[WireGuard] WireGuard cryptokey routing
baptiste at bitsofnetworks.org
Wed Jul 6 17:48:35 CEST 2016
On Wed, Jul 06, 2016 at 11:31:28AM -0400, Norman Shulman wrote:
> Ethernet networks don't scale; that's why we have IP networks.
WireGuard does not use Ethernet at all; it operates purely at layer 3 (IP).
IP over Ethernet would use a reactive scheme (ARP, Neighbour Discovery) to
discover the mapping between IP addresses and link-layer addresses. This
is part of the reason why Ethernet does not scale well.
WireGuard, on the other hand, does the equivalent mapping statically, via
the AllowedIPs directive. The mapping is also slightly different:
- with Ethernet, you map from IP address to MAC address (using ARP or ND)
- WireGuard maps from IP address to public key (using AllowedIPs, so this
is completely static). A public key is then mapped to the IP address
and UDP port of the peer on the Internet, using the last known endpoint
of the peer. This makes this second mapping mostly dynamic, even though
it falls back to a static "Endpoint" configuration for bootstrap.
Does that make things clearer for you?
> So in general a client needs one address for each server? Rather limiting
> for clients on small subnets, especially considering the case of n clients
> on a subnet, each connecting to m different servers.
> On Tue, Jul 5, 2016 at 3:11 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> > On Tue, Jul 5, 2016 at 9:09 PM, Norman Shulman
> > <norman.shulman at n-dimension.com> wrote:
> > > How is this enforced?
> > Receiving, line 238 here:
> > https://git.zx2c4.com/WireGuard/tree/src/receive.c#n238
> > Sending, line 112 here:
> > https://git.zx2c4.com/WireGuard/tree/src/device.c#n112
> > > How does this scale?
> > The same way in which an ethernet network scales? One ethernet device
> > can have multiple IPs, but separate (unbonded) ethernet devices
> > generally do not share IPs.
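The two mappings described above (inner IP prefix to public key via AllowedIPs, then public key to Internet endpoint, with the endpoint learned from the last packet and a static "Endpoint" as fallback), together with the send-side lookup and receive-side source check that the links into receive.c and device.c point at, modelled as an added Python example. This is not WireGuard's code and not from anyone in the thread; the peer names pubA/pubB, the prefixes, the endpoints and the ordering "learn endpoint, then check inner source" are constructed for the illustration, and real keys are Curve25519 public keys rather than strings.

```python
"""Toy model of WireGuard cryptokey routing (added example, not WireGuard code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

Endpoint = Tuple[str, int]  # (IP address on the Internet, UDP port)
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Peer:
    public_key: str                               # stand-in for a Curve25519 key
    allowed_ips: List[Network] = field(default_factory=list)  # static AllowedIPs
    endpoint: Optional[Endpoint] = None           # static bootstrap "Endpoint ="
    last_endpoint: Optional[Endpoint] = None      # dynamic, learned from last packet


class CryptokeyRouter:
    """Mapping 1: inner IP prefix -> public key (static, from AllowedIPs).
    Mapping 2: public key -> Internet endpoint (dynamic, static fallback)."""

    def __init__(self) -> None:
        self.peers: Dict[str, Peer] = {}
        self.table: Dict[Network, str] = {}  # prefix -> public key

    def add_peer(self, peer: Peer) -> None:
        self.peers[peer.public_key] = peer
        for net in peer.allowed_ips:
            # In this model a prefix belongs to exactly one peer; assigning it
            # again moves it, so two peers never claim the same inner address.
            old = self.table.get(net)
            if old is not None and old != peer.public_key:
                self.peers[old].allowed_ips.remove(net)
            self.table[net] = peer.public_key

    def lookup(self, ip: str) -> Optional[Peer]:
        """Longest-prefix match of an inner IP against every peer's AllowedIPs."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[Network, str]] = None
        for net, key in self.table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, key)
        return self.peers[best[1]] if best else None

    def route_outbound(self, dst_ip: str) -> Optional[Tuple[str, Endpoint]]:
        """Sending side: which key the packet is encrypted to and where on the
        Internet it is sent. None means the packet is dropped: no peer claims
        the destination, or the peer has no endpoint known yet."""
        peer = self.lookup(dst_ip)
        if peer is None:
            return None
        endpoint = peer.last_endpoint or peer.endpoint  # dynamic first, static fallback
        if endpoint is None:
            return None
        return peer.public_key, endpoint

    def receive(self, public_key: str, src_endpoint: Endpoint, inner_src_ip: str) -> bool:
        """Receiving side, once a packet has authenticated under public_key.
        The outer source becomes the peer's endpoint (roaming); the packet is
        delivered only if its inner source IP lies in that peer's AllowedIPs,
        which is what stops a peer from spoofing another peer's addresses."""
        peer = self.peers.get(public_key)
        if peer is None:
            return False
        peer.last_endpoint = src_endpoint
        owner = self.lookup(inner_src_ip)
        return owner is not None and owner.public_key == public_key


def build_example() -> CryptokeyRouter:
    """Constructed topology: a single-host peer and a peer routing two subnets."""
    r = CryptokeyRouter()
    r.add_peer(Peer("pubA", [ipaddress.ip_network("10.0.0.1/32")],
                    endpoint=("203.0.113.5", 51820)))
    # pubB sits behind NAT: no static Endpoint, its address is learned on receipt.
    r.add_peer(Peer("pubB", [ipaddress.ip_network("10.0.0.0/24"),
                             ipaddress.ip_network("192.168.50.0/24")]))
    return r


if __name__ == "__main__":
    r = build_example()
    print(r.route_outbound("10.0.0.1"))   # pubA: its /32 beats pubB's /24
    print(r.route_outbound("10.0.0.7"))   # None: pubB's endpoint is not known yet
    print(r.receive("pubB", ("198.51.100.9", 40000), "192.168.50.3"))  # True, endpoint learned
    print(r.route_outbound("10.0.0.7"))   # now reaches pubB at the learned endpoint
    print(r.receive("pubA", ("203.0.113.5", 51820), "192.168.50.3"))   # False: not pubA's address
```

The model keeps the two tables separate on purpose: AllowedIPs changes only by configuration, while the endpoint table is rewritten by every authenticated packet, which is what lets a peer roam between networks without any reconfiguration on the other side.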