Once a session is established, a ts_tunnel endpoint needs to reject old packets. Due to the lossy UDP underlay, it has to allow some reordering by tracking a sliding window of recently seen nonces, instead of just a high watermark. Existing WireGuard implementations track this as a bitset + high mark, with a 64-128 packet window.
This should be straightforward to replicate (at least until we allow for more parallelism in packet processing) with ts_bitset. ts_bitset would need Shr/Shl impls, but that seems fine and in line with what ts_bitset wants to be.
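A sketch of the bitset + high mark scheme described above, added here as an example rather than taken from ts_tunnel or ts_bitset: a `u128` stands in for ts_bitset (whose API is not shown here), and `ReplayWindow`, `check_and_update` and the 128-packet `WINDOW` are hypothetical names and values chosen for illustration.

```rust
/// Anti-replay window: bit i of `seen` is set when nonce `high - i` was accepted.
const WINDOW: u64 = 128;

pub struct ReplayWindow {
    high: Option<u64>, // highest accepted nonce, None before the first packet
    seen: u128,
}

impl ReplayWindow {
    pub fn new() -> Self {
        ReplayWindow { high: None, seen: 0 }
    }

    /// True if `nonce` is fresh (and records it); false for a replay or a
    /// nonce older than the window. Call only after the packet has passed
    /// authentication, so unauthenticated nonces cannot advance the window.
    pub fn check_and_update(&mut self, nonce: u64) -> bool {
        let high = match self.high {
            Some(h) => h,
            None => { self.high = Some(nonce); self.seen = 1; return true; }
        };
        if nonce > high {
            let shift = nonce - high;
            // A u128 shift by >= 128 is an overflow, so clear the window instead.
            self.seen = if shift >= WINDOW { 0 } else { self.seen << shift };
            self.seen |= 1;
            self.high = Some(nonce);
            return true;
        }
        let age = high - nonce;
        if age >= WINDOW {
            return false; // fell out of the window
        }
        let bit = 1u128 << age;
        if self.seen & bit != 0 {
            return false; // replay
        }
        self.seen |= bit;
        true
    }
}

fn main() {
    // Constructed nonce sequence: in order, reordered, duplicate, big jump, stale.
    let mut w = ReplayWindow::new();
    for n in [1u64, 2, 4, 3, 4, 500, 3] {
        println!("nonce {n}: {}", if w.check_and_update(n) { "accept" } else { "reject" });
    }
}
```

The left shift on advance and the guard against shifting by the full window width are the two operations a Shl impl on ts_bitset would have to provide for this to port over.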