
Key management characteristics of the Tailscale Control Protocol

Blog post from Tailscale

Post Details
Author: David Crawshaw
Word Count: 795
Summary

Tailscale's control protocol is split into a control plane and a data plane, and its security rests on how keys are managed. The control plane authenticates users, validates machine keys, and distributes public keys to the machines in a network. Each machine generates a curve25519 private key when Tailscale is installed, and the control server exchanges ECDH crypto_box messages with clients to secure their communication. Machine keys require pre-authorization, so only approved machines join the network. On login, the client creates a separate node key that is tied to its machine key and to a user identity, often verified through OAuth2 or SAML with multi-factor authentication. The node key is what configures WireGuard peers, and it is rotated automatically for added security. Clients keep a persistent HTTPS connection to the control server so they receive network updates in real time, and firewall rules derived from the network's ACLs determine which connections are permitted; this simplifies policy management and keeps client operation separate from the control protocol.
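The key-management rules the summary lists (pre-authorized machine keys, node keys bound to a machine key and a user identity, automatic node-key rotation, and firewall rules derived from ACLs) as a small Python model of a control server. This is an added illustration, not Tailscale's code: the key strings are random placeholders rather than curve25519 keys, the user identity is assumed to arrive already verified by the identity provider, and the ACL format and the rule that a node's filter is built from ACL entries naming it as a destination are assumptions made for the example.

```python
"""Toy control-plane model of the key rules in the summary (added example,
not Tailscale's implementation)."""
import secrets
from dataclasses import dataclass


def new_key(prefix: str) -> str:
    # Placeholder for a curve25519 public key. A real client generates the
    # private key locally and only the public half is sent to control.
    return f"{prefix}:{secrets.token_hex(8)}"


@dataclass
class Node:
    machine_key: str   # identifies the installed machine
    user: str          # identity confirmed by OAuth2/SAML (assumed verified)
    node_key: str      # per-login key used for WireGuard peer configuration


class ControlServer:
    def __init__(self, acls: list[dict]):
        # Assumed ACL shape: [{"src": ["alice"], "dst": ["bob"]}, ...]
        self.acls = acls
        self.preauthorized: set[str] = set()   # machine keys an admin approved
        self.nodes: dict[str, Node] = {}       # keyed by machine key

    def preauthorize(self, machine_key: str) -> None:
        self.preauthorized.add(machine_key)

    def login(self, machine_key: str, user: str) -> str:
        # Only pre-authorized machine keys may register; everything else is
        # rejected before any node key is issued.
        if machine_key not in self.preauthorized:
            raise PermissionError("machine key not pre-authorized")
        node = Node(machine_key, user, new_key("node"))
        self.nodes[machine_key] = node
        return node.node_key

    def rotate_node_key(self, machine_key: str) -> tuple[str, str]:
        # Rotation replaces the node key while the binding to the machine
        # key and the user identity is unchanged.
        node = self.nodes[machine_key]
        old, node.node_key = node.node_key, new_key("node")
        return old, node.node_key

    def peers_for(self, machine_key: str) -> list[str]:
        # The peer list pushed to a client: every other node's current
        # public node key, which the client turns into WireGuard peers.
        return [n.node_key for k, n in self.nodes.items() if k != machine_key]

    def allowed_sources(self, machine_key: str) -> set[str]:
        # Assumed derivation: a node's filter is the set of users allowed to
        # reach it, taken from the ACL rules that name its user as a dst.
        me = self.nodes[machine_key]
        allowed: set[str] = set()
        for rule in self.acls:
            if me.user in rule["dst"] or "*" in rule["dst"]:
                allowed.update(rule["src"])
        return allowed

    def may_connect(self, src_machine_key: str, dst_machine_key: str) -> bool:
        src_user = self.nodes[src_machine_key].user
        allowed = self.allowed_sources(dst_machine_key)
        return src_user in allowed or "*" in allowed


def demo() -> dict:
    """Constructed scenario: alice may reach bob, bob may not reach alice."""
    srv = ControlServer([{"src": ["alice"], "dst": ["bob"]}])
    mk_alice, mk_bob = new_key("mkey"), new_key("mkey")
    rejected = False
    try:
        srv.login(mk_alice, "alice")      # not yet pre-authorized
    except PermissionError:
        rejected = True
    srv.preauthorize(mk_alice)
    srv.preauthorize(mk_bob)
    srv.login(mk_alice, "alice")
    srv.login(mk_bob, "bob")
    old, new = srv.rotate_node_key(mk_alice)
    return {
        "unauthorized_rejected": rejected,
        "alice_to_bob": srv.may_connect(mk_alice, mk_bob),
        "bob_to_alice": srv.may_connect(mk_bob, mk_alice),
        "rotation_changed_key": old != new,
        "bob_sees_new_key": srv.peers_for(mk_bob) == [new],
    }


if __name__ == "__main__":
    print(demo())
```

The point of `allowed_sources` is that the filter a node receives is computed centrally from the ACL and contains only the rules relevant to that node, so a client never needs to interpret the whole policy itself.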