From: "Ivan Labáth" <labawi-wg@matrix-dream.net>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Deterministic Cryptographically Authenticated Network Signatures on Windows NLA
Date: Tue, 2 Jul 2019 20:47:53 +0000 [thread overview]
Message-ID: <20190702204753.GA20367@matrix-dream.net> (raw)
In-Reply-To: <CAHmME9qoUtBVd2+Y_gqr63YWOA00DsPriOBh=N=c+WkeRXMqzQ@mail.gmail.com>
Hi Jason,
while the idea of Deterministic Cryptographically Authenticated
Network Signatures is commendable, what is the *purpose* of the
network signature in Windows?
On Fri, Jun 28, 2019 at 10:15:39PM +0200, Jason A. Donenfeld wrote:
> On Fri, Jun 28, 2019 at 6:33 PM zrm <zrm@trustiosity.com> wrote:
> > The drawback of this approach is that if anything in the configuration
> > changes at all, it becomes a different network. In theory that's the
> > idea, but in practice changes to the configuration will sometimes happen
> > that shouldn't change which network it is.
>
> No, that's the entire point. If you change your network configuration
> -- which public keys (identities) are allowed to send what traffic,
> then this should not map to collided network signature. You're free to
> configure Windows to apply the same network profile and conditions to
> a variety of network signatures, of course.
What would the procedure be when tweaking/changing the configuration
of the interface? If e.g. peer changes key, added ip, removed ip,
renumbered ip, ... some other trivial change. The more peers you have,
the more changes you have.
Using id from either local priv/pub key, interface name, both,
or possibly a config item seems most reasonable to me.
IMO, if you reuse the same key for different networks, then you are
shooting yourself in the foot, so it is a sufficient identifier.
Add short warning to documentation if appropriate:
"Interface public key is used as the network identifier in Windows.
Its reuse will reuse settings of e.g. firewall."
Regards,
Ivan
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-07-02 20:48 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-27 14:26 Deterministic Cryptographically Authenticated Network Signatures on Windows NLA Jason A. Donenfeld
2019-06-28 16:25 ` zrm
2019-06-28 20:15 ` Jason A. Donenfeld
2019-07-02 20:47 ` Ivan Labáth [this message]
2019-07-03 5:42 ` Matthias Urlichs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190702204753.GA20367@matrix-dream.net \
--to=labawi-wg@matrix-dream.net \
--cc=Jason@zx2c4.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).