...
Example from Cloud Native Deployment:
ubuntu@a-cd-one:~$ kubectl get pods --all-namespaces
(shows 210 pods in onap namespace)
| Type | VMs |
|---|
| Containers | |
|---|---|
| Full Cluster (14 + 1) - recommended | 15 |
| 248 total |
Example from Open Wireless Laboratory (OWL) at Wireless Information Network Laboratory (WINLAB):
...
- Appearance:
- Tinc VPN appears as IP level network device
- ZeroTier appears as Ethernet level network port
- WireGuard appears as IP level network device
- Connectivity provided:
- Tinc VPN automatically gives full mesh routing
- ZeroTier automatically gives full mesh routing
- WireGuard gives point-to-point connection like SSH (mesh routing is a todo)
- Node/Host Configuration:
- Tinc VPN host is configured with public/private key pair, in a config file
- ZeroTier node is configured with public/private key pair, then generates a VL1 ZeroTier Address
- WireGuard host is configured with public/private key pair and ACL, in a config file
- Network Configuration:
- Tinc VPN network is configured by hosts exchanging (out-of-band) exported config files for a specified "network name"
- rest of network is exchanged in-band
- ZeroTier network is configured with knowledge of "roots" and with VL2 ZeroTier Network ID (VL1 ZeroTier Address of the controller and network number)
- rest of network is exchanged in-band
- WireGuard network is configured by hosts sharing public keys (out-of-band), connect via IP Address corresponding to keys
- IP roaming is exchanged in-band
- Tinc VPN network is configured by hosts exchanging (out-of-band) exported config files for a specified "network name"
- Number of network connections:
- Tinc VPN hosts can connect to many "network names" concurrently
- ZeroTier nodes can connect to multiple VL2 ZeroTier Network IDs concurrently
- WireGuard hosts can connect to many other hosts concurrently
- Deployment:
- Tinc VPN is deployed on the VM hosting the pods/containers/processes
- could be in the container base image
- no explicit interoperability with kubernetes to manipulate pod/container network namespaces
- ZeroTier is deployed on the VM hosting the pods/containers/processes
- could be in the container base image
- no explicit interoperability with kubernetes to manipulate pod/container network namespaces
- WireGuard is deployed on the VM hosting the pods/containers/processes
- could be in the container base image
- no explicit interoperability with kubernetes to manipulate pod/container network namespaces
- Tinc VPN is deployed on the VM hosting the pods/containers/processes
- Single-Points-of-Failure:
- Tinc VPN runs daemon processes on each host (one per network name), topology is peer-to-peer
- ZeroTier runs a global "planet" root server called "Earth" apparently as testing network and casual communications
- Unclear about how users can deploy their own "planet" root servers
- Users can deploy their own "moon" root servers
- WireGuard runs daemon processes on each host, topology is peer-to-peer
- Scaling:
- Tinc VPN can add new hosts to existing network names without altering configurations of existing hosts
- invitations dynamically create a configuration on the server
- ZeroTier can add new nodes to existing network IDs without altering configurations of existing nodes (Network ID is obscure but public information)
- Unclear whether adding new root servers requires a restart
- WireGuard can add new hosts but requires both ends of the connection to be updated and present in the ACL of host config file
- Tinc VPN can add new hosts to existing network names without altering configurations of existing hosts
- Access Control:
- Tinc VPN has control by the exchange of exported host config files
- an invitation refers to the configuration on the server
- ZeroTier nodes need to be authorised after attempting to connect the network ID, but it can be turned off to allow "public" networks
- WireGuard has control by the exchange of host public keys and ACL in host config file
- Tinc VPN has control by the exchange of exported host config files
- Based on example from Cloud Native Deployment:
- Tinc VPN would be deployed on 15 VMs, compared to 28 210 pods
- ZeroTier would be deployed on 15 VMs, compared to 28 210 pods
- WireGuard would be deployed on 15 VMs, compared to 28 210 pods
- Based on example from Open Wireless Laboratory:
- Tinc VPN would be deployed on 3 servers or 5 VMs, compared to 28 210 pods
- ZeroTier would be deployed on 3 servers or 5 VMs, compared to 28 210 pods
- WireGuard would be deployed on 3 servers or 5 VMs, compared to 28 210 pods
- tbc
Comparison to Istio
...