WireGuard Archive on lore.kernel.org
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: zrm <zrm@trustiosity.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Deterministic Cryptographically Authenticated Network Signatures on Windows NLA
Date: Fri, 28 Jun 2019 22:15:39 +0200
Message-ID: <CAHmME9qoUtBVd2+Y_gqr63YWOA00DsPriOBh=N=c+WkeRXMqzQ@mail.gmail.com> (raw)
In-Reply-To: <b24e4e96-8449-9286-0c33-a23418c079be@trustiosity.com>

On Fri, Jun 28, 2019 at 6:33 PM zrm <zrm@trustiosity.com> wrote:
> The drawback of this approach is that if anything in the configuration
> changes at all, it becomes a different network. In theory that's the
> idea, but in practice changes to the configuration will sometimes happen
> that shouldn't change which network it is.

No, that's the entire point. If you change your network configuration
-- which public keys (identities) are allowed to send what traffic --
then this should not map to a collided network signature. You're free to
configure Windows to apply the same network profile and conditions to
a variety of network signatures, of course.

> For example, if a peer suffers a key compromise then its key will have
> to change (and so thereby will the network GUID when calculated this
> way) but all of the firewall rules and things like that should remain as
> they are.

Remap the new signature to the same network profile as before, in that
case. In fact, remove the old signature from the trusted network
profile, since now ostensibly it's compromised, given your premise.

> It may help to add a config option

We generally don't add knobs when there are sane, secure, solid defaults.

> to allow the GUID for an interface to
> be manually assigned a specific value. That way it's possible to
> explicitly choose whether the configuration has changed in a way that
> should cause it to be treated as a different network or not.

Sounds like a "shoot yourself in the foot" situation.
WireGuard mailing list
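The exchange above turns on two ideas: a network signature that is a deterministic function of the interface's identity set (which public keys may send what traffic), and a separate mapping from signatures to Windows network profiles, so that a rotated key yields a new signature that the operator remaps to the old profile while the compromised signature is dropped. The following is an added illustration, not code from the thread and not WireGuard's actual NLA signature derivation (whose encoding is not shown on this page); the canonical JSON encoding, the `ProfileMap` class and the placeholder key strings are assumptions made here.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Hypothetical illustration, not WireGuard's own NLA signature code:
# the signature is SHA-256 over a canonical encoding of the interface's
# public key and each peer's public key plus the prefixes it may send from.
PeerTable = Dict[str, List[str]]  # peer public key -> allowed source prefixes


def canonical_config(interface_key: str, peers: PeerTable) -> bytes:
    """Encode a configuration so that equivalent configs encode identically.

    Peers and their allowed prefixes are sorted, so the order in which an
    operator wrote the config does not leak into the signature.
    """
    canon = {
        "interface": interface_key,
        "peers": [
            {"pubkey": pk, "allowed_ips": sorted(ips)}
            for pk, ips in sorted(peers.items())
        ],
    }
    return json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()


def network_signature(interface_key: str, peers: PeerTable) -> str:
    """Deterministic signature: same identities and permissions -> same value;
    any change to who may send what -> a different value."""
    return hashlib.sha256(canonical_config(interface_key, peers)).hexdigest()


class ProfileMap:
    """Maps network signatures to a profile name ("trusted" or "public" here).

    Many signatures may share one profile, which is how firewall rules survive
    a key rotation without the rotated network keeping its old identity.
    """

    DEFAULT = "public"  # unknown networks get the least-privileged profile

    def __init__(self) -> None:
        self._profiles: Dict[str, str] = {}

    def assign(self, signature: str, profile: str) -> None:
        self._profiles[signature] = profile

    def revoke(self, signature: str) -> None:
        self._profiles.pop(signature, None)

    def profile_for(self, signature: str) -> str:
        return self._profiles.get(signature, self.DEFAULT)


def rotate_peer_key(peers: PeerTable, old_key: str, new_key: str) -> PeerTable:
    """Replace a peer's public key, keeping its allowed prefixes."""
    rotated = dict(peers)
    rotated[new_key] = rotated.pop(old_key)
    return rotated


# Constructed sample data: placeholder strings stand in for real public keys.
INTERFACE_KEY = "IFACE_PUBKEY_PLACEHOLDER"
PEERS: PeerTable = {
    "PEER_A_PUBKEY_PLACEHOLDER": ["10.0.0.2/32"],
    "PEER_B_PUBKEY_PLACEHOLDER": ["10.0.0.3/32", "192.168.5.0/24"],
}


def key_rotation_scenario() -> Tuple[str, str, ProfileMap]:
    """Walk through the compromise case discussed in the thread."""
    profiles = ProfileMap()
    old_sig = network_signature(INTERFACE_KEY, PEERS)
    profiles.assign(old_sig, "trusted")

    # Peer B's key is compromised and replaced. The configuration now names a
    # different set of identities, so it is a different network by design.
    rotated = rotate_peer_key(
        PEERS, "PEER_B_PUBKEY_PLACEHOLDER", "PEER_B_NEW_PUBKEY_PLACEHOLDER"
    )
    new_sig = network_signature(INTERFACE_KEY, rotated)

    # Operator response: give the new signature the old profile, and drop the
    # old signature, whose trust premise no longer holds.
    profiles.assign(new_sig, "trusted")
    profiles.revoke(old_sig)
    return old_sig, new_sig, profiles


if __name__ == "__main__":
    old, new, pm = key_rotation_scenario()
    print("old signature:", old, "->", pm.profile_for(old))
    print("new signature:", new, "->", pm.profile_for(new))
```

The separation matters for the "shoot yourself in the foot" point: a config option that pins the signature would let a compromised identity keep being recognised as the trusted network, whereas keeping the signature honest and doing the remapping in the profile layer means the old identity falls back to the default profile the moment it is revoked.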

Thread overview: 5+ messages
2019-06-27 14:26 Jason A. Donenfeld
2019-06-28 16:25 ` zrm
2019-06-28 20:15   ` Jason A. Donenfeld [this message]
2019-07-02 20:47     ` Ivan Labáth
2019-07-03  5:42       ` Matthias Urlichs
