Skip to content
CaiShu edited this page Jul 28, 2024 · 4 revisions

ZTM (Zero Trust Mesh)

ZTM is HTTP2 tunneling based decentralized, Web3 oriented open source network infrastructure software.ZTM can run on top of any existing IP network, including but not limited to LANs, the Internet, container networks, etc. ZTM provides the network infrastructure necessary for building and using decentralized applications, including network connectivity, port-based access control, mTLS encrypted network channels, certificate-based identification and access control, load balancing, and other basic network and security capabilities. network foundation, including network connectivity, port-based access control, mTLS-encrypted network channels, certificate-based identification and access control, load balancing, and other basic network and security capabilities. Based on ZTM, it is possible to build a variety of secure network solutions applicable to individual users, small and medium-sized groups, and enterprise organizations, such as:

  • Intranet penetration tools for individual users, allowing users to access files on their home computers in the office network
  • Build content sharing network similar to ipfs (https://ipfs.tech/) to share web pages, videos, pictures, etc. among friends without relying on *** social networking platforms controlled by *** Internet giants to ensure the privacy of the content within the group while safeguarding the ownership of the work
  • Build private chat, voice, and video conferencing tools to avoid the risk of privacy leakage associated with the use of SaaS-type tools (e.g., Webex), and provide more proactive and manageable privacy protection capabilities.
  • Build a SASE similar to cloudflare one but privatized to provide cloudflare tunnel and cloudflare access capabilities, and the deployment of this solution is private and does not rely on cloud flare network and operations.
  • build a networking solution similar to zerotier (https://www.zerotier.com/) and tailscale (https://tailscale.com/). The difference is that ZTM runs on Layer 7 network and doesn't need to build virtual NICs, adjust routes, configure firewall policies, etc. in the device, so it doesn't need system privileges, is non-intrusive, simple and more secure. At the same time, ZTM only provides the technical components and solutions needed to build a similar network; the ZTM team does not physically own, control, or operate the network!

Features of ZTM

  • ZTM is programmable. ZTM builds its data and control planes based on Pipy (https://github.com/flomesh-io/pipy), using PipyJS (https://github.com/flomesh-io/pipy?tab=readme- ZTM is based on Pipy () to build the data plane and control plane, developed by PipyJS ( ov-file#programmable), and distributed under the Apache2 License. The programmable features of Pipy enable ZTM to become a programmable network. Based on PipyJS, users can quickly customize functions and capabilities such as access control policies, content caching policies, security threat identification, etc. Programmable and Scalable are important features of ZMT.

  • ZTM is high-performance The ZTM data plane uses Pipy, a high-performance web proxy, and employs HTTP2-based network connectivity, which takes full advantage of HTTP2's multiplexing capabilities. In most cases, ZTM can effectively reduce the performance overhead due to the need to cross multiple network boundaries compared to traditional network solutions (e.g., Firewall + Reverse Proxy + WAF).ZTM delivers a faster network experience for users.

  • ZTM is security oriented. On ZTM, access to any device or service is certificate-based, and the use of client certificates strengthens visitor identification. This is one of the reasons we call it Zero Trust. In addition to natural client identity, ZTM provides the necessary underlying capabilities and programming interfaces for a variety of network security management capabilities, based on ZTM can quickly build such as ZTNA (Zero Trust Network Access), SWG (Secure Web Gateway), RBI (Remote Browser), CASB (Remote Browser Isolation), and other applications. Isolation), CASB (Cloud Access Security Broker), DLP (Data Loss Prevention), WAF (Web Application Firewall) and other network security programs. While ensuring that individuals and small and medium-sized users can use secure ZTM networks out-of-the-box, enterprise-level users can quickly customize complex enterprise-level network security policies. These policies are based on Pipy's built-in modules and are developed using PipyJS, which allows for rapid scripted customization of security policies .

  • ZTM is multiple network planes. In a ZTM network environment, any one access device (called End Point) can access multiple ZTM networks. For example, the mac-air I am currently using is connected to a private office network as well as a network where my college classmates share photos. ztm builds a "slack channel" user experience where each individual (End Point) can exist in multiple network planes at the same time. This kind of three-dimensional network pattern, where one device can access multiple networks at the same time, is the reason why we call it Mesh. When accessing only one network plane, ZTM looks like a ZeroTier network; or rather, ZTM users can quickly build and use multiple "ZeroTier-like" networks. Compared to ZeroTier, or TailScale (based on wireguard), which are decentralized Layer2-based networking solutions, ZTM is much simpler and more feasible to support multiple network planes, because there is no need to build a virtual NIC on the device, adjust the device's routing policy, or set up the device's firewall policy (most of the Layer2 VPN software cannot run on a single host at the same time). Imagine using a VPN and not being able to access the Internet after connecting to the VPN; these problems do not exist with ZTM. ZTM does not need to build a local virtual NIC, does not need IP configuration, and therefore does not need IP routing. ztm's routing capability supports both Layer 4 and Layer 7, and ztm can realize "IP+Port" based routing capability based on the set policy, with the use of With Flomesh FGW(https://github.com/flomesh-io/fgw), you can route specific protocols (e.g., HTTP) based on Layer 7 message characteristics (e.g., HTTP Host and HTTP Path).

  • ZTM is port-based. On a ZTM network, any service (e.g., a privately deployed Zimbra Web Mail) is mapped to a port local to the visitor, and users naturally implement port-based access control when accessing the service. This mechanism avoids the highly dynamic and complex firewall policy management that comes with complex network environments, while effectively narrowing the exposure.

ZTM is compatible with ***existing networks and applications, zero modification ZTM can be used in current networks and applications When users need to build a ZTM network, they do not need to make additional settings such as opening ports, configuring firewall policies, configuring routing rules, etc. on the existing network. Users need to deploy ZTM agent on the host or network of application access side (client side) and application service side (server side), ZTM will build a "tunnel" between the two agents, which is an encrypted, virtual network link. Zero transformation feature allows users to quickly access the inventory of services (such as ERP, OA, WebMail) to ZTM, to achieve simpler management, and higher security policy.

  • ZTM is decentralized One of the original design intention of ZTM is that users can share their own content, such as photos, articles, etc., directly on their cell phones and home computers, but without relying on the services of Internet giants (google, facebook, etc.). Enabling users to cost-effectively and reliably own their own content. On a ZTM network, service visitors (Client) and service providers (Server) are connected through a tunnel, the establishment of which sometimes requires a third-party relay, but the relay node does not own the service. The relay node can only see the encrypted TCP connection, but cannot know and intervene in what is being transmitted.

** ZTM can run on a wide range of CPUs and operating systems, including CPUs such as X86, ARM, and RISC-V, and operating systems such as Linux (including Android), MACOS, FreeBSD, and Windows. In the simplest case, users can run the ZTM Agent on their own cell phones to quickly and securely share photos from their phones with friends without going through a third-party photo sharing service (e.g., google photos). In complex enterprise network environments, such as kubernetes container networks, users can also run ZTM Agent on kubernetes nodes to enable easy, fast, and secure access to kubernetes cluster services from outside the container network. For users familiar with kubernetes, ZTM provides a new alternative to ELB, NodePort, and Ingress for opening services to the outside of the kubernetes network -- tunnels.