WireGuard Archive on lore.kernel.org
From: "Ivan Labáth" <labawi-wg@matrix-dream.net>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Deterministic Cryptographically Authenticated Network Signatures on Windows NLA
Date: Tue, 2 Jul 2019 20:47:53 +0000
Message-ID: <20190702204753.GA20367@matrix-dream.net> (raw)
In-Reply-To: <CAHmME9qoUtBVd2+Y_gqr63YWOA00DsPriOBh=N=c+WkeRXMqzQ@mail.gmail.com>

Hi Jason,

while the idea of Deterministic Cryptographically Authenticated
Network Signatures is commendable, what is the *purpose* of the
network signature in Windows?

On Fri, Jun 28, 2019 at 10:15:39PM +0200, Jason A. Donenfeld wrote:
> On Fri, Jun 28, 2019 at 6:33 PM zrm <zrm@trustiosity.com> wrote:
> > The drawback of this approach is that if anything in the configuration
> > changes at all, it becomes a different network. In theory that's the
> > idea, but in practice changes to the configuration will sometimes happen
> > that shouldn't change which network it is.
> 
> No, that's the entire point. If you change your network configuration
> -- which public keys (identities) are allowed to send what traffic,
> then this should not map to collided network signature. You're free to
> configure Windows to apply the same network profile and conditions to
> a variety of network signatures, of course.

What would the procedure be when tweaking/changing the configuration
of the interface? E.g. if a peer changes its key, an IP is added, removed,
renumbered, ... or some other trivial change is made. The more peers you
have, the more changes you have.

Using an id derived from either the local priv/pub key, the interface name,
both, or possibly a config item seems most reasonable to me.

IMO, if you reuse the same key for different networks, then you are
shooting yourself in the foot, so it is a sufficient identifier.
Add a short warning to the documentation if appropriate:
"Interface public key is used as the network identifier in Windows.
Its reuse will reuse settings of e.g. firewall."

Regards,
Ivan
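The trade-off debated in this thread (a signature derived from the whole peer
configuration, which changes whenever AllowedIPs or peer keys change, versus
an identifier derived only from the interface key, which is stable across peer
edits but collides if the key is reused) can be made concrete with a small
model. The following is an added example, not WireGuard's or the Windows
client's own code: the hash construction, the domain-separation prefixes and
the canonicalisation rules are assumptions chosen for illustration, and the
keys and addresses are constructed placeholders.

```python
import hashlib
import ipaddress

# Constructed sample data for this example: placeholder key strings,
# not real WireGuard Curve25519 keys, and private address ranges.
INTERFACE_PUBLIC_KEY = "IFACE-PUBKEY-PLACEHOLDER="
PEERS = [
    {"public_key": "PEER-A-PUBKEY-PLACEHOLDER=",
     "allowed_ips": ["10.0.0.2/32", "fd00::2/128"]},
    {"public_key": "PEER-B-PUBKEY-PLACEHOLDER=",
     "allowed_ips": ["10.0.0.3/32"]},
]


def canonical_config(interface_public_key, peers):
    """Serialize the identity-relevant part of the config in a canonical,
    order-independent form: peers sorted by key, AllowedIPs normalised and
    sorted, so that reordering alone never yields a different signature."""
    lines = ["interface=" + interface_public_key]
    for peer in sorted(peers, key=lambda p: p["public_key"]):
        nets = sorted(
            (ipaddress.ip_network(n, strict=True) for n in peer["allowed_ips"]),
            key=lambda n: (n.version, int(n.network_address), n.prefixlen),
        )
        lines.append("peer=%s allowed-ips=%s" % (
            peer["public_key"], ",".join(str(n) for n in nets)))
    return "\n".join(lines).encode("utf-8")


def signature_from_config(interface_public_key, peers):
    """Hypothetical full-config signature: any change to which keys may
    send which traffic changes the identifier (the behaviour Jason defends)."""
    return hashlib.sha256(b"example-wg-netsig/config\0"
                          + canonical_config(interface_public_key, peers)).hexdigest()


def signature_from_interface_key(interface_public_key):
    """Hypothetical key-only identifier (Ivan's suggestion): stable across
    peer edits, but identical on any network where the key is reused."""
    return hashlib.sha256(b"example-wg-netsig/key\0"
                          + interface_public_key.encode("utf-8")).hexdigest()


def with_added_allowed_ip(peers, peer_public_key, new_net):
    """Return a copy of peers with one AllowedIP added to the named peer."""
    out = []
    for p in peers:
        q = {"public_key": p["public_key"], "allowed_ips": list(p["allowed_ips"])}
        if q["public_key"] == peer_public_key:
            q["allowed_ips"].append(new_net)
        out.append(q)
    return out


def identifiers_changed(before, after):
    """before/after are (interface_public_key, peers) pairs; report which
    of the two candidate identifiers the edit would change."""
    key_b, peers_b = before
    key_a, peers_a = after
    return {
        "config_signature": signature_from_config(key_b, peers_b)
                            != signature_from_config(key_a, peers_a),
        "key_signature": signature_from_interface_key(key_b)
                         != signature_from_interface_key(key_a),
    }


if __name__ == "__main__":
    base = (INTERFACE_PUBLIC_KEY, PEERS)
    edited = with_added_allowed_ip(PEERS, "PEER-B-PUBKEY-PLACEHOLDER=", "10.0.0.4/32")
    print("add one AllowedIP:  ", identifiers_changed(base, (INTERFACE_PUBLIC_KEY, edited)))
    print("reorder peers only: ", identifiers_changed(base, (INTERFACE_PUBLIC_KEY, PEERS[::-1])))
    print("same key, no peers: ", identifiers_changed(base, (INTERFACE_PUBLIC_KEY, [])))
```

Adding a single AllowedIP flips the config-derived signature while the
key-only one stays put; reordering peers changes neither, which is why the
canonicalisation step matters for any config-derived scheme. The last case
shows the cost of the key-only approach that Ivan's proposed documentation
warning describes: a completely different peer set under the same interface
key maps to the same identifier, so Windows would apply the same profile
(firewall settings included) to both.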
