From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
davem@davemloft.net, linux-crypto@vger.kernel.org
Subject: Re: [PATCH v1 0/3] WireGuard: Secure Network Tunnel
Date: Mon, 13 Aug 2018 10:37:10 -0700 [thread overview]
Message-ID: <1534181830.7872.10.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAHmME9raa81A_hH_Zykp2r8zOk0ySroFEsk+8384vnVOCuSa=g@mail.gmail.com>
On Mon, 2018-08-13 at 10:02 -0700, Jason A. Donenfeld wrote:
> > Could we please build planning for this crypto failure day into
> > wireguard now rather than have to do it later? It doesn't need to
> > be full cipher agility, it just needs to be the ability to handle
> > multiple protocol versions ... two should do it because that gives
> > a template to follow (and test version to try to find bugs in the
> > implementation). It looks like the protocol could simply be updated
> > to put the version into one (or more) of the three reserved bytes
> > in the handshake headers, so perhaps doing this before they get
> > used for something else would be a good first step?
> >
> > James
> >
> >
>
> Indeed the answer is in fact along the lines of what you've suggested
> in your question: the protocol is very strictly versioned. This means
> that while there intentionally isn't negotiation of ciphers --
> something historically very bug-prone -- there is ample room for
> updating the protocol. This is enabled via 4 aspects of the protocol:
>
> - An explicit "identifier" string is hashed in as part of the first
> step of cryptographic operations, containing a "v1" as well as the
> protocol designer's email.
> - An explicit "construction" string is hashed in as part of the first
> step of cryptographic operations, containing the Noise handshake
> pattern and a list of the cryptographic primitives used.
Any hash involving other parameters allows you to check for a version
mismatch, but it's very hard for a flow classifier because you have to
do the hash at the point you classify. If we're running concurrent
versions we need an easy way to separate them.
> - A type field at the beginning of each message. Newer message types
> (corresponding with newer versions) can easily be introduced via this
> field, and they can even coexist with older ones need be.
> - Three unused reserved fields ready to be utilised in the event
> they're needed.
Either of these will work for easy classification.
> In other words, there's ample room for such contingency measures
> within the protocol.
I have a preference for explicit versioning, having dealt with some
protocol issues before. However, I'm much less concerned with *how*
it's done than that it *be* done in the kernel patch so we can test out
rolling the version number to change the algorithms in a backward
compatible way, so lets pick one of the above and try it out.
Regards,
James
next prev parent reply other threads:[~2018-08-13 17:37 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-31 19:10 [PATCH v1 0/3] WireGuard: Secure Network Tunnel Jason A. Donenfeld
2018-07-31 19:11 ` [PATCH v1 1/3] random: Make crng state queryable Jason A. Donenfeld
2018-08-02 21:35 ` Theodore Y. Ts'o
2018-07-31 19:11 ` [PATCH v1 2/3] zinc: Introduce minimal cryptography library Jason A. Donenfeld
2018-07-31 19:11 ` [PATCH v1 3/3] net: WireGuard secure network tunnel Jason A. Donenfeld
2018-07-31 20:02 ` Andrew Lunn
2018-07-31 20:22 ` Stephen Hemminger
2018-08-21 23:41 ` Jason A. Donenfeld
2018-08-21 23:54 ` David Miller
2018-08-21 23:59 ` Jason A. Donenfeld
2018-08-22 0:23 ` Andrew Lunn
2018-07-31 20:27 ` Stephen Hemminger
2018-08-03 0:35 ` Jason A. Donenfeld
2018-08-03 14:39 ` Andrew Lunn
2018-08-01 1:21 ` Shawn Landden
2018-08-13 15:40 ` [PATCH v1 0/3] WireGuard: Secure Network Tunnel James Bottomley
2018-08-13 15:53 ` Willy Tarreau
2018-08-13 17:02 ` Jason A. Donenfeld
2018-08-13 17:37 ` James Bottomley [this message]
2018-08-13 17:55 ` Jason A. Donenfeld
2018-08-13 18:04 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1534181830.7872.10.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=Jason@zx2c4.com \
--cc=davem@davemloft.net \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).