wireguard.lists.zx2c4.com archive mirror
* Is udp data corruption over wireguard possible?
@ 2018-12-23  3:37 Matt Avery
From: Matt Avery @ 2018-12-23  3:37 UTC (permalink / raw)
  To: wireguard


It dawned on me today that if I write an application that sends udp
datagrams through the wireguard interface, corruption of the data
within the datagram is not possible even if I decide to zero out my
datagram checksums (assuming the datagram doesn't get intentionally
corrupted within the kernel.)

Is that assumption correct?

Thanks,
-Matt

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Is udp data corruption over wireguard possible?
From: David Anderson @ 2019-01-02 19:46 UTC (permalink / raw)
  To: Matt Avery; +Cc: WireGuard mailing list


It's not possible within the tunnel, but it's still possible anywhere else
in the path.

That said, you should never rely on the IP/TCP/UDP checksums at the
application layer. Most modern router ASICs unconditionally recalculate the
checksum right before transmission (to account for any packet mangling that
happened in the ASIC pipeline), so it's very common for routers with faulty
RAM or a faulty ASIC to corrupt a packet and then recalculate all the L3/L4
checksums to be "correct" before transmitting the broken packet.

If you need to verify traffic integrity, you need your own integrity check
at L7 - ideally bound to a cryptographic exchange so you can be certain
that it's an e2e integrity check that cannot be tampered with even by
"smart" proxies. Wireguard can provide you some "integrity by proxy" if
you're not routing traffic on either end of the tunnel, but that won't save
you in any other cases :)

- Dave

On Wed, Jan 2, 2019 at 11:37 AM Matt Avery <matthewaveryusa@gmail.com>
wrote:

> It dawned on me today that if I write an application that sends udp
> datagrams through the wireguard interface, corruption of the data
> within the datagram is not possible even if I decide to zero out my
> datagram checksums (assuming the datagram doesn't get intentionally
> corrupted within the kernel.)
>
> Is that assumption correct?
>
> Thanks,
> -Matt
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>

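Dave's point about a checksum that gets recomputed after the damage, versus a keyed check the router cannot regenerate, as an added example that is not from the thread or from the WireGuard project. It models a datagram as a 2-byte RFC 768 style checksum followed by the payload, uses a constructed pre-shared key, and omits the IP pseudo-header to keep the checksum short.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; in a real application it comes from a key exchange.
KEY = b"constructed-demo-key-shared-by-both-endpoints"
TAG_LEN = 32  # HMAC-SHA256 output size


def udp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as UDP does (pseudo-header omitted)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def frame(payload: bytes) -> bytes:
    return struct.pack("!H", udp_checksum(payload)) + payload


def checksum_detects(datagram: bytes) -> bool:
    (csum,) = struct.unpack("!H", datagram[:2])
    return udp_checksum(datagram[2:]) != csum


def corrupt_in_flight(datagram: bytes, offset: int) -> bytes:
    """Bit flip on the wire with nothing recomputed: the L4 checksum catches this."""
    payload = bytearray(datagram[2:])
    payload[offset] ^= 0x01
    return datagram[:2] + bytes(payload)


def faulty_router(datagram: bytes, offset: int) -> bytes:
    """Dave's failure mode: corrupt a byte, then recompute the checksum before transmit."""
    return frame(corrupt_in_flight(datagram, offset)[2:])


def seal(app_data: bytes) -> bytes:
    """L7 integrity: prepend a keyed tag the network cannot recompute."""
    return hmac.new(KEY, app_data, hashlib.sha256).digest() + app_data


def verify(payload: bytes):
    """Return the application data, or None if the keyed tag does not match."""
    tag, app_data = payload[:TAG_LEN], payload[TAG_LEN:]
    expected = hmac.new(KEY, app_data, hashlib.sha256).digest()
    return app_data if hmac.compare_digest(tag, expected) else None


def demo(app_data: bytes, i: int) -> dict:
    """Flip application byte i under three conditions and report what each check sees."""
    plain, sealed = frame(app_data), frame(seal(app_data))
    return {
        "wire_flip_caught_by_checksum": checksum_detects(corrupt_in_flight(plain, i)),
        "router_flip_caught_by_checksum": checksum_detects(faulty_router(plain, i)),
        "router_flip_caught_by_hmac": verify(faulty_router(sealed, TAG_LEN + i)[2:]) is None,
        "intact_sealed_verifies": verify(sealed[2:]) == app_data,
    }
```

Only the keyed tag survives the "corrupt then re-checksum" path; a WireGuard tunnel gives the same guarantee between its two endpoints but not on the hops outside it.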
