reading through the weeds a bit, it seems like Slack has a CA which they use to issue minimal-access provisional certs to machines as they go through the automated first boot setup which has enough access for the re-keying automation to come in and replace the key with the real one when it fully sets up the server with a role. They haven't said how they do attestation to re-key. In general you are right and the CA does need to trust something to issue certs. 'Zero-trust' refers more to the individual connections, in which a node trusts nothing other than the root certificate it's told to trust, and then builds trust in other nodes via keys which have been signed by the root. How you attest to the CA at re-key time is still not perfect. You could trust the existing nebula cert to renew the same one, for example. And finally, Smallstep has a provisioner which uses Nebula certs as a means of trust to issue x.509 and SSH certs.

I don't use Windows so I'm not an expert on this.

Sort of, however you can use it to "break" the model and use subnet routers, which removes the "trust" part of it.

Tailscale also centralizes all of the trust at the tailscale service or headscale server, since it's responsible for all of the ACLs and pushing config to clients.

@@apalrdsadventures This is a good thing (and sometimes required) depending on your zero trust implementation. Besides easier management due to the centralization, the user *and* device identity are validated before connecting unlike Nebula which only validates the device. The user identity part is an extremely common thing that comes up during zero trust discussions which is probably why Nebula isn't advertised as such.

The Tailscale client device can't check a cert for validity, it can only trust that the auth server was correct. This is very centralized trust. Nebula centralizes management at the certificate authority, but once a cert is signed it remains valid. This means any node can now validate a certificate on its own, without relying on the central server. The PKI part isn't done internal to Nebula, so it's not a complete solution for all use cases. It's advertised for server to server zero-trust that can scale up to tens of thousands of nodes, which is something that's hard to do when you make a centralized node key to every decision.

​ @apalrdsadventures Yup, all depends on the implementation requirements, this one being access vs datacenter/server networks. I said not advertised because looking at their website and docs I only see "overlay networking" referenced, not zero trust (unless it's hidden on a page I'm not seeing). Tho it very much is a server based zero-trust model

producer

It's the answer to life, the universe, and everything But it's also allocated (to a Taiwanese ISP) but not advertised over BGP so it won't route on the public internet either (at least for now).

On which node? In general unless you have open security vulnerabilities or an extremely fast internet connection you will saturate the internet connection before there's any problems with the host (lighthouse or otherwise), although this would have happened anyway with any other network architecture using the same connection.