(Cross-posting on Consul's Google group and WireGuard's mailing list.) Hello,
After watching the keynotes [1], are you also asking yourself if Consul's Service Mesh is a cloud-native Control Plane for dynamic overlay (mesh) networks, and if mTLS with certificates could not be replaced by WireGuard [2] with private/public keys in the Data Plane? Could such a combination become be a light-weight (elastic) alternative to network-centric (static) overlays, such as VxLAN or EVPN? Or, Consul could be a much more comprehensive Control Plane for WireGuard, compared to WireGuard-p2p [3] that uses ad-hoc Distributed Hash Tables (DHT) for "Service Registration & Discovery"? Eventually, the user-space Go implementation of WireGuard could be included into Consul, as HashiCorp already did for its PKI (parts taken from Vault). This would make the alternate Data Plane portable to platforms other than Linux, much in line with the idea of running Consul agents on each node providing a "dial-tone". However, running Consul on each node might be a chatty and large Control Plane that may be harder to lock down, compared to WireGuard network overlays and proxies in the Data Plane. For the Data Plane, Consul Connect provides nice security controls, such as key management, or Service Graphs with ACLs and Intentions. As everything is identity-based and independent of IP addresses, this would fit Zero Trust Network designs. Is this idea viable at all and worth further exploration, or do I miss something? Thanks, Rolf [1] https://www.hashicorp.com/resources/hashidays-2018-full-keynote-armon-mitchell [2] https://www.wireguard.com [3] https://github.com/manuels/wireguard-p2p _______________________________________________ WireGuard mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/wireguard
