Standardized IPv6 ULA from PublicKey
Jason A. Donenfeld
Jason at zx2c4.com
Mon Jun 29 20:01:03 CEST 2020
We're probably not going to do this, for two reasons:
1. The security model of hashing keys down to tiny hash lengths is
dubious, and opens us up to all manner of interesting collision
attacks. Cryptkey routing implies a strong binding between IP and
pubkey. A hash with collisions means a weak binding.
2. There is very little practical utility. In WireGuard, both sides
must _already_ preshare their public keys, and there's no way around
this. So, at the same time that they preshare their public keys, they
can also exchange randomly generated LL or ULA addresses. (Notably,
this is how wg-dynamic works.) In other words, both sides are already
required to know 32 bytes about each other in order to communicate;
tagging on an additional 16 to whatever mechanism exchanges those 32
should not be a problem anywhere.
Trying to shave off 16 bytes of an initial communications setup by
adding complicated hashing schemes and collision issues seems like not
good decision making.
More information about the WireGuard