Compute credential TTL et al.

node/CertificateOfMembership.hpp

@@ -33,11 +33,6 @@
 #include "Identity.hpp"
 #include "Utils.hpp"
 
-/**
- * Default window of time for certificate agreement
- */
-#define ZT_NETWORK_COM_DEFAULT_REVISION_MAX_DELTA (ZT_NETWORK_AUTOCONF_DELAY * 5)
-
 /**
  * Maximum number of qualifiers allowed in a COM (absolute max: 65535)
  */

node/Membership.hpp

@@ -32,10 +32,10 @@
 #include "NetworkConfig.hpp"
 
 // Expiration time for capability and tag cache
-#define ZT_MEMBERSHIP_STATE_EXPIRATION_TIME (ZT_NETWORK_COM_DEFAULT_REVISION_MAX_DELTA * 4)
+#define ZT_MEMBERSHIP_STATE_EXPIRATION_TIME 600000
 
 // Expiration time for Memberships (used in Peer::clean())
-#define ZT_MEMBERSHIP_EXPIRATION_TIME (ZT_MEMBERSHIP_STATE_EXPIRATION_TIME * 4)
+#define ZT_MEMBERSHIP_EXPIRATION_TIME (ZT_MEMBERSHIP_STATE_EXPIRATION_TIME * 2)
 
 namespace ZeroTier {
 

node/NetworkConfig.hpp

@@ -40,6 +40,22 @@
 #include "Dictionary.hpp"
 #include "Identity.hpp"
 
+/**
+ * Default maximum credential TTL and maxDelta for COM timestamps
+ *
+ * The current value is two hours, providing ample time for a controller to
+ * experience fail-over, etc.
+ */
+#define ZT_NETWORKCONFIG_DEFAULT_MAX_CREDENTIAL_TTL 7200000ULL
+
+/**
+ * Default minimum credential TTL and maxDelta for COM timestamps
+ *
+ * This is just slightly over three minutes and provides three retries for
+ * all currently online members to refresh.
+ */
+#define ZT_NETWORKCONFIG_DEFAULT_MIN_CREDENTIAL_TTL 185000ULL
+
 /**
  * Flag: allow passive bridging (experimental)
  */