Comment by dathery
1 year ago
Really cool article, I enjoy reading through all the details behind the decision making.
Just spit-balling a little, but I wonder if Wireguard is the best tool here given that the author is only using it for a single point-to-point link and they control the devices on both ends. That CPU supports AES-NI and probably does it a lot faster than Wireguard's ChaCha20 (hard to get numbers for their server CPU, but the tiny little x86 mini PC I use as my router does AES XTS at 43Gbps according to `cryptsetup benchmark`).
You might see better performance by tunneling the vxlan connection using a different technology which can use AES-NI? Then again, Wireguard is definitely still a good tool for stuff like this, and maybe the performance penalty isn't a big deal here.
AES can only encrypt up to 64TB; after that you need to re-key. So you need a mechanism for rekeying anyway. Definitely a good idea to use a battle-tested tool like wireguard instead of rolling your own.
> AES can only encrypt up to 64TB
I've never heard that before. Are you referring to a specific mode of operation?
I think alphager is referring to the upper limits of AES before a birthday attack becomes a concern. In GCM mode there's a realistic chance of an IV being reused after around 64GB of data. Other modes have differing limits.
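The comments above argue about where the "rekey after N bytes" figures for AES come from. The following worked example is added here and is not code from any commenter or from the article under discussion; it shows the two independent limits that apply to AES-GCM and how the byte figure depends on the packet size, not just on the cipher. The NIST SP 800-38D cap of 2^32 invocations per key for random 96-bit IVs and the 2^32 - 2 block per-message limit are real; the packet sizes, data volumes and thresholds are constructed for illustration.

```python
"""
Why "AES-GCM needs a rekey after N bytes" has two different answers.

1. IV collision (birthday bound): with random 96-bit IVs, after n encryptions
   under one key the chance that two IVs repeat is about n^2 / 2^97.  A repeated
   IV under GCM leaks plaintext XOR and breaks the tag, so NIST SP 800-38D caps
   random-IV use at 2^32 invocations per key.  Turned into bytes, that cap
   scales with the per-invocation payload: bigger packets, more bytes per key.
2. Per-message size: GCM's 32-bit block counter allows at most 2^32 - 2 blocks
   of 16 bytes in a single invocation, i.e. just under 64 GiB per message.

All packet sizes and data volumes below are constructed sample values.
"""
import math

IV_BITS = 96
NIST_RANDOM_IV_LIMIT = 2 ** 32            # invocations per key, SP 800-38D
GCM_MAX_BLOCKS_PER_MESSAGE = 2 ** 32 - 2  # 32-bit counter, two blocks reserved
AES_BLOCK_BYTES = 16


def iv_collision_probability(n: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound approximation p ~= 1 - exp(-n(n-1) / 2^(bits+1))."""
    exponent = -(n * (n - 1)) / 2.0 ** (iv_bits + 1)
    return -math.expm1(exponent)  # expm1 keeps precision for tiny p


def max_invocations_for_probability(p_max: float, iv_bits: int = IV_BITS) -> int:
    """Largest n whose collision probability stays at or below p_max."""
    # n^2 / 2^(bits+1) <= -ln(1 - p)  =>  n <= sqrt(-ln(1 - p) * 2^(bits+1))
    return int(math.sqrt(-math.log1p(-p_max) * 2.0 ** (iv_bits + 1)))


def invocations_for_bytes(total_bytes: int, packet_bytes: int) -> int:
    """Each packet is one GCM invocation with its own IV."""
    return math.ceil(total_bytes / packet_bytes)


def bytes_before_rekey(packet_bytes: int, max_invocations: int = NIST_RANDOM_IV_LIMIT) -> int:
    """Data volume one key may protect at a given packet size under the IV cap."""
    return packet_bytes * max_invocations


def gcm_max_message_bytes() -> int:
    """Largest single plaintext GCM can encrypt in one invocation."""
    return GCM_MAX_BLOCKS_PER_MESSAGE * AES_BLOCK_BYTES


if __name__ == "__main__":
    # Constructed scenario: a tunnel carrying 64 GiB in 1500-byte packets.
    volume = 64 * 2 ** 30
    for packet in (64, 1500, 9000):
        n = invocations_for_bytes(volume, packet)
        print(f"{packet:5d}-byte packets: {n:>12d} invocations for 64 GiB, "
              f"IV collision p ~= {iv_collision_probability(n):.3e}, "
              f"rekey (NIST cap) after {bytes_before_rekey(packet) / 1e12:.2f} TB")
    print(f"single-message GCM limit: {gcm_max_message_bytes() / 2**30:.6f} GiB")
    print(f"invocations before p > 2^-32: {max_invocations_for_probability(2 ** -32)}")
```

The point the numbers make: with 1500-byte packets the NIST invocation cap translates to roughly 6.4 TB under one key, while 64-byte packets exhaust it after about 275 GB, so a tunnel protocol needs a rekey schedule driven by message count or time rather than a fixed byte figure. Deterministic counter nonces (as used by WireGuard and many IPsec implementations) avoid the birthday problem entirely but still have to rekey before the counter wraps.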
Umm... IPsec?
Truly. I think IPSec is practically more "battle tested" than wireguard ever could be, and IPSec offers more useful functionality than wireguard ever will.
Because Wireguard is cool and AES is uncool.
I guess it depends on whether you're more concerned about transport security or cipher cycles/byte.
Is there reason to think AES used appropriately would be any less secure here? Not trying to be argumentative, genuinely curious.
My understanding is that AES has some design warts that make it not ideal (basically, it's easy to both implement and use in ways that leak information if you're not careful) but that it's still essentially perfect symmetric encryption if you're using it as recommended. Is that wrong?
FWIW, the reason I brought up performance was because the OP spends a large chunk of the post talking about it, so I assume it's an important requirement for them.