1 /*
2  * Copyright (c)2019 ZeroTier, Inc.
3  *
4  * Use of this software is governed by the Business Source License included
5  * in the LICENSE.TXT file in the project's root directory.
6  *
7  * Change Date: 2025-01-01
8  *
9  * On the date above, in accordance with the Business Source License, use
10  * of this software will be governed by version 2.0 of the Apache License.
11  */
12 /****/
13 
14 #ifndef ZT_NETWORKCONFIG_HPP
15 #define ZT_NETWORKCONFIG_HPP
16 
17 #include <stdint.h>
18 #include <string.h>
19 #include <stdlib.h>
20 
21 #include <vector>
22 #include <stdexcept>
23 #include <algorithm>
24 
25 #include "../include/ZeroTierOne.h"
26 
27 #include "Constants.hpp"
28 #include "Buffer.hpp"
29 #include "DNS.hpp"
30 #include "InetAddress.hpp"
31 #include "MulticastGroup.hpp"
32 #include "Address.hpp"
33 #include "CertificateOfMembership.hpp"
34 #include "CertificateOfOwnership.hpp"
35 #include "Capability.hpp"
36 #include "Tag.hpp"
37 #include "Dictionary.hpp"
38 #include "Hashtable.hpp"
39 #include "Identity.hpp"
40 #include "Utils.hpp"
41 #include "Trace.hpp"
42 
43 /**
44  * Default maximum time delta for COMs, tags, and capabilities
45  *
46  * The current value is two hours, providing ample time for a controller to
47  * experience fail-over, etc.
48  */
49 #define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MAX_MAX_DELTA 7200000ULL
50 
51 /**
52  * Default minimum credential TTL and maxDelta for COM timestamps
53  *
54  * This is just slightly over three minutes and provides three retries for
55  * all currently online members to refresh.
56  */
57 #define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_MIN_MAX_DELTA 185000ULL
58 
59 /**
60  * Flag: enable broadcast
61  */
62 #define ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST 0x0000000000000002ULL
63 
64 /**
65  * Flag: enable IPv6 NDP emulation for certain V6 address patterns
66  */
67 #define ZT_NETWORKCONFIG_FLAG_ENABLE_IPV6_NDP_EMULATION 0x0000000000000004ULL
68 
69 /**
70  * Flag: result of unrecognized MATCH entries in a rules table: match if set, no-match if clear
71  */
72 #define ZT_NETWORKCONFIG_FLAG_RULES_RESULT_OF_UNSUPPORTED_MATCH 0x0000000000000008ULL
73 
74 /**
75  * Flag: disable frame compression
76  */
77 #define ZT_NETWORKCONFIG_FLAG_DISABLE_COMPRESSION 0x0000000000000010ULL
78 
79 /**
80  * Device can bridge to other Ethernet networks and gets unknown recipient multicasts
81  */
82 #define ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE 0x0000020000000000ULL
83 
84 /**
85  * Anchors are stable devices on this network that can act like roots when none are up
86  */
87 #define ZT_NETWORKCONFIG_SPECIALIST_TYPE_ANCHOR 0x0000040000000000ULL
88 
89 /**
90  * Designated multicast replicators replicate multicast in place of sender-side replication
91  */
92 #define ZT_NETWORKCONFIG_SPECIALIST_TYPE_MULTICAST_REPLICATOR 0x0000080000000000ULL
93 
94 namespace ZeroTier {
95 
96 // Dictionary capacity needed for max size network config
97 #define ZT_NETWORKCONFIG_DICT_CAPACITY (4096 + (sizeof(ZT_VirtualNetworkRule) * ZT_MAX_NETWORK_RULES) + (sizeof(Capability) * ZT_MAX_NETWORK_CAPABILITIES) + (sizeof(Tag) * ZT_MAX_NETWORK_TAGS) + (sizeof(CertificateOfOwnership) * ZT_MAX_CERTIFICATES_OF_OWNERSHIP))
98 
99 // Dictionary capacity needed for max size network meta-data
100 #define ZT_NETWORKCONFIG_METADATA_DICT_CAPACITY 1024
101 
102 // Network config version
103 #define ZT_NETWORKCONFIG_VERSION 7
104 
105 // Fields for meta-data sent with network config requests
106 
107 // Network config version
108 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_VERSION "v"
109 // Protocol version (see Packet.hpp)
110 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_PROTOCOL_VERSION "pv"
111 // Software vendor
112 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_VENDOR "vend"
113 // Software major version
114 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MAJOR_VERSION "majv"
115 // Software minor version
116 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_MINOR_VERSION "minv"
117 // Software revision
118 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_NODE_REVISION "revv"
119 // Rules engine revision
120 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_RULES_ENGINE_REV "revr"
121 // Maximum number of rules per network this node can accept
122 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_NETWORK_RULES "mr"
123 // Maximum number of capabilities this node can accept
124 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_NETWORK_CAPABILITIES "mc"
125 // Maximum number of rules per capability this node can accept
126 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_CAPABILITY_RULES "mcr"
127 // Maximum number of tags this node can accept
128 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_MAX_NETWORK_TAGS "mt"
129 // Network join authorization token (if any)
130 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_AUTH "a"
131 // Network configuration meta-data flags
132 #define ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_FLAGS "f"
133 
134 // These dictionary keys are short so they don't take up much room.
135 // By convention we use upper case for binary blobs, but it doesn't really matter.
136 
137 // network config version
138 #define ZT_NETWORKCONFIG_DICT_KEY_VERSION "v"
139 // network ID
140 #define ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID "nwid"
141 // integer(hex)
142 #define ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP "ts"
143 // integer(hex)
144 #define ZT_NETWORKCONFIG_DICT_KEY_REVISION "r"
145 // address of member
146 #define ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO "id"
147 // remote trace target
148 #define ZT_NETWORKCONFIG_DICT_KEY_REMOTE_TRACE_TARGET "tt"
149 // remote trace level
150 #define ZT_NETWORKCONFIG_DICT_KEY_REMOTE_TRACE_LEVEL "tl"
151 // flags(hex)
152 #define ZT_NETWORKCONFIG_DICT_KEY_FLAGS "f"
153 // integer(hex)
154 #define ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_LIMIT "ml"
155 // network type (hex)
156 #define ZT_NETWORKCONFIG_DICT_KEY_TYPE "t"
157 // text
158 #define ZT_NETWORKCONFIG_DICT_KEY_NAME "n"
159 // network MTU
160 #define ZT_NETWORKCONFIG_DICT_KEY_MTU "mtu"
161 // credential time max delta in ms
162 #define ZT_NETWORKCONFIG_DICT_KEY_CREDENTIAL_TIME_MAX_DELTA "ctmd"
163 // binary serialized certificate of membership
164 #define ZT_NETWORKCONFIG_DICT_KEY_COM "C"
165 // specialists (binary array of uint64_t)
166 #define ZT_NETWORKCONFIG_DICT_KEY_SPECIALISTS "S"
167 // routes (binary blob)
168 #define ZT_NETWORKCONFIG_DICT_KEY_ROUTES "RT"
169 // static IPs (binary blob)
170 #define ZT_NETWORKCONFIG_DICT_KEY_STATIC_IPS "I"
171 // rules (binary blob)
172 #define ZT_NETWORKCONFIG_DICT_KEY_RULES "R"
173 // capabilities (binary blobs)
174 #define ZT_NETWORKCONFIG_DICT_KEY_CAPABILITIES "CAP"
175 // tags (binary blobs)
176 #define ZT_NETWORKCONFIG_DICT_KEY_TAGS "TAG"
177 // tags (binary blobs)
178 #define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATES_OF_OWNERSHIP "COO"
179 // dns (binary blobs)
180 #define ZT_NETWORKCONFIG_DICT_KEY_DNS "DNS"
181 // sso enabld
182 #define ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED "ssoe"
183 // authentication URL
184 #define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL "aurl"
185 // authentication expiry
186 #define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME "aexpt"
187 
188 // Legacy fields -- these are obsoleted but are included when older clients query
189 
190 // boolean (now a flag)
191 #define ZT_NETWORKCONFIG_DICT_KEY_ENABLE_BROADCAST_OLD "eb"
192 // IP/bits[,IP/bits,...]
193 // Note that IPs that end in all zeroes are routes with no assignment in them.
194 #define ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC_OLD "v4s"
195 // IP/bits[,IP/bits,...]
196 // Note that IPs that end in all zeroes are routes with no assignment in them.
197 #define ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC_OLD "v6s"
198 // 0/1
199 #define ZT_NETWORKCONFIG_DICT_KEY_PRIVATE_OLD "p"
200 // integer(hex)[,integer(hex),...]
201 #define ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES_OLD "et"
202 // string-serialized CertificateOfMembership
203 #define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP_OLD "com"
204 // node[,node,...]
205 #define ZT_NETWORKCONFIG_DICT_KEY_ACTIVE_BRIDGES_OLD "ab"
206 // node;IP/port[,node;IP/port]
207 #define ZT_NETWORKCONFIG_DICT_KEY_RELAYS_OLD "rl"
208 
209 // End legacy fields
210 
211 /**
212  * Network configuration received from network controller nodes
213  *
214  * This is a memcpy()'able structure and is safe (in a crash sense) to modify
215  * without locks.
216  */
217 class NetworkConfig
218 {
219 public:
NetworkConfig()220 	NetworkConfig() :
221 		networkId(0),
222 		timestamp(0),
223 		credentialTimeMaxDelta(0),
224 		revision(0),
225 		issuedTo(),
226 		remoteTraceTarget(),
227 		flags(0),
228 		remoteTraceLevel(Trace::LEVEL_NORMAL),
229 		mtu(0),
230 		multicastLimit(0),
231 		specialistCount(0),
232 		routeCount(0),
233 		staticIpCount(0),
234 		ruleCount(0),
235 		capabilityCount(0),
236 		tagCount(0),
237 		certificateOfOwnershipCount(0),
238 		capabilities(),
239 		tags(),
240 		certificatesOfOwnership(),
241 		type(ZT_NETWORK_TYPE_PRIVATE),
242 		dnsCount(0),
243 		ssoEnabled(false),
244 		authenticationURL(),
245 		authenticationExpiryTime(0)
246 	{
247 		name[0] = 0;
248 		memset(specialists, 0, sizeof(uint64_t)*ZT_MAX_NETWORK_SPECIALISTS);
249 		memset(routes, 0, sizeof(ZT_VirtualNetworkRoute)*ZT_MAX_NETWORK_ROUTES);
250 		memset(staticIps, 0, sizeof(InetAddress)*ZT_MAX_ZT_ASSIGNED_ADDRESSES);
251 		memset(rules, 0, sizeof(ZT_VirtualNetworkRule)*ZT_MAX_NETWORK_RULES);
252 		memset(&dns, 0, sizeof(ZT_VirtualNetworkDNS));
253 	}
254 
255 	/**
256 	 * Write this network config to a dictionary for transport
257 	 *
258 	 * @param d Dictionary
259 	 * @param includeLegacy If true, include legacy fields for old node versions
260 	 * @return True if dictionary was successfully created, false if e.g. overflow
261 	 */
262 	bool toDictionary(Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d,bool includeLegacy) const;
263 
264 	/**
265 	 * Read this network config from a dictionary
266 	 *
267 	 * @param d Dictionary (non-const since it might be modified during parse, should not be used after call)
268 	 * @return True if dictionary was valid and network config successfully initialized
269 	 */
270 	bool fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d);
271 
272 	/**
273 	 * @return True if broadcast (ff:ff:ff:ff:ff:ff) address should work on this network
274 	 */
enableBroadcast() const275 	inline bool enableBroadcast() const { return ((this->flags & ZT_NETWORKCONFIG_FLAG_ENABLE_BROADCAST) != 0); }
276 
277 	/**
278 	 * @return True if IPv6 NDP emulation should be allowed for certain "magic" IPv6 address patterns
279 	 */
ndpEmulation() const280 	inline bool ndpEmulation() const { return ((this->flags & ZT_NETWORKCONFIG_FLAG_ENABLE_IPV6_NDP_EMULATION) != 0); }
281 
282 	/**
283 	 * @return True if frames should not be compressed
284 	 */
disableCompression() const285 	inline bool disableCompression() const
286 	{
287 #ifndef ZT_DISABLE_COMPRESSION
288 		return ((this->flags & ZT_NETWORKCONFIG_FLAG_DISABLE_COMPRESSION) != 0);
289 #else
290 		/* Compression is disabled for libzt builds since it causes non-obvious chaotic
291 		interference with lwIP's TCP congestion algorithm. Compression is also disabled
292 		for some NAS builds due to the usage of low-performance processors in certain
293 		older and budget models. */
294 		return false;
295 #endif
296 	}
297 
298 	/**
299 	 * @return Network type is public (no access control)
300 	 */
isPublic() const301 	inline bool isPublic() const { return (this->type == ZT_NETWORK_TYPE_PUBLIC); }
302 
303 	/**
304 	 * @return Network type is private (certificate access control)
305 	 */
isPrivate() const306 	inline bool isPrivate() const { return (this->type == ZT_NETWORK_TYPE_PRIVATE); }
307 
308 	/**
309 	 * @return ZeroTier addresses of devices on this network designated as active bridges
310 	 */
activeBridges() const311 	inline std::vector<Address> activeBridges() const
312 	{
313 		std::vector<Address> r;
314 		for(unsigned int i=0;i<specialistCount;++i) {
315 			if ((specialists[i] & ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE) != 0)
316 				r.push_back(Address(specialists[i]));
317 		}
318 		return r;
319 	}
320 
activeBridges(Address ab[ZT_MAX_NETWORK_SPECIALISTS]) const321 	inline unsigned int activeBridges(Address ab[ZT_MAX_NETWORK_SPECIALISTS]) const
322 	{
323 		unsigned int c = 0;
324 		for(unsigned int i=0;i<specialistCount;++i) {
325 			if ((specialists[i] & ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE) != 0)
326 				ab[c++] = specialists[i];
327 		}
328 		return c;
329 	}
330 
isActiveBridge(const Address & a) const331 	inline bool isActiveBridge(const Address &a) const
332 	{
333 		for(unsigned int i=0;i<specialistCount;++i) {
334 			if (((specialists[i] & ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE) != 0)&&(a == specialists[i]))
335 				return true;
336 		}
337 		return false;
338 	}
339 
anchors() const340 	inline std::vector<Address> anchors() const
341 	{
342 		std::vector<Address> r;
343 		for(unsigned int i=0;i<specialistCount;++i) {
344 			if ((specialists[i] & ZT_NETWORKCONFIG_SPECIALIST_TYPE_ANCHOR) != 0)
345 				r.push_back(Address(specialists[i]));
346 		}
347 		return r;
348 	}
349 
multicastReplicators() const350 	inline std::vector<Address> multicastReplicators() const
351 	{
352 		std::vector<Address> r;
353 		for(unsigned int i=0;i<specialistCount;++i) {
354 			if ((specialists[i] & ZT_NETWORKCONFIG_SPECIALIST_TYPE_MULTICAST_REPLICATOR) != 0)
355 				r.push_back(Address(specialists[i]));
356 		}
357 		return r;
358 	}
359 
multicastReplicators(Address mr[ZT_MAX_NETWORK_SPECIALISTS]) const360 	inline unsigned int multicastReplicators(Address mr[ZT_MAX_NETWORK_SPECIALISTS]) const
361 	{
362 		unsigned int c = 0;
363 		for(unsigned int i=0;i<specialistCount;++i) {
364 			if ((specialists[i] & ZT_NETWORKCONFIG_SPECIALIST_TYPE_MULTICAST_REPLICATOR) != 0)
365 				mr[c++] = specialists[i];
366 		}
367 		return c;
368 	}
369 
isMulticastReplicator(const Address & a) const370 	inline bool isMulticastReplicator(const Address &a) const
371 	{
372 		for(unsigned int i=0;i<specialistCount;++i) {
373 			if (((specialists[i] & ZT_NETWORKCONFIG_SPECIALIST_TYPE_MULTICAST_REPLICATOR) != 0)&&(a == specialists[i]))
374 				return true;
375 		}
376 		return false;
377 	}
378 
alwaysContactAddresses() const379 	inline std::vector<Address> alwaysContactAddresses() const
380 	{
381 		std::vector<Address> r;
382 		for(unsigned int i=0;i<specialistCount;++i) {
383 			if ((specialists[i] & (ZT_NETWORKCONFIG_SPECIALIST_TYPE_ANCHOR | ZT_NETWORKCONFIG_SPECIALIST_TYPE_MULTICAST_REPLICATOR)) != 0)
384 				r.push_back(Address(specialists[i]));
385 		}
386 		return r;
387 	}
388 
alwaysContactAddresses(Address ac[ZT_MAX_NETWORK_SPECIALISTS]) const389 	inline unsigned int alwaysContactAddresses(Address ac[ZT_MAX_NETWORK_SPECIALISTS]) const
390 	{
391 		unsigned int c = 0;
392 		for(unsigned int i=0;i<specialistCount;++i) {
393 			if ((specialists[i] & (ZT_NETWORKCONFIG_SPECIALIST_TYPE_ANCHOR | ZT_NETWORKCONFIG_SPECIALIST_TYPE_MULTICAST_REPLICATOR)) != 0)
394 				ac[c++] = specialists[i];
395 		}
396 		return c;
397 	}
398 
alwaysContactAddresses(Hashtable<Address,std::vector<InetAddress>> & a) const399 	inline void alwaysContactAddresses(Hashtable< Address,std::vector<InetAddress> > &a) const
400 	{
401 		for(unsigned int i=0;i<specialistCount;++i) {
402 			if ((specialists[i] & (ZT_NETWORKCONFIG_SPECIALIST_TYPE_ANCHOR | ZT_NETWORKCONFIG_SPECIALIST_TYPE_MULTICAST_REPLICATOR)) != 0) {
403 				a[Address(specialists[i])];
404 			}
405 		}
406 	}
407 
408 	/**
409 	 * @param fromPeer Peer attempting to bridge other Ethernet peers onto network
410 	 * @return True if this network allows bridging
411 	 */
permitsBridging(const Address & fromPeer) const412 	inline bool permitsBridging(const Address &fromPeer) const
413 	{
414 		for(unsigned int i=0;i<specialistCount;++i) {
415 			if ((fromPeer == specialists[i])&&((specialists[i] & ZT_NETWORKCONFIG_SPECIALIST_TYPE_ACTIVE_BRIDGE) != 0))
416 				return true;
417 		}
418 		return false;
419 	}
420 
operator bool() const421 	inline operator bool() const { return (networkId != 0); }
operator ==(const NetworkConfig & nc) const422 	inline bool operator==(const NetworkConfig &nc) const { return (memcmp(this,&nc,sizeof(NetworkConfig)) == 0); }
operator !=(const NetworkConfig & nc) const423 	inline bool operator!=(const NetworkConfig &nc) const { return (!(*this == nc)); }
424 
425 	/**
426 	 * Add a specialist or mask flags if already present
427 	 *
428 	 * This masks the existing flags if the specialist is already here or adds
429 	 * it otherwise.
430 	 *
431 	 * @param a Address of specialist
432 	 * @param f Flags (OR of specialist role/type flags)
433 	 * @return True if successfully masked or added
434 	 */
addSpecialist(const Address & a,const uint64_t f)435 	inline bool addSpecialist(const Address &a,const uint64_t f)
436 	{
437 		const uint64_t aint = a.toInt();
438 		for(unsigned int i=0;i<specialistCount;++i) {
439 			if ((specialists[i] & 0xffffffffffULL) == aint) {
440 				specialists[i] |= f;
441 				return true;
442 			}
443 		}
444 		if (specialistCount < ZT_MAX_NETWORK_SPECIALISTS) {
445 			specialists[specialistCount++] = f | aint;
446 			return true;
447 		}
448 		return false;
449 	}
450 
capability(const uint32_t id) const451 	const Capability *capability(const uint32_t id) const
452 	{
453 		for(unsigned int i=0;i<capabilityCount;++i) {
454 			if (capabilities[i].id() == id)
455 				return &(capabilities[i]);
456 		}
457 		return (Capability *)0;
458 	}
459 
tag(const uint32_t id) const460 	const Tag *tag(const uint32_t id) const
461 	{
462 		for(unsigned int i=0;i<tagCount;++i) {
463 			if (tags[i].id() == id)
464 				return &(tags[i]);
465 		}
466 		return (Tag *)0;
467 	}
468 
469 	/**
470 	 * Network ID that this configuration applies to
471 	 */
472 	uint64_t networkId;
473 
474 	/**
475 	 * Controller-side time of config generation/issue
476 	 */
477 	int64_t timestamp;
478 
479 	/**
480 	 * Max difference between timestamp and tag/capability timestamp
481 	 */
482 	int64_t credentialTimeMaxDelta;
483 
484 	/**
485 	 * Controller-side revision counter for this configuration
486 	 */
487 	uint64_t revision;
488 
489 	/**
490 	 * Address of device to which this config is issued
491 	 */
492 	Address issuedTo;
493 
494 	/**
495 	 * If non-NULL, remote traces related to this network are sent here
496 	 */
497 	Address remoteTraceTarget;
498 
499 	/**
500 	 * Flags (64-bit)
501 	 */
502 	uint64_t flags;
503 
504 	/**
505 	 * Remote trace level
506 	 */
507 	Trace::Level remoteTraceLevel;
508 
509 	/**
510 	 * Network MTU
511 	 */
512 	unsigned int mtu;
513 
514 	/**
515 	 * Maximum number of recipients per multicast (not including active bridges)
516 	 */
517 	unsigned int multicastLimit;
518 
519 	/**
520 	 * Number of specialists
521 	 */
522 	unsigned int specialistCount;
523 
524 	/**
525 	 * Number of routes
526 	 */
527 	unsigned int routeCount;
528 
529 	/**
530 	 * Number of ZT-managed static IP assignments
531 	 */
532 	unsigned int staticIpCount;
533 
534 	/**
535 	 * Number of rule table entries
536 	 */
537 	unsigned int ruleCount;
538 
539 	/**
540 	 * Number of capabilities
541 	 */
542 	unsigned int capabilityCount;
543 
544 	/**
545 	 * Number of tags
546 	 */
547 	unsigned int tagCount;
548 
549 	/**
550 	 * Number of certificates of ownership
551 	 */
552 	unsigned int certificateOfOwnershipCount;
553 
554 	/**
555 	 * Specialist devices
556 	 *
557 	 * For each entry the least significant 40 bits are the device's ZeroTier
558 	 * address and the most significant 24 bits are flags indicating its role.
559 	 */
560 	uint64_t specialists[ZT_MAX_NETWORK_SPECIALISTS];
561 
562 	/**
563 	 * Statically defined "pushed" routes (including default gateways)
564 	 */
565 	ZT_VirtualNetworkRoute routes[ZT_MAX_NETWORK_ROUTES];
566 
567 	/**
568 	 * Static IP assignments
569 	 */
570 	InetAddress staticIps[ZT_MAX_ZT_ASSIGNED_ADDRESSES];
571 
572 	/**
573 	 * Base network rules
574 	 */
575 	ZT_VirtualNetworkRule rules[ZT_MAX_NETWORK_RULES];
576 
577 	/**
578 	 * Capabilities for this node on this network, in ascending order of capability ID
579 	 */
580 	Capability capabilities[ZT_MAX_NETWORK_CAPABILITIES];
581 
582 	/**
583 	 * Tags for this node on this network, in ascending order of tag ID
584 	 */
585 	Tag tags[ZT_MAX_NETWORK_TAGS];
586 
587 	/**
588 	 * Certificates of ownership for this network member
589 	 */
590 	CertificateOfOwnership certificatesOfOwnership[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
591 
592 	/**
593 	 * Network type (currently just public or private)
594 	 */
595 	ZT_VirtualNetworkType type;
596 
597 	/**
598 	 * Network short name or empty string if not defined
599 	 */
600 	char name[ZT_MAX_NETWORK_SHORT_NAME_LENGTH + 1];
601 
602 	/**
603 	 * Certificate of membership (for private networks)
604 	 */
605 	CertificateOfMembership com;
606 
607 	/**
608 	 * Number of ZT-pushed DNS configurations
609 	 */
610 	unsigned int dnsCount;
611 
612 	/**
613 	 * ZT pushed DNS configuration
614 	 */
615 	ZT_VirtualNetworkDNS dns;
616 
617 	/**
618 	 * SSO enabled flag.
619 	 */
620 	bool ssoEnabled;
621 
622 	/**
623 	 * Authentication URL if authentication is required
624 	 */
625 	char authenticationURL[2048];
626 
627 	/**
628 	 * Time current authentication expires or 0 if external authentication is disabled
629 	 */
630 	uint64_t authenticationExpiryTime;
631 };
632 
633 } // namespace ZeroTier
634 
635 #endif
636