Hi Jochen,

On Tue, Mar 14, 2023 at 09:28:48AM +0100, Jochen Demmer wrote:
> > What do you mean? If your AllowedIPs set is empty wireguard will just
> > act as a big useless black hole.
>
> Well there were several blog posts and texts that said running
> wireguard without a filter to IPs was a bad idea. I do not concur
> that's why I implemented it without a filter and I'm happy with it :-)
Right, that is true in general. You want AllowedIPs to be as restrictive as is practical (but never empty). In the case of dynamic routing things are just a bit more complicated than in a static setup.

Essentially the problem is the dynamic v6 prefix at your Site A. In a static setup you could just set AllowedIPs to be the prefix(es) of the site at the other end of the tunnel and that'll work, but if the prefix keeps changing you can't do that. You'd need support for setting AllowedIPs dynamically in babeld which just isn't a thing yet.

Together with babel's source-specific routing support I do think this is something we can do even without any protocol changes and I have at numerous occasions thought about adding it but just haven't really had the motivation yet. Mainly because I have static prefixes everywhere since I run my own AS :P

--Daniel

_______________________________________________
Babel-users mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
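The workaround Daniel describes (keeping AllowedIPs restrictive even though the remote prefix moves) can be approximated outside babeld today: derive the peer's AllowedIPs from the routes babeld has installed via that peer, and refuse a learned default route so the peer can never widen its AllowedIPs to everything. This is an added example, not code from the thread, babeld or WireGuard; the route lines, interface name, peer key and link-local next hop are constructed, and it assumes babeld installs its routes with `proto babel` and that the peer's link-local address is the next hop shown by `ip -6 route`.

```python
"""Derive a WireGuard peer's AllowedIPs from the routes babeld learned over it."""
import ipaddress

# Constructed sample of `ip -6 route show proto babel dev wg0` output (assumption:
# babeld installs routes with proto babel, next hop is the peer's link-local).
SAMPLE_ROUTES = """\
2001:db8:a::/48 via fe80::1 dev wg0 proto babel metric 1024 pref medium
2001:db8:b:1::/64 via fe80::1 dev wg0 proto babel metric 1024 pref medium
2001:db8:c::/48 via fe80::2 dev wg0 proto babel metric 1024 pref medium
"""


def learned_prefixes(route_output, via):
    """Prefixes whose next hop is the given peer address, as ip_network objects."""
    prefixes = set()
    for line in route_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "via" and fields[2] == via:
            net = ipaddress.ip_network(fields[0], strict=False)
            # A learned default route would turn AllowedIPs into "everything":
            # treat that as a misconfigured or hostile peer and stop here.
            if net.prefixlen == 0:
                raise ValueError(f"refusing default route learned via {via}")
            prefixes.add(net)
    return prefixes


def allowed_ips(route_output, peer_ll):
    """AllowedIPs = the peer's link-local /128 (so babel hellos keep flowing,
    and the set is never empty) plus every prefix learned via that peer."""
    nets = learned_prefixes(route_output, peer_ll)
    nets.add(ipaddress.ip_network(peer_ll + "/128"))
    # collapse_addresses drops prefixes already covered by a broader learned one
    return sorted(str(n) for n in ipaddress.collapse_addresses(nets))


def wg_set_command(iface, peer_pubkey, route_output, peer_ll):
    """argv for `wg set` that replaces the peer's AllowedIPs with the learned set."""
    ips = allowed_ips(route_output, peer_ll)
    return ["wg", "set", iface, "peer", peer_pubkey, "allowed-ips", ",".join(ips)]


if __name__ == "__main__":
    # PEER_PUBKEY_PLACEHOLDER stands in for the real base64 peer key.
    print(" ".join(wg_set_command("wg0", "PEER_PUBKEY_PLACEHOLDER", SAMPLE_ROUTES, "fe80::1")))
```

Run it from a babeld hook or a timer, feeding it the live `ip -6 route show proto babel dev wg0` output instead of the sample; the peer's link-local address must itself stay inside AllowedIPs or babel's own hellos over the tunnel are dropped.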
