> > So are you saying that the handshake timing constraints in the
> > WireGuard protocol are so stringent that we can't run it securely on,
> > e.g., an ARM CPU that lacks a NEON unit? Or given that you are not
> > providing accelerated implementations of blake2s or Curve25519 for
> > arm64, we can't run it securely on arm64 at all?
>
> Deployed at scale, the handshake must have a certain performance to
> not be DoS'd. I've spent a long time benching these and attacking my
> own code. I won't be comfortable with this going in without the fast
> implementations for the handshake.

As a networking guy, the relation between fast crypto for handshake
and DoS is not obvious. Could you explain this a bit?

It seems like a lot of people would like an OpenWRT box to be their
VPN gateway. And most of them are small ARM or MIPS processors. Are
you saying WireGuard will not be usable on such devices?

Thanks
Andrew