From: Matthias Urlichs <matthias@urlichs.de>
To: wireguard@lists.zx2c4.com
Subject: Re: WireGuard deployment considerations for improved privacy
Date: Mon, 14 Jan 2019 13:53:13 +0100 [thread overview]
Message-ID: <0c9b65e6-c285-c926-51c2-02aafb0cf12c@urlichs.de> (raw)
In-Reply-To: <CANTUoec=rCy0fcW1ukUfYQLsj73sJ3CAPFMu+sgHxZMxF=__NA@mail.gmail.com>
[-- Attachment #1.1.1: Type: text/plain, Size: 1027 bytes --]
Hi,
> 3. The attacker uses the VPN server static private key to decrypt the
> recorded handshakes, revealing client static pubkeys.
Create a service that sets a new temporary pubkey. Call it *before*
connecting with WG.
Switching during a connection doesn't help much IMHO, because if you
have recorded WG traffic you probably can correlate by IP address.
> Make it possible for clients to request a dynamically assigned IP
> address from the VPN server.
Use the above service to also assign a new dynamic IP address.
Both can and probably should be done at some arbitrary time, thus
decoupling this step from using the WG connection.
I haven't seen a compelling argument for augmenting the WG protocol
(and/or its in-kernel implementation) with support for this. However,
there may be a case for creating a standardized userspace
protocol+library to implement this and possibly a few other higher-level
features, so that people don't need to reinvent their wheels.
--
-- Matthias Urlichs
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
[-- Attachment #2: Type: text/plain, Size: 148 bytes --]
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-01-14 12:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-14 10:23 WireGuard deployment considerations for improved privacy Fredrik Strömberg
2019-01-14 12:53 ` Matthias Urlichs [this message]
[not found] ` <CAOAVeL0Hv343JWU1m06p-WaspsNFpB6Tnw6EdYr=LdMVQLM0AQ@mail.gmail.com>
2019-01-15 10:56 ` Fredrik Strömberg
[not found] ` <CAOAVeL32OBbhyzrJ-z6nLYMUUJsOFOSVNpbo4wdQN3zV=6yndw@mail.gmail.com>
2019-01-15 14:27 ` Fredrik Strömberg
2019-01-16 16:34 ` Jose Marinez
2019-01-18 8:19 ` Fredrik Strömberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0c9b65e6-c285-c926-51c2-02aafb0cf12c@urlichs.de \
--to=matthias@urlichs.de \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).