
Your IPv6 address is the hash of your public key



That's not hugely secure, though: IPv6 is only 128 bits, which means that the hash would only provide 64 bits of security if it provided all the bits for the address. And I assume that the IPv6 address is not _only_ the hash, but instead some bits are used to put it into ULA space or similar. ULA uses 7 bits, which means that only 121 bits of the hash are usable, which means it provides 60.5 bits of security, which isn't nothing, but isn't really good enough for anything you care about.

In 2022, 128 bits is the bare minimum, and frankly 192 or 256 are often preferable.


Encryption is done using normal WireGuard keys so it's not a security problem. I'm curious if the DHT routing is done based on the key or on the IPv6 address that represents the key.


So it's effectively Host Identity Protocol? Just perhaps with something other than IPsec underneath?


> So it's effectively Host Identity Protocol?

The software is essentially a 'node', doing the routing. Whenever it starts it reads the config file to see if there is a private key in there. If no, it will generate a new one for you and that is your identity on the network.

> Just perhaps with something other than IPsec underneath?

That is correct, it uses standard, but not IPsec, encryption based on public key cryptography. A host that saves its private key will thus forever have the same IP address, and if it runs services you connect to them using the encryption to its public key.

A node that is configured to connect to the wider Yggdrasil public network will thus be reachable on a single IP with an identity that is based on public key cryptography, even if the machine is moving from network to network or even another continent.
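The key-to-address binding discussed in this thread, as an added example that is not part of any comment and not Yggdrasil's own derivation: a receiver recomputes the address from the peer's public key and rejects a mismatch. SHA-256, the `fc00::/7` prefix, the function names and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Assumption: a ULA-style 7-bit prefix, leaving 121 bits for the key hash.
PREFIX = ipaddress.IPv6Network("fc00::/7")
HASH_BITS = 128 - PREFIX.prefixlen


def derive_address(public_key: bytes) -> ipaddress.IPv6Address:
    """Prefix bits followed by the top HASH_BITS bits of SHA-256(public_key)."""
    digest = int.from_bytes(hashlib.sha256(public_key).digest(), "big")
    host_bits = digest >> (256 - HASH_BITS)
    return ipaddress.IPv6Address(int(PREFIX.network_address) | host_bits)


def address_matches_key(claimed: str, public_key: bytes) -> bool:
    """Receiver-side check: is the claimed address the one this key hashes to?"""
    try:
        addr = ipaddress.IPv6Address(claimed)
    except ValueError:
        return False  # not an IPv6 address at all
    if addr not in PREFIX:
        return False  # outside the overlay's address space
    expected = derive_address(public_key)
    return hmac.compare_digest(addr.packed, expected.packed)


def security_bits(hash_bits: int = HASH_BITS) -> dict:
    """Generic work factors (log2) for an ideal hash truncated to hash_bits."""
    return {"collision": hash_bits / 2, "second_preimage": hash_bits}


if __name__ == "__main__":
    # Constructed sample keys (32 bytes each), not real key material.
    alice = bytes(range(32))
    mallory = bytes(range(1, 33))
    addr = str(derive_address(alice))
    print("alice address:      ", addr)
    print("alice key accepted: ", address_matches_key(addr, alice))
    print("other key accepted: ", address_matches_key(addr, mallory))
    print("work factors (bits):", security_bits())
```
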



