Wireguard + anycast

Phil Hofer phil at sunfi.sh
Sat Jan 5 18:39:39 CET 2019


> If WireGuard let you configure a list of allowed keys for a peer (instead of a single key) that would be a logical solution without much extra complexity at all I imagine.

As a handshake initiator, you wouldn't know which key to use.
Similarly, when receiving a handshake initiation, you wouldn't
know which key to use to authenticate the handshake. You'd
have to fall back to trial decryption/encryption, which I
think is a non-starter.

The one-to-one correspondence of IP ranges to keys is
baked into the protocol pretty deeply. I'd say this is one
of those simplifying assumptions that WireGuard makes over
IPsec and friends that makes it easier to configure and
administrate.

-Phil
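To make the lookup Phil describes concrete, here is a small Python model of WireGuard's cryptokey routing table. It is an added example, not code from the post or from the WireGuard project; the peer names, key strings and addresses are constructed placeholders. It shows that an outgoing packet's destination address resolves to exactly one peer key by longest-prefix match, and that assigning a prefix already owned by one peer to a second peer moves the prefix rather than adding an alternative key, which is why two anycast nodes with different keys cannot both own the anycast address.

```python
"""Toy model of WireGuard's cryptokey routing (added example, not WireGuard code).

Each AllowedIPs prefix maps to exactly one peer public key.  The destination
address of an outgoing packet selects the peer, so there is no place in the
lookup for a list of alternative keys.
"""
import ipaddress


class CryptokeyRouter:
    def __init__(self):
        # prefix -> peer public key; one key per prefix, as in WireGuard
        self._table = {}

    def add_peer(self, pubkey, allowed_ips):
        """Attach AllowedIPs prefixes to a peer.

        A prefix already owned by another peer moves to this one (the later
        configuration wins, as wg(8) does), so a prefix never resolves to
        two keys.
        """
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self._table[net] = pubkey

    def lookup(self, dst):
        """Return the single peer key for dst, or None if no prefix matches."""
        addr = ipaddress.ip_address(dst)
        # 'addr in net' is False across address families, so v4/v6 never mix.
        candidates = [net for net in self._table if addr in net]
        if not candidates:
            return None
        best = max(candidates, key=lambda net: net.prefixlen)
        return self._table[best]

    def prefixes_for(self, pubkey):
        """All prefixes currently routed to pubkey (empty if it lost them all)."""
        return sorted(str(net) for net, key in self._table.items() if key == pubkey)


def demo():
    """Constructed scenario: two anycast nodes with different keys and one
    ordinary peer.  Returns the lookups so the outcome can be inspected."""
    router = CryptokeyRouter()
    # Two anycast nodes, each with its own (placeholder) key, both claiming
    # the same /32.  The second assignment takes the prefix away from node A.
    router.add_peer("PUBKEY_ANYCAST_NODE_A", ["192.0.2.1/32"])
    router.add_peer("PUBKEY_ANYCAST_NODE_B", ["192.0.2.1/32"])
    # An unrelated peer with a v4 and a v6 prefix.
    router.add_peer("PUBKEY_OFFICE", ["10.0.0.0/8", "2001:db8::/32"])
    return {
        "anycast": router.lookup("192.0.2.1"),          # only node B remains
        "node_a_prefixes": router.prefixes_for("PUBKEY_ANYCAST_NODE_A"),
        "office_v4": router.lookup("10.1.2.3"),
        "office_v6": router.lookup("2001:db8::1"),
        "unrouted": router.lookup("198.51.100.7"),       # no matching prefix
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The only arrangement this model accepts for anycast is the one the thread is circling around: every node answering on the shared address must present the same key, because the prefix can point at only one of them.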