[RFC] Multicast and IPv6 Link Local Addresses
Baptiste Jonglez
baptiste at bitsofnetworks.org
Mon Apr 17 16:11:07 CEST 2017
Hi Jason,
On Fri, Apr 07, 2017 at 04:02:49PM +0200, Jason A. Donenfeld wrote:
> Various networking people have been poking and prodding about
> supporting IPv6 Link Local addresses and about supporting special
> multicast addresses. *I MAY VERY WELL NEVER CHOOSE TO IMPLEMENT THIS*
> but in case I do, I wanted to start spec'ing out what this might look
> like in order to think about it better. There are a lot of odd
> concerns to take into account, so I doubt that the below will wind up
> as a final solution.
This is good news! I can't wait to see Babel running on a wireguard
interface with several peers, or even what OSPF would look like on such a
network.
That being said, for the purpose of a routing protocol like Babel, I think
it still makes more sense to use only *point-to-point* wireguard links.
Link-local and multicast communication solves the problem of discovering
remote routing daemon, but the AllowedIPs list is still static, which does
not make sense for a routing protocol. With point-to-point links, you can
bypass this limitation by simply setting AllowedIPs to ::/0. Of course,
once we have dynamic AllowedIPs, this will change :)
Regarding the current consensus about link-local and multicast:
1) link-local:
> This command fails and returns -ENOTUNIQ if two existing peers have
> the same value of hash(pubkey). When this command succeeds:, the wg0
> interface receives an automatically assigned IP address of
> fe80::hash(interfacepubkey)/64. Every peer has
> fe80::hash(peerpubkey)/128 implicitly added to their allowed-ips. When
> adding a new peer, if hash(pubkey) is the same value of an existing
> peer, the command fails and returns -ENOTUNIQ.
This looks like a very good idea, and I think it should be enabled by
default. What would be the cost of doing this, except for the risk of
collision? If I'm not mistaken, you would have a high chance of collision
starting with around 2**32 peers (see [1]).
2) multicast:
I agree that George's solution (no implicit multicast AllowedIPs, and
AllowedIPs in a multicast range have a "cloning" semantic instead of the
usual "moving" semantic) is clean.
There is just the minor issue of subnets that encompass both unicast and
multicast addresses, the simplest one being ::/0. Such subnets could be
automatically split by wireguard, or just have the "moving" semantic of
unicast subnets. With this last option, a user would have to explicitly
add a subnet which is *within* a multicast prefix to trigger the "cloning"
semantic.
Another idea could be to add ff02::1/128 (the all-nodes multicast address)
by default to every peer. This would allow to nicely discover the
link-local address and RTT of neighbouring peers by simply running:
$ ping -6 -L -I wg0 ff02::1
PING ff02::1(ff02::1) from fe80::XXX%wg0 wg0: 56 data bytes
64 bytes from fe80::YYY%wg0: icmp_seq=1 ttl=64 time=0.459 ms
64 bytes from fe80::ZZZ%wg0: icmp_seq=1 ttl=64 time=0.692 ms (DUP!)
However, it would be another special case in Wireguard, and some people
might want to disable this behaviour if it's enabled by default.
Baptiste
[1] https://en.wikipedia.org/wiki/Birthday_problem#Probability_table
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20170417/be7922d4/attachment.asc>
More information about the WireGuard
mailing list