[WireGuard] auth-only wireguard

Jehan Tremback jehan at altheamesh.com
Thu Oct 6 21:34:10 CEST 2016


> And encryption keeps various neighbors traffic hidden from passive
> eavesdroppers. Do your customers a service; encrypt their traffic
> wherever possible.

> So... now everybody can spy on each other's traffic instead of
> also spoofing it. That doesn't seem like a huge improvement to me.

Just to elaborate on why I don't want encryption for the specific tunnel
I describe: This is to be used between physical neighbors, to prevent
spoofing IP addresses to steal bandwidth. For example, let's say that
Alice and Bob are both connected to Charlie. Charlie has a connection to
the internet, and has made a contract with Bob to sell him a certain
amount of data (or a certain connection duration at a specified
bandwidth). Without authentication, Alice could spoof Bob's IP or MAC
address to use up his quota, or his bandwidth. This authentication is
happening at every hop, so it would be good to keep the overhead down.

There is typically another tunnel used on mesh networks, between exit
servers (which perform NAT and deal with legal complaints) and the end
user nodes. This would be encrypted, and I believe this is what the
network in Germany is looking at WireGuard for. Having two layers of
encryption within the network, in addition to whatever e2e the user may
be using, seems excessive.

Also, Bob doesn't necessarily trust Charlie. He is just providing a
service. Encryption between Bob and Charlie provides little benefit. The
NSA could join the mesh group, set up a cheaper uplink, get Bob to buy
some bandwidth, and see Bob's packets that way. The encryption is
provided by the tunnel to the exit server, and more importantly, the
user's e2e.

-- 
  Jehan Tremback
  jehan at altheamesh.com

On Thu, Oct 6, 2016, at 10:42 AM, Alex Xu wrote:
> On Thu, 06 Oct 2016 09:34:18 -0700
> Jehan Tremback <jehan at altheamesh.com> wrote:
> 
> > Let me be more specific about my application. I'm trying to create a
> > system where routers in a "mesh" network (mixed ad-hoc wifi and
> > ethernet) pay their neighbors, or are paid by their neighbors for
> > bandwidth. To make this happen, I've got to be able to identify
> > traffic from specific neighbors with something less spoofable than MAC
> > addresses. Creating tunnels between neighbors fits the bill for now,
> > and gives me a good handle to apply traffic shaping to different
> > neighbors. The encapsulating tunnel packet will have the source IP
> > address of the previous hop neighbor, and will be sent to the next
> > hop neighbor, and can be prioritized . Authentication keeps anyone
> > from spoofing addresses and stealing bandwidth.
> 
> So... now everybody can spy on each other's traffic instead of
> also spoofing it. That doesn't seem like a huge improvement to me.
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/wireguard
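To make the per-hop accounting described in this thread concrete, here is an added example (not WireGuard's protocol and not code from anyone on the list): a toy auth-only encapsulation in which a router in Charlie's position charges bytes to whichever neighbor key verifies the tag, so Alice cannot bill traffic to Bob by copying his address, while the payload stays readable to anyone on the link, which is the point Alex raises. Keys, addresses, quotas and the header layout are all constructed for the example.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 tag appended to every encapsulated packet


def seal(key, src_ip, payload):
    """Auth-only encapsulation (constructed toy format, not WireGuard's wire format):
    1-byte address length, cleartext source address, cleartext payload, then the tag."""
    header = src_ip.encode()
    msg = bytes([len(header)]) + header + payload
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


class Router:
    """The 'Charlie' role: verifies each neighbor's tag and charges bytes to that key."""
    def __init__(self):
        self.neighbors = {}  # ip -> {"key": shared key, "quota": bytes bought, "used": bytes spent}

    def add_neighbor(self, ip, key, quota_bytes):
        self.neighbors[ip] = {"key": key, "quota": quota_bytes, "used": 0}

    def receive(self, pkt):
        msg, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        hlen = msg[0]
        src_ip, payload = msg[1:1 + hlen].decode(), msg[1 + hlen:]
        n = self.neighbors.get(src_ip)
        # A claimed address only counts if the holder of that neighbor's key produced the tag.
        if n is None or not hmac.compare_digest(
                hmac.new(n["key"], msg, hashlib.sha256).digest(), tag):
            return "dropped"
        if n["used"] + len(payload) > n["quota"]:
            return "over_quota"
        n["used"] += len(payload)
        return "forwarded"


def demo():
    charlie = Router()
    bob_key, alice_key = b"bob-key-constructed", b"alice-key-constructed"
    charlie.add_neighbor("10.0.0.2", bob_key, quota_bytes=100)  # Bob bought 100 bytes
    charlie.add_neighbor("10.0.0.3", alice_key, quota_bytes=100)
    legit = seal(bob_key, "10.0.0.2", b"GET / HTTP/1.1")
    spoof = seal(alice_key, "10.0.0.2", b"X" * 60)  # Alice claims Bob's address, own key
    return {
        "legit": charlie.receive(legit),
        "spoof": charlie.receive(spoof),
        "bob_used": charlie.neighbors["10.0.0.2"]["used"],
        "bob_next_90": charlie.receive(seal(bob_key, "10.0.0.2", b"Y" * 90)),
        # No confidentiality: anyone on the link reads the payload straight from the packet.
        "cleartext_visible": b"GET / HTTP/1.1" in legit,
    }
```

The toy format has no replay protection or key exchange; it only isolates the one property the thread argues about, that bytes are billed to a verified key rather than to a copyable address.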

