[WireGuard] WireGuard cryptokey routing

Norman Shulman norman.shulman at n-dimension.com
Thu Jul 7 18:15:19 CEST 2016


Look at it from the server side. There are millions of clients on millions
of 192.168.1.0/24 networks, yet a server can communicate with no more than
254 of them.


On Wed, Jul 6, 2016 at 11:48 AM, Baptiste Jonglez <
baptiste at bitsofnetworks.org> wrote:

> On Wed, Jul 06, 2016 at 11:31:28AM -0400, Norman Shulman wrote:
> > Ethernet networks don't scale; that's why we have IP networks.
>
> Wireguard does not use Ethernet at all, it operates purely at layer 3 (IP).
>
> IP over Ethernet would use a reactive scheme (ARP, Neighbour Discovery) to
> discover the mapping between IP addresses and link-layer addresses.  This
> is part of the reason why Ethernet does not scale well.
>
> Wireguard, on the other hand, does the equivalent mapping statically, via
> the AllowedIPs directive.  The mapping is also slightly different:
>
> - with Ethernet, you map from IP address to MAC address (using ARP or ND)
>
> - Wireguard maps from IP address to public key (using AllowedIP, so this
>   is completely static).  A public key is then mapped to the IP address
>   and UDP port of the peer on the Internet, using the last known endpoint
>   of the peer.  This makes this second mapping mostly dynamic, even though
>   it falls back to a static "Endpoint" configuration for bootstrap.
>
> Does that make things clearer for you?
>
> > So in general a client needs one address for each server? Rather limiting
> > for clients on small subnets, especially considering the case of n
> clients
> > on a subnet, each connecting to m different servers.
> >
> >
> >
> >
> > On Tue, Jul 5, 2016 at 3:11 PM, Jason A. Donenfeld <Jason at zx2c4.com>
> wrote:
> >
> > > On Tue, Jul 5, 2016 at 9:09 PM, Norman Shulman
> > > <norman.shulman at n-dimension.com> wrote:
> > > > How is this enforced?
> > > Receiving, line 238 here:
> > > https://git.zx2c4.com/WireGuard/tree/src/receive.c#n238
> > > Sending, line 112 here:
> > > https://git.zx2c4.com/WireGuard/tree/src/device.c#n112
> > >
> > > > How does this scale?
> > > The same way in which an ethernet network scales? One ethernet device
> > > can have multiple IPs, but separate (unbonded) ethernet devices
> > > generally do not share IPs.
> > >
>
> > _______________________________________________
> > WireGuard mailing list
> > WireGuard at lists.zx2c4.com
> > http://lists.zx2c4.com/mailman/listinfo/wireguard
>
>


-- 
Norman Shulman
Sr. Developer/Architect
N-Dimension Solutions Inc.
9030 Leslie St, Unit 300
Richmond Hill, ON L4B 1G2
Canada

Tel: 905 707-8884 x 226
Fax: 905 707-0886

This email and any files transmitted with it are solely intended for the
use of the named recipient(s) and may contain information that is
privileged and confidential. If you receive this email in error, please
immediately notify the sender and delete this message in all its forms.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20160707/0b20ca23/attachment.html>


More information about the WireGuard mailing list