Re: [lisp] Wireguard and LISP [Was: Virtual meeting]

Dino Farinacci <farinacci@gmail.com> Mon, 23 March 2020 21:42 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/0ecYzUKdIbKYK531arKzwXgVD8M>

> Wireguard does not have a control-plane; this means that Wireguard nodes need to be manually configured before being able to exchange packets. Manual configuration typically involves provisioning public keys using out-of-band mechanisms. In this context, we have architected and prototyped a control-plane for Wireguard using LISP; this enables automatic and secure retrieval of public keys using LISP.

Sounds good, Albert. I have looked at Wireguard in the past and agree it's great stuff.

Note the LISP-decent stuff allows the Wireguard nodes to be their own mapping system. So you can continue to use and deploy Wireguard in a decentralized manner.

Also note, you can distribute public keys using draft-ietf-lisp-ecdsa-auth (and draft-farinacci-lisp-decent). Colin and I are working on distributing public keys by the nodes that generate their own key-pairs, without a need for a third-party trust anchor.

> This raises (hopefully) interesting questions: how should LISP support multiple data-planes? In this context Wireguard can be seen just as another data-plane. Additionally, Wireguard provides a secure data-plane; can we learn something from them?

Use the LCAF Encap-Format Type, so an ETR, when it sends a Map-Reply (or the mapping system does), can indicate which data-planes an ITR can use to encap traffic to the ETR.

Note that if Wireguard wants to rekey the data-plane keys, it can use the RLOC-probing DH key exchange documented in RFC 8061.

Let me know if you need any help or clarification.

Dino
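The two mechanisms Dino points at above, an RLOC-probe round trip that carries a Diffie-Hellman exchange (RFC 8061) and a Map-Reply that advertises which data-planes an ETR accepts (the LCAF Encapsulation-Format type), can be modelled together in a few dozen lines. The Python below is an added example written for this archive page; it is not code from Dino, Albert, the LISP working group or any LISP implementation. It assumes a 2048-bit MODP group (RFC 3526 group 14, transcribed here) in the role RFC 8061 cipher suites give to MODP groups, uses an HMAC-SHA-256 extract-and-expand as a stand-in for the RFC's own key derivation, simplifies the Map-Request/Map-Reply to the fields the exchange needs, and uses the string "wireguard" as a hypothetical Encapsulation-Format value that no RFC defines. It also does what a defender would want an implementation to do and the e-mail does not mention: validate the group parameters and reject degenerate peer public values before deriving a key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# RFC 3526 group 14 (2048-bit MODP), generator 2, transcribed from the RFC.
# Assumption: stands in for the MODP groups RFC 8061 cipher suites specify.
MODP_2048_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
MODP_G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin; enough to catch a mistyped or tampered group prime."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int = MODP_2048_P, g: int = MODP_G) -> bool:
    """Only use a MODP group whose modulus is a safe prime (p = 2q + 1)."""
    return 1 < g < p - 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_peer_public(y: int, p: int = MODP_2048_P) -> int:
    """Reject 0, 1, p-1 and out-of-range values: they force a guessable secret."""
    if not 2 <= y <= p - 2:
        raise ValueError("peer DH public value out of range")
    return y


def derive_data_plane_key(shared: int, itr_pub: int, etr_pub: int) -> bytes:
    """HMAC-SHA-256 extract-then-expand over the DH result and both public
    values. Assumption: a stand-in for the KDF of the chosen RFC 8061 suite."""
    ikm = b"".join(v.to_bytes(256, "big") for v in (shared, itr_pub, etr_pub))
    prk = hmac.new(b"lisp-rloc-probe-keying", ikm, hashlib.sha256).digest()
    return hmac.new(prk, b"data-plane key\x01", hashlib.sha256).digest()


@dataclass(frozen=True)
class MapRequest:  # simplified RLOC-probe Map-Request
    itr_rloc: str
    probe: bool
    dh_public: int
    encap_formats: tuple  # data-planes the ITR can encapsulate with


@dataclass(frozen=True)
class MapReply:  # simplified Map-Reply with an Encapsulation-Format list
    etr_rloc: str
    dh_public: int
    encap_formats: tuple  # hypothetical values such as "wireguard", "lisp-gpe"


class Node:
    def __init__(self, rloc: str, encap_formats):
        self.rloc = rloc
        self.encap_formats = tuple(encap_formats)
        self.keys = {}  # peer RLOC -> current data-plane key

    def new_dh_pair(self):
        priv = secrets.randbelow(MODP_2048_P - 3) + 2
        return priv, pow(MODP_G, priv, MODP_2048_P)

    def handle_map_request(self, req: MapRequest) -> MapReply:
        """ETR side: answer the probe with a fresh DH value and install the key."""
        itr_pub = check_peer_public(req.dh_public)
        priv, pub = self.new_dh_pair()
        shared = pow(itr_pub, priv, MODP_2048_P)
        self.keys[req.itr_rloc] = derive_data_plane_key(shared, itr_pub, pub)
        return MapReply(self.rloc, pub, self.encap_formats)


def rloc_probe(itr: Node, etr: Node) -> str:
    """ITR side: one RLOC-probe round trip; returns the agreed data-plane.
    Running it again rekeys, because both sides draw fresh exponents."""
    priv, pub = itr.new_dh_pair()
    reply = etr.handle_map_request(MapRequest(itr.rloc, True, pub, itr.encap_formats))
    etr_pub = check_peer_public(reply.dh_public)
    shared = pow(etr_pub, priv, MODP_2048_P)
    itr.keys[reply.etr_rloc] = derive_data_plane_key(shared, pub, etr_pub)
    common = [f for f in itr.encap_formats if f in reply.encap_formats]
    if not common:
        raise ValueError("no data-plane in common with " + reply.etr_rloc)
    return common[0]  # ITR preference order wins


if __name__ == "__main__":
    assert validate_group()
    itr = Node("10.0.0.1", ("wireguard", "lisp-gpe"))  # constructed RLOCs
    etr = Node("10.0.0.2", ("lisp-gpe", "wireguard"))
    print(rloc_probe(itr, etr), itr.keys["10.0.0.2"] == etr.keys["10.0.0.1"])
```

The ITR's list order decides the data-plane, which is the same question the Encapsulation-Format LCAF raises in a real mapping system: whoever publishes the list should also publish a preference, or the ITR must have a local policy for it. Calling `rloc_probe` a second time is the rekey path from the e-mail: the previous key is replaced on both sides and the old one should be wiped once in-flight packets drain.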