> Wireguard does not have a control-plane, this means that Wireguard nodes need
> to be manually configured before being able to exchange packets. Manual
> configuration typically involved provisioning public keys using out-of-band
> mechanisms. In this context, we have architected and prototyped a
> control-plane for Wireguard using LISP, this enables automatic and secure
> retrieval of public keys using LISP.

Sounds good Albert. I have looked at Wireguard in the past and agree it's great stuff. Note the LISP-decent stuff allows the Wireguard nodes to be their own mapping system. So you can continue to use and deploy Wireguard in a decentralized manner. Also note, you can distribute public-keys using the draft-ietf-lisp-ecdsa-auth (and draft-farinacci-lisp-decent). Colin and I are working on distributing public-keys by the nodes that generate their own key-pairs without a need for a third-party trust anchor.

> This raises -hopefully- interesting questions, how should LISP support
> multiple data-planes? In this context Wireguard can be seen just as another
> data-plane. Additionally, Wireguard provides a secure data-plane, can we learn
> something from them?

Use the LCAF Encap-Format Type, so an ETR, when it sends a Map-Reply (or the mapping system) can indicate which data-planes an ITR can use to encap traffic to the ETR.

Note that if Wireguard wants to rekey the data-plane keys, it can use RLOC-probing DH key exchange documented in RFC 8061.

Let me know if you need any help or clarification.

Dino

_______________________________________________
lisp mailing list
https://www.ietf.org/mailman/listinfo/lisp
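As an added illustration (not code from the thread or from any LISP or Wireguard implementation), the following models the ITR-side decision Dino describes: RLOC records in a Map-Reply advertise which data-planes the ETR accepts, and the ITR picks Wireguard only when both sides support it and the mapping actually delivered a peer key, otherwise falling back to native LISP encapsulation. The record layout, field names and the `select_encap` helper are assumptions for illustration, not the RFC 8060 LCAF wire format.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

WG_KEY_LEN = 32  # Wireguard peer keys are 32-byte Curve25519 public keys


@dataclass
class RlocRecord:
    """Simplified RLOC record (hypothetical model, not the LCAF encoding)."""
    address: str
    priority: int                       # lower is preferred; 255 means unusable
    weight: int                         # load-balance weight within a priority
    encaps: FrozenSet[str]              # data-planes the ETR accepts, e.g. {"lisp", "wireguard"}
    wg_pubkey: Optional[bytes] = None   # Wireguard public key carried with the mapping


@dataclass
class MapReply:
    eid_prefix: str
    rlocs: List[RlocRecord]


def usable_wg_key(rec: RlocRecord) -> bool:
    # A Wireguard tunnel cannot be brought up without a well-formed peer key
    return rec.wg_pubkey is not None and len(rec.wg_pubkey) == WG_KEY_LEN


def select_encap(reply: MapReply, itr_encaps: FrozenSet[str]) -> Optional[Tuple[str, str]]:
    """Return (rloc_address, data_plane) for the best usable RLOC, or None."""
    candidates = sorted((r for r in reply.rlocs if r.priority < 255),
                        key=lambda r: (r.priority, -r.weight))
    for rec in candidates:
        common = rec.encaps & itr_encaps
        # Prefer the secure data-plane, but only if a peer key was retrieved
        if "wireguard" in common and usable_wg_key(rec):
            return rec.address, "wireguard"
        if "lisp" in common:
            return rec.address, "lisp"
    return None  # no data-plane in common with any reachable RLOC


# Constructed sample Map-Reply: primary RLOC offers both encaps and a key
# (all-zero bytes stand in for a real 32-byte key), backup RLOC is LISP-only.
SAMPLE_REPLY = MapReply("2001:db8:1::/48", [
    RlocRecord("192.0.2.10", 1, 100, frozenset({"lisp", "wireguard"}), bytes(WG_KEY_LEN)),
    RlocRecord("198.51.100.7", 2, 100, frozenset({"lisp"})),
])
```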
