From: Norman Shulman <norman.shulman@n-dimension.com>
Date: Thu, 7 Jul 2016 12:15:19 -0400
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <WireGuard@lists.zx2c4.com>
Subject: Re: [WireGuard] WireGuard cryptokey routing
In-Reply-To: <20160706154834.GH2040@lud.polynome.dn42>

Look at it from the server side. There are millions of clients on millions of 192.168.1.0/24 networks, yet a server can communicate with no more than 254 of them.

On Wed, Jul 6, 2016 at 11:48 AM, Baptiste Jonglez <baptiste@bitsofnetworks.org> wrote:
> On Wed, Jul 06, 2016 at 11:31:28AM -0400, Norman Shulman wrote:
> > Ethernet networks don't scale; that's why we have IP networks.
>
> Wireguard does not use Ethernet at all, it operates purely at layer 3 (IP).
>
> IP over Ethernet would use a reactive scheme (ARP, Neighbour Discovery) to
> discover the mapping between IP addresses and link-layer addresses. This
> is part of the reason why Ethernet does not scale well.
>
> Wireguard, on the other hand, does the equivalent mapping statically, via
> the AllowedIPs directive. The mapping is also slightly different:
>
> - with Ethernet, you map from IP address to MAC address (using ARP or ND)
>
> - Wireguard maps from IP address to public key (using AllowedIP, so this
>   is completely static). A public key is then mapped to the IP address
>   and UDP port of the peer on the Internet, using the last known endpoint
>   of the peer. This makes this second mapping mostly dynamic, even though
>   it falls back to a static "Endpoint" configuration for bootstrap.
>
> Does that make things clearer for you?
>
> > So in general a client needs one address for each server? Rather limiting
> > for clients on small subnets, especially considering the case of n clients
> > on a subnet, each connecting to m different servers.
> >
> > On Tue, Jul 5, 2016 at 3:11 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >
> > > On Tue, Jul 5, 2016 at 9:09 PM, Norman Shulman
> > > <norman.shulman@n-dimension.com> wrote:
> > > > How is this enforced?
> > > Receiving, line 238 here:
> > > https://git.zx2c4.com/WireGuard/tree/src/receive.c#n238
> > > Sending, line 112 here:
> > > https://git.zx2c4.com/WireGuard/tree/src/device.c#n112
> > >
> > > > How does this scale?
> > > The same way in which an ethernet network scales? One ethernet device
> > > can have multiple IPs, but separate (unbonded) ethernet devices
> > > generally do not share IPs.
> > >
> > _______________________________________________
> > WireGuard mailing list
> > WireGuard@lists.zx2c4.com
> > http://lists.zx2c4.com/mailman/listinfo/wireguard

--
Norman Shulman
Sr. Developer/Architect
N-Dimension Solutions Inc.
9030 Leslie St, Unit 300
Richmond Hill, ON L4B 1G2
Canada

Tel: 905 707-8884 x 226
Fax: 905 707-0886

This email and any files transmitted with it are solely intended for the use of the named recipient(s) and may contain information that is privileged and confidential. If you receive this email in error, please immediately notify the sender and delete this message in all its forms.
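The static IP-to-public-key mapping Baptiste describes, and the two enforcement points Jason cites (destination lookup on send, source check on receive), modelled as an added example. This is illustration code, not WireGuard's own; peer names, prefixes and the linear longest-prefix scan are constructed stand-ins for the kernel's radix trie.

```python
"""Toy model of WireGuard cryptokey routing (added example, not WireGuard code)."""
import ipaddress
from typing import Optional


class CryptokeyRouter:
    def __init__(self) -> None:
        # (network, peer public key); a linear scan stands in for the real trie
        self._table: list = []

    def add_peer(self, pubkey: str, allowed_ips: list) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            # A prefix belongs to exactly one peer: a later peer claiming the
            # same prefix takes it over (models WireGuard's behaviour).
            self._table = [(n, k) for (n, k) in self._table if n != net]
            self._table.append((net, pubkey))

    def lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match of ip against every peer's AllowedIPs."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, key in self._table:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, key)
        return best[1] if best else None

    def route_outgoing(self, dst_ip: str) -> Optional[str]:
        """Send side: which peer encrypts a packet for dst_ip? None means drop."""
        return self.lookup(dst_ip)

    def accept_incoming(self, from_peer: str, src_ip: str) -> bool:
        """Receive side: a packet decrypted under from_peer's session is only
        accepted if src_ip maps back to that same peer (stops IP spoofing)."""
        return self.lookup(src_ip) == from_peer


def demo() -> dict:
    # Constructed server-side table: peers A, B, C, D are hypothetical names.
    r = CryptokeyRouter()
    r.add_peer("PEER_A", ["10.0.0.2/32"])
    r.add_peer("PEER_B", ["10.0.0.3/32", "192.168.1.0/24"])
    r.add_peer("PEER_C", ["192.168.1.0/24"])  # same LAN prefix as B: takes it over
    r.add_peer("PEER_D", ["192.168.1.50/32"])  # longer prefix wins inside that LAN
    return {
        "to_a": r.route_outgoing("10.0.0.2"),            # PEER_A
        "to_lan": r.route_outgoing("192.168.1.7"),       # PEER_C; B lost the /24
        "to_host": r.route_outgoing("192.168.1.50"),     # PEER_D via longest prefix
        "spoof": r.accept_incoming("PEER_A", "10.0.0.3"),  # False: A may not use B's IP
        "legit": r.accept_incoming("PEER_B", "10.0.0.3"),  # True
        "unrouted": r.route_outgoing("172.16.0.1"),      # None: no peer, packet dropped
    }
```

The `to_lan` result is Norman's objection in miniature: two peers cannot both hold 192.168.1.0/24 on the same server, so only the last one to claim the prefix is reachable.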