Rolling keys without service interuption
Aaron Jones
aaronmdjones at gmail.com
Sat Dec 2 06:10:31 CET 2017
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 02/12/17 02:45, Ferris Ellis wrote:
> I was wondering if WireGuard supported dynamically updating /
> rolling keys for connections? In many operations security models
> credentials are short lived and rotated regularly so that the
> consequences of any compromise can be minimized. One problem,
> however, with this is that rolling credentials often causes a
> service interrupt for the connection being rolling. Does WireGuard
> have a way to do this currently?
>
> I wanted to ask the mailing list about this both for my own
> knowledge and for public documentation. Though, I presume the
> answer is no as WireGuard uses the keys as identity primitives for
> connections (which I think is the most honest means of relating
> identity to authorization) and thus “rolling” them makes no sense.
As far as I understand it, you can dynamically add a new peer to the
interface with wg(8) with the same configuration (including Allowed
IPs and Endpoint) and then remove the old peer. If you are running
reliable protocols on top (e.g. TCP) their retransmit logic will
establish a new session with the 'new' peer for you.
Regards,
Aaron Jones
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJaIjXEAAoJEIrwc3SIqzAS2yUP/273JhlzYzJREMVzvNyfx2cj
sNImcmTFQhFB8SaSxM7u5yY9FtOSgvEyx+jFBhywVOEQfMFXwCtZL6XIXgLsoaM+
GN2NpY+2I95JYOFO6SF0jm4jy3dj0UAZMRctNuM2nasH31jI+E6VDwPcxGsg2o6g
2Am7ykHXETOZBRG9ZXeQiHiQ9ai3RMbrhP2yiApwzoZg3VsookDN+GEJ/K+ZVxaP
n0r9KbvOOn4rEnQSB+GSADl2uihaJu/ziiSMSlbsbkjS5yoBhI8v3GQvpWGCsdu9
hXOR+pmefDsHmurDpBniPWn9epX4aMnOLxzni7WPc3OlgHQg3ZhmvHjW4FrCjX+n
NDfmcbOxvlcMBhPfoLMk8KJMiWZ2k1yGT4yFYynS99NQ7cFcmQhetAKFochz92OX
AJT/bH7ExqQtxYhK1YR+rhw9HhzyhykQC70B1Kp2F9uVBjdKERHM1saavLxBAjlt
U297jzwqxlVji5h2sWHaflPTSnTyx49jSp3ZCPeJ3N57zHzhOmuuyf76CfoE4do+
/RzUhP96JwWIM6Q4HR/MY7UWHHKvt9GW3M+AwTIRovpL0OFPfuOotXc9fW7F25D2
gdWJSOxza7d31YgU7XnkVdHeY6T+uQrx77yjAnmSTcVPIiQlBzBNXE/jTAFA2uEG
Mj71hyihwWkfWOVREg7M
=naHE
-----END PGP SIGNATURE-----
More information about the WireGuard
mailing list