WireGuard Archive on lore.kernel.org
* Wireguard Security Specification
@ 2018-08-14 14:01 Ivan Labáth
  0 siblings, 0 replies; only message in thread
From: Ivan Labáth @ 2018-08-14 14:01 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list


I have read the wireguard submission, read or skimmed most
of the website and whitepaper, but I have not found any
firm commitment on its high-level security characteristics.
It is good to know high-level characteristics when choosing
a solution to a problem. What does wireguard do, what does
it provide, under what assumptions and what are the limitations?

To illustrate, if evaluating from an infrastructure/sysadmin/
devops/whatever perspective, I would come up with:
Wireguard claims to be a fast <marketing> secure .. tunnel,
mentions a bunch of keywords, it's trendy, explains how
it has a good development methodology and someone proved
some aspect of it to be "secure". No disrespect intended.

It would be very helpful to know what secure tunnel
means in the context of what wireguard provides.

Assuming a wireguard connection A <-> B.
1) What can a passive observer see (or deduce)?
  - is it apparently a wireguard connection? -> yes?
  - packet
    - count -> yes?
    - size -> byte level?
    - timing -> ? no/hardware limit?
    - classification -> data vs. protocol, message type?
    - transported (inner) header/data bits -> 2?
  - other info
    e.g. host name/software/version/architecture/speed/..

2) What can an active attacker do?
  - malleability
    - transported header/data -> limited?
    - wg protocol packets -> ?
    - outer headers -> no protection
        IP source -> temporarily deflects traffic?
  - replay
  - spoofing

3) What does B learn about A? (e.g. if B is a service provider)
  - all listed in (1)
  - pubkey? should be random

Ivan Labáth
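As an added illustration for question (1), and not part of Ivan's message or of WireGuard's own code: this Python sketch reads only the cleartext outer header of WireGuard's four message types, following the published wire format, to show what a passive observer can learn with no key at all: the message type, the fixed sizes of the handshake-phase messages, the receiver index and nonce counter of transport messages, and the 16-byte padding bound on the inner packet length. The sample UDP payloads are constructed inline.

```python
import struct

# WireGuard outer message type: one byte followed by three reserved zero bytes.
MSG_TYPES = {1: "handshake-initiation", 2: "handshake-response",
             3: "cookie-reply", 4: "transport-data"}
# The three handshake-phase messages have fixed lengths (bytes).
FIXED_SIZES = {1: 148, 2: 92, 3: 64}
DATA_HEADER = 16   # type(4) + receiver index(4) + counter(8), all cleartext
AEAD_TAG = 16      # ChaCha20-Poly1305 tag appended to the encrypted inner packet


def observe(udp_payload: bytes) -> dict:
    """Return what a passive observer can read from one WireGuard UDP payload."""
    if len(udp_payload) < 4 or udp_payload[1:4] != b"\x00\x00\x00":
        return {"wireguard": False}
    mtype = udp_payload[0]
    if mtype in FIXED_SIZES:
        # Handshake traffic is recognisable by type byte and exact length.
        return {"wireguard": len(udp_payload) == FIXED_SIZES[mtype],
                "type": MSG_TYPES[mtype], "size": len(udp_payload)}
    if mtype == 4 and len(udp_payload) >= DATA_HEADER + AEAD_TAG:
        receiver, counter = struct.unpack_from("<IQ", udp_payload, 4)
        padded = len(udp_payload) - DATA_HEADER - AEAD_TAG
        # Inner packets are zero-padded to a multiple of 16 before encryption,
        # so the observer learns the true length only to within 15 bytes;
        # a padded length of 0 is a keepalive.
        return {"wireguard": True, "type": MSG_TYPES[4], "size": len(udp_payload),
                "receiver_index": receiver, "counter": counter,
                "inner_len_range": (max(padded - 15, 0), padded)}
    return {"wireguard": False}


# Constructed sample payloads (hypothetical values, not captured traffic).
INITIATION = b"\x01\x00\x00\x00" + b"\x00" * 144          # 148 bytes
DATA = struct.pack("<BxxxIQ", 4, 42, 7) + b"\x00" * (32 + AEAD_TAG)
KEEPALIVE = struct.pack("<BxxxIQ", 4, 42, 8) + b"\x00" * AEAD_TAG
NOT_WG = b"GET / HTTP/1.1"

if __name__ == "__main__":
    for pkt in (INITIATION, DATA, KEEPALIVE, NOT_WG):
        print(observe(pkt))
```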
