From: Baptiste Jonglez <baptiste@bitsofnetworks.org>
To: Norman Shulman <norman.shulman@n-dimension.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: [WireGuard] WireGuard cryptokey routing
Date: Wed, 6 Jul 2016 17:48:35 +0200
Message-ID: <20160706154834.GH2040@lud.polynome.dn42>
In-Reply-To: <CANQAqMX-1MrYW+Yfn6g7BGPwn2qCDWOCoMWkLyM5W9KZgm52tQ@mail.gmail.com>
On Wed, Jul 06, 2016 at 11:31:28AM -0400, Norman Shulman wrote:
> Ethernet networks don't scale; that's why we have IP networks.

WireGuard does not use Ethernet at all; it operates purely at layer 3 (IP).

IP over Ethernet would use a reactive scheme (ARP, Neighbour Discovery) to
discover the mapping between IP addresses and link-layer addresses. This
is part of the reason why Ethernet does not scale well.

WireGuard, on the other hand, does the equivalent mapping statically, via
the AllowedIPs directive. The mapping is also slightly different:

- with Ethernet, you map from IP address to MAC address (using ARP or ND)

- WireGuard maps from IP address to public key (using AllowedIPs, so this
  is completely static). A public key is then mapped to the IP address
  and UDP port of the peer on the Internet, using the last known endpoint
  of the peer. This makes this second mapping mostly dynamic, even though
  it falls back to a static "Endpoint" configuration for bootstrap.

Does that make things clearer for you?

> So in general a client needs one address for each server? Rather limiting
> for clients on small subnets, especially considering the case of n clients
> on a subnet, each connecting to m different servers.
>
> On Tue, Jul 5, 2016 at 3:11 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> > On Tue, Jul 5, 2016 at 9:09 PM, Norman Shulman
> > <norman.shulman@n-dimension.com> wrote:
> > > How is this enforced?
> > Receiving, line 238 here:
> > https://git.zx2c4.com/WireGuard/tree/src/receive.c#n238
> > Sending, line 112 here:
> > https://git.zx2c4.com/WireGuard/tree/src/device.c#n112
> >
> > > How does this scale?
> > The same way in which an ethernet network scales? One ethernet device
> > can have multiple IPs, but separate (unbonded) ethernet devices
> > generally do not share IPs.
> >
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/wireguard
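
The two mappings described in the message above, as a small Python model. This is an added example, not code from the message or from WireGuard: the class and function names, keys and addresses are made up, and resolving overlapping AllowedIPs ranges by longest prefix goes beyond what the message states.

```python
import ipaddress


class CryptokeyRouter:
    """Toy model: inner IP -> public key (static), public key -> endpoint (dynamic)."""

    def __init__(self):
        self.allowed = []    # static: (network, public_key) pairs from AllowedIPs
        self.endpoint = {}   # dynamic: public_key -> (outer IP, UDP port)

    def add_peer(self, public_key, allowed_ips, endpoint=None):
        for cidr in allowed_ips:
            self.allowed.append((ipaddress.ip_network(cidr), public_key))
        if endpoint is not None:
            self.endpoint[public_key] = endpoint  # static "Endpoint", bootstrap only

    def lookup(self, ip):
        """Longest-prefix match of an inner IP address to a peer public key."""
        addr = ipaddress.ip_address(ip)
        matches = [(net.prefixlen, key) for net, key in self.allowed
                   if addr.version == net.version and addr in net]
        return max(matches)[1] if matches else None

    def send(self, dst_ip):
        """Outgoing: inner destination -> public key -> last known endpoint."""
        key = self.lookup(dst_ip)
        if key is None or key not in self.endpoint:
            return None  # no peer owns this address, or no endpoint known yet
        return key, self.endpoint[key]

    def receive(self, public_key, inner_src_ip, outer_src):
        """Incoming: called once the packet has authenticated under public_key."""
        if self.lookup(inner_src_ip) != public_key:
            return False  # inner source is outside this peer's AllowedIPs: drop
        # Assumption of this model: only an accepted packet refreshes the endpoint.
        self.endpoint[public_key] = outer_src
        return True


def demo_router():
    """Constructed sample configuration (keys and addresses are made up)."""
    r = CryptokeyRouter()
    r.add_peer("PUBKEY_A", ["10.0.0.0/24"], endpoint=("192.0.2.10", 51820))
    r.add_peer("PUBKEY_B", ["10.0.0.128/25", "10.1.0.2/32"])  # no Endpoint set
    return r
```

A peer configured without an Endpoint cannot be sent to until it has spoken first, and a packet that authenticates under one key but carries an inner source address assigned to another peer is dropped.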