WireGuard Archive on lore.kernel.org
* Are cookie-required handshakes at least REKEY_TIMEOUT long?
@ 2019-08-07 21:30 Reid Rankin
From: Reid Rankin @ 2019-08-07 21:30 UTC
  To: wireguard


Quick question: I've been looking at the code in
wg_cookie_message_consume() and wg_receive_handshake_packet(), and as far
as I can tell there's no mechanism that re-initiates a handshake after
receiving a cookie reply to a first handshake other than the REKEY_TIMEOUT
+ jitter timer.

Is this correct, and do, therefore, all handshakes involving cookies take
at least 5 seconds to complete?

Thanks,
Reid Rankin

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Are cookie-required handshakes at least REKEY_TIMEOUT long?
From: Jason A. Donenfeld @ 2019-08-25 15:47 UTC
  To: Reid Rankin; +Cc: WireGuard mailing list

Yes, to prevent certain types of DoS. Most packets only move around
the timer state machine, but don't actually result in a direct action.
Rather, a timer firing sometime later is what starts an action. In the
case of cookies, the cookie is used in the subsequent message. See
section 6.6 of https://www.wireguard.com/papers/wireguard.pdf
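The behaviour described in the reply above, as an added example that is not part of the thread or of WireGuard's source: a simplified C model in which the receive path only records state and the retransmit timer is the only thing that sends. The struct, the function names and the `rtt`/`jitter` parameters are hypothetical; 5000 ms is the 5 seconds from the question, and no packet loss is assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REKEY_TIMEOUT_MS 5000 /* the 5 seconds discussed in the thread */
enum pkt { PKT_COOKIE_REPLY, PKT_RESPONSE };
struct initiator {        /* hypothetical model state, not the kernel's structs */
    bool have_cookie, established;
    uint64_t retry_at;    /* deadline of the retransmit timer, in ms */
    unsigned sent;        /* initiations put on the wire */
};

/* The only transmit path. Returns true if the message carries a cookie MAC. */
static bool send_initiation(struct initiator *in, uint64_t now, uint64_t jitter) {
    in->sent++;
    in->retry_at = now + REKEY_TIMEOUT_MS + jitter;
    return in->have_cookie;
}

/* Receive path: records state only and never transmits. */
static void on_receive(struct initiator *in, enum pkt p) {
    if (p == PKT_COOKIE_REPLY) in->have_cookie = true;
    if (p == PKT_RESPONSE) in->established = true;
}

/* A responder under load demands a cookie before doing handshake work. */
static enum pkt responder(bool under_load, bool has_cookie) {
    return (under_load && !has_cookie) ? PKT_COOKIE_REPLY : PKT_RESPONSE;
}

/* Time (ms) at which the session is up; 0 if rtt >= REKEY_TIMEOUT_MS. */
uint64_t simulate(bool under_load, uint64_t rtt, uint64_t jitter, unsigned *sent) {
    struct initiator in = {0};
    uint64_t now = 0;
    if (rtt >= REKEY_TIMEOUT_MS) return 0;      /* outside the model's scope */
    while (!in.established) {
        enum pkt reply = responder(under_load, send_initiation(&in, now, jitter));
        now += rtt;                              /* reply arrives one RTT later */
        on_receive(&in, reply);
        if (!in.established) now = in.retry_at;  /* idle until the timer fires */
    }
    *sent = in.sent;
    return now;
}

int main(void) {
    unsigned n;
    uint64_t t = simulate(true, 40, 100, &n);
    printf("under load: up at %llu ms after %u initiations\n", (unsigned long long)t, n);
}
```

In this model a peer can cause at most one initiation per timer period no matter how many cookie replies arrive, which is the property the reply attributes to the timer-driven design.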
