From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: George Walker <georgewalkeriv@gmail.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Juliusz Chroboczek <jch@irif.fr>,
WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: The case for anycast (contra move semantics for unicast AllowedIPs).
Date: Fri, 20 Apr 2018 11:37:46 +0200 [thread overview]
Message-ID: <87wox2xlp1.fsf@toke.dk> (raw)
In-Reply-To: <CAC92Z13zi6Gsq2CGwohZSEcF04Sa+m+WO3yCzWjXvn4DZuy-Rg@mail.gmail.com>
George Walker <georgewalkeriv@gmail.com> writes:
> Hi Jason, Juliusz, Toke, Dave, et. al.,
>
> A year ago we discussed Multicast addressing and the move semantics for
> allowedIPs.
Yeah, whatever happened to actually implementing that? :)
> Recently, I've been mulling over move semantics and their
> implication for WireGuard's support for anycast addressing.
>
> Unlike Multicast addresses, there are no designated address ranges for
> anycast: an anycast address is just a unicast address that's
> advertised in more than one place. As I understand it, the move
> semantics for allowedIPs preclude anycast addressing, as IP addresses
> can only be assigned to one peer at a time. This makes me wonder if it
> might be more correct to allow unicast allowedIPs to be assigned to
> more than one peer, treating them as anycast in that case.
That is not how anycasting works. You don't actually get more than one
path to an anycast address, and you don't duplicate any packets
(otherwise TCP would break, as you say). What anycast does is just that
it announced the same address in multiple places *at the control plane*,
and each router can then pick the closest path to that address and
install that one route in its data plane.
The AllowedIP configuration in WireGuard is the data plane configuration
(i.e., it corresponds to the kernel FIB). So supporting anycast at that
level doesn't make sense; you'll need to decide which peer gets your
"anycast" traffic. To the extent that anycast makes sense as a concept
at all on top of a VPN, you'd need to run some sort of control plane
(e.g., a routing protocol; there's a WireGuard GSOC that looks into
that) which would then configure appropriate AllowedIP configs into
wireguard.
> Also, if memory serves, move semantics account for a large proportion
> of the troubleshooting requests that show up on this list, suggesting
> to me that the status quo --elegant though it is!-- may not be
> especially intuitive.
This is probably a separate point that might be worth exploring further ;)
-Toke
next prev parent reply other threads:[~2018-04-20 9:37 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-19 19:44 George Walker
2018-04-20 9:37 ` Toke Høiland-Jørgensen [this message]
2018-04-20 9:48 ` Juliusz Chroboczek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wox2xlp1.fsf@toke.dk \
--to=toke@toke.dk \
--cc=Jason@zx2c4.com \
--cc=georgewalkeriv@gmail.com \
--cc=jch@irif.fr \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).