Hi Brad, Exciting to see you working on this. However, I'm afraid the implementation you describe sounds deeply flawed and kind of misses the point of WireGuard.
On Tue, Dec 11, 2018 at 2:24 PM <wireguard-ow...@lists.zx2c4.com> wrote: > Currently, I want to take all the code that doesn't need to be in the > kernel and move it to userspace, which is essentially the handshake > code, timeout timers and state machine functions. What is left is > essentially the transport function (IPSEC transform equivalent), > peforming simple crypto on incoming/outgoing packets. This design is > somewhat similar to how IPSEC is currently implemented in OpenBSD. I > believe this is a reasonable approach, but welcome comments on things I > may not have considered. Do not do this. This is entirely unacceptable and wholly contrary to the design approach of WireGuard. The transport layer and handshake layer exist on the same state machine, and I designed the handshake specifically to be extremely simple and implementable in kernel space. I'm happy to help you clean up your current approach -- which seems nicer and closer to the goal -- but your proposed separated approach is really deeply flawed, and overly complex. Do not make this mistake. Rather, let's clean up your current WIP together. If you're on IRC, I'm happy to discuss with you there (I'm zx2c4 on Freenode) and we can get this into shape. Regards, Jason