Re: [PATCH v1 0/3] WireGuard: Secure Network Tunnel

All of lore.kernel.org
 help / color / mirror / Atom feed

From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	davem@davemloft.net, linux-crypto@vger.kernel.org
Subject: Re: [PATCH v1 0/3] WireGuard: Secure Network Tunnel
Date: Mon, 13 Aug 2018 10:37:10 -0700	[thread overview]
Message-ID: <1534181830.7872.10.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAHmME9raa81A_hH_Zykp2r8zOk0ySroFEsk+8384vnVOCuSa=g@mail.gmail.com>

On Mon, 2018-08-13 at 10:02 -0700, Jason A. Donenfeld wrote:
> > Could we please build planning for this crypto failure day into
> > wireguard now rather than have to do it later?  It doesn't need to
> > be full cipher agility, it just needs to be the ability to handle
> > multiple protocol versions ... two should do it because that gives
> > a template to follow (and test version to try to find bugs in the
> > implementation). It looks like the protocol could simply be updated
> > to put the version into one (or more) of the three reserved bytes
> > in the handshake headers, so perhaps doing this before they get
> > used for something else would be a good first step?
> > 
> > James
> > 
> > 
> 
> Indeed the answer is in fact along the lines of what you've suggested
> in your question: the protocol is very strictly versioned. This means
> that while there intentionally isn't negotiation of ciphers --
> something historically very bug-prone -- there is ample room for
> updating the protocol. This is enabled via 4 aspects of the protocol:
> 
> - An explicit "identifier" string is hashed in as part of the first
> step of cryptographic operations, containing a "v1" as well as the
> protocol designer's email.
> - An explicit "construction" string is hashed in as part of the first
> step of cryptographic operations, containing the Noise handshake
> pattern and a list of the cryptographic primitives used.

Any hash involving other parameters allows you to check for a version
mismatch, but it's very hard for a flow classifier because you have to
do the hash at the point you classify.  If we're running concurrent
versions we need an easy way to separate them.

> - A type field at the beginning of each message. Newer message types
> (corresponding with newer versions) can easily be introduced via this
> field, and they can even coexist with older ones need be.
> - Three unused reserved fields ready to be utilised in the event
> they're needed.

Either of these will work for easy classification.

> In other words, there's ample room for such contingency measures
> within the protocol.

I have a preference for explicit versioning, having dealt with some
protocol issues before.  However, I'm much less concerned with *how*
it's done than that it *be* done in the kernel patch so we can test out
 rolling the version number to change the algorithms in a backward
compatible way, so lets pick one of the above and try it out.

Regards,

James

next prev parent reply	other threads:[~2018-08-13 17:37 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-31 19:10 [PATCH v1 0/3] WireGuard: Secure Network Tunnel Jason A. Donenfeld
2018-07-31 19:11 ` [PATCH v1 1/3] random: Make crng state queryable Jason A. Donenfeld
2018-08-02 21:35   ` Theodore Y. Ts'o
2018-07-31 19:11 ` [PATCH v1 2/3] zinc: Introduce minimal cryptography library Jason A. Donenfeld
2018-07-31 19:11 ` [PATCH v1 3/3] net: WireGuard secure network tunnel Jason A. Donenfeld
2018-07-31 20:02   ` Andrew Lunn
2018-07-31 20:22   ` Stephen Hemminger
2018-08-21 23:41     ` Jason A. Donenfeld
2018-08-21 23:54       ` David Miller
2018-08-21 23:59         ` Jason A. Donenfeld
2018-08-22  0:23           ` Andrew Lunn
2018-07-31 20:27   ` Stephen Hemminger
2018-08-03  0:35     ` Jason A. Donenfeld
2018-08-03 14:39       ` Andrew Lunn
2018-08-01  1:21   ` Shawn Landden
2018-08-13 15:40 ` [PATCH v1 0/3] WireGuard: Secure Network Tunnel James Bottomley
2018-08-13 15:53   ` Willy Tarreau
2018-08-13 17:02   ` Jason A. Donenfeld
2018-08-13 17:37     ` James Bottomley [this message]
2018-08-13 17:55       ` Jason A. Donenfeld
2018-08-13 18:04         ` James Bottomley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1534181830.7872.10.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=Jason@zx2c4.com \
    --cc=davem@davemloft.net \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.