[WireGuard] auth-only wireguard

Jehan Tremback jehan at altheamesh.com
Thu Oct 6 18:34:18 CEST 2016


Let me be more specific about my application. I'm trying to create a
system where routers in a "mesh" network (mixed ad-hoc wifi and
ethernet) pay their neighbors, or are paid by their neighbors for
bandwidth. To make this happen, I've got to be able to identify traffic
from specific neighbors with something less spoofable than MAC
addresses. Creating tunnels between neighbors fits the bill for now, and
gives me a good handle to apply traffic shaping to different neighbors.
The encapsulating tunnel packet will have the source IP address of the
previous hop neighbor, and will be sent to the next hop neighbor, and
can be prioritized. Authentication keeps anyone from spoofing addresses
and stealing bandwidth.

Anyway, I'm experimenting with fastd right now, and it's working, but
WireGuard seems like a very nicely designed and executed piece of
software so I thought I'd ask. I understand that WireGuard is designed
to be very focused on a traditional VPN server use case, so more
configurability may not be something you want to support.

> Without encryption your authentication won't be useful against attackers
> that can modify packets or insert packets with the source address of your
> contact.

Isn't this exactly what authentication prevents? If the signature does
not match the sender and the packet content, it will fail authentication
by definition, at least by any definition of authentication that I am
familiar with.

-Jehan

-- 
  Jehan Tremback
  jehan at altheamesh.com

On Thu, Oct 6, 2016, at 08:03 AM, Bruno Wolff III wrote:
> On Wed, Oct 05, 2016 at 19:12:57 -0700,
>   Jehan Tremback <jehan at altheamesh.com> wrote:
> >Are there any plans, or would you even consider, adding an option to
> >WireGuard to disable encryption, and only authenticate packets? I'm
> >assuming that an authentication-only mode would be significantly faster
> >(maybe I'm wrong though). My use-case only needs auth, so if I were to
> >use WireGuard, the encryption would be redundant.
> 
> That would depend on how fast your internet connection is and how much
> CPU power you have. I suspect in many cases the extra latency is negligible
> and it would be rare for encryption to be limiting bandwidth.
>
> Without encryption your authentication won't be useful against attackers
> that can modify packets or insert packets with the source address of your
> contact.
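
The per-neighbor packet authentication discussed in this message, as an added example that is not part of the original thread and is not WireGuard or fastd code. The header layout, tag length, and the `NeighborLink` class are assumptions made for illustration; it shows that a MAC over header and payload rejects modified, forged and replayed packets while the payload itself stays readable on the wire.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                 # truncated HMAC-SHA256 tag (assumed size)
HDR = struct.Struct("!IQ")   # hypothetical header: neighbor id, packet counter

class NeighborLink:
    """One authenticate-only tunnel endpoint for a single neighbor."""

    def __init__(self, neighbor_id: int, key: bytes):
        self.neighbor_id, self.key = neighbor_id, key
        self.send_counter = 0      # next counter to send
        self.highest_seen = -1     # highest counter accepted so far
        self.bytes_accounted = 0   # payload bytes billed to this neighbor

    def _tag(self, header: bytes, payload: bytes) -> bytes:
        mac = hmac.new(self.key, header + payload, hashlib.sha256)
        return mac.digest()[:TAG_LEN]

    def seal(self, payload: bytes) -> bytes:
        header = HDR.pack(self.neighbor_id, self.send_counter)
        self.send_counter += 1
        return header + payload + self._tag(header, payload)  # payload in clear

    def open(self, packet: bytes):
        """Return the payload if the packet verifies, else None."""
        if len(packet) < HDR.size + TAG_LEN:
            return None
        header = packet[:HDR.size]
        payload, tag = packet[HDR.size:-TAG_LEN], packet[-TAG_LEN:]
        neighbor_id, counter = HDR.unpack(header)
        if neighbor_id != self.neighbor_id:
            return None
        if not hmac.compare_digest(tag, self._tag(header, payload)):
            return None            # modified or forged
        if counter <= self.highest_seen:
            return None            # replayed (strict ordering, a simplification)
        self.highest_seen = counter
        self.bytes_accounted += len(payload)
        return payload

if __name__ == "__main__":
    key = bytes(range(32))         # constructed demo key
    tx, rx = NeighborLink(7, key), NeighborLink(7, key)
    pkt = tx.seal(b"constructed payload")
    print(rx.open(pkt), rx.open(pkt), rx.bytes_accounted)
```

The strict counter check drops reordered packets as well as replays; a real tunnel would use a sliding window instead.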

