Re: Need for HW-clock independent timestamps

Re: Need for HW-clock independent timestamps

[reiner otto]

Having implemented this solution already, I consider it some type of hack, =
as the standard time sync unfortunately happens very late in the start of t=
he services,  after rc.local called. And the sync might take quite some tim=
e.

Which means, I had to "hack"  the time sync immediately after WAN up, and t=
o be done in a single shot, before starting WG.

It might be a reasonable workaround, as a standard new option in openwrt, t=
o allow immediate time sync after WAN up, instead of the graceful sync much=
 later.

However, as a real RTC is rather cheap, it might be a good idea, in case of=
 commercial apps, to ask the supplier of the device to be used  for the inc=
lusion of a RTC.
The more requests, the better the chances to find more devices with RTC inc=
luded.

--------------------------------------------
Toke H=C3=B8iland-J=C3=B8rgensen <toke@toke.dk> schrieb am So, 13.5.2018:

=20
=20
 The analogue for a wireguard deployment would
 be to run NTP on the
 unsecured links and not
 configure the wireguard tunnels until NTP has
 synced. This has different security
 implications for a VPN than for
 dnssec, of
 course, but it could be doable.=20
=20

Re: Need for HW-clock independent timestamps

[Toke Høiland-Jørgensen]

reiner otto <augustus_meyer@yahoo.de> writes:

> Having implemented this solution already, I consider it some type of
> hack, as the standard time sync unfortunately happens very late in the
> start of the services, after rc.local called. And the sync might take
> quite some time.
>
> Which means, I had to "hack" the time sync immediately after WAN up,
> and to be done in a single shot, before starting WG.

Yeah, messing init script order is going to be hackish. You'd want to
add a hotplug script to react to when the NTP daemon syncs and apply
config after that. See the dnsmasq hotplug script for an example:

https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/dnsmasq/files/dnsmasqsec.hotplug;h=781d5337348bb8e927bd15f1caac94a5e7a9ba63;hb=HEAD

For WG it should be necessary to wait to configure the wg interfaces;
they just won't validate correctly until time is fixed. So you could
configure the interfaces in /etc/config/network and just have the
hotplug script add the default route (or whatever your needs are).

> However, as a real RTC is rather cheap, it might be a good idea, in
> case of commercial apps, to ask the supplier of the device to be used
> for the inclusion of a RTC. The more requests, the better the chances
> to find more devices with RTC included.

Sure, for people who are building their own hardware. Most people
aren't, though...

-Toke

Re: Need for HW-clock independent timestamps

[Matthias Urlichs]

[-- Attachment #1: Type: text/plain, Size: 402 bytes --]

On 17.05.2018 09:07, Axel Neumann wrote:
>> Wireguard's connection setup is a whole lot simpler than most other
> But only if you ignore the implications coming with NTP transmissions.

The implication is to require a monotonically increasing 96-bit value.
Using NTP is one way to do that. There are obviously others which do not
depend on external protocols and/or services.

-- 
-- Matthias Urlichs


[-- Attachment #2: Type: text/html, Size: 913 bytes --]

Re: Need for HW-clock independent timestamps

[Axel Neumann]

Am 17=2E Mai 2018 07:53:17 MESZ schrieb Matthias Urlichs <matthias@urlichs=
=2Ede>:
>On 17=2E05=2E2018 07:03, Roman Mamedov wrote:
>> Personally I am puzzled this is even an issue in WG=2E Not a single
>other VPN
>> protocol mandates every node to keep a monotonically increasing
>counter,
>> including even over reboots=2E
>
>Wireguard's connection setup is a whole lot simpler than most other

But only if you ignore the implications coming with NTP transmissions=2E
its like Outsourcing some state transfer to another service and then claim=
 that remaining procedures are most simple=2E=20
/axel

>protocols=2E It basically doesn't require a "real" handshake, just a
>request/reply pair=2E Thus it's vulnerable against disruption by replay
>attacks =E2=80=93 a replayed rekey packet would disrupt conversation unti=
l the
>real sender times out, a minute later=2E
>
>--=20
>-- Matthias Urlichs
>
>_______________________________________________
>WireGuard mailing list
>WireGuard@lists=2Ezx2c4=2Ecom
>https://lists=2Ezx2c4=2Ecom/mailman/listinfo/wireguard

--=20
Diese Nachricht wurde von meinem Android-Ger=C3=A4t mit K-9 Mail gesendet=
=2E

Re: Need for HW-clock independent timestamps

[Matthias Urlichs]

On 17.05.2018 07:03, Roman Mamedov wrote:
> Personally I am puzzled this is even an issue in WG. Not a single other VPN
> protocol mandates every node to keep a monotonically increasing counter,
> including even over reboots.

Wireguard's connection setup is a whole lot simpler than most other
protocols. It basically doesn't require a "real" handshake, just a
request/reply pair. Thus it's vulnerable against disruption by replay
attacks – a replayed rekey packet would disrupt conversation until the
real sender times out, a minute later.

-- 
-- Matthias Urlichs

Re: Need for HW-clock independent timestamps

[Roman Mamedov]

On Thu, 17 May 2018 12:40:55 +0900
Paul <paul@makrotopia.org> wrote:

> For me it looks like a problem solvable in software (as done for the 
> BMX routing protocol). Why even bother to get hardware involved?

Personally I am puzzled this is even an issue in WG. Not a single other VPN
protocol mandates every node to keep a monotonically increasing counter,
including even over reboots.

This has never been an issue in Tinc and OpenVPN at least, and if I'm not
mistaken neither in IPsec. And now suddenly we have people saying everyone now
has to buy and solder in some satellite based hardware just to use a VPN.

Given this didn't even arise in other VPN solutions, surely there must be other
way to solve the "replay attack" issue, without requiring an RTC (or a
persistent counter)? Perhaps nobody has just thought long enough about finding
one, and given the project in the early stages, just using the RTC (which
"everyone has") was chosen as a quick placeholder for now?

-- 
With respect,
Roman

Re: Need for HW-clock independent timestamps

[Paul]

Hi all,

If I'm not mistaken replay attacks are checked here [1] and only 
compare integers with no reference to local time of the receiving node.

The sending nodes timestamp is generated via tai64n_now [2][3]. From my 
understanding this function could simply be changed to a auto increased 
counter, periodically saved on disc and increased on boot, following 
the approach described by Axel Neumann[4]. Mixing real timestamps and 
counter should be compatible to one another. Only drawback is see is 
that the overview function is likely mixed up [5].

All could be done by a patch specifically for HW-clock less devices or 
added to OpenWrt buildroot only[6].

Any reasons why such a patch could be bad?

[1]: 
https://github.com/WireGuard/WireGuard/blob/ddb82700a810c3f929e5a2fff00254b29eadc689/src/noise.c#L454
[2]: 
https://github.com/WireGuard/WireGuard/blob/ddb82700a810c3f929e5a2fff00254b29eadc689/src/noise.c#L353
[3]: 
https://github.com/WireGuard/WireGuard/blob/ddb82700a810c3f929e5a2fff00254b29eadc689/src/noise.c#L396
[4]: https://github.com/bmx-routing/bmx7/blob/semtor/bmx.c#L1397
[5]: 
https://github.com/WireGuard/WireGuard/blob/a7f2ceacb9ee09ab37302cddc0ce15a96fd95e70/src/tools/show.c#L25
[6]: 
https://github.com/openwrt/openwrt/tree/master/package/network/services/wireguard/patches

Just a few thoughts regarding GPS:

On Thu, May 17, 2018 at 5:32 AM, Steve Gilberd <steve@erayd.net> wrote:
> > $20 would increase the HW cost of many typical community-networks 
> (CN) deployments significantly.
> 
> This seems unlikely. In most cases, $20 is notably less than the cost 
> of a single node.

I'd doubt that. People massively use TP-Link 841 (~20$, 100%) or 
Uqiquity Nanobeams (~60$, 34%) as node hardware.

> > Plus requiering more knowledge, maintenence, and power supply for 
> sometimes solar-powered setups... no USB.
> 
> If that's a concern, then put the GPS on nodes where those 
> constraints aren't a problem. You only need GPS on a few nodes (or 
> one node if you don't care about redundancy). Most nodes will get by 
> just fine with just plain NTP, and can happily fetch their time from 
> the GPS nodes, or from other non-GPS nodes with a correct time sync.

This was already answered and found as unusable as it introduces 
additional configuration of all nodes, firewall rules, etc?

> 
> > It is really NOT as simple as it sounds to plug a $20 GPS !!!
> 
> It's not particularly complicated either. The actual setup of the 
> devices isn't particularly difficult, and you're already touching 
> these nodes to set up wireguard on them, so "I have to touch the 
> config" isn't a barrier in this case.

Opening and closing (in a waterproof manner) the previously mentioned 
Nanobeam is not particularly trivial. Also it introduces a whole stack 
of device specific knowledge. As stated before, this changes the 
configuration from "enter wireguard credentials" to "{open, buy 
additional, glue} hardware, setup {wireguard, gps, more?}.

For me it looks like a problem solvable in software (as done for the 
BMX routing protocol). Why even bother to get hardware involved?

Sunshine,
Paul

Re: Need for HW-clock independent timestamps

[Kalin KOZHUHAROV]

Hello Axel,

I may have not been clear in my last response, it was to be taken in
the context of the whole thread...

On Wed, May 16, 2018 at 9:32 PM, Axel Neumann <neumann@cgws.de> wrote:
>
>
> Am 15. Mai 2018 22:49:15 MESZ schrieb Kalin KOZHUHAROV <me.kalin@gmail.com>:
>>On Tue, May 15, 2018 at 10:21 PM, Devan Carpenter
>
>>> Using NTP is not a viable solution for a distributed mesh network.
>>What
>>> if the Internet is only accesible via WG, or what if the network is
>>not
>>> connected to the Internet at all?
>>>
>>Why do you need the Internet at all?
>>You can do as simple as plug a $20 GPS receiver (serial/USB) in any
>>node and get precise time that is shared with others in the network.
>
I meant to have one (or few) nodes that do provide time over UDP from
a GPS or other time-source, i.e. not connected to the Internet.
Not every node needs that.

Alternatively, as a pure software solution, every node of the network
may be required to run ntp on udp, or even other time protocol (say
RFC 867, RFC 868).
So any new node, before connecting to the WG endpoint with WG tunnel,
sets its time from it.
Nodes that do have access to the Net (exit nodes in a way), can run
ntpd internally and also don't need GPS or other time sources, if the
purpose of the network is "connect to the Net".

Cheers,
Kalin.

Re: Need for HW-clock independent timestamps

[Steve Gilberd]

[-- Attachment #1: Type: text/plain, Size: 1139 bytes --]

> $20 would increase the HW cost of many typical community-networks (CN)
deployments significantly.

This seems unlikely. In most cases, $20 is notably less than the cost of a
single node.

> Plus requiering more knowledge, maintenence, and power supply for
sometimes solar-powered setups... no USB.

If that's a concern, then put the GPS on nodes where those constraints
aren't a problem. You only need GPS on a few nodes (or one node if you
don't care about redundancy). Most nodes will get by just fine with just
plain NTP, and can happily fetch their time from the GPS nodes, or from
other non-GPS nodes with a correct time sync.

> It is really NOT as simple as it sounds to plug a $20 GPS !!!

It's not particularly complicated either. The actual setup of the devices
isn't particularly difficult, and you're already touching these nodes to
set up wireguard on them, so "I have to touch the config" isn't a barrier
in this case.

Cheers,
Steve
-- 

Cheers,

*Steve Gilberd*
Erayd LTD *·* Consultant
*Phone: +64 4 974-4229 **·** Mob: +64 27 565-3237*
*PO Box 10019, The Terrace, Wellington 6143, NZ*

[-- Attachment #2: Type: text/html, Size: 1850 bytes --]

Re: Need for HW-clock independent timestamps

[Axel Neumann]

[-- Attachment #1: Type: text/plain, Size: 1172 bytes --]



Am 15. Mai 2018 22:49:15 MESZ schrieb Kalin KOZHUHAROV <me.kalin@gmail.com>:
>On Tue, May 15, 2018 at 10:21 PM, Devan Carpenter 

>> Using NTP is not a viable solution for a distributed mesh network.
>What
>> if the Internet is only accesible via WG, or what if the network is
>not
>> connected to the Internet at all?
>>
>Why do you need the Internet at all?
>You can do as simple as plug a $20 GPS receiver (serial/USB) in any
>node and get precise time that is shared with others in the network.

$20 would increase the HW cost of many typical community-networks (CN) deployments significantly. Plus requiering more knowledge, maintenence, and power supply for sometimes solar-powered setups. Think of a recent typical CN node like this [1], so no usb. The admins are not hackers. Also there are tens of thousands of existing and productively operating (partially 5-10-years-old) nodes that nobody wants to upgrade HW wise. 
It is really NOT as simple as it sounds to plug a  $20 GPS !!!

[1] https://www.tp-link.com/en/products/details/cat-37_CPE510.html


/axel



-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.

[-- Attachment #2: Type: text/html, Size: 1401 bytes --]

Re: Need for HW-clock independent timestamps

[Axel Neumann]

Am 16=2E Mai 2018 11:38:23 MESZ schrieb "Toke H=C3=B8iland-J=C3=B8rgensen"=
 <toke@toke=2Edk>:
>Axel Neumann <neumann@cgws=2Ede> writes:
>
>> On 13=2E05=2E2018 14:37, Toke H=C3=B8iland-J=C3=B8rgensen wrote:> Matth=
ias Urlichs
>> <matthias@urlichs=2Ede> writes:
>>>
>>>> Can anybody think of problems with this solution?
>>>
>>> Well, the possibility of DOS if you set the counter too high,
>>
>> Correct me please, but skipping even many counter values should not be
>> a problem at all=2E So do you mean DOS in case your hit a wrap around o=
f
>> the counter? IMO this can be easily prevented=2E
>
>No I meant DOS if you fail to save state properly=2E I=2Ee=2E, I send seq=
no
>100000, lose my state, reboot, and re-initialise to seqno 100=2E I have
>now essentially locked myself out of the network until my seqno goes
>above 100000 again=2E Since I have no way of reliably detecting this
>condition, there is no straight-forward manual recovery possible=2E

Ok, then measures to mitigate this likelyhood are needed=2E But as said, i=
t boils down to incrementing and saving  a number during each system boot=
=2E Don't you think thid can be done in a reliable way=2E

>
>>> and the
>>> possibility of replay attacks if you fail to save the last state
>when
>>> you shut down comes to mind :)
>>
>> Where is that possibility? If you fail then you would send
>> handshake_initiation messages with an already outdated timestamp
>> field=2E Exactly what now happens by default with non-HWC equipped
>> devices after each reboot=2E
>
>You'd need to not only save your own seqno, but also the last seen
>seqno
>from every peer=2E Otherwise you're vulnerable to a replay attack after
>rebooting=2E And if you lose that state you are, well, vulnerable to a
>replay attack after rebooting :)

With my understanding, the same issue exists right now=2E The peers only v=
erify if a less or equal timestamp has been seen before from this peer=2E P=
eer timestamps are not recovered over reboots and also NOT related to its o=
wn clock or timestamps=2E As said in the other thread=2E Time discrepancy c=
an be infinite as long as it increases monotonically per peer=2E

/axel


>
>>> (Not saying it's not possible to create a workable solution, just
>that
>>> it's not trivial and requires careful thought to not break the
>security
>>> assumptions of the protocol)=2E
>>
>> I agree, but looking at the recent discussion (how to secure NTP as a
>> work around for for non-HWC devices) some of the assumptions made by
>> the current approach seem already quite questionable to me right now=2E
>> Like super-simple WG and firewall setup=2E Instead of two-lines
>> documentation you will likely need 2 pages plus some references for
>> further reading to other tools (like NTP) and also inherit related
>> problems=2E That does not sound like the WG philosophy to me=2E
>
>Oh, I totally agree that it would be good if a solution could be found
>to this=2E I'm just objecting to the assertion that "it's easy, just
>replace the timestamp with an increasing seqno"=2E
>
>-Toke

--=20
Diese Nachricht wurde von meinem Android-Ger=C3=A4t mit K-9 Mail gesendet=
=2E

Re: Need for HW-clock independent timestamps

[Matthias Urlichs]

On 16.05.2018 11:38, Toke Høiland-Jørgensen wrote:
> No I meant DOS if you fail to save state properly. I.e., I send seqno
> 100000, lose my state, reboot, and re-initialise to seqno 100.
So don't do that then. Your saved state needs to be substantially higher
than any seqno you could possibly send, which is why I advocated adding
a trillion or so to the state you write to disk (NOT to the state you
actually use!). The timestamp field is large enough for that to work.
> You'd need to not only save your own seqno, but also the last seen seqno
> from every peer. Otherwise you're vulnerable to a replay attack after
> rebooting. And if you lose that state you are, well, vulnerable to a
> replay attack after rebooting 

If that were the case you'd be vulnerable to such an attack right now,
as there is no check whatsoever that the timestamp you get corresponds
to any notion of current time, and nothing saves your peers' state at
reboot.

So let's look at what a replay attack can possibly accomplish after a
reboot – essentially, this requires Eve to store a bunch of Alice's
crypto setup packets and then feed them all to Bob after she detects
that he has rebooted. He'll respond to each of those and the attack ties
up one of his CPUs , but Eve doesn't know his private key thus can't do
anything with the replies. Meanwhile either Alice or Bob will send a new
setup packet to each other, which causes all further of Eve's packets to
be ignored.


-- 
-- Matthias Urlichs

Re: Need for HW-clock independent timestamps

[Toke Høiland-Jørgensen]

Axel Neumann <neumann@cgws.de> writes:

> On 13.05.2018 14:37, Toke H=C3=B8iland-J=C3=B8rgensen wrote:> Matthias Ur=
lichs
> <matthias@urlichs.de> writes:
>>
>>> Can anybody think of problems with this solution?
>>
>> Well, the possibility of DOS if you set the counter too high,
>
> Correct me please, but skipping even many counter values should not be
> a problem at all. So do you mean DOS in case your hit a wrap around of
> the counter? IMO this can be easily prevented.

No I meant DOS if you fail to save state properly. I.e., I send seqno
100000, lose my state, reboot, and re-initialise to seqno 100. I have
now essentially locked myself out of the network until my seqno goes
above 100000 again. Since I have no way of reliably detecting this
condition, there is no straight-forward manual recovery possible.

>> and the
>> possibility of replay attacks if you fail to save the last state when
>> you shut down comes to mind :)
>
> Where is that possibility? If you fail then you would send
> handshake_initiation messages with an already outdated timestamp
> field. Exactly what now happens by default with non-HWC equipped
> devices after each reboot.

You'd need to not only save your own seqno, but also the last seen seqno
from every peer. Otherwise you're vulnerable to a replay attack after
rebooting. And if you lose that state you are, well, vulnerable to a
replay attack after rebooting :)

>> (Not saying it's not possible to create a workable solution, just that
>> it's not trivial and requires careful thought to not break the security
>> assumptions of the protocol).
>
> I agree, but looking at the recent discussion (how to secure NTP as a
> work around for for non-HWC devices) some of the assumptions made by
> the current approach seem already quite questionable to me right now.
> Like super-simple WG and firewall setup. Instead of two-lines
> documentation you will likely need 2 pages plus some references for
> further reading to other tools (like NTP) and also inherit related
> problems. That does not sound like the WG philosophy to me.

Oh, I totally agree that it would be good if a solution could be found
to this. I'm just objecting to the assertion that "it's easy, just
replace the timestamp with an increasing seqno".

-Toke

Re: Need for HW-clock independent timestamps

[Matthias Urlichs]

On 15.05.2018 22:49, Kalin KOZHUHAROV wrote:
> [1]  Can anyone point me to the piece in code that shows that
> precision? In other words, how far apart can 2 peers' clocks be and
> still connect.

Infinite.

Seriously. The timestamp field is essentially a counter. It just counts
up in rather large time-based increments and happens to be seeded with
the current time, in the current implementation that is. If you forego
all of that, seed it with one, and make sure that there'll never be a
decrement (for instance by saving the current value + a trillion after
every reboot – you don't reboot a router often enough to endanger your
flash that way) you're all set.

-- 
-- Matthias Urlichs

Need for HW-clock independent timestamps

[Axel Neumann]

[-- Attachment #1: Type: text/plain, Size: 2631 bytes --]

On 13.05.2018 14:37, Toke Høiland-Jørgensen wrote:> Matthias Urlichs
<matthias@urlichs.de> writes:
>
>> Can anybody think of problems with this solution?
>
> Well, the possibility of DOS if you set the counter too high,

Correct me please, but skipping even many counter values should not be a problem at all. So do you mean DOS in case your hit a wrap around of the
counter? IMO this can be easily prevented.

If the 
TAI64/96 bit timestamp field (64-bit seconds count + 32-bit nanoseconds count) 
in WG handshake_init messages is used as a counter, then it seems sufficient to just use the 32-bit nano-cnt part for sequential increments after each handshake. Only the sec-cnt part needs to be saved with a +1 value (implicitly assuming nano-cnt saved as zero): during wg modprobe and also whenever the in-memory nano-cnt value got 80% exhausted. Reserving room for 800 000 000 handshakes (in non-reboot cases) before a new fs-write operation is needed. Given that just the handshake-required ECDH-Curve25519 takes more than a ms (eg 769 handshake/s measured on my intel notebook) calculation, that would happen at most once every 10 days. But realistically rather in terms of month or years. 
So in practice, a sec-cnt+1 value, now representing not secs but handshake counts x 1000000000) would only be saved during each system boot or wg init.


> and the
> possibility of replay attacks if you fail to save the last state when
> you shut down comes to mind :)

Where is that possibility? If you fail then you would send
handshake_initiation messages with an already outdated timestamp field.  Exactly what now happens by default with non-HWC equipped devices after each reboot.


>
> (Not saying it's not possible to create a workable solution, just that
> it's not trivial and requires careful thought to not break the security
> assumptions of the protocol).

I agree,
but looking at the recent discussion (how to secure NTP as a work around for for non-HWC devices) some of the assumptions made by the current approach seem already quite questionable to me right now. Like super-simple WG and firewall setup. Instead of two-lines documentation
you will likely need 2 pages plus some references for further reading to other tools (like NTP) and also inherit related problems. That does not sound like the WG philosophy to me.

/Axel

>
> -Toke
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>


-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.

[-- Attachment #2: Type: text/html, Size: 2950 bytes --]

Re: Need for HW-clock independent timestamps

[Kalin KOZHUHAROV]

On Tue, May 15, 2018 at 10:21 PM, Devan Carpenter <mail@dvn.me> wrote:
> Aaron Jones transcribed 3.1K bytes:
>> On 12/05/18 19:29, Axel Neumann wrote:
>> > You want WG to secure your network. So the suggestion can not be to open
>> > your network for a pretty insecure deamon in order to get WG working.
>> > This would essentially allow attackers to a fake the ntp server and then
>> > block WG forever.
>>
>> Someone in a position to fake NTP (which needs bidirectional
>> communication) is already in a position to block WG forever (by simply
>> refusing to forward its packets).
>>
>> Additionally, there are a few very well-designed and secure NTP daemons
>> out there (such as OpenNTPd).
>>
>
> Using NTP is not a viable solution for a distributed mesh network. What
> if the Internet is only accesible via WG, or what if the network is not
> connected to the Internet at all?
>
Why do you need the Internet at all?
You can do as simple as plug a $20 GPS receiver (serial/USB) in any
node and get precise time that is shared with others in the network.
Heck, even go analog and use the Colorado WWV radio signal.
Or go fancy and buy a dedicated Cesium-backed "private" NTP server.

> It's not a trivial problem, but I think it would be benefecial to WireGuard as a project to not depend on
> centralized time authority *if there is an option not to*.
>
I wouldn't call universal time a "centralized authority", it is more
of a well-agreed-upon concept.
With a clear view of the sky and some math, you can use the stars (Sun
incl.) even and nobody can ban you from knowing the time.
It is not like say centralized DNS.

So, yes you need a method for obtaining the time at somewhat precise
scale[1], but "NTP-to-I'net" is just one somewhat convenient method.

[1]  Can anyone point me to the piece in code that shows that
precision? In other words, how far apart can 2 peers' clocks be and
still connect.
I spend some time grepping, but couldn't find it... I guess it is
connected to 'REJECT_AFTER_TIME = 180 * HZ;' ?

Cheers,
Kalin.

Re: Need for HW-clock independent timestamps

[Devan Carpenter]

[-- Attachment #1: Type: text/plain, Size: 990 bytes --]

Aaron Jones transcribed 3.1K bytes:
> On 12/05/18 19:29, Axel Neumann wrote:
> > You want WG to secure your network. So the suggestion can not be to open
> > your network for a pretty insecure deamon in order to get WG working.
> > This would essentially allow attackers to a fake the ntp server and then
> > block WG forever.
> 
> Someone in a position to fake NTP (which needs bidirectional
> communication) is already in a position to block WG forever (by simply
> refusing to forward its packets).
> 
> Additionally, there are a few very well-designed and secure NTP daemons
> out there (such as OpenNTPd).
> 

Using NTP is not a viable solution for a distributed mesh network. What
if the Internet is only accesible via WG, or what if the network is not
connected to the Internet at all? It's not a trivial problem, but I
think it would be benefecial to WireGuard as a project to not depend on
centralized time authority *if there is an option not to*.

-Devan


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Need for HW-clock independent timestamps

[Wang Jian]

[-- Attachment #1: Type: text/plain, Size: 577 bytes --]

2018-05-12 6:45 GMT+08:00 Kalin KOZHUHAROV <me.kalin@gmail.com>:
> I only see 2 ways:
> * hardware: add a cheap RTC (best), or storage (USB, SD)
> * policy: add exception for ntpdate on base UDP (not WG) (or have
> dedicated server/s for that, which you control).

As Kalin's suggestion, I think policy routing, or plain static route, is
the easier
solution.

You can point ntpdate or ntpd to a fixed ntp server, and add a rule or more
specific staticr oute for this fixed server.

Or, if you have a running computer in your local net, use that computer as
one of ntp servers.

[-- Attachment #2: Type: text/html, Size: 748 bytes --]

Re: Need for HW-clock independent timestamps

[Toke Høiland-Jørgensen]

Matthias Urlichs <matthias@urlichs.de> writes:

> Can anybody think of problems with this solution?

Well, the possibility of DOS if you set the counter too high, and the
possibility of replay attacks if you fail to save the last state when
you shut down comes to mind :)

(Not saying it's not possible to create a workable solution, just that
it's not trivial and requires careful thought to not break the security
assumptions of the protocol).

-Toke

Re: Need for HW-clock independent timestamps

[Matthias Urlichs]

[-- Attachment #1.1.1: Type: text/plain, Size: 1720 bytes --]

On 12.05.2018 21:29, Axel Neumann wrote:
> Thanks a lot for your replies. But as you can see from my comments below
> this all does not look like a valid option for many embedded use cases.
> BTW, my background are community mesh networks which are maintained by
> all kind of different individuals using a zoo of different device types.
>
> I would really appreciate if WG can further elaborate on this issue.
> There are many real-life communities with embedded-device deployments
> that would be looking forward to use WG.
>
> Could you also comment on the described approach (see again at the end
> of the mail) of allowing (maybe as an alternative) a sequence number
> instead of a timestamp?
What's the problem? the protocol documentation states

> The server keeps track of the greatest timestamp received /per client/
> and discards packets containing timestamps less than or equal to it.

I just checked the C implementation; it does this check (and no others).
In particular it doesn't check whether the timestamp field corresponds
to anybody's idea of the current time.

Thus you don't need current time; you just need to seed a counter. I
would thus add an option to wg.conf that, if present, sets the
interface's current timestamp to some value and uses it as a counter
instead of a timestamp.

Then, when you set up your WG instance, you should immediately rewrite
your wg.conf file (just add 2^32) so that a reboot doesn't DoS yourself.
Additionally, when you acquire NTP sync, set the parameter to the
TAI64N() of the current time. To be extra safe, repeat this every week
or month or so.

Can anybody think of problems with this solution?

-- 
-- Matthias Urlichs


[-- Attachment #1.1.2: Type: text/html, Size: 2269 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Need for HW-clock independent timestamps

[Reuben Martin]

On Saturday, May 12, 2018 2:29:24 PM CDT Axel Neumann wrote:
> Thanks a lot for your replies. But as you can see from my comments below
> this all does not look like a valid option for many embedded use cases.

Perhaps it might make sense to add functionality for WG to request a timest=
amp=20
from peers and to reply to TS requests so long as they are signed with a va=
lid=20
key.

Implementing the WG side of a TS exchange would probably be fairly trivial,=
=20
but I don=E2=80=99t know what is involved to take the received timestamp an=
d use that=20
to set the system clock. That part might present a whole can of worms that=
=20
Jason may not want to deal with.

=2DReuben

Re: Need for HW-clock independent timestamps

[Toke Høiland-Jørgensen]

Axel Neumann <neumann@cgws.de> writes:

> Thanks a lot for your replies. But as you can see from my comments below
> this all does not look like a valid option for many embedded use cases.
> BTW, my background are community mesh networks which are maintained by
> all kind of different individuals using a zoo of different device
> types.

We had a long discussion on the issue of time on embedded routers with
no RTC around the time support for DNSSEC was added to dnsmasq. The
solution we ended up with in OpenWrt was that dnsmasq will run without
validating signatures until NTP indicates that it has synced to a time
server. See the --dnssec-no-timecheck and --dnssec-timestamp options to
dnsmasq for details on how this works.

You're right, of course, that "just add an RTC" is not a solution...

The analogue for a wireguard deployment would be to run NTP on the
unsecured links and not configure the wireguard tunnels until NTP has
synced. This has different security implications for a VPN than for
dnssec, of course, but it could be doable. Depends on your setup how
this is best done; you don't give enough details for me to have an
informed opinion :)

> I would really appreciate if WG can further elaborate on this issue.
> There are many real-life communities with embedded-device deployments
> that would be looking forward to use WG.
>
> Could you also comment on the described approach (see again at the end
> of the mail) of allowing (maybe as an alternative) a sequence number
> instead of a timestamp?

Can't comment on the security implications of this; but even if it is
possible without degrading the security of the protocol, this is a
non-trivial change at the protocol level; so if you want to deploy
anything within the next ~6-12 months, I'd suggest finding a
workaround...

-Toke

Re: Need for HW-clock independent timestamps

[Aaron Jones]

[-- Attachment #1.1: Type: text/plain, Size: 589 bytes --]

On 12/05/18 19:29, Axel Neumann wrote:
> You want WG to secure your network. So the suggestion can not be to open
> your network for a pretty insecure deamon in order to get WG working.
> This would essentially allow attackers to a fake the ntp server and then
> block WG forever.

Someone in a position to fake NTP (which needs bidirectional
communication) is already in a position to block WG forever (by simply
refusing to forward its packets).

Additionally, there are a few very well-designed and secure NTP daemons
out there (such as OpenNTPd).

-- 
Aaron Jones




[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 884 bytes --]

Re: Need for HW-clock independent timestamps

[Axel Neumann]

Thanks a lot for your replies. But as you can see from my comments below
this all does not look like a valid option for many embedded use cases.
BTW, my background are community mesh networks which are maintained by
all kind of different individuals using a zoo of different device types.

I would really appreciate if WG can further elaborate on this issue.
There are many real-life communities with embedded-device deployments
that would be looking forward to use WG.

Could you also comment on the described approach (see again at the end
of the mail) of allowing (maybe as an alternative) a sequence number
instead of a timestamp?


More inline below...

On 12.05.2018 00:45, Kalin KOZHUHAROV wrote:
> On Sat, May 12, 2018 at 12:07 AM, Axel Neumann <neumann@cgws.de> wrote:
>> We have the following chicken-egg problem:
>> We are using WG on openwrt devices which do not have a hardware clock so
>> that time is resetted after each reboot.
>> Because internet access shall be routed via WG tunnels the internet and
>> network-time services (NTP) is not available unless WG works properly.
>> But, guess, to reconnect, WG needs a greater time than before it
>> rebooted :-(
>>
>> I heard that a suggested solution is to periodically save the current
>> time to filesystem and then fix it during boot based on the last saved
>> one. But all embedded devices use flash memory with a limited amount
>> (about 10^5) of write cycles before they become unstable which would
>> destroy the flash within weeks.
>>
> Good/Hard problem!
> 
>> Any ideas how to circumvent this problem?
>>
> I only see 2 ways:
> * hardware: add a cheap RTC (best), or storage (USB, SD)

That is not convenient. People buy standard devices, often for outdoor,
which can not easily be extended with extra storage.

> * policy: add exception for ntpdate on base UDP (not WG) (or have
> dedicated server/s for that, which you control).

You want WG to secure your network. So the suggestion can not be to open
your network for a pretty insecure deamon in order to get WG working.
This would essentially allow attackers to a fake the ntp server and then
block WG forever.

> 
> BTW, while flash write cycles are indeed limited, you are writing a
> very small data (that causes a single block to be rewritten).
> So a device with say 32 MB(8000 x 4K blocks) will last about 9000
> years if you write one block once per hour until 10% (=800) of its
> cells are past 10^5 writes.
> (or 3 years if you write once per second!)
> But my knowledge says 10^3-10^4 write cycles (so still 90-900 years for 1/hour).

Actually, many devices have only 8MB flash (some only 4MB almost
entirely used) and from this there is only few space left. So the blocks
used for storing can not be cycled as much as you suggest. And time
should not be saved 1/hour because nobody wants to wait an hour after a
reboot to let his connectivity recover. Such effects would likely cause
users to do any kind of panic-like rescue measures which usually hits
security first. So again, I don't think its a way to go.

> 
> If you have a large number of devices of the same hardware, 

Community networks don't !

> I'd
> suggest a "kill test" of one of them, by rewriting its flash. You can

I do not understand this. Could you explain in more detail?

> further use specific file-systems optimized for NAND/NOR flash.

I think openwrt already does a lot to optimize this. Still it would not
solve but only mitigate the problem.



On 12.05.2018 00:07, Axel Neumann wrote:
> As a remark, BMX7 is doing it the following way:
> Instead of using timestamps to protect against replay attacks the
> approach is to use just an always increasing integer (sqn), for each new
> signature (from the WG white paper I understand that that should be
> possible). Sqn Jumps, as long as they are just increasing the sqn, are
fine.
> Now, to save the sqn over reboot it is read from filesystem as
> current_sqn during boot and immediately saved as
> save_sqn=current_sqn+100000 and then only be re-saved (again as new
> current_sqn+100000) when the last used current_sqn equals the last saved
> save_sqn. This way, jumps of at most 100000 occur only in case of node
> reboots. But as such jumps are harmless anyway its ok. And with a
> 48-bit-timestamp field it would still survive 28^9 reboots till the
> timestamp reaches end-of-life. Of course the 100000 is debatable as I do
> not know how much DH-based connection attempts may happen over a day or
> week. But given that no more than one sqn save occurs in average per day
> the flash lifetime could already be increased significantly.


Thanks a lot
/Axel

Re: Need for HW-clock independent timestamps

[Glen Bojsza]

[-- Attachment #1: Type: text/plain, Size: 2410 bytes --]

Why not add a configurable  timer feature to wireguard where you can set
the amount of time after power up before the wireguard vpn comes up? This
would solve the problem universally and may be the simplest / quickest
solution.

Disclaimer: I don't have a developer's background only a user's one so I am
not sure how hard this technically would be to implement...maybe someone
can weigh in from the wireguard team.

Glen

On Fri, May 11, 2018 at 6:46 PM Kalin KOZHUHAROV <me.kalin@gmail.com> wrote:

> On Sat, May 12, 2018 at 12:07 AM, Axel Neumann <neumann@cgws.de> wrote:
> > We have the following chicken-egg problem:
> > We are using WG on openwrt devices which do not have a hardware clock so
> > that time is resetted after each reboot.
> > Because internet access shall be routed via WG tunnels the internet and
> > network-time services (NTP) is not available unless WG works properly.
> > But, guess, to reconnect, WG needs a greater time than before it
> > rebooted :-(
> >
> > I heard that a suggested solution is to periodically save the current
> > time to filesystem and then fix it during boot based on the last saved
> > one. But all embedded devices use flash memory with a limited amount
> > (about 10^5) of write cycles before they become unstable which would
> > destroy the flash within weeks.
> >
> Good/Hard problem!
>
> > Any ideas how to circumvent this problem?
> >
> I only see 2 ways:
> * hardware: add a cheap RTC (best), or storage (USB, SD)
> * policy: add exception for ntpdate on base UDP (not WG) (or have
> dedicated server/s for that, which you control).
>
> BTW, while flash write cycles are indeed limited, you are writing a
> very small data (that causes a single block to be rewritten).
> So a device with say 32 MB(8000 x 4K blocks) will last about 9000
> years if you write one block once per hour until 10% (=800) of its
> cells are past 10^5 writes.
> (or 3 years if you write once per second!)
> But my knowledge says 10^3-10^4 write cycles (so still 90-900 years for
> 1/hour).
>
> If you have a large number of devices of the same hardware, I'd
> suggest a "kill test" of one of them, by rewriting its flash. You can
> further use specific file-systems optimized for NAND/NOR flash.
>
> Cheers,
> Kalin.
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>

[-- Attachment #2: Type: text/html, Size: 3165 bytes --]

Re: Need for HW-clock independent timestamps

[Kalin KOZHUHAROV]

On Sat, May 12, 2018 at 12:07 AM, Axel Neumann <neumann@cgws.de> wrote:
> We have the following chicken-egg problem:
> We are using WG on openwrt devices which do not have a hardware clock so
> that time is resetted after each reboot.
> Because internet access shall be routed via WG tunnels the internet and
> network-time services (NTP) is not available unless WG works properly.
> But, guess, to reconnect, WG needs a greater time than before it
> rebooted :-(
>
> I heard that a suggested solution is to periodically save the current
> time to filesystem and then fix it during boot based on the last saved
> one. But all embedded devices use flash memory with a limited amount
> (about 10^5) of write cycles before they become unstable which would
> destroy the flash within weeks.
>
Good/Hard problem!

> Any ideas how to circumvent this problem?
>
I only see 2 ways:
* hardware: add a cheap RTC (best), or storage (USB, SD)
* policy: add exception for ntpdate on base UDP (not WG) (or have
dedicated server/s for that, which you control).

BTW, while flash write cycles are indeed limited, you are writing a
very small data (that causes a single block to be rewritten).
So a device with say 32 MB(8000 x 4K blocks) will last about 9000
years if you write one block once per hour until 10% (=800) of its
cells are past 10^5 writes.
(or 3 years if you write once per second!)
But my knowledge says 10^3-10^4 write cycles (so still 90-900 years for 1/hour).

If you have a large number of devices of the same hardware, I'd
suggest a "kill test" of one of them, by rewriting its flash. You can
further use specific file-systems optimized for NAND/NOR flash.

Cheers,
Kalin.