Hi there. I’m in the beginning stages of introducing NetFoundry into our company’s infrastructure. So far, I am pleased with what I have seen. However, I have some concerns/questions from some of the senior engineers regarding the workings of routing and name resolution. Specifically, I was asked “how do we know that packets that we do not want routed outside of NetFoundry’s fabric stay inside that fabric?” Put another way, I guess “How does only the NetFoundry-intended traffic get routed over the ziti-edge-tunnel?” Let me know if I did not adequately explain my question. I appreciate answers in advance.
The ziti edge tunnel will only intercept packets for the services that are defined. Whether that is on a host, or in a gateway mode. On the flip side, once packets are in the fabric, the only way out is via the terminating device defined in the service config, a tunneler (independent or combined with an Edge Router in a LAN gateway configuration) or an application with an embedded SDK and identity.
I’m not sure if I fully understood the question, so if the answer isn’t the right one, or if there is more detail required, let me know.
This is what I was looking for. I didn’t have the words to construct an answer in a succinct way, but your understanding of the question is correct. This particular engineer errs on the side of caution in every way, so it’s a natural question coming from them, but I wanted to be able to provide them an answer that was not a billion words long.
My understanding of their question is that they want to make sure when they go to “domain.com” that traffic only gets sent to NetFoundry’s fabric if there is a “domain.com” intercept defined, which is what I think you are saying.
Yes. Depending on your exact configuration, there are a couple of ways it is accomplished, but effectively, when a connection is started, the DNS query will go through our DNS responder, and if there is a match to a service, it replies with a local 100.64.x.x address, which points to our software on the local machine. The actual traffic is then routed to the software, and enters the fabric as defined. If the name isn’t a match, we pass it along to the “normal” DNS and it is treated as usual by the system. Services defined by IP:PORT are configured similarly, with local routes pointing those packets into the tunneler as soon as the services are initialized, usually at connection, but also if new services are configured while connected.
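As an added illustration of the decision logic described in this answer (this is a constructed Python model, not ziti-edge-tunnel or NetFoundry code): a name that matches a configured service is answered from a local pool, a name that does not match is passed to the normal resolver, and IP:PORT services are captured by local routes that exist only for the configured networks and ports, including routes added for services configured while connected. The service names, addresses, the 100.64.0.0/10 pool range and the `Service`/`InterceptModel` classes are assumptions made for the example.

```python
"""Toy model of hostname and IP:PORT intercepts feeding a tunneler (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Service:
    name: str
    hosts: Set[str] = field(default_factory=set)   # exact hostnames this service intercepts
    cidrs: List[str] = field(default_factory=list)  # IP:PORT style intercepts (networks)
    ports: Set[int] = field(default_factory=set)    # empty set means any port


class InterceptModel:
    def __init__(self, services: List[Service], upstream_dns: Dict[str, str]):
        self.services: List[Service] = []
        self.upstream = upstream_dns             # stand-in for the "normal" DNS resolver
        self.pool = ipaddress.ip_network("100.64.0.0/10").hosts()  # assumed local pool
        self.local_map: Dict[str, str] = {}      # hostname -> assigned 100.64.x.x address
        self.routes: List[Tuple[ipaddress.IPv4Network, Service]] = []
        for s in services:
            self.add_service(s)

    def add_service(self, svc: Service) -> None:
        """Install local routes for a service; also used for services added while connected."""
        self.services.append(svc)
        for c in svc.cidrs:
            self.routes.append((ipaddress.ip_network(c), svc))

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        """DNS responder: a pool address for a matching service, otherwise the upstream answer."""
        name = name.rstrip(".").lower()
        for s in self.services:
            if name in s.hosts:
                if name not in self.local_map:
                    self.local_map[name] = str(next(self.pool))
                return self.local_map[name], "fabric"
        return self.upstream.get(name), "upstream"

    def classify(self, dst_ip: str, dst_port: int) -> str:
        """Routing decision for one packet: which service captures it, if any."""
        ip = ipaddress.ip_address(dst_ip)
        # Packets to an address the responder handed out belong to that hostname's service.
        for name, addr in self.local_map.items():
            if addr == str(ip):
                svc = next(s for s in self.services if name in s.hosts)
                return f"fabric:{svc.name}" if (not svc.ports or dst_port in svc.ports) else "dropped"
        # IP:PORT services: a local route exists only for the configured network and ports.
        for net, svc in self.routes:
            if ip in net and (not svc.ports or dst_port in svc.ports):
                return f"fabric:{svc.name}"
        return "underlay"  # no intercept defined: the packet never enters the fabric


def build_demo() -> InterceptModel:
    """Constructed configuration: one hostname service, one IP:PORT service, one upstream name."""
    services = [
        Service("web-app", hosts={"app.example.internal"}, ports={443}),
        Service("db", cidrs=["10.20.0.0/24"], ports={5432}),
    ]
    upstream = {"www.example.com": "203.0.113.10"}  # constructed upstream DNS answer
    return InterceptModel(services, upstream)


if __name__ == "__main__":
    m = build_demo()
    for n in ("app.example.internal", "www.example.com", "unknown.example.com"):
        print(n, "->", m.resolve(n))
    for ip, port in (("100.64.0.1", 443), ("203.0.113.10", 443), ("10.20.0.5", 5432), ("10.20.0.5", 22)):
        print(ip, port, "->", m.classify(ip, port))
```

The point the model makes explicit is the one the answer states: the only two ways into the fabric are a name the responder matched to a service and a destination covered by a route installed for a configured IP:PORT service; everything else resolves and routes exactly as it would without the tunneler present.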
Thank you for the explanation. That leads nicely to another question regarding what you mentioned. This engineer asked me what permission level ziti obtains in order to control the routing/resolution, as well as adding the tun0 device. I know that on my Ubuntu 22.04 laptop, since a recent update, the ziti-edge-tunnel systemd service runs as user ziti (group ziti) and that user is not a privileged user. I think their concerns are more along the lines of “does this program get more permission than it needs? Does it run as a sudo-privileged user?”, to which I would reply no, since it’s a non-privileged user. Is my understanding correct?
Your understanding is correct.
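For anyone who wants to verify this on their own host rather than take it on faith, here is an added Python check (not part of this thread or the ziti project) that reads the properties `systemctl show` reports for a unit and flags whether it runs as root and which Linux capabilities it is granted beyond an allow-list. Creating a tun device and adding routes needs CAP_NET_ADMIN on Linux, so that is the one capability the example expects; the sample output embedded below is constructed and does not describe the real ziti-edge-tunnel unit, and the `fetch()` helper, property list and allow-list are assumptions for the example.

```python
"""Assess a systemd unit's privilege level from `systemctl show` output (constructed example)."""
import subprocess
from typing import Dict, List, Set

# Properties systemd exposes for a service's execution context.
PROPS = ["User", "Group", "AmbientCapabilities", "CapabilityBoundingSet", "NoNewPrivileges"]

# Constructed sample output; invented for the example, not a real unit's values.
SAMPLE = """\
User=ziti
Group=ziti
AmbientCapabilities=cap_net_admin
CapabilityBoundingSet=cap_net_admin
NoNewPrivileges=yes
"""


def parse_show(text: str) -> Dict[str, str]:
    """Parse the KEY=VALUE lines printed by `systemctl show -p ...`."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def assess(props: Dict[str, str], allowed: Set[str]) -> Dict[str, object]:
    """Summarise who the unit runs as and which ambient capabilities fall outside the allow-list."""
    user = props.get("User", "")
    # An empty User= means systemd starts the service as root.
    ambient: List[str] = props.get("AmbientCapabilities", "").split()
    unexpected = sorted(c for c in ambient if c not in allowed)
    return {
        "user": user or "root",
        "runs_as_root": user in ("", "root", "0"),
        "ambient_caps": ambient,
        "unexpected_caps": unexpected,
        "no_new_privileges": props.get("NoNewPrivileges", "") == "yes",
    }


def fetch(unit: str) -> Dict[str, str]:
    """Query a live system (assumed helper; requires systemd on the host)."""
    out = subprocess.run(
        ["systemctl", "show", unit, "-p", ",".join(PROPS)],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_show(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace with fetch("ziti-edge-tunnel.service") on a host.
    print(assess(parse_show(SAMPLE), allowed={"cap_net_admin"}))
```

If `runs_as_root` is false and `unexpected_caps` is empty, the unit is confined to an unprivileged account plus only the capability a tunneler needs to manage its tun device and routes, which is the property the engineer's question is really about.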