Clean out unused netconf fields, rename a few, work on new netconf server.

netconf-service/index.js

@@ -26,20 +26,15 @@
 //
 
 // Fields in netconf response dictionary
-var ZT_NETWORKCONFIG_DICT_KEY_NETCONF_SERVICE_VERSION = "ncver";
 var ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES = "et";
 var ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID = "nwid";
 var ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP = "ts";
 var ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO = "id";
 var ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_PREFIX_BITS = "mpb";
 var ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_DEPTH = "md";
-var ZT_NETWORKCONFIG_DICT_KEY_ARP_CACHE_TTL = "cARP";
+var ZT_NETWORKCONFIG_DICT_KEY_PRIVATE = "p";
-var ZT_NETWORKCONFIG_DICT_KEY_NDP_CACHE_TTL = "cNDP";
+var ZT_NETWORKCONFIG_DICT_KEY_NAME = "n";
-var ZT_NETWORKCONFIG_DICT_KEY_EMULATE_ARP = "eARP";
+var ZT_NETWORKCONFIG_DICT_KEY_DESC = "d";
-var ZT_NETWORKCONFIG_DICT_KEY_EMULATE_NDP = "eNDP";
-var ZT_NETWORKCONFIG_DICT_KEY_IS_OPEN = "o";
-var ZT_NETWORKCONFIG_DICT_KEY_NAME = "name";
-var ZT_NETWORKCONFIG_DICT_KEY_DESC = "desc";
 var ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC = "v4s";
 var ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC = "v6s";
 var ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_RATES = "mr";
@@ -48,6 +43,9 @@ var ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP = "com";
 // Path to zerotier-idtool binary, invoked to enerate certificates of membership
 var ZEROTIER_IDTOOL = '/usr/local/bin/zerotier-idtool';
 
+// From Constants.hpp in node/
+var ZT_NETWORK_AUTOCONF_DELAY = 60000;
+
 // Connect to redis, assuming database 0 and no auth (for now)
 var redis = require('redis');
 var DB = redis.createClient();
@@ -58,6 +56,8 @@ DB.on("error",function(err) {
 // Global variables -- these are initialized on startup or netconf-init message
 var netconfSigningIdentity = null; // identity of netconf master, with private key portion
 
+var spawn = require('child_process').spawn;
+
 function ztDbTrue(v) { return ((v === '1')||(v === 'true')||(v > 0)); }
 function csvToArray(csv) { return (((typeof csv === 'string')&&(csv.length > 0)) ? csv.split(',') : []); }
 function arrayToCsv(a) { return ((Array.isArray(a)) ? ((a.length > 0) ? a.join(',') : '') : (((a !== null)&&(typeof a !== 'undefined')) ? a.toString() : '')); }
@@ -208,28 +208,37 @@ function Identity(idstr)
 		thiz.fromString(idstr);
 };
 
+function generateCertificateOfMembership(nwid,peerAddress,callback)
+{
+	var comTimestamp = '0,' + Date.now().toString(16) + ',' + (ZT_NETWORK_AUTOCONF_DELAY * 4).toString(16);
+	var comNwid = '1,' + nwid + ',0';
+	var comIssuedTo = '2,' + peerAddress + ',ffffffffffffffff';
+	var cert = '';
+	var idtool = spawn(ZEROTIER_IDTOOL,[ 'mkcom',netconfSigningIdentity,comTimestamp,comNwid,comIssuedTo ]);
+	idtool.stdout.on('data',function(data) {
+		if (typeof data === 'string')
+			cert += data;
+	});
+	idtool.on('close',function(exitCode) {
+		return callback((cert.length > 0) ? cert : null,exitCode);
+	});
+};
+
 //
 // Message handler for messages over ZeroTier One service bus
 //
 
-function handleMessage(dictStr)
+function doNetconfInit(message)
 {
-	var message = new Dictionary(dictStr);
-
-	if (!('type' in message.data)) {
-		console.error('ignored message without request type field');
-		return;
-	}
-
-	if (message.data['type'] === 'netconf-init') {
-
 	netconfSigningIdentity = new Identity(message.data['netconfId']);
 	if (!netconfSigningIdentity.hasPrivate()) {
 		netconfSigningIdentity = null;
-			console.error('got invalid netconf signing identity');
+		console.error('got invalid netconf signing identity in netconf-init');
 	}
+}
 
-	} else if (message.data['type'] === 'netconf-request') {
+function doNetconfRequest(message)
+{
 	if ((!netconfSigningIdentity)||(!netconfSigningIdentity.hasPrivate())) {
 		console.error('got netconf-request before netconf-init, ignored');
 		return;
@@ -243,33 +252,38 @@ function handleMessage(dictStr)
 	if ((!peerId)||(!peerId.isValid())||(!fromIpAndPort)||(!nwid)||(nwid.length !== 16)||(!requestId))
 		return;
 
-		// Get optional fields
-		var meta = new Dictionary(message.data['meta']);
-		var clientVersion = message.data['clientVersion'];
-		var clientOs = message.data['clientOs'];
-
 	var network = null;
 	var member = null;
+
 	var authorized = false;
+
 	var v4NeedAssign = false;
 	var v6NeedAssign = false;
 	var v4Assignments = [];
 	var v6Assignments = [];
+	var ipAssignments = []; // both v4 and v6
 
-		async.series([function(next) { // network lookup
+	async.series([function(next) {
+
+		// network lookup
 		DB.hgetall('zt1:network:'+nwid+':~',function(err,obj) {
 			network = obj;
 			return next(err);
 		});
-		},function(next) { // member record lookup, unless public network
+
+	},function(next) {
+
+		// member record lookup, unless public network
 		if ((!network)||(!('nwid' in network)||(network['nwid'] !== nwid))
 			return next(null);
+
 		var memberKey = 'zt1:network:'+nwid+':member:'+peerId.address()+':~';
 		DB.hgetall(memberKey,function(err,obj) {
 			if (err)
 				return next(err);
-				else if (obj) {
+
-					// Update member object
+			if (obj) {
+				// Update existing member record with new last seen time, etc.
 				member = obj;
 				authorized = (ztDbTrue(network['private']) || ztDbTrue(member['authorized']));
 				DB.hmset(memberKey,{
@@ -279,23 +293,27 @@ function handleMessage(dictStr)
 					'clientOs': (clientOs) ? clientOs : '?'
 				},next);
 			} else {
-					// Add member object for new and unauthorized member
+				// Add member record to network for newly seen peer
-					authorized = false;
+				authorized = ztDbTrue(network['private']) ? false : true; // public networks authorize everyone by default
+				var now = Date.now().toString();
 				member = {
 					'id': peerId.address(),
 					'nwid': nwid,
-						'authorized': 0,
+					'authorized': authorized ? '1' : '0',
 					'identity': peerId.toString(),
-						'firstSeen': Date.now(),
+					'firstSeen': now,
-						'lastSeen': Date.now(),
+					'lastSeen': now,
 					'lastAt': fromIpAndPort,
-						'clientVersion': (clientVersion) ? clientVersion : '?.?.?',
+					'clientVersion': (message.data['clientVersion']) ? message.data['clientVersion'] : '?.?.?',
-						'clientOs': (clientOs) ? clientOs : '?'
+					'clientOs': (message.data['clientOs']) ? message.data['clientOs'] : '?'
 				};
 				DB.hmset(memberKey,member,next);
 			}
 		});
-		},function(next) { // IP address auto-assignment, if needed
+
+	},function(next) {
+
+		// Figure out which IP address auto-assignments we need to look up or make
 		if (!authorized)
 			return next(null);
 
@@ -304,20 +322,26 @@ function handleMessage(dictStr)
 
 		var ipa = csvToArray(member['ipAssignments']);
 		for(var i=0;i<ipa.length;++i) {
-				if ((ipa[i].indexOf('.') > 0)&&(v4NeedAssign))
+			if (ipa[i])
+				ipAssignments.push(ipa[i]);
+			if ((ipa[i].indexOf('.') > 0)&&(v4NeedAssign)) {
 				v4Assignments.push(ipa[i]);
-				else if ((ipa[i].indexOf(':') > 0)&&(v6NeedAssign))
+			} else if ((ipa[i].indexOf(':') > 0)&&(v6NeedAssign)) {
 				v6Assignments.push(ipa[i]);
 			}
+		}
 
 		return next(null);
-		},function(next) { // assign IPv4 if needed
+
-			if ((!authorized)||(!v4NeedAssign))
+	},function(next) {
+
+		// assign IPv4 if needed
+		if ((!authorized)||(!v4NeedAssign)||(v4Assignments.length > 0))
 			return next(null);
 
-			var ipAssignmentAttempts = 0; // for sanity-checking
+		var ipAssignmentAttempts = 0;
-			var v4pool = network['v4AssignPool'];
+		var v4pool = network['v4AssignPool']; // technically csv but only one netblock currently supported
-			var ztaddr = peerId.address();
+		var peerAddress = peerId.address();
 
 		var network = 0;
 		var netmask = 0;
@@ -336,113 +360,157 @@ function handleMessage(dictStr)
 						netmaskBits = 32; // sanity check
 					for(var i=0;i<netmaskBits;++i)
 						netmask |= (0x80000000 >> i);
+					netmask &= 0xffffffff;
 				}
 			}
 		}
+		if ((network === 0)||(netmask === 0xffffffff))
+			return next(null);
 		var invmask = netmask ^ 0xffffffff;
 		var abcd = 0;
+
 		var assignment = null;
 
 		var ipAssignmentsKey = 'zt1:network:'+nwid+':ipAssignments';
-			var memberKey = 'zt1:network:'+nwid+':member:'+ztaddr+':~';
+		var memberKey = 'zt1:network:'+nwid+':member:'+peerAddress+':~';
 
 		async.whilst(
-				function() { return ((v4NeedAssign)&&(v4Assignments.length === 0)&&(network !== 0)&&(netmask !== 0xffffffff)&&(ipAssignmentAttempts < 1000)); },
+			function() { return ((v4Assignments.length === 0)&&(ipAssignmentAttempts < 1000)); },
 			function(next2) {
 				++ipAssignmentAttempts;
 
-					// Generate or increment IP address
+				// Generate or increment IP address source bits
 				if (abcd === 0) {
-						var a = parseInt(ztaddr.substr(2,2),16) & 0xff;
+					var a = parseInt(peerAddress.substr(2,2),16) & 0xff;
-						var b = parseInt(ztaddr.substr(4,2),16) & 0xff;
+					var b = parseInt(peerAddress.substr(4,2),16) & 0xff;
-						var c = parseInt(ztaddr.substr(6,2),16) & 0xff;
+					var c = parseInt(peerAddress.substr(6,2),16) & 0xff;
-						var d = parseInt(ztaddr.substr(8,2),16) & 0xff;
+					var d = parseInt(peerAddress.substr(8,2),16) & 0xff;
 					abcd = (a << 24) | (b << 16) | (c << 8) | d;
 				} else ++abcd;
 				if ((abcd & 0xff) === 0)
 					abcd |= 1;
+				abcd &= 0xffffffff;
 
 				// Derive an IP to test and generate assignment ip/bits string
 				var ip = (abcd & invmask) | (network & netmask);
 				assignment = ((ip >> 24) & 0xff).toString(10) + '.' + ((ip >> 16) & 0xff).toString(10) + '.' + ((ip >> 8) & 0xff).toString(10) + '.' + (ip & 0xff).toString(10) + '/' + netmaskBits.toString(10);
 
+				// Check :ipAssignments to see if this IP is already taken
 				DB.hget(ipAssignmentsKey,assignment,function(err,value) {
 					if (err)
 						return next2(err);
-						if ((value)&&(value !== ztaddr))
+
+					// IP is already taken, try again via async.whilst()
+					if ((value)&&(value !== peerAddress))
 						return next2(null); // if someone's already got this IP, keep looking
 
 					v4Assignments.push(assignment);
+					ipAssignments.push(assignment);
 
 					// Save assignment to :ipAssignments hash
-						DB.hset(ipAssignmentsKey,assignment,ztaddr,function(err) {
+					DB.hset(ipAssignmentsKey,assignment,peerAddress,function(err) {
 						if (err)
 							return next2(err);
 
 						// Save updated CSV list of assignments to member record
-							var ipAssignments = member['ipAssignments'];
+						var ipacsv = ipAssignments.join(',');
-							if (!ipAssignments)
+						member['ipAssignments'] = ipacsv;
-								ipAssignments = '';
+						DB.hset(memberKey,'ipAssignments',ipacsv,next2);
-							if (ipAssignments.length > 0)
-								ipAssignments += ',';
-							ipAssignments += assignment;
-							member['ipAssignments'] = ipAssignments;
-							DB.hset(memberKey,'ipAssignments',ipAssignments,next2);
 					});
 				});
 			},
 			next
 		);
 
-		},function(next) { // assign IPv6 if needed -- TODO
+	},function(next) {
-			if ((!authorized)||(!v6NeedAssign))
+
+		// assign IPv6 if needed -- TODO
+		if ((!authorized)||(!v6NeedAssign)||(v6Assignments.length > 0))
 			return next(null);
 
 		return next(null);
+
 	}],function(err) {
+
 		if (err) {
 			console.log('error composing response for '+peerId.address()+': '+err);
 			return;
-			} else if (authorized) {
+		}
-				// TODO: COM!!!
-				var certificateOfMembership = null;
-
-				var netconf = new Dictionary();
-				netconf.data[ZT_NETWORKCONFIG_DICT_KEY_NETCONF_SERVICE_VERSION] = '0.0.0';
-				netconf.data[ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES] = network['etherTypes'];
-				netconf.data[ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID] = nwid;
-				netconf.data[ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP] = Date.now().toString();
-				netconf.data[ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO] = peerId.address();
-				//netconf.data[ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_PREFIX_BITS] = 0;
-				//netconf.data[ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_DEPTH] = 0;
-				//netconf.data[ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_RATES] = '';
-				//netconf.data[ZT_NETWORKCONFIG_DICT_KEY_ARP_CACHE_TTL] = 0;
-				//netconf.data[ZT_NETWORKCONFIG_DICT_KEY_NDP_CACHE_TTL] = 0;
-				netconf.data[ZT_NETWORKCONFIG_DICT_KEY_EMULATE_ARP] = '0';
-				netconf.data[ZT_NETWORKCONFIG_DICT_KEY_EMULATE_NDP] = '0';
-				netconf.data[ZT_NETWORKCONFIG_DICT_KEY_IS_OPEN] = ztDbTrue(network['private']) ? '0' : '1';
-				netconf.data[ZT_NETWORKCONFIG_DICT_KEY_NAME] = network['name'];
-				if (network['desc'])
-					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_DESC] = network['desc'];
-				if (v4NeedAssign)
-					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC] = (v4Assignments.length > 0) ? v4Assignments.join(',') : '';
-				if (v6NeedAssign)
-					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC] = (v6Assignments.length > 0) ? v6Assignments.join(',') : '';
-				if (certificateOfMembership !== null)
-					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP] = certificateOfMembership;
 
 		var response = new Dictionary();
 		response.data['peer'] = peerId.address();
 		response.data['nwid'] = nwid;
 		response.data['type'] = 'netconf-response';
 		response.data['requestId'] = requestId;
+
+		if (authorized) {
+			var certificateOfMembership = null;
+			var privateNetwork = ztDbTrue(network['private']);
+
+			async.series([function(next) {
+
+				// Generate certificate of membership if necessary
+				if (privateNetwork) {
+					generateCertificateOfMembership(nwid,peerId.address(),function(cert,exitCode) {
+						if (cert) {
+							certificateOfMembership = cert;
+							return next(null);
+						} else return next(new Error('zerotier-idtool returned '+exitCode));
+					});
+				} else return next(null);
+
+			}],function(err) {
+
+				if (err) {
+					console.error('unable to generate certificate for peer '+peerId.address()+' on network '+nwid+': '+err);
+					response.data['error'] = 'ACCESS_DENIED'; // unable to generate certificate
+				} else {
+					var netconf = new Dictionary();
+					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES] = network['etherTypes'];
+					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID] = nwid;
+					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP] = Date.now().toString(16);
+					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO] = peerId.address();
+					//netconf.data[ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_PREFIX_BITS] = 0;
+					//netconf.data[ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_DEPTH] = 0;
+					//netconf.data[ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_RATES] = '';
+					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_PRIVATE] = privateNetwork ? '1' : '0';
+					netconf.data[ZT_NETWORKCONFIG_DICT_KEY_NAME] = network['name'];
+					if (network['desc'])
+						netconf.data[ZT_NETWORKCONFIG_DICT_KEY_DESC] = network['desc'];
+					if ((v4NeedAssign)&&(v4Assignments.length > 0))
+						netconf.data[ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC] = v4Assignments.join(',');
+					if ((v6NeedAssign)&&(v6Assignments.length > 0))
+						netconf.data[ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC] = v6Assignments.join(',');
+					if (certificateOfMembership !== null)
+						netconf.data[ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP] = certificateOfMembership;
 					response.data['netconf'] = netconf.toString();
+				}
 
 				process.stdout.write(response.toString()+'\n');
-				return;
+
-			} else {
-			}
 			});
+
+		} else {
+
+			// Peer not authorized to join network
+			response.data['error'] = 'ACCESS_DENIED';
+			process.stdout.write(response.toString()+'\n');
+
+		}
+
+	});
+}
+
+function handleMessage(dictStr)
+{
+	var message = new Dictionary(dictStr);
+	if (!('type' in message.data)) {
+		console.error('ignored message without request type field');
+		return;
+	} else if (message.data['type'] === 'netconf-init') {
+		doNetconfInit(message);
+	} else if (message.data['type'] === 'netconf-request') {
+		doNetconfRequest(message);
 	} else {
 		console.error('ignored unrecognized message type: '+message.data['type']);
 	}

netconf-service/redis-schema.md

@@ -58,7 +58,7 @@ Each network has a network record indexed by its 64-bit network ID in lower-case
 - R infrastructure :: if true, network can't be deleted through API or web UI
 - M private :: if true, network requires authentication
 - R creationTime :: timestamp of network creation
-- M etherTypes :: comma-delimited list of integers indicating Ethernet types permitted on network
+- M etherTypes :: comma-delimited list of *hexadecimal* integers indicating Ethernet types permitted on network
 - M enableBroadcast :: if true, ff:ff:ff:ff:ff:ff is enabled network-wide
 - M v4AssignMode :: 'none' (or null/empty/etc.), 'zt', 'dhcp'
 - M v4AssignPool :: network/bits from which to assign IPs

node/NetworkConfig.cpp

@@ -84,11 +84,7 @@ void NetworkConfig::_fromDictionary(const Dictionary &d)
 	_issuedTo = Address(d.get(ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO));
 	_multicastPrefixBits = Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_PREFIX_BITS,_zero).c_str());
 	_multicastDepth = Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_DEPTH,_zero).c_str());
-	_arpCacheTtl = Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_ARP_CACHE_TTL,_zero).c_str());
+	_private = (Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_PRIVATE,_zero).c_str()) != 0);
-	_ndpCacheTtl = Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_NDP_CACHE_TTL,_zero).c_str());
-	_emulateArp = (Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_EMULATE_ARP,_zero).c_str()) != 0);
-	_emulateNdp = (Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_EMULATE_NDP,_zero).c_str()) != 0);
-	_isOpen = (Utils::hexStrToUInt(d.get(ZT_NETWORKCONFIG_DICT_KEY_IS_OPEN,_zero).c_str()) != 0);
 	_name = d.get(ZT_NETWORKCONFIG_DICT_KEY_NAME);
 	_description = d.get(ZT_NETWORKCONFIG_DICT_KEY_DESC,std::string());
 

node/NetworkConfig.hpp

@@ -48,23 +48,18 @@ namespace ZeroTier {
 
 // These dictionary keys are short so they don't take up much room in
 // netconf response packets.
-#define ZT_NETWORKCONFIG_DICT_KEY_NETCONF_SERVICE_VERSION "ncver"
 #define ZT_NETWORKCONFIG_DICT_KEY_ALLOWED_ETHERNET_TYPES "et"
 #define ZT_NETWORKCONFIG_DICT_KEY_NETWORK_ID "nwid"
 #define ZT_NETWORKCONFIG_DICT_KEY_TIMESTAMP "ts"
 #define ZT_NETWORKCONFIG_DICT_KEY_ISSUED_TO "id"
 #define ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_PREFIX_BITS "mpb"
 #define ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_DEPTH "md"
-#define ZT_NETWORKCONFIG_DICT_KEY_ARP_CACHE_TTL "cARP"
+#define ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_RATES "mr"
-#define ZT_NETWORKCONFIG_DICT_KEY_NDP_CACHE_TTL "cNDP"
+#define ZT_NETWORKCONFIG_DICT_KEY_PRIVATE "p"
-#define ZT_NETWORKCONFIG_DICT_KEY_EMULATE_ARP "eARP"
+#define ZT_NETWORKCONFIG_DICT_KEY_NAME "n"
-#define ZT_NETWORKCONFIG_DICT_KEY_EMULATE_NDP "eNDP"
+#define ZT_NETWORKCONFIG_DICT_KEY_DESC "d"
-#define ZT_NETWORKCONFIG_DICT_KEY_IS_OPEN "o"
-#define ZT_NETWORKCONFIG_DICT_KEY_NAME "name"
-#define ZT_NETWORKCONFIG_DICT_KEY_DESC "desc"
 #define ZT_NETWORKCONFIG_DICT_KEY_IPV4_STATIC "v4s"
 #define ZT_NETWORKCONFIG_DICT_KEY_IPV6_STATIC "v6s"
-#define ZT_NETWORKCONFIG_DICT_KEY_MULTICAST_RATES "mr"
 #define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATE_OF_MEMBERSHIP "com"
 
 /**
@@ -122,11 +117,8 @@ public:
 	inline const Address &issuedTo() const throw() { return _issuedTo; }
 	inline unsigned int multicastPrefixBits() const throw() { return _multicastPrefixBits; }
 	inline unsigned int multicastDepth() const throw() { return _multicastDepth; }
-	inline unsigned int arpCacheTtl() const throw() { return _arpCacheTtl; }
+	inline bool isOpen() const throw() { return (!_private); }
-	inline unsigned int ndpCacheTtl() const throw() { return _ndpCacheTtl; }
+	inline bool isPrivate() const throw() { return _private; }
-	inline bool emulateArp() const throw() { return _emulateArp; }
-	inline bool emulateNdp() const throw() { return _emulateNdp; }
-	inline bool isOpen() const throw() { return _isOpen; }
 	inline const std::string &name() const throw() { return _name; }
 	inline const std::string &description() const throw() { return _description; }
 	inline const std::set<InetAddress> &staticIps() const throw() { return _staticIps; }
@@ -162,11 +154,7 @@ private:
 	Address _issuedTo;
 	unsigned int _multicastPrefixBits;
 	unsigned int _multicastDepth;
-	unsigned int _arpCacheTtl;
+	bool _private;
-	unsigned int _ndpCacheTtl;
-	bool _emulateArp;
-	bool _emulateNdp;
-	bool _isOpen;
 	std::string _name;
 	std::string _description;
 	std::set<InetAddress> _staticIps;