IP Based Claims with TOTP

Hi, I had an idea which I’d like to share and see what you guys think as a feature request.

The fact that there is no authentication beyond the certificate on device does leave me feeling a little uneasy. Someone with administrative access to a device could just clone the certificate and then take it to a new device. This has been discussed previously and, as I understand it, would also require the original leaf to be disabled so that the IP addresses did not conflict.

Thinking about what could be done to remedy this situation, I think a TOTP system could be of benefit here.

At the controller side, a TOTP secret could be generated, and this can be distributed to the user as a URL or QR code for importing into an app like Bitwarden/Google Authenticator, what have you.

Then, the leaf device that gets authorised onto the network, for the very first network join request it needs to contain a valid TOTP code. Now of course how does that help us once that passes verification? The certificate can just be cloned after this auth process.

So I thought, how about we pin a TOTP validation to an IP address, so for each external IP address that I am leveraging ZeroTier over, I need a signed claim from the controller that says I have previously verified to use this IP address by providing a valid TOTP code.

Any time I change IP address, I would be required to supply another TOTP, at least for the first time I am using that IP address. Granted that people who use the same IP address could still steal and use my certificate (public wifi, for example), it could still be useful?

What do you guys think?
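A sketch of the controller-side flow proposed above, added here as an example and not taken from ZeroTier's code: a TOTP check on the first join from a given external IP, an HMAC-signed (member, IP, expiry) claim issued on success, and verification of that claim on later joins from the same IP. The symmetric HMAC signing key, the 24-hour claim lifetime and the otpauth enrollment URI are assumptions for the sketch.

```python
import base64
import hashlib
import hmac
import json
import struct

TOTP_STEP = 30
CLAIM_TTL = 24 * 3600  # seconds a signed IP claim stays valid (assumed policy)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the code an authenticator app shows."""
    counter = struct.pack(">Q", now // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def totp_valid(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, now + k * TOTP_STEP), code)
               for k in range(-skew, skew + 1))

class Controller:
    """Holds each member's TOTP secret and a key for signing per-IP claims (assumed design)."""
    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key
        self.totp_secrets: dict[str, bytes] = {}

    def enroll(self, member: str, secret: bytes) -> str:
        """Store the secret and return the otpauth URI that would go into the QR code."""
        self.totp_secrets[member] = secret
        b32 = base64.b32encode(secret).decode().rstrip("=")
        return f"otpauth://totp/zt:{member}?secret={b32}"

    def _sign(self, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()

    def issue_claim(self, member: str, ip: str, code: str, now: int):
        """First join from a new external IP: require a fresh TOTP, then sign (member, ip, expiry)."""
        if not totp_valid(self.totp_secrets[member], code, now):
            return None
        payload = {"member": member, "ip": ip, "exp": now + CLAIM_TTL}
        return {"payload": payload, "sig": self._sign(payload)}

    def verify_claim(self, claim: dict, member: str, seen_ip: str, now: int) -> bool:
        """Later joins: the claim must be authentic, for this member, for the observed IP, and unexpired."""
        p = claim["payload"]
        return (hmac.compare_digest(self._sign(p), claim["sig"])
                and p["member"] == member and p["ip"] == seen_ip and p["exp"] > now)
```

As the post notes, a cloned identity used from the same external IP still passes, because the claim binds to the IP rather than to the device.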