I have discovered openziti two months and have some question 。
question one：whether the open ziti has benchmark tests like Lantency、 Maximum concurrent users （i have seen throughpoot in privious invitation）。
question two ：i have seen some paid sdp software design。according these design，i have rewrited my own ziti-zac software and write a ziti-client。add spa function into my own ziti-zac 。the ziti-client knock into zac by spa,and send username and password to my own zac to verify the identity , the zac according the username to Auto generate create ziti-user-identity commands and create ziti-service config commands according the username’s resources access rights ，send these commands to ziti-controller。Based on this design，I have realized automatic setting of user resource access rights and dynamic threats of handling。i known this implement is just a demo。i want to integrate automatic setting of user resource access rights and dynamic threats of handling into the ziti-controller，and add some api between client 、 zac and controller。can Demonstrate some cases about the ziti-controller debug and add api between controller and client。
My English is poor，Please forgive me if I didn’t express clearly。
Hey KittySammy123, welcome!
We have some benchmark tests; here is a sizing guide which includes concurrent data sessions - https://support.netfoundry.io/hc/en-us/articles/360025875331-NetFoundry-Gateway-Sizing-Guide. What is important to note that OpenZiti is built to be highly scalable, so you can scale up (bigger VMs) or scale out (deploy more machines). OpenZiti’s smart routing will balance sessions across the data-plane for scale-out while determining the lowest latency paths.
Going to split this into sub-sections:
- To be clear, do you want to make the administration plane ‘dark’ to the network with no inbound ports? If yes, this has been discussed in other threads - Making ZAC dark - #20 by markamind - and was demonstrated on ZitiTV - Ziti TV - Making ZAC (and the Management API) DARK! - YouTube.
- I believe your work/desire to implement SPA (single-packet authentication) could be useful for communication between ziti-client and the ziti-controller.
- Currently, the controller only ‘listens’ on ports 443 and 80, and only accepts connections from authenticated endpoints (which have bootstrapped trust), but it still processes requests from anyone. Thus, it is not protected from DDoS attacks as much as we would like to right now. We are actively developing HA control plane which reduces the risk of this type of attack. Someone in the community has mentioned developing AI/ML for service assurance to implement self-healing if an underlying component is compromised (e.g., DDoS against control or data plane).
- Therefore, it could be very interesting to implement SPA between the ziti-client and the ziti-controller as some type of cryptographic “knock knock” on the door to open it.