I've been reading about the different zero-trust networking solutions (Tailscale, Zerotier, Nebula), and they seem great with peer-to-peer networking, strong encryption, UDP hole punching, fine-grained role-based access control, and so on. Tailscale especially goes so far as implying that other authentication and authorization solutions have been obviated by this technology by writing in their blog about previous-generation networking solutions the following:
"As a result, you end up having to add more layers of authentication, at the transport or application layers. Why do you need ssh or HTTPS? Because the network layer is too insecure to be trusted."
Ok, I'm willing to accept that an encrypted mesh network is so secure that you need neither the secure part in SSH nor PAM servers taking care of authentication. But then, how does this work in practice? To reify the confusion, here's a concrete example:
An organization uses Tailscale. There's 'server102' that is connected to the Tailscale network that all users of the `devops` team have access to. A new employee, Alice, joins the company. Sysadmins set up her SSO account, as well as making her part of `devops` on Tailscale.
Alice gets her company computer, sets it up, connects to Tailscale, fires up her shell, types in `ssh alice.p.hacker@server102`, presses Enter.
What happens next?