From: Matthias Urlichs <matthias@urlichs.de>
To: wireguard@lists.zx2c4.com
Subject: Re: Reflections on WireGuard Design Goals
Date: Fri, 10 Aug 2018 16:09:04 +0200 [thread overview]
Message-ID: <6dfa58da-c733-e08d-c4e4-7ddfd6511e71@urlichs.de> (raw)
In-Reply-To: <b66a15d1-c4f1-78a5-cf5a-4d2a4ca9ce54@pobox.com>
[-- Attachment #1.1: Type: text/plain, Size: 1363 bytes --]
On 10.08.2018 15:35, Brian Candler wrote:
> Whilst I appreciate that wireguard is symmetrical, a common use case
> is to have remote "clients" with a central "office". I'm thinking
> about a hook whereby the "office" side could request extra
> authentication when required - e.g. if it sees a connection from a
> wireguard public key which has been idle for more than a configurable
> amount of time, then it sends a challenge which requires (e.g.) a
> Yubikey to complete. I appreciate that it's not going to be
> straightforward, requiring the kernel module to talk to userland
> components at both ends.
It's reasonably easy to add that as a service on top of Wireguard, once
you have an authenticated connection. The office can easily talk to an
app on the mobile device when it notices a re-awakened stale connection
(triggered by a firewall logging rule, for instance), exchange whatever
crypto it requires, and only then allow packets other than those
required for authenticating to flow through the interface (another
simple firewall rule change).
Adding a feature like this to the WG kernel itself would not be any more
secure (and indeed add a significant amount of complexity which may
exhibit exploitable bugs). It would also unnecessarily enshrine a
particular 2FA scheme into wireguard.
--
-- Matthias Urlichs
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2018-08-10 13:58 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <mailman.1318.1533866648.2201.wireguard@lists.zx2c4.com>
2018-08-10 13:35 ` Reflections on WireGuard Design Goals Brian Candler
2018-08-10 14:09 ` Matthias Urlichs [this message]
2018-08-10 14:09 ` Kalin KOZHUHAROV
2018-08-10 14:42 ` Eisfunke
2018-08-10 14:47 ` Konstantin Ryabitsev
2018-08-10 15:03 ` Roman Mamedov
2018-08-10 16:03 ` Brian Candler
2018-08-10 16:38 ` Kalin KOZHUHAROV
2018-08-10 16:40 ` jungle Boogie
2018-08-10 17:12 ` Aaron Jones
2018-08-10 17:25 ` jungle Boogie
2018-08-10 20:15 ` em12345
2018-08-10 23:07 ` Reuben Martin
2018-08-11 19:18 ` Jason A. Donenfeld
2018-08-11 22:52 ` Luiz Angelo Daros de Luca
2018-08-12 0:15 ` Aaron Jones
2018-08-12 0:46 ` Jason A. Donenfeld
2018-08-12 1:07 ` Aaron Jones
2018-08-09 21:52 Jason A. Donenfeld
2018-08-10 15:19 ` nicolas prochazka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6dfa58da-c733-e08d-c4e4-7ddfd6511e71@urlichs.de \
--to=matthias@urlichs.de \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).