Albert, Dino,

Following this,
>> This raises -hopefully- interesting questions, how should LISP support 
>> multiple data-planes? In this context Wireguard can be seen just as another 
>> data-plane. Additionally, Wireguard provides a secure data-plane, can we 
>> learn something from them?
>Use the LCAF Encap-Format Type, so an ETR, when it sends a Map-Reply (or the 
>mapping system) to indicate which data-planes an ITR can use to encap traffic 
>to the ETR.

Have you given any thought to supporting segmentation when using wireguard 
encapsulation in the dataplane? Could the Receiver field in the wireguard 
header be used for that and linked somehow to LISP IIDs?

Marc

On 3/23/20, 2:42 PM, "lisp on behalf of Dino Farinacci" <lisp-boun...@ietf.org 
on behalf of farina...@gmail.com> wrote:

> Wireguard does not have a control-plane, this means that Wireguard nodes need 
> to be manually configured before being able to exchange packets. Manual 
> configuration typically involves provisioning public keys using out-of-band 
> mechanisms. In this context, we have architected and prototyped a 
> control-plane for Wireguard using LISP, this enables automatic and secure 
> retrieval of public keys using LISP.

Sounds good Albert. I have looked at Wireguard in the past and agree it's great 
stuff.

Note the LISP-decent stuff allows the wireguard nodes to be their own mapping 
system. So you can continue to use and deploy Wireguard in a decentralized 
manner.

Also note, you can distribute public-keys using the draft-ietf-lisp-ecdsa-auth 
(and draft-farinacci-lisp-decent). Colin and I are working on distributing 
public-keys by the nodes that generate their own key-pairs without a need for a 
third-party trust anchor.

> This raises -hopefully- interesting questions, how should LISP support 
> multiple data-planes? In this context Wireguard can be seen just as another 
> data-plane. Additionally, Wireguard provides a secure data-plane, can we learn 
> something from them? 

Use the LCAF Encap-Format Type, so an ETR, when it sends a Map-Reply (or the 
mapping system) to indicate which data-planes an ITR can use to encap traffic 
to the ETR.

Note that if Wireguard wants to rekey the data-plane keys, it can use 
RLOC-probing DH key exchange documented in RFC 8061.

Let me know if you need any help or clarification.

Dino
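As an added illustration of Marc's question above (not code from the thread, from LISP, or from WireGuard): the WireGuard transport-data header carries a 32-bit receiver index that the receiving peer itself allocated for the session, so an ETR that terminates WireGuard could hand out one index per (peer, instance-ID) and demultiplex to a LISP IID by that index alone, before decryption. The header layout (type 4, three zero reserved bytes, little-endian receiver index, little-endian 64-bit counter, then ciphertext) is WireGuard's; the index-to-IID binding table, its 32-bit IID bound (the LCAF Instance ID width from RFC 8060), and the sample packets are assumptions constructed for this example.

```python
"""Demultiplex WireGuard transport-data packets to LISP instance-IDs by
receiver index.  Added example; the receiver-index -> IID binding is a
hypothetical design, not something LISP or WireGuard specifies."""
import struct

# WireGuard transport-data message layout (from the WireGuard protocol paper):
#   type (1 byte, value 4) | reserved (3 bytes, zero) |
#   receiver index (4 bytes, little-endian) | counter (8 bytes, little-endian) |
#   encrypted payload
WG_MSG_TRANSPORT_DATA = 4
WG_TRANSPORT_HDR = struct.Struct("<B3sIQ")  # 16-byte header


def build_wg_transport(receiver_index: int, counter: int, payload: bytes) -> bytes:
    """Constructed sample packet: real header layout, dummy (unencrypted) payload."""
    return WG_TRANSPORT_HDR.pack(WG_MSG_TRANSPORT_DATA, b"\x00\x00\x00",
                                 receiver_index, counter) + payload


def parse_wg_transport(pkt: bytes):
    """Return (receiver_index, counter, ciphertext); raise ValueError if malformed."""
    if len(pkt) < WG_TRANSPORT_HDR.size:
        raise ValueError("packet shorter than WireGuard transport header")
    msg_type, reserved, receiver_index, counter = WG_TRANSPORT_HDR.unpack_from(pkt)
    if msg_type != WG_MSG_TRANSPORT_DATA:
        raise ValueError(f"not a transport-data message: type {msg_type}")
    if reserved != b"\x00\x00\x00":
        raise ValueError("reserved bytes are not zero")
    return receiver_index, counter, pkt[WG_TRANSPORT_HDR.size:]


class ReceiverIndexDemux:
    """Hypothetical ETR-side table: WireGuard receiver index -> LISP instance-ID.

    The ETR allocates the index during the handshake, so it can pick a fresh
    index for every (peer, IID) pair and never needs to look inside the
    ciphertext to decide which instance the packet belongs to.
    """
    MAX_IID = (1 << 32) - 1        # IID width of the LCAF Instance ID type (RFC 8060)
    MAX_INDEX = (1 << 32) - 1      # WireGuard indices are 32-bit

    def __init__(self):
        self._iid_by_index = {}

    def bind(self, receiver_index: int, iid: int) -> None:
        if not 0 <= iid <= self.MAX_IID:
            raise ValueError("IID out of range")
        if not 0 <= receiver_index <= self.MAX_INDEX:
            raise ValueError("receiver index out of range")
        if receiver_index in self._iid_by_index:
            # One index must map to exactly one session/IID; reuse is a bug.
            raise ValueError("receiver index already bound")
        self._iid_by_index[receiver_index] = iid

    def unbind(self, receiver_index: int) -> None:
        """Drop the binding when the WireGuard session expires or is rekeyed away."""
        self._iid_by_index.pop(receiver_index, None)

    def classify(self, pkt: bytes):
        """Return (iid, counter, ciphertext) for a known session, else None.

        Malformed packets and unknown indices are both dropped here, before
        any cryptographic work, so they cannot be used to probe for IIDs.
        """
        try:
            idx, counter, body = parse_wg_transport(pkt)
        except ValueError:
            return None
        iid = self._iid_by_index.get(idx)
        if iid is None:
            return None
        return iid, counter, body


def demo():
    """Two sessions from the same peer, bound to two different IIDs."""
    demux = ReceiverIndexDemux()
    demux.bind(0x11223344, 100)   # constructed: session for IID 100
    demux.bind(0x55667788, 200)   # constructed: session for IID 200
    body = b"\xaa" * 32           # constructed stand-in for ciphertext
    results = [
        demux.classify(build_wg_transport(0x11223344, 7, body)),
        demux.classify(build_wg_transport(0x55667788, 8, body)),
        demux.classify(build_wg_transport(0x99999999, 9, body)),  # unknown index
        demux.classify(b"\x01" + b"\x00" * 15),                  # handshake initiation, not data
    ]
    demux.unbind(0x11223344)
    results.append(demux.classify(build_wg_transport(0x11223344, 10, body)))  # now unknown
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The check that matters operationally is the one in `bind`: because the receiver index is the only thing tying a packet to an IID, an index handed out twice would silently merge two instances, so the table refuses it rather than overwriting.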

_______________________________________________
lisp mailing list
lisp@ietf.org
https://www.ietf.org/mailman/listinfo/lisp
