Salsa/ChaCha still used for devices without hardware AES acceleration?

This changelog for 1.6 states that zerotier will from now on use AES for symmetric encryption and take advantage of hardware acceleration. Does this mean that a software implementation of AES will be used for devices without hardware support? If that’s the case, wouldn’t this mean a massive performance drop for devices like the Raspberry Pi or home routers?

The changelog also mentions backwards compatibility with versions that use Salsa/ChaCha for symmetric encryption. Does this mean that the implementation for Salsa/ChaCha exists in newer versions? What are the chances of merging a PR that implements detection of AES-NI primitives to switch to Salsa/ChaCha in the case that hardware acceleration doesn’t exist?

This is correct.

In practice, it does introduce a bit of a performance hit, but it still outperforms most people’s available internet bandwidth.

There’s roughly 0 chance of a PR of this nature being merged as it opens up the potential for downgrade attacks such as those that have plagued the TLS protocol for years now.
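As an added illustration of the downgrade concern raised in the reply above (this is example code written for this page, not ZeroTier’s protocol or anything posted in the thread): a toy cipher negotiation in which each peer advertises the AEADs it supports and both pick the strongest one in common. An on-path attacker who can rewrite an unauthenticated offer strips the preferred cipher, and the endpoints quietly "agree" on the weaker one. Binding the offer to a key the attacker does not hold makes the tampering detectable. The cipher names are taken from the thread; the preference order, the message format and the shared HMAC key (standing in for a signature under the peer’s identity key) are constructed assumptions.

```python
import hmac
import hashlib

# Constructed toy negotiation; not ZeroTier's wire protocol.
# Preference order is an assumption for the example: strongest first.
PREFERENCE = ["AES-GMAC-SIV", "Salsa20/Poly1305"]


class DowngradeDetected(Exception):
    pass


def choose(local, remote_offer):
    """Pick the most preferred cipher both sides support (no integrity check)."""
    for cipher in PREFERENCE:
        if cipher in local and cipher in remote_offer:
            return cipher
    raise ValueError("no common cipher")


def encode_offer(ciphers):
    # Constructed message format: comma-separated cipher names.
    return ",".join(ciphers).encode()


def sign_offer(key, ciphers):
    """Bind the offer to a key the attacker does not hold (HMAC stands in for a signature)."""
    msg = encode_offer(ciphers)
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return msg, tag


def verify_and_choose(local, key, msg, tag):
    """Reject any offer whose tag no longer matches; otherwise negotiate normally."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise DowngradeDetected("offer was modified in transit")
    return choose(local, msg.decode().split(","))


def attacker_strip(msg, victim="AES-GMAC-SIV"):
    """On-path attacker rewrites the offer so the strong cipher disappears."""
    return ",".join(c for c in msg.decode().split(",") if c != victim).encode()


def run_unprotected():
    """Both peers support AES, yet the tampered offer makes them settle on Salsa20."""
    alice = list(PREFERENCE)
    bob = list(PREFERENCE)
    tampered = attacker_strip(encode_offer(bob))
    return choose(alice, tampered.decode().split(","))  # -> "Salsa20/Poly1305"


def run_protected():
    """Same attack against an authenticated offer: the receiver notices and refuses."""
    key = b"constructed-shared-key"  # assumption: in a real design this is an identity key
    alice = list(PREFERENCE)
    msg, tag = sign_offer(key, list(PREFERENCE))
    try:
        verify_and_choose(alice, key, attacker_strip(msg), tag)
    except DowngradeDetected:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("unprotected negotiation picked:", run_unprotected())
    print("protected negotiation result:", run_protected())
```

Note what the authentication does and does not buy: it stops a third party on the path from editing the offer, but a peer that genuinely advertises only Salsa20/Poly1305 produces a perfectly valid signed offer. A negotiation mechanism therefore cannot distinguish "weak device" from "hostile peer", which is why whether Salsa20/Poly1305 counts as a downgrade at all is the crux of the discussion that follows.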

Sure, but it will still peg the CPU and consume much more power than a software implementation of Salsa/ChaCha. Also, this can be a limiting factor on local gigabit lans.

That would be something to worry about in case Salsa20/Poly1305 could be considered as a downgrade from AES-GMAC-SIV, right?
I can understand however that this could be an issue regarding FIPS, NIST, or NSA certification, because if it’s up to one node to force the other node to “downgrade” to Salsa20/Poly1305 then maybe the certification could be void. In that case a setting could be added to local.conf to allow a certain node address to “downgrade” to Salsa20/Poly1305. That way a less powerful device could switch to Salsa20/Poly1305 only if the other node allows that mode with the setting in local.conf.

Thanks for answering my questions so far!
