[maxhou]

Does the protocol implement any kind of negotiation (ciphers, ...) ? if not, how would you handle future type of attacks against the then hardwired constructions ?

I fully agreed that being in-kernel is the right choice for performance, but the chosen constructs excludes the possibility of using any type of existing crypto hardware accelerator that shines in the IPSEC use-case (cache cold data == no cache flush overhead, fully async processing of packets with DMA chaining). Time to start lobbying SOC vendors :)

[zx2c4]

The cipher suite is part of the Noise preamble, so all operations are crytographically bound to the cipher suite to prevent against related-algo attacks. WireGuard itself has no plans for cipher agility, something that is considered an anti-feature. If these ciphers are ever considered problematic, we'll change them and release a new version (with an incremented preamble), and the new set of ciphers will be similarly non-configurable.

Fortunately AVX2-accelerated (and soon AVX512-accelerated) ChaPoly is super fast in pretty much all hardware.