On Fri, Jun 21, 2019 at 02:46:47PM -0400, Justin Kilpatrick wrote:
Hmm... does HMAC alleviate the need for the bottom layer?
https://tools.ietf.org/html/draft-ietf-babel-hmac
As a proof of concept, I created a broker-script that allows setting unique addresses on the server. The IP address of one end of the tunnel is generated from the mac. On the server, the interfaces are enumerated.

(It's implemented, but not merged yet -- I've got two students working on making it mergeable.)

HMAC would resolve the need for the bottom layer. There are advantages to being able to share keys between the layers though. Not sure I would want to give up on Wireguard especially since we're so dependent on it for performance. All this encryption on little passively cooled processors is a real challenge.

It's also only designed to work with link-local addresses, I'm not sure how much work it would be to get it to work over global addresses.

Link local is fine. The big kicker for Wireguard is uniqueness.
It might be interesting for you to look at. I do not claim it is error-free. At the very least it may give you a few ideas on what *could* be done.
Christof

--
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments
_______________________________________________ Babel-users mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
