zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

Trusted path support -- disable encryption, authentication, and compression for fast local SDN use on local LAN links #340

Closed raarts closed 8 years ago

raarts commented 8 years ago

There are various use cases. Some providers offer unlimited bandwidth, some don't. Also, possibly (VoIP is my work area) the data is already compressed, and using up CPU for no reason is costly. Using a command line parameter would be fine. Interface granularity would not be needed.

adamierymenko commented 8 years ago

I retitled this because it's already in our backlog sort of.

So yes, this is backlog.

raarts commented 8 years ago

Yes, I saw your posting on HN. Could not find an issue for it here, so created it. How much is 'significantly less'? Anyway, for my use case disabling encryption would also be useful, since all traffic is already encrypted. I saw a large drop in max traffic when comparing the plain network, and the ZT network, and in some cases the CPU usage is important.

adamierymenko commented 8 years ago

First, a baseline with no ZT in the way:

Raw private network performance: 944mbits/sec
Raw public network performance: 938mbits/sec (NYC3<>NYC3)

Then with standard ZT:

Encryption, compression, authentication: 510mbits/sec

Now let’s try selectively deactivating parts of ZT that are higher overhead:

Encryption, NO compression, authentication: 519mbits/sec
NO encryption, NO compression, authentication: 605mbits/sec
NO encryption, NO compression, NO authentication: 901mbits/sec

Most of the overhead is encryption/authentication. This is comparable to published numbers I’ve seen for OpenVPN and GRE+IPsec and isn’t surprising.

adamierymenko commented 8 years ago

cut/pasted from an e-mail we sent to someone

adamierymenko commented 8 years ago

That was between two Digital Ocean droplets in the same DO region. Their private networks are basically 1gig Ethernet and benchmark as such.

adamierymenko commented 8 years ago

That was measured with iperf3.

adamierymenko commented 8 years ago

Note that turning off compression only gave us another 9mbits/sec, while turning off encryption/auth gave us hundreds. That actually surprised me. But LZ4 is very fast, and is very fast in the "can't compress" case.

adamierymenko commented 8 years ago

This was done as of 1.1.12 -- see https://www.zerotier.com/community/topic/77/how-to-define-trusted-paths-for-internal-sdn-use-1-1-12

tamilhce commented 7 years ago

Hi Adam, I am using ZeroTier in OpenWrt to create a tunnel interface between two devices. I have configured the trusted path as well. Without the tunnel I am getting 900 mbs/sec; with the tunnel I am getting only 50 mbs/sec (checked using iperf). Any help is very much appreciated.

thearchitect commented 4 years ago

> Hi Adam, I am using ZeroTier in OpenWrt to create a tunnel interface between two devices. I have configured the trusted path as well. Without the tunnel I am getting 900 mbs/sec; with the tunnel I am getting only 50 mbs/sec (checked using iperf). Any help is very much appreciated.

I think you could experience decreased performance if your device is limited in resources (especially CPU), because it's a Software Defined Network.

crzsotona commented 4 years ago

Hello @adamierymenko, https://www.zerotier.com/community/topic/77/how-to-define-trusted-paths-for-internal-sdn-use-1-1-12 this link seems to be dead, could you provide this guide please?

raarts commented 4 years ago

@crzsotona: Here it is: https://www.zerotier.com/manual/#2_1_4

Metaphorme commented 3 months ago

> @crzsotona: Here it is: https://www.zerotier.com/manual/#2_1_4

This link can’t work now…😖

The new link to describe trusted paths is https://docs.zerotier.com/config/#local-configuration-options