[Cryptography] WireGuard

paulv metzdowd at bikkel.org
Thu Sep 6 06:12:56 EDT 2018

On Wed, Sep 05, 2018 at 03:32:05PM -0400, Paul Wouters wrote:
> IPsec has never seen more deployment than right now (even excluding
> the netflix users). You can even trace this in the amount of interest /
> participation in the IETF IPsecME working group.
> So the idea that IPsec is dying is hopeful thinking at best :)
> > The market has spoken, and the demand seems to be for Remote Access VPN's built on top of, not beside, TCP/UDP.
> There has been a need to break out of administrative barriers and broken
> networks, which a typical IETF protocol does not attempt by design. That
> was the sole reason for SSL-VPNs coming into existence. That is now
> dying because IKEv2/IPsec supports this now via RFC 8229 which is being
> implemented for Linux as we speak.
> https://tools.ietf.org/html/rfc8229
> >  WireGuard addresses that market.  Whether it will succeed in displacing existing VPN's, I have no idea - but IPsec's additional features are not going to help it, any more than they have in the last two decades.
> You seem to be moving in very different echo chambers compared to me :)
I have noticed that although people always recommend ipsec as
the 'correct' vpn protocol, they in practice run openvpn or anything
else. And this is despite the near universal adoption of ipsec in OSes.

For anybody wondering why this is the case, I would recommend to this
person that they try to set up a really simple VPN connection between
say .. a Mac, and a linux system on the net. The first thing you will
discover is that if the product and the settings at both sides are
not *exactly* the same, then you're in for an afternoon of debugging
with tcpdump/wireshark. And even if they are the same, you will probably
encounter all kinds of issues with firewalls etc.

Most people won't go that far and simply give up after an hour to switch
to wireguard or a TLS based vpn (the only reason I got ipsec up and
running between <new-name>swan and pfsense is with root + shell access
on both sides, and lots and lots of patience).

ipsec seems to be created for the ideal network administrator living in
an ideal world managing an ideal network.

If we want universal encryption, then we need practical systems that
work, even if they are not perfect. So yes, give me tcpcrypt (opportunistic
encryption / rfc7435 and draft-ietf-tcpinc-tcpcrypt-12) all the time, and
wireguard as VPN.

OE through ipsec (Opportunistic Encryption using The Internet Key Exchange (IKE))
sounds like a nice idea, but I don't believe anything ipsec related will
ever deliver practical universal encryption (I've been waiting for more
than 20 years, and have moved on).
