so this whole zerocorp/zerotier/encrypted-mesh networking approach is pretty cool, but every time i see it i ask myself: how do you monitor for malicious nodes? in old setups, typically there would be some sort of passive monitoring system that would monitor the traffic between hosts and could be used for forensics/malicious traffic identification. but if you're encrypting traffic at each node for each other node, then only the participant nodes are privy to the traffic. if one or both are compromised, how would you ever know? sure you can run userland security agents on them that collect data, but if the machines are actually compromised, you can't really trust what they say, right? (that's the whole reason why you use a third system for monitoring!)

Some discussion in the Tailscale docs here: https://tailscale.com/kb/1011/log-mesh-traffic/

so that's a pretty cool and elegant solution. i suppose they don't have the log tampering detection stuff implemented yet, but it seems straightforward to implement and i'm sure it will happen eventually.

cool. netflow for encrypted mesh networking. still vulnerable if both nodes are compromised via a sidechannel and collude on their logs, but that's also getting pretty radical in terms of an attack vector.

what about actually logging the contents? i've seen big commercial systems that look pretty much like distributed wireshark, with capture points, storage systems and pretty guis for inspection... not sure how prevalent and useful they are, but having a step deeper than netflow style logs can be useful, both for debugging and security purposes. i suppose you could do this double entry for that as well, but that seems a pretty high cost if the tunnels are high bandwidth?
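As an added illustration of the double-entry flow logging discussed above (example code written for this page, not Tailscale's or ZeroTier's implementation): every node keeps its own flow summaries, and a collector reconciles both endpoints' records, flagging flows that one side never reported or where the byte counts disagree. The node names, ports and byte counts are constructed sample data.

```python
"""Reconcile per-node flow logs from an encrypted mesh (constructed example)."""
from collections import defaultdict

# Constructed flow records, keyed by the node that reported them.
# Each record: (src_node, dst_node, dst_port, bytes_transferred)
NODE_LOGS = {
    "node-a": [
        ("node-a", "node-b", 443, 5120),
        ("node-a", "node-c", 22, 900),
    ],
    "node-b": [
        ("node-a", "node-b", 443, 5120),
        ("node-b", "node-c", 8080, 2048),   # node-c never reports this flow
    ],
    "node-c": [
        ("node-a", "node-c", 22, 2900),     # byte count disagrees with node-a
    ],
}


def reconcile(node_logs, tolerance=0.05):
    """Return findings for flows seen by only one endpoint or with
    byte counts that differ by more than `tolerance` (relative)."""
    # (src, dst, port) -> {reporting_node: bytes}
    seen = defaultdict(dict)
    for reporter, flows in node_logs.items():
        for src, dst, port, nbytes in flows:
            seen[(src, dst, port)][reporter] = nbytes

    findings = []
    for (src, dst, port), reports in seen.items():
        # Both endpoints of a flow should have logged it; a missing side
        # means a log gap or a node suppressing its own records.
        missing = {src, dst} - reports.keys()
        for node in sorted(missing):
            findings.append(("missing", node, (src, dst, port)))
        if not missing:
            a, b = reports[src], reports[dst]
            if abs(a - b) > tolerance * max(a, b, 1):
                findings.append(("mismatch", f"{src}/{dst}", (src, dst, port)))
    # A flow that both endpoints omit (colluding nodes) leaves no record to
    # compare, which is exactly the limitation noted in the thread.
    return sorted(findings)


if __name__ == "__main__":
    for kind, where, flow in reconcile(NODE_LOGS):
        print(f"{kind:9} {where:15} {flow}")
```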


ZeroTier rules can be used to monitor traffic via the "tee" rule. You can send copies of any packet matching any criteria (whole packet or part of it) to a monitor. Both sender and receiver can match, so someone would have to compromise both sides to evade it.