From: Rolf Sommerhalder <rolf.sommerhalder@alumni.ethz.ch>
To: wireguard@lists.zx2c4.com, consul-tool@googlegroups.com
Subject: Consul Connect and WireGuard?
Date: Sat, 7 Jul 2018 13:21:17 +0200
Message-ID: <CAG9f2fhr6Sw2GL_WzB2kZHK7emDTX_Tx9LDct90C5Sgqmp=L8Q@mail.gmail.com>

(Cross-posting on Consul's Google group and WireGuard's mailing list.)

Hello,

After watching the keynotes [1], are you also asking yourself if
Consul's Service Mesh is a cloud-native Control Plane for dynamic
overlay (mesh) networks, and if mTLS with certificates could not be
replaced by WireGuard [2] with private/public keys in the Data Plane?

Could such a combination become a light-weight (elastic)
alternative to network-centric (static) overlays, such as VxLAN or
EVPN?
Or, could Consul be a much more comprehensive Control Plane for
WireGuard, compared to WireGuard-p2p [3], which uses ad-hoc Distributed
Hash Tables (DHT) for "Service Registration & Discovery"?

Eventually, the user-space Go implementation of WireGuard could be
included into Consul, as HashiCorp already did for its PKI (parts
taken from Vault). This would make the alternate Data Plane portable
to platforms other than Linux, much in line with the idea of running
Consul agents on each node providing a "dial-tone".

However, running Consul on each node might be a chatty and large
Control Plane that may be harder to lock down, compared to WireGuard
network overlays and proxies in the Data Plane. For the Data Plane,
Consul Connect provides nice security controls, such as key
management, or Service Graphs with ACLs and Intentions. As everything
is identity-based and independent of IP addresses, this would fit Zero
Trust Network designs.

Is this idea viable at all and worth further exploration, or am I
missing something?

Thanks,
Rolf

[1] https://www.hashicorp.com/resources/hashidays-2018-full-keynote-armon-mitchell
[2] https://www.wireguard.com
[3] https://github.com/manuels/wireguard-p2p
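To make the question above concrete, here is a small added sketch (not code from the thread, from Consul or from WireGuard) of what "Consul as Control Plane, WireGuard as Data Plane" would amount to: a registry holds each service instance's identity as a WireGuard public key plus its endpoint and overlay address, the service graph's Intentions decide which identities may talk, and the node renders a WireGuard config containing only the permitted peers. The catalog schema, the Intention type, the placeholder keys and the three-tier sample are all constructed assumptions; they are not Consul's real catalog format. Written in Go because both Consul and the user-space WireGuard implementation mentioned in the post are Go.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Instance is what a registry-backed control plane would know about one
// service instance. Constructed for this example; not Consul's catalog schema.
type Instance struct {
	Service      string // logical identity that Intentions refer to
	Node         string
	PublicKey    string // WireGuard public key; takes the role the mTLS certificate has in Connect
	UnderlayAddr string // address reachable on the physical network
	ListenPort   int
	TunnelIP     string // address inside the overlay, with a /32 mask
}

// Intention is a source-to-destination allow/deny rule, in the spirit of
// Consul's service graph (simplified shape, assumed here).
type Intention struct {
	Source, Destination string
	Allow               bool
}

// allowed looks up an explicit intention; anything not listed is denied,
// which is the default-deny posture a Zero Trust design wants.
func allowed(intentions []Intention, src, dst string) bool {
	for _, in := range intentions {
		if in.Source == src && in.Destination == dst {
			return in.Allow
		}
	}
	return false
}

// peersFor selects the instances self may exchange traffic with. A WireGuard
// tunnel is bidirectional, so an allow in either direction yields a peer entry;
// every other identity is simply absent from the config and thus unreachable.
func peersFor(self Instance, catalog []Instance, intentions []Intention) []Instance {
	var peers []Instance
	for _, other := range catalog {
		if other.PublicKey == self.PublicKey {
			continue
		}
		if allowed(intentions, self.Service, other.Service) ||
			allowed(intentions, other.Service, self.Service) {
			peers = append(peers, other)
		}
	}
	// Deterministic order, so a re-render after a catalog change gives a clean diff.
	sort.Slice(peers, func(i, j int) bool { return peers[i].PublicKey < peers[j].PublicKey })
	return peers
}

// renderConfig emits a wg-quick style configuration. AllowedIPs is pinned to
// each peer's single overlay address, so a peer can only source packets from
// the identity the control plane bound to its key.
func renderConfig(self Instance, privateKey string, peers []Instance) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[Interface]\nAddress = %s\nListenPort = %d\nPrivateKey = %s\n",
		self.TunnelIP, self.ListenPort, privateKey)
	for _, p := range peers {
		fmt.Fprintf(&b, "\n[Peer]\n# %s on %s\nPublicKey = %s\nEndpoint = %s:%d\nAllowedIPs = %s\n",
			p.Service, p.Node, p.PublicKey, p.UnderlayAddr, p.ListenPort, p.TunnelIP)
	}
	return b.String()
}

// sampleCatalog and sampleIntentions are constructed data: a three-tier app where
// web may call api and api may call db, but web must never reach db directly.
// The keys are placeholders, not real WireGuard keys.
func sampleCatalog() []Instance {
	return []Instance{
		{"web", "node-a", "WEB_PUBKEY_PLACEHOLDER", "192.0.2.10", 51820, "10.100.0.1/32"},
		{"api", "node-b", "API_PUBKEY_PLACEHOLDER", "192.0.2.20", 51820, "10.100.0.2/32"},
		{"db", "node-c", "DB_PUBKEY_PLACEHOLDER", "192.0.2.30", 51820, "10.100.0.3/32"},
	}
}

func sampleIntentions() []Intention {
	return []Intention{
		{"web", "api", true},
		{"api", "db", true},
	}
}

// findInstance returns the catalog entry for a service name, or false.
func findInstance(catalog []Instance, service string) (Instance, bool) {
	for _, i := range catalog {
		if i.Service == service {
			return i, true
		}
	}
	return Instance{}, false
}

func main() {
	catalog, intentions := sampleCatalog(), sampleIntentions()
	for _, svc := range []string{"web", "api", "db"} {
		self, _ := findInstance(catalog, svc)
		cfg := renderConfig(self, "PRIVKEY_PLACEHOLDER", peersFor(self, catalog, intentions))
		fmt.Printf("=== %s ===\n%s\n", svc, cfg)
	}
}
```

Running it prints one config per tier: web's config lists api as its only peer, db's lists api as its only peer, and api's lists both. Revoking the web-to-api intention and re-rendering drops the peer entry on both sides, which is the elastic behaviour the post is asking about; note that in this sketch key rotation and endpoint changes would also just be a re-render, since the registry, not the IP address, is the source of truth for identity.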
