WireGuard Archive on lore.kernel.org
From: zrm <zrm@trustiosity.com>
To: wireguard@lists.zx2c4.com
Subject: Re: Deterministic Cryptographically Authenticated Network Signatures on Windows NLA
Date: Fri, 28 Jun 2019 12:25:51 -0400
Message-ID: <b24e4e96-8449-9286-0c33-a23418c079be@trustiosity.com> (raw)
In-Reply-To: <CAHmME9o2Hixoo_XawTGjHoVmuV5h=VxdfN+3i9Lyc_eRuA_60A@mail.gmail.com>

On 6/27/19 10:26, Jason A. Donenfeld wrote:
> So, now that we can control the GUID and hence the NetworkSignature,
> we have to decide what determines a network. It turns out that in
> WireGuard, we can do this with much higher cryptographic assurance
> than any of the crazy "authenticated dhcp" proposals of Microsoft.
> Specifically, we know our own interface public key, the public keys of
> everyone we're willing to talk to, and which IP addresses we'll accept
> from those peers. If that doesn't perfectly define a network, I don't
> know what else does.

The drawback of this approach is that if anything in the configuration 
changes at all, it becomes a different network. In theory that's the 
idea, but in practice changes to the configuration will sometimes happen 
that shouldn't change which network it is.

For example, if a peer suffers a key compromise then its key will have 
to change (and so thereby will the network GUID when calculated this 
way) but all of the firewall rules and things like that should remain as 
they are.

It may help to add a config option to allow the GUID for an interface to 
be manually assigned a specific value. That way it's possible to 
explicitly choose whether the configuration has changed in a way that 
should cause it to be treated as a different network or not.
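As an added illustration (not code from this thread or from the WireGuard project), the following Python sketch models the derivation Jason describes, with the network identity computed from the interface's own public key, the peers' public keys and their AllowedIPs, alongside the manual override zrm proposes. The serialisation format, the domain-separation tag, the use of SHA-256 truncated to 128 bits, the placeholder keys and the pinned GUID value are all assumptions made for this example; the page does not specify how the GUID is actually computed.

```python
import hashlib
import uuid
from typing import Dict, Iterable, Optional

# Constructed sample values: these are NOT real WireGuard keys, just
# placeholder strings standing in for base64-encoded public keys.
IFACE_PUBKEY = "IFACE_PUBKEY_PLACEHOLDER="
PEERS: Dict[str, Iterable[str]] = {
    "PEER_A_PUBKEY_PLACEHOLDER=": ["10.0.0.2/32"],
    "PEER_B_PUBKEY_PLACEHOLDER=": ["10.0.0.3/32", "192.168.50.0/24"],
}
# The same network after peer A rotated its key following a compromise.
PEERS_AFTER_ROTATION: Dict[str, Iterable[str]] = {
    "PEER_A_NEWKEY_PLACEHOLDER=": ["10.0.0.2/32"],
    "PEER_B_PUBKEY_PLACEHOLDER=": ["10.0.0.3/32", "192.168.50.0/24"],
}
# The same network again, with peers and AllowedIPs listed in another order.
PEERS_REORDERED: Dict[str, Iterable[str]] = {
    "PEER_B_PUBKEY_PLACEHOLDER=": ["192.168.50.0/24", "10.0.0.3/32"],
    "PEER_A_PUBKEY_PLACEHOLDER=": ["10.0.0.2/32"],
}

# Assumed domain-separation label so the hash cannot collide with other uses
# of the same key material.
DOMAIN_TAG = b"wg-nla-network-signature-v1\x00"


def canonical_network_description(interface_pubkey: str, peers: Dict[str, Iterable[str]]) -> bytes:
    """Serialise (own key, peer keys, AllowedIPs) in a canonical order.

    Sorting peers and their AllowedIPs means two configs that describe the
    same network but list entries differently produce the same bytes; the
    NUL separators and field prefixes keep values from running together.
    """
    parts = [DOMAIN_TAG, b"self:" + interface_pubkey.encode() + b"\x00"]
    for pubkey in sorted(peers):
        parts.append(b"peer:" + pubkey.encode() + b"\x00")
        for cidr in sorted(peers[pubkey]):
            parts.append(b"ip:" + cidr.encode() + b"\x00")
    return b"".join(parts)


def network_guid(interface_pubkey: str, peers: Dict[str, Iterable[str]],
                 override: Optional[str] = None) -> uuid.UUID:
    """Derive the network GUID from the configuration.

    `override` models the manual GUID option suggested in the reply: once
    the administrator pins a value, a configuration change such as a peer
    key rotation no longer moves the interface onto a "new" network.
    """
    if override is not None:
        return uuid.UUID(override)
    digest = hashlib.sha256(canonical_network_description(interface_pubkey, peers)).digest()
    # First 128 bits of the hash used directly as the GUID; no RFC 4122
    # version/variant bits are set, which is fine for an opaque identifier.
    return uuid.UUID(bytes=digest[:16])


PINNED_GUID = "0f3a2b1c-5d6e-4f70-8a9b-0c1d2e3f4a5b"  # constructed example value


def key_rotation_changes_guid() -> bool:
    """The drawback zrm points out: rotating one peer key yields a new network."""
    return network_guid(IFACE_PUBKEY, PEERS) != network_guid(IFACE_PUBKEY, PEERS_AFTER_ROTATION)


def ordering_is_irrelevant() -> bool:
    """Canonicalisation: listing order in the config must not change the GUID."""
    return network_guid(IFACE_PUBKEY, PEERS) == network_guid(IFACE_PUBKEY, PEERS_REORDERED)


def pinned_guid_survives_rotation() -> bool:
    """With the override set, the firewall profile stays attached to the same network."""
    before = network_guid(IFACE_PUBKEY, PEERS, override=PINNED_GUID)
    after = network_guid(IFACE_PUBKEY, PEERS_AFTER_ROTATION, override=PINNED_GUID)
    return before == after == uuid.UUID(PINNED_GUID)


if __name__ == "__main__":
    print("derived GUID:  ", network_guid(IFACE_PUBKEY, PEERS))
    print("after rotation:", network_guid(IFACE_PUBKEY, PEERS_AFTER_ROTATION))
    print("pinned:        ", network_guid(IFACE_PUBKEY, PEERS_AFTER_ROTATION, override=PINNED_GUID))
```

The sorting step matters for a deterministic scheme: without it, merely reordering `[Peer]` sections in the config would silently reassign the interface to a different NLA network and drop its firewall profile. The override is the escape hatch for intended changes, and an administrator who sets it takes on the job of deciding when a configuration change really is a new network.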
Thread overview: 5+ messages
2019-06-27 14:26 Jason A. Donenfeld
2019-06-28 16:25 ` zrm [this message]
2019-06-28 20:15   ` Jason A. Donenfeld
2019-07-02 20:47     ` Ivan Labáth
2019-07-03  5:42       ` Matthias Urlichs