I've been setting up ZT Host Access configurations using Ziti Edge Tunnelers for a while, and I have just a few technical questions regarding how traffic is handled once the tunnel is established:
Once the tunnel is set up and traffic starts transmitting through it, is an additional header added to the packets? If so, could you please explain what this header is, the information it contains, and how much overhead it introduces in terms of bits per packet?
Is there any additional handshaking required before each data transmission? If yes, how does it work, and how might it affect either delay or data overhead? Could you kindly provide more details on this process?
I would greatly appreciate your help with these questions. If there are relevant sections in the documentation that address these details, I'd be grateful if you could point me toward them as well.
OpenZiti will accept packets, wrap them in a tiny OpenZiti specific routing header and send them through the fabric. The fabric knows how to read the headers and route the packets to the appropriate 'terminator'.
How much overhead -- @plorenz would know for sure. I think it's some small number of bytes but I'm not entirely sure. I'll get him to answer (or ask him and reply).
Before each data transmission -- I don't think so. When you first establish the connection there is, that's when the end-to-end encryption is negotiated. After that, there would be whatever overhead the end-to-end encryption adds (if any) but I've never quantified that personally and I'd imagine it would greatly depend on the sort of data you are sending (continual streams, messages, etc). It's hard to document this in particular because it can change based on your use case.
If we're talking strictly about the tunnelers, then the answer is "not really" :D. The intercepting tunneler extracts the payloads from the intercepted tcp or udp packets and sends them over the OpenZiti overlay, and the receiving/hosting tunneler creates a separate tcp or udp connection to send and receive payloads from the "server" application.
So each tunneler (hosting and intercepted) has its own tcp or udp connection with the respective tcp/ip application, such as a browser or web server. I described this in a little more detail than you're asking for here and here.
Edge <-> router and router <-> router data payloads are all encapsulated. The usual header size per payload is around 44 bytes, at least for edge, which includes a message type, header and payload lengths, routing id and sequence number.
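To make the two points above concrete (the tunnelers relay application payloads over their own separate TCP/UDP connections, and each payload crosses the overlay wrapped in a small fixed header), here is an added, self-contained Go sketch. It is not OpenZiti code and the header layout is invented for illustration: a 19-byte big-endian header with a message type, header length, payload length, routing id and sequence number, which is deliberately not the ~44-byte edge framing mentioned in the thread. The function names (`encodeFrame`, `decodeFrame`, `intercept`, `host`), the routing id values and the 10,000-byte sample stream are all assumptions of this example. The hosting side shows the checks a practitioner would want on the receiving end: both length fields are validated before any allocation, and frames with the wrong routing id or a sequence gap are refused.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Invented header (NOT OpenZiti's wire format): type(1) headerLen(2) payloadLen(4) routingID(8) seq(4).
const (
	headerSize       = 19
	maxPayload       = 64 * 1024 // rejected before any allocation
	msgData    uint8 = 1
	msgClose   uint8 = 2
)

// encodeFrame wraps one chunk of app payload; the intercepted packet's own IP/TCP/UDP headers are not carried.
func encodeFrame(typ uint8, rid uint64, seq uint32, payload []byte) []byte {
	buf := make([]byte, headerSize+len(payload))
	buf[0] = typ
	binary.BigEndian.PutUint16(buf[1:3], headerSize)
	binary.BigEndian.PutUint32(buf[3:7], uint32(len(payload)))
	binary.BigEndian.PutUint64(buf[7:15], rid)
	binary.BigEndian.PutUint32(buf[15:19], seq)
	copy(buf[headerSize:], payload)
	return buf
}

// decodeFrame reads one frame, validating both length fields before allocating the payload.
func decodeFrame(r io.Reader) (typ uint8, rid uint64, seq uint32, payload []byte, err error) {
	var h [headerSize]byte
	if _, err = io.ReadFull(r, h[:]); err != nil {
		return
	}
	plen := binary.BigEndian.Uint32(h[3:7])
	if hl := binary.BigEndian.Uint16(h[1:3]); hl != headerSize || plen > maxPayload {
		return 0, 0, 0, nil, fmt.Errorf("rejected frame: headerLen=%d payloadLen=%d", hl, plen)
	}
	payload = make([]byte, plen)
	if _, err = io.ReadFull(r, payload); err != nil {
		return 0, 0, 0, nil, err
	}
	return h[0], binary.BigEndian.Uint64(h[7:15]), binary.BigEndian.Uint32(h[15:19]), payload, nil
}

// intercept plays the intercepting tunneler: reads the client app's stream from its own connection, chunks it, writes data frames then a close frame.
func intercept(app io.Reader, rid uint64, chunkSize int, overlay io.Writer) (int, error) {
	var seq uint32
	buf := make([]byte, chunkSize)
	for {
		n, err := app.Read(buf)
		if n > 0 {
			if _, werr := overlay.Write(encodeFrame(msgData, rid, seq, buf[:n])); werr != nil {
				return int(seq), werr
			}
			seq++
		}
		if err == io.EOF {
			_, err = overlay.Write(encodeFrame(msgClose, rid, seq, nil))
			return int(seq) + 1, err
		}
		if err != nil {
			return int(seq), err
		}
	}
}

// host plays the hosting tunneler: consumes frames, enforces routing id and a gap-free sequence, writes payloads to its own server-side connection.
func host(overlay io.Reader, rid uint64, server io.Writer) (int, error) {
	var want uint32
	for frames := 0; ; {
		typ, got, seq, payload, err := decodeFrame(overlay)
		if err != nil {
			return frames, err
		}
		frames++
		if got != rid || seq != want {
			return frames, fmt.Errorf("frame rid=%d seq=%d, want rid=%d seq=%d", got, seq, rid, want)
		}
		want++
		if typ == msgClose {
			return frames, nil
		}
		if typ != msgData {
			return frames, fmt.Errorf("unknown frame type %d", typ)
		}
		if _, err := server.Write(payload); err != nil {
			return frames, err
		}
	}
}

func main() {
	var overlay, server bytes.Buffer // constructed sample: a 10,000-byte app stream relayed in 1400-byte chunks
	sent, _ := intercept(bytes.NewReader(bytes.Repeat([]byte("x"), 10000)), 42, 1400, &overlay)
	got, err := host(&overlay, 42, &server)
	fmt.Printf("frames sent=%d received=%d, overlay=%d bytes, delivered=%d bytes, err=%v\n", sent, got, overlay.Len(), server.Len(), err)
}
```

With the sample stream the overlay carries 8 data frames plus 1 close frame, so the framing cost is 9 headers (171 bytes here) on top of 10,000 payload bytes; the per-frame cost is fixed, so the ratio depends entirely on how large the chunks are, which is the point made above about overhead varying with the kind of traffic. Note that the in-memory buffers stand in for two independent TCP connections: nothing about the client's TCP headers survives into what the server-side connection sees.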