[Cryptography] WireGuard

Jerry Leichter leichter at lrw.com
Wed Sep 5 06:45:19 EDT 2018

> My biggest issues with WireGuard is that they didn't sit down and
> thought about how to best replace IPsec. They thought only about the
> remote access VPN use case, put something together that mostly dictates
> parameters out-of-band and then claiming how much better/faster/stronger
> they are compared to IPsec. But IKE/IPsec offers much more then just a
> Remote Access VPN. I suspect they will see over the next 10 years that
> if the expand beyond the simple remote access use case, that they need
> to -add their own warts to support these. There is a reason we have ESP
> and AH, tunnel mode and transport mode, IPCOMP, MOBIKE, various user
> authentication methods, various NOTIFICATION payloads, etc etc. I'd love
> if that would all go away, but it won't unless either I or someone else
> is being prevented their IPsec use case.
The real question isn't whether all these things are potentially useful, it's whether people actually do use them.  The takeup of IPSec is pretty small.

There was a potential really interesting use case just a little while back:  When you're using containers, you generally run them on an overlay network that only the containers have access to.  There was an IPsec implementation for Docker which made that overlay network secure completely transparently - kind of the perfect use case.  Unfortunately, for reasons having nothing to do with IPsec - the overlay network implementation had all kinds of problems - it was very unreliable.  Meanwhile, Kubernetes seems to have taken on the mantel of "the way containers are done" - and no one seems to be interested in implementing an IPsec overlay network for it, at least the last time I looked.  What instead seems to win - what *always* seems to win - is TLS-based VPN's.  Five years (more?) ago, you could actually find IPsec-based VPN's.  Those faded, too (though, again, not so much because of IPsec itself as that the use of a separate protocols rather than TCP or UDP lead to endless problems with cheap routers).

The market has spoken, and the demand seems to be for Remote Access VPN's built on top of, not beside, TCP/UDP.  WireGuard addresses that market.  Whether it will succeed in displacing existing VPN's, I have no idea - but IPsec's additional features are not going to help it, any more than they have in the last two decades.
                                                        -- Jerry

More information about the cryptography mailing list