> If WireGuard let you configure a list of allowed keys for a peer (instead of 
> a single key) that would be a logical solution without much extra complexity 
> at all I imagine.

As a handshake initiator, you wouldn't know which key to use.
Similarly, when receiving a handshake initiation, you wouldn't
know which key to use to authenticate the handshake. You'd
have to fall back to trial decryption/encryption, which I
think is a non-starter.

The one-to-one correspondence of IP ranges to keys is
baked into the protocol pretty deeply. I'd say this is one
of those simplifying assumptions that WireGuard makes over
IPsec and friends that makes it easier to configure and
administrate.

-Phil
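The one-to-one mapping Phil describes is WireGuard's cryptokey routing: each allowed-IP prefix belongs to exactly one peer key, so an outbound packet selects a single key by longest-prefix match and an inbound packet is accepted only if its inner source address routes back to the key it was decrypted under. The following is an added illustration, not code from the thread or from WireGuard itself; the peer names, the placeholder public-key strings and the prefixes are constructed, and no real cryptography is performed.

```python
import ipaddress

# Constructed peer table: every prefix maps to exactly one public key.
# The key strings are placeholders, not real Curve25519 public keys.
PEERS = {
    "PEER_A_PUBKEY": ["10.0.0.2/32", "192.168.10.0/24"],
    "PEER_B_PUBKEY": ["10.0.0.3/32"],
    "PEER_C_PUBKEY": ["0.0.0.0/0"],  # default route peer
}


class CryptokeyRoutingTable:
    """Model of WireGuard-style cryptokey routing (one prefix -> one key)."""

    def __init__(self, peers):
        self.routes = []  # list of (network, pubkey)
        owner = {}
        for pubkey, prefixes in peers.items():
            for prefix in prefixes:
                net = ipaddress.ip_network(prefix)
                # Reject a second key for the same prefix: the lookup below
                # must return exactly one peer, never a candidate list.
                if net in owner:
                    raise ValueError(
                        f"{prefix} already belongs to {owner[net]}; "
                        "a prefix maps to exactly one key"
                    )
                owner[net] = pubkey
                self.routes.append((net, pubkey))
        # Longest prefix first so the most specific allowed-IP wins.
        self.routes.sort(key=lambda route: route[0].prefixlen, reverse=True)

    def peer_for_outbound(self, dst_ip):
        """Return the single peer key used to encrypt a packet to dst_ip,
        or None when no peer claims the address (packet is dropped)."""
        addr = ipaddress.ip_address(dst_ip)
        for net, pubkey in self.routes:
            if addr in net:  # False across IPv4/IPv6 versions
                return pubkey
        return None

    def accept_inbound(self, pubkey, inner_src_ip):
        """After a packet decrypts under pubkey's session, accept it only if
        its inner source address routes back to that same peer. This is what
        stops one peer from spoofing another peer's allowed addresses."""
        return self.peer_for_outbound(inner_src_ip) == pubkey


if __name__ == "__main__":
    table = CryptokeyRoutingTable(PEERS)
    print("10.0.0.2   ->", table.peer_for_outbound("10.0.0.2"))
    print("8.8.8.8    ->", table.peer_for_outbound("8.8.8.8"))
    print("B claims 10.0.0.2:", table.accept_inbound("PEER_B_PUBKEY", "10.0.0.2"))
```

Because the constructor refuses a second key for an already-claimed prefix, both lookups stay deterministic: the initiator always knows which key to handshake with, and the responder never has to try several keys against one packet.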

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard