From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: vtol <vtol@gmx.net>
Cc: wireguard <wireguard@lists.zx2c4.com>
Subject: Re: WG interface to ipv4
Date: Sun, 6 May 2018 03:21:09 +0200
Message-ID: <CAHmME9r5cwdfDaHCbO50UhREG9z2zv39y+32YYwAYJEfsGDgVA@mail.gmail.com>
In-Reply-To: <493b3bdf-3cf0-5594-dd7e-4b9c8d84e74c@gmx.net>

On Sat, May 5, 2018 at 10:18 AM, ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> It would certainly instill more confidence in network security/control

Why? Can you outline the threat model?

As I mentioned earlier, to disable v6 socket creation, pass
ipv6.disable=1 on the kernel command line, or just unload the v6
module. If you're worried about the Linux v6 stack being a pile of
scary bugs, then you certainly want to be doing this already, and not
relying on simply disabling v6 routing within that network namespace,
which you're doing with the conf.default.disable_ipv6=1. In other
words, if you don't want v6 for reasons of attack surface, then you
should actually be disabling v6 properly.

> Which brings up the next point, I have asked previously twice about -
> wildcard ip 0.0.0.0 . How to bind WG to a particular iface/subnet, as
> another matter of network security?

Why is this a matter of network security? WireGuard will ignore
packets that don't have the correct authentication tag. If you're
receiving authentic packets, you're receiving authentic packets, and
the origin shouldn't matter, in terms of the packets' authenticity. In
other words, if an attacker has stolen a private key, this is the
problem to address. Anyway, regardless of this, if you want to filter
out packets coming from a certain interface, a certain subnet, or any
other characteristics, use netfilter and make these preferences
explicit in your rules, rather than the implicit details of listening
sockets.
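The two recommendations in the reply above, disabling v6 on the kernel command line rather than via the per-namespace sysctl, and expressing the "only this interface/subnet" preference as explicit netfilter rules instead of relying on where the socket listens, as an added example that is not part of the thread. The interface name eth0, the subnet 192.0.2.0/24 and the listen port 51820 are sample values; the function names are this example's own. The generated ruleset would be loaded with `nft -f` as root on a real host, which the script itself does not do.

```shell
#!/bin/sh
# Constructed example (not from the wireguard mailing-list thread).
# Part 1: emit an nftables ruleset that admits WireGuard's UDP listen port
# only from one interface and one source subnet, and drops the rest.
# Note that WireGuard already discards packets with a bad authentication
# tag; this rule just makes the preference explicit and keeps such
# packets out of the UDP socket entirely.
#
# Assumed arguments: <interface> <permitted source subnet> <wg listen port>
wg_nft_ruleset() {
    iface=$1; subnet=$2; port=$3
    cat <<EOF
table inet wg_filter {
    chain input {
        type filter hook input priority 0; policy accept;
        # accept WireGuard traffic only from the expected interface and subnet
        iifname "$iface" ip saddr $subnet udp dport $port accept
        # anything else aimed at the listen port is dropped before WireGuard sees it
        udp dport $port drop
    }
}
EOF
}

# Returns 0 when the ruleset text contains the explicit drop for the port.
ruleset_has_default_drop() {
    printf '%s\n' "$1" | grep -q "udp dport $2 drop"
}

# Part 2: check whether v6 was disabled the way the reply recommends,
# i.e. ipv6.disable=1 as a whole token on the kernel command line.
# On a live host call it as: ipv6_disabled_on_cmdline "$(cat /proc/cmdline)"
# A net.ipv6.conf.*.disable_ipv6=1 sysctl alone does NOT satisfy this check,
# because that only stops v6 addressing/routing while the v6 stack stays loaded.
ipv6_disabled_on_cmdline() {
    for tok in $1; do
        [ "$tok" = "ipv6.disable=1" ] && return 0
    done
    return 1
}

# Stand-alone demonstration with constructed inputs.
wg_nft_ruleset eth0 192.0.2.0/24 51820
if ipv6_disabled_on_cmdline "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ipv6.disable=1 quiet"; then
    echo "v6 stack disabled at boot: socket creation for v6 is not possible"
else
    echo "v6 stack still loaded: sysctl-only disabling leaves the attack surface in place"
fi
```

The ruleset keeps `policy accept` on the input chain so it only touches the WireGuard port; in a real deployment it would be merged into the host's existing firewall policy rather than loaded as a separate table.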

