* [WireGuard] auth-only wireguard
@ 2016-10-06  2:12 Jehan Tremback
  2016-10-06  5:48 ` Jason A. Donenfeld
  2016-10-06 15:03 ` Bruno Wolff III
  0 siblings, 2 replies; 10+ messages in thread
From: Jehan Tremback @ 2016-10-06  2:12 UTC (permalink / raw)
  To: WireGuard mailing list

Are there any plans, or would you even consider, adding an option to
WireGuard to disable encryption, and only authenticate packets? I'm
assuming that an authentication-only mode would be significantly faster
(maybe I'm wrong though). My use-case only needs auth, so if I were to
use WireGuard, the encryption would be redundant. 

-- 
  Jehan Tremback
  jehan@altheamesh.com

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [WireGuard] auth-only wireguard
  2016-10-06  2:12 [WireGuard] auth-only wireguard Jehan Tremback
@ 2016-10-06  5:48 ` Jason A. Donenfeld
  2016-10-06 15:03 ` Bruno Wolff III
  1 sibling, 0 replies; 10+ messages in thread
From: Jason A. Donenfeld @ 2016-10-06  5:48 UTC (permalink / raw)
  To: Jehan Tremback; +Cc: WireGuard mailing list

Dear NSA,

No.

Love,
Jason


* Re: [WireGuard] auth-only wireguard
  2016-10-06  2:12 [WireGuard] auth-only wireguard Jehan Tremback
  2016-10-06  5:48 ` Jason A. Donenfeld
@ 2016-10-06 15:03 ` Bruno Wolff III
  2016-10-06 16:34   ` Jehan Tremback
  2016-10-06 17:32   ` Jason A. Donenfeld
  1 sibling, 2 replies; 10+ messages in thread
From: Bruno Wolff III @ 2016-10-06 15:03 UTC (permalink / raw)
  To: Jehan Tremback; +Cc: WireGuard mailing list

On Wed, Oct 05, 2016 at 19:12:57 -0700,
  Jehan Tremback <jehan@altheamesh.com> wrote:
>Are there any plans, or would you even consider, adding an option to
>WireGuard to disable encryption, and only authenticate packets? I'm
>assuming that an authentication-only mode would be significantly faster
>(maybe I'm wrong though). My use-case only needs auth, so if I were to
>use WireGuard, the encryption would be redundant.

That would depend on how fast your internet connection is and how much CPU 
power you have. I suspect in many cases the extra latency is negligible 
and it would be rare for encryption to be limiting bandwidth.

Without encryption your authentication won't be useful against attackers 
that can modify packets or insert packets with the source address of your 
contact.


* Re: [WireGuard] auth-only wireguard
  2016-10-06 15:03 ` Bruno Wolff III
@ 2016-10-06 16:34   ` Jehan Tremback
  2016-10-06 17:35     ` Jason A. Donenfeld
  2016-10-06 17:42     ` Alex Xu
  2016-10-06 17:32   ` Jason A. Donenfeld
  1 sibling, 2 replies; 10+ messages in thread
From: Jehan Tremback @ 2016-10-06 16:34 UTC (permalink / raw)
  To: Bruno Wolff III; +Cc: WireGuard mailing list

Let me be more specific about my application. I'm trying to create a
system where routers in a "mesh" network (mixed ad-hoc wifi and
ethernet) pay their neighbors, or are paid by their neighbors for
bandwidth. To make this happen, I've got to be able to identify traffic
from specific neighbors with something less spoofable than MAC
addresses. Creating tunnels between neighbors fits the bill for now, and
gives me a good handle to apply traffic shaping to different neighbors.
The encapsulating tunnel packet will have the source IP address of the
previous hop neighbor, and will be sent to the next hop neighbor, and
can be prioritized. Authentication keeps anyone from spoofing addresses
and stealing bandwidth.

Anyway, I'm experimenting with fastd right now, and it's working, but
WireGuard seems like a very nicely designed and executed piece of
software so I thought I'd ask. I understand that WireGuard is designed
to be very focused on a traditional VPN server use case, so more
configurability may not be something you want to support. 

> Without encryption your authentication won't be useful against attackers 
> that can modify packets or insert packets with the source address of your 
> contact.

Isn't this exactly what authentication prevents? If the signature does
not match the sender and the packet content, it will fail authentication
by definition, at least by any definition of authentication that I am
familiar with.

-Jehan

-- 
  Jehan Tremback
  jehan@altheamesh.com

On Thu, Oct 6, 2016, at 08:03 AM, Bruno Wolff III wrote:
> On Wed, Oct 05, 2016 at 19:12:57 -0700,
>   Jehan Tremback <jehan@altheamesh.com> wrote:
> >Are there any plans, or would you even consider, adding an option to
> >WireGuard to disable encryption, and only authenticate packets? I'm
> >assuming that an authentication-only mode would be significantly faster
> >(maybe I'm wrong though). My use-case only needs auth, so if I were to
> >use WireGuard, the encryption would be redundant.
> 
> That would depend on how fast your internet connection is and how much CPU 
> power you have. I suspect in many cases the extra latency is negligible 
> and it would be rare for encryption to be limiting bandwidth.
> 
> Without encryption your authentication won't be useful against attackers 
> that can modify packets or insert packets with the source address of your 
> contact.


* Re: [WireGuard] auth-only wireguard
  2016-10-06 15:03 ` Bruno Wolff III
  2016-10-06 16:34   ` Jehan Tremback
@ 2016-10-06 17:32   ` Jason A. Donenfeld
  2016-10-06 19:27     ` Bruno Wolff III
  1 sibling, 1 reply; 10+ messages in thread
From: Jason A. Donenfeld @ 2016-10-06 17:32 UTC (permalink / raw)
  To: Bruno Wolff III; +Cc: WireGuard mailing list

On Thu, Oct 6, 2016 at 5:03 PM, Bruno Wolff III <bruno@wolff.to> wrote:
> Without encryption your authentication won't be useful against attackers that
> can modify packets or insert packets with the source address of your
> contact.

Either I've misunderstood you, or this is completely inaccurate.

What do you mean exactly?


* Re: [WireGuard] auth-only wireguard
  2016-10-06 16:34   ` Jehan Tremback
@ 2016-10-06 17:35     ` Jason A. Donenfeld
  2016-10-06 17:42     ` Alex Xu
  1 sibling, 0 replies; 10+ messages in thread
From: Jason A. Donenfeld @ 2016-10-06 17:35 UTC (permalink / raw)
  To: Jehan Tremback; +Cc: WireGuard mailing list

On Thu, Oct 6, 2016 at 6:34 PM, Jehan Tremback <jehan@altheamesh.com> wrote:
> Let me be more specific about my application. I'm trying to create a
> system where routers in a "mesh" network (mixed ad-hoc wifi and
> ethernet) pay their neighbors, or are paid by their neighbors for
> bandwidth. To make this happen, I've got to be able to identify traffic
> from specific neighbors with something less spoofable than MAC
> addresses. Creating tunnels between neighbors fits the bill for now, and
> gives me a good handle to apply traffic shaping to different neighbors.
> The encapsulating tunnel packet will have the source IP address of the
> previous hop neighbor, and will be sent to the next hop neighbor, and
> can be prioritized. Authentication keeps anyone from spoofing addresses
> and stealing bandwidth.

And encryption keeps the various neighbors' traffic hidden from passive
eavesdroppers. Do your customers a service; encrypt their traffic
wherever possible.

>
> Anyway, I'm experimenting with fastd right now, and it's working, but
> WireGuard seems like a very nicely designed and executed piece of
> software so I thought I'd ask. I understand that WireGuard is designed
> to be very focused on a traditional VPN server use case, so more
> configurability may not be something you want to support.

WireGuard isn't very focused on any particular use case. It certainly
aims to be something directly applicable for what you have in mind.
Recently we've been talking with a large community-run ISP that
extends across Germany that does some interesting and complicated mesh
networking to bring affordable internet everywhere. They're currently
using fastd, too, but I believe are in a transition to WireGuard,
because the performance is substantially better than fastd.

>
>> Without encryption your authentication won't be useful against attackers
>> that can modify packets or insert packets with the source address of your
>> contact.
>
> Isn't this exactly what authentication prevents? If the signature does
> not match the sender and the packet content, it will fail authentication
> by definition, at least by any definition of authentication that I am
> familiar with.

I was confused by Bruno's statement too with more or less your exact
same reaction.


* Re: [WireGuard] auth-only wireguard
  2016-10-06 16:34   ` Jehan Tremback
  2016-10-06 17:35     ` Jason A. Donenfeld
@ 2016-10-06 17:42     ` Alex Xu
  2016-10-06 19:34       ` Jehan Tremback
  1 sibling, 1 reply; 10+ messages in thread
From: Alex Xu @ 2016-10-06 17:42 UTC (permalink / raw)
  To: wireguard

On Thu, 06 Oct 2016 09:34:18 -0700
Jehan Tremback <jehan@altheamesh.com> wrote:

> Let me be more specific about my application. I'm trying to create a
> system where routers in a "mesh" network (mixed ad-hoc wifi and
> ethernet) pay their neighbors, or are paid by their neighbors for
> bandwidth. To make this happen, I've got to be able to identify
> traffic from specific neighbors with something less spoofable than MAC
> addresses. Creating tunnels between neighbors fits the bill for now,
> and gives me a good handle to apply traffic shaping to different
> neighbors. The encapsulating tunnel packet will have the source IP
> address of the previous hop neighbor, and will be sent to the next
> hop neighbor, and can be prioritized. Authentication keeps anyone
> from spoofing addresses and stealing bandwidth.

So... now everybody can spy on each other's traffic instead of
also spoofing it. That doesn't seem like a huge improvement to me.


* Re: [WireGuard] auth-only wireguard
  2016-10-06 17:32   ` Jason A. Donenfeld
@ 2016-10-06 19:27     ` Bruno Wolff III
  2016-10-06 20:43       ` Jason A. Donenfeld
  0 siblings, 1 reply; 10+ messages in thread
From: Bruno Wolff III @ 2016-10-06 19:27 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On Thu, Oct 06, 2016 at 19:32:36 +0200,
  "Jason A. Donenfeld" <Jason@zx2c4.com> wrote:
>On Thu, Oct 6, 2016 at 5:03 PM, Bruno Wolff III <bruno@wolff.to> wrote:
>> Without encryption your authentication won't be useful against attackers that
>> can modify packets or insert packets with the source address of your
>> contact.
>
>Either I've misunderstood you, or this is completely inaccurate.
>
>What do you mean exactly?

Someone able to watch and modify traffic can wait for authentication to occur 
and then take over the connection. So you don't know you are still 
communicating with the party that did the authentication. You need something 
protecting message integrity which is normally based on encryption, but I 
think there might be ways to do that with just hashing.


* Re: [WireGuard] auth-only wireguard
  2016-10-06 17:42     ` Alex Xu
@ 2016-10-06 19:34       ` Jehan Tremback
  0 siblings, 0 replies; 10+ messages in thread
From: Jehan Tremback @ 2016-10-06 19:34 UTC (permalink / raw)
  To: wireguard

> And encryption keeps various neighbors traffic hidden from passive
> eavesdroppers. Do your customers a service; encrypt their traffic
> wherever possible.

> So... now everybody can spy on each other's traffic instead of
> also spoofing it. That doesn't seem like a huge improvement to me.

Just to elaborate on why I don't want encryption for the specific tunnel
I describe: This is to be used between physical neighbors, to prevent
spoofing IP addresses to steal bandwidth. For example, let's say that
Alice and Bob are both connected to Charlie. Charlie has a connection to
the internet, and has made a contract with Bob to sell him a certain
amount of data (or a certain connection duration at a specified
bandwidth). Without authentication, Alice could spoof Bob's IP or MAC
address to use up his quota, or his bandwidth. This authentication is
happening at every hop, so it would be good to keep the overhead down.

There is typically another tunnel used on mesh networks, between exit
servers (which perform NAT and deal with legal complaints) and the end
user nodes. This would be encrypted, and I believe this is what the
network in Germany is looking at WireGuard for. Having two layers of
encryption within the network, in addition to whatever e2e the user may
be using, seems excessive.

Also, Bob doesn't necessarily trust Charlie. He is just providing a
service. Encryption between Bob and Charlie provides little benefit. The
NSA could join the mesh group, set up a cheaper uplink, get Bob to buy
some bandwidth, and see Bob's packets that way. The encryption is
provided by the tunnel to the exit server, and more importantly, the
user's e2e.

-- 
  Jehan Tremback
  jehan@altheamesh.com

On Thu, Oct 6, 2016, at 10:42 AM, Alex Xu wrote:
> On Thu, 06 Oct 2016 09:34:18 -0700
> Jehan Tremback <jehan@altheamesh.com> wrote:
> 
> > Let me be more specific about my application. I'm trying to create a
> > system where routers in a "mesh" network (mixed ad-hoc wifi and
> > ethernet) pay their neighbors, or are paid by their neighbors for
> > bandwidth. To make this happen, I've got to be able to identify
> > traffic from specific neighbors with something less spoofable than MAC
> > addresses. Creating tunnels between neighbors fits the bill for now,
> > and gives me a good handle to apply traffic shaping to different
> > neighbors. The encapsulating tunnel packet will have the source IP
> > address of the previous hop neighbor, and will be sent to the next
> > hop neighbor, and can be prioritized. Authentication keeps anyone
> > from spoofing addresses and stealing bandwidth.
> 
> So... now everybody can spy on each other's traffic instead of
> also spoofing it. That doesn't seem like a huge improvement to me.

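Added example (not code from this thread, from WireGuard or from fastd): a toy authentication-only link in Python that makes the three positions above concrete. A per-packet HMAC-SHA256 tag over a counter and the payload (a keyed hash, the kind of thing Bruno says might work "with just hashing") rejects modified, spoofed and replayed packets without any encryption, so Alice cannot charge traffic to Bob's quota at Charlie; and, as Jason and Alex point out, the payload of every accepted packet stays readable to anyone who can see it on the wire. The key, packet layout, names and payloads are constructed for this example; WireGuard's actual wire format and its ChaCha20-Poly1305 construction are different.

```python
import hashlib
import hmac
import struct


class AuthOnlyLink:
    """One endpoint of a hypothetical authentication-only tunnel (constructed
    for this example; not WireGuard's wire format).

    Packet layout: 8-byte big-endian counter || plaintext payload || 16-byte tag.
    The tag is HMAC-SHA256(key, counter || payload) truncated to 128 bits, so it
    binds both the payload and the counter. Nothing is encrypted.
    """

    TAG_LEN = 16
    HDR_LEN = 8

    def __init__(self, key: bytes):
        self.key = key
        self.send_counter = 0      # sender side: never reuse a counter value
        self.highest_seen = -1     # receiver side: simplest anti-replay state

    def _tag(self, header: bytes, payload: bytes) -> bytes:
        return hmac.new(self.key, header + payload, hashlib.sha256).digest()[: self.TAG_LEN]

    def seal(self, payload: bytes) -> bytes:
        """Attach a fresh counter and a MAC; the payload goes out in the clear."""
        self.send_counter += 1
        header = struct.pack(">Q", self.send_counter)
        return header + payload + self._tag(header, payload)

    def verify(self, packet: bytes):
        """Return the payload if the packet is genuine and fresh, else None."""
        if len(packet) < self.HDR_LEN + self.TAG_LEN:
            return None
        header = packet[: self.HDR_LEN]
        payload = packet[self.HDR_LEN : -self.TAG_LEN]
        tag = packet[-self.TAG_LEN :]
        # Constant-time comparison: a forged, modified or wrong-key packet
        # fails here, before the counter is even looked at.
        if not hmac.compare_digest(tag, self._tag(header, payload)):
            return None
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.highest_seen:
            return None            # replayed packet
        self.highest_seen = counter
        return payload


def run_scenarios() -> dict:
    """Exercise the link the way the Alice/Bob/Charlie example in the thread
    does. Bob and Charlie share a key; Alice does not. All values constructed."""
    bob_charlie_key = b"constructed-shared-key-bob-charlie"
    bob = AuthOnlyLink(bob_charlie_key)
    charlie = AuthOnlyLink(bob_charlie_key)
    alice = AuthOnlyLink(b"constructed-key-alice-does-not-have-bobs")

    payload = b"GET /metered-content HTTP/1.1"
    genuine = bob.seal(payload)

    # 1. A genuine packet from Bob is accepted by Charlie.
    accepted = charlie.verify(genuine) == payload

    # 2. A packet modified in flight (one payload bit flipped) is rejected.
    tampered = bytearray(bob.seal(b"second packet"))
    tampered[AuthOnlyLink.HDR_LEN] ^= 0x01
    tampered_rejected = charlie.verify(bytes(tampered)) is None

    # 3. Alice can copy Bob's addresses but cannot produce Bob's tag.
    forged_rejected = charlie.verify(alice.seal(payload)) is None

    # 4. Re-sending Bob's earlier genuine packet fails the counter check.
    replay_rejected = charlie.verify(genuine) is None

    # 5. The payload is readable by anyone who can see the packet.
    payload_visible = genuine[AuthOnlyLink.HDR_LEN : -AuthOnlyLink.TAG_LEN] == payload

    return {
        "accepted": accepted,
        "tampered_rejected": tampered_rejected,
        "forged_rejected": forged_rejected,
        "replay_rejected": replay_rejected,
        "payload_visible": payload_visible,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The counter is what answers Bruno's takeover concern: because every packet carries its own tag and a monotonically increasing counter, authenticating the handshake once is not the whole story; each data packet is authenticated on its own, and an on-path party who cannot derive the key can neither inject nor alter packets after the handshake. What the construction does not give, and what the thread's other replies insist on, is confidentiality: scenario 5 is the eavesdropping cost of leaving encryption out.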

* Re: [WireGuard] auth-only wireguard
  2016-10-06 19:27     ` Bruno Wolff III
@ 2016-10-06 20:43       ` Jason A. Donenfeld
  0 siblings, 0 replies; 10+ messages in thread
From: Jason A. Donenfeld @ 2016-10-06 20:43 UTC (permalink / raw)
  To: Bruno Wolff III; +Cc: WireGuard mailing list


Hi Bruno,

On Oct 6, 2016 9:29 PM, "Bruno Wolff III" <bruno@wolff.to> wrote:
> Someone able to watch and modify traffic can wait for authentication to
> occur and then take over the connection. So you don't know you are still
> communicating with the party that did the authentication. You need
> something protecting message integrity which is normally based on
> encryption, but I think there might be ways to do that with just hashing.

You're misunderstanding terminology, I think. Rather than polluting this
thread here, I'd be happy to explain to you on IRC -- I'm zx2c4 on freenode.

Jason


