[followups to tech-net to reduce cross-posting noise] Hi, Jason!
Sorry about not reaching out. The history is that the code has been kicking around the NetBSD world since Ozaki-san first wrote it in 2018, without getting merged into src. It felt a shame to let it wallow in that state indefinitely, and it seemed to be in pretty good shape when I reviewed it this year, with a few small issues I saw, so I dusted it off and merged it. I would be happy to hear specific criticism of the code and its implementation flaws and violations, and/or pointers to documentation of the certain set of behaviours and security criteria that you expect implementations to adhere to. Also happy to help answer questions about and navigate the NetBSD network stack if you want to review it yourself. As far as I know, Ozaki-san wrote the code following the WireGuard protocol paper. There are a few XXX comments in the code that should be addressed, and there are some issues I know of that I have a small TODO list for but didn't seem critical enough to block committing the initial work: [ ] self-tests for crypto [ ] fix libssh dependency [ ] dtrace probes [ ] lockless radix tree lookups for peers [ ] take advantage of sys/crypto/chacha &c. [ ] modularize [ ] split sliding window out [ ] rename wgconfig(8) -> wg(8) and make interface compatible For now, users have to go out of their way to enable the experimental wg(4) interface, and I didn't have any specific timeline planned for enabling it in GENERIC kernels -- wasn't likely to have been before September 1st anyway and I'm happy to commit to holding off on that until we've had a chance to discuss further in September. Does that work? Thanks, -Riastradh