WireGuard Archive on lore.kernel.org
 help / color / Atom feed
From: Vasili Pupkin <diggest@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>,
	WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"
Date: Thu, 5 Dec 2019 22:50:54 +0300
Message-ID: <db72ae85-4e68-1745-e11b-0fb81016358e@gmail.com> (raw)
In-Reply-To: <20191205191318.GA44156@zx2c4.com>

Isn't it enough to just enforce Strong Host Model, i.e. a host won't 
respond from it's IP that is not facing the interface. If a host is 
connected to two subnets 10.1.x.x and 10.2.x.x and have two IP 10.1.0.1 
and 10.2.0.1, it will just drop all the packets sent to 10.1.0.1 that 
came from the interface 10.2.0.1 and vice verse. This model can be 
emulated using the FIB lookup feature of NFT with this one liner:

nft add rule inet filter input fib daddr . iif type != { local, 
broadcast, multicast } drop

this also works for both IP4 and IP6. This mode can be safely enabled on 
most setups not breaking things. Enabling it is a good precaution 
measure anyway and it is a shame that it is not widely assumed as 
default and standard.

Doing the same with just iptables isn't easy and can't be accomplished 
with one liner but nft perfectly coexist with iptables.

On 05.12.2019 22:13, Jason A. Donenfeld wrote:
> Hey folks,
>
> William unembargoed his nice vuln this week: https://seclists.org/oss-sec/2019/q4/122
>
> It appears to affect basically most common unix network stacks. This
> isn't a WireGuard vulnerability, but rather something in the routing
> table code and/or TCP code on affected operating systems. However, it
> does affect us, since WireGuard exists on those affected OSes.
>
> Some might chalk it up to just a configuration error, dismissing it as,
> "well, if you configure your networking stack poorly, bad things will
> happen," but I don't really buy that: the network setups affected by
> this vulnerability are pretty much the norm everywhere.
>
> And it turns out that we actually are in the business of properly
> configuring people's networking stacks. Specifically, the tools we ship
> come with the little bash script, wg-quick(8), which is a popular way of
> automating some common tasks. We've started looking at kernel-level
> mitigations within the Linux networking stack, but before those are
> ready, I thought it would be prudent to put some first-level defenses
> into wg-quick(8) itself.
>
> For that reason, since November, wg-quick(8) has added a few iptables(8)
> rules. I really dislike having wg-quick(8) grow any sort of dependency
> on iptables(8) (and eventually on nftables(8)), but at the moment, I
> don't see a viable alternative. Suggestions are welcome. In particular,
> we're adding a rule that is something like:
>
>      iptables -t raw -I PREROUTING ! -i wg0 -d 10.182.12.8 -m addrtype ! --src-type LOCAL -j DROP
>
> where wg0 is the WireGuard interface and 10.182.12.8 is the local IP of
> the interface.
>
> This says to drop all packets that are sent to that IP address that
> aren't coming from the WireGuard interface. And it's done very early in
> Netfilter, in the "raw" table. The researchers have confirmed that this
> mitigates the issue.
>
> Adding iptables(8) into wg-quick(8) has been predictably problematic,
> and it'll probably be at least another snapshot until we get things
> bug-free on all the different variations of the utility that distros
> ship, but we'll get there. In the meantime, I'd certainly appreciate
> patches to do the same with nftables(8), as well as some fresh thoughts
> on how to accomplish this same thing _without_ the firewall. (In the
> process of writing this email, for example, I had an idea regarding
> ip-rule(8) that might work out, but I haven't tried yet.) We also have
> some non-Linux operating systems to consider.
>
>
> Feedback welcome.
>
> Regards,
> Jason
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

  reply index

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-05 19:13 Jason A. Donenfeld
2019-12-05 19:50 ` Vasili Pupkin [this message]
2019-12-05 20:24   ` Jason A. Donenfeld
2019-12-05 21:28     ` Vasili Pupkin
2019-12-06 15:18       ` Jason A. Donenfeld
2019-12-06 17:21         ` Vasili Pupkin
2019-12-07 20:51         ` Lonnie Abelbeck
2019-12-06 12:58     ` William J. Tolley
2019-12-06 15:06     ` Jordan Glover
2019-12-06 15:08       ` Jason A. Donenfeld
2019-12-06 16:03         ` Vasili Pupkin
2019-12-06 16:12           ` Jordan Glover
2019-12-06 17:06             ` Vasili Pupkin
2019-12-05 20:10 ` zrm

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=db72ae85-4e68-1745-e11b-0fb81016358e@gmail.com \
    --to=diggest@gmail.com \
    --cc=Jason@zx2c4.com \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

WireGuard Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.zx2c4.lists.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git