<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<blockquote type="cite"
cite="mid:CADX+UFjEBcWRsL3SRv5_b0ezU0adcURqOJf=MvDbQkSXg3JRHg@mail.gmail.com">
<div dir="ltr"><br>
Another option would be to run insecure QUIC or SCTP on top of
WireGuard,<br>
</div>
</blockquote>
You cannot run SCTP on the Internet anyway. Too many routers block
anything that's not TCP/UDP/ICMP.<br>
<br>
<blockquote type="cite"
cite="mid:CADX+UFjEBcWRsL3SRv5_b0ezU0adcURqOJf=MvDbQkSXg3JRHg@mail.gmail.com">
<div dir="ltr">I'm also wondering how easy this would be to
program. It would clearly be much<br>
more heavyweight than simply opening a socket, but I guess it
can be done via<br>
invocations of the `wg` or `wg-quick` tools.</div>
</blockquote>
Don't use the tools. There's a library around that you can use to do
all of the heavy lifting via netlink sockets. You'll also need the
privilege to assign addresses and routes to the WG interfaces.<br>
<blockquote type="cite"
cite="mid:CADX+UFjEBcWRsL3SRv5_b0ezU0adcURqOJf=MvDbQkSXg3JRHg@mail.gmail.com">
<div dir="ltr">Ideally we wouldn't need root</div>
</blockquote>
If you go the netlink route, you do need one process that has the
appropriate privilege, which means root at install time (but not
runtime).<br>
<blockquote type="cite"
cite="mid:CADX+UFjEBcWRsL3SRv5_b0ezU0adcURqOJf=MvDbQkSXg3JRHg@mail.gmail.com">
<div dir="ltr"><br>
Once the network is live, we'd need the transport protocol to be
relatively<br>
stable, or at least be easily upgradeable</div>
</blockquote>
Well, the WG wire protocol is supposed to be stable by now.
Switching away from it would require new code on your side anyway,
so you can implement the exact method of switching at that time.<br>
<br>
<pre class="moz-signature" cols="72">--
-- Matthias Urlichs</pre>
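As an added example (not code from this thread or from the netlink library the reply mentions), the privileged step in plain C over an rtnetlink socket: building and sending an RTM_NEWADDR request that assigns an IPv4 address to an interface, which the kernel refuses with EPERM when the calling process lacks CAP_NET_ADMIN. The interface index, 10.0.0.1/24 and the function names are constructed for illustration; Linux headers are assumed.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
/* One RTM_NEWADDR request: header, ifaddrmsg, then IFA_LOCAL and IFA_ADDRESS. */
struct addr_req {
    struct nlmsghdr nh;
    struct ifaddrmsg ifa;
    char attrs[64];
};
/* Fill req for "add addr_be/prefix to interface ifindex"; returns nlmsg_len. */
size_t build_addr_req(struct addr_req *req, int ifindex, in_addr_t addr_be, unsigned char prefix)
{
    int types[2] = { IFA_LOCAL, IFA_ADDRESS };
    memset(req, 0, sizeof *req);
    req->nh.nlmsg_len = NLMSG_LENGTH(sizeof req->ifa);
    req->nh.nlmsg_type = RTM_NEWADDR;
    req->nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK;
    req->ifa.ifa_family = AF_INET;
    req->ifa.ifa_prefixlen = prefix;
    req->ifa.ifa_index = ifindex;
    for (int i = 0; i < 2; i++) {   /* append both attributes, each 4-byte aligned */
        struct rtattr *rta = (struct rtattr *)((char *)req + NLMSG_ALIGN(req->nh.nlmsg_len));
        rta->rta_type = types[i];
        rta->rta_len = RTA_LENGTH(sizeof addr_be);
        memcpy(RTA_DATA(rta), &addr_be, sizeof addr_be);
        req->nh.nlmsg_len = NLMSG_ALIGN(req->nh.nlmsg_len) + RTA_ALIGN(rta->rta_len);
    }
    return req->nh.nlmsg_len;
}
/* Send the request and read the kernel's NLMSG_ERROR reply: 0 means ACK, otherwise the
 * negative errno (-EPERM without CAP_NET_ADMIN, -ENODEV when ifindex names no interface). */
int add_ifaddr(int ifindex, const char *ipv4, unsigned char prefix)
{
    struct addr_req req;
    struct { struct nlmsghdr nh; struct nlmsgerr err; } resp;
    struct in_addr in; int fd, rc = -EIO; size_t len;
    if (inet_pton(AF_INET, ipv4, &in) != 1) return -EINVAL;
    len = build_addr_req(&req, ifindex, in.s_addr, prefix);
    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) return -errno;
    if (send(fd, &req, len, 0) == (ssize_t)len &&
        recv(fd, &resp, sizeof resp, 0) >= (ssize_t)NLMSG_LENGTH(sizeof resp.err) &&
        resp.nh.nlmsg_type == NLMSG_ERROR)
        rc = resp.err.error;
    close(fd);
    return rc;
}
```

Calling add_ifaddr(if_nametoindex("wg0"), "10.0.0.1", 24) from an unprivileged process returns -EPERM; the same call from the one privileged installer process the reply describes returns 0, after which the unprivileged runtime never needs CAP_NET_ADMIN for this step again.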
</body>
</html>