From: Matthias Urlichs <matthias@urlichs.de>
To: wireguard@lists.zx2c4.com
Subject: Re: WireGuard deployment considerations for improved privacy
Date: Mon, 14 Jan 2019 13:53:13 +0100 [thread overview]
Message-ID: <0c9b65e6-c285-c926-51c2-02aafb0cf12c@urlichs.de> (raw)
In-Reply-To: <CANTUoec=rCy0fcW1ukUfYQLsj73sJ3CAPFMu+sgHxZMxF=__NA@mail.gmail.com>
[-- Attachment #1.1.1: Type: text/plain, Size: 1027 bytes --]
Hi,
> 3. The attacker uses the VPN server static private key to decrypt the
> recorded handshakes, revealing client static pubkeys.
Create a service that sets a new temporary pubkey. Call it *before*
connecting with WG.
Switching during a connection doesn't help much IMHO, because if you
have recorded WG traffic you probably can correlate by IP address.
> Make it possible for clients to request a dynamically assigned IP
> address from the VPN server.
Use the above service to also assign a new dynamic IP address.
Both can and probably should be done at some arbitrary time, thus
decoupling this step from using the WG connection.
I haven't seen a compelling argument for augmenting the WG protocol
(and/or its in-kernel implementation) with support for this. However,
there may be a case for creating a standardized userspace
protocol+library to implement this and possibly a few other higher-level
features, so that people don't need to reinvent their wheels.
--
-- Matthias Urlichs
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
[-- Attachment #2: Type: text/plain, Size: 148 bytes --]
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-01-14 12:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-14 10:23 WireGuard deployment considerations for improved privacy Fredrik Strömberg
2019-01-14 12:53 ` Matthias Urlichs [this message]
[not found] ` <CAOAVeL0Hv343JWU1m06p-WaspsNFpB6Tnw6EdYr=LdMVQLM0AQ@mail.gmail.com>
2019-01-15 10:56 ` Fredrik Strömberg
[not found] ` <CAOAVeL32OBbhyzrJ-z6nLYMUUJsOFOSVNpbo4wdQN3zV=6yndw@mail.gmail.com>
2019-01-15 14:27 ` Fredrik Strömberg
2019-01-16 16:34 ` Jose Marinez
2019-01-18 8:19 ` Fredrik Strömberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0c9b65e6-c285-c926-51c2-02aafb0cf12c@urlichs.de \
--to=matthias@urlichs.de \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.