allowed_ips move semantics?

Ivan Labáth labawi-wg at matrix-dream.net
Thu May 18 10:02:13 CEST 2017


Hi,

I was asking, because I think automatically
moving allowed_ips is prone to cause more
trouble than the small savings of one or few
commands, both via IPC and the wg tool. I would
suggest having an error semantics instead.


I believe there are two cases where moving
ranges is relevant:

1) You know the range is a duplicate, in which
case it shouldn't be that hard to remove it
from the relevant peer first.
If it is hard, then it is a good area
of improvement.

2) You don't know the range is a duplicate,
in which case you have probably made a mistake.
One which you might not notice until you see
something is broken, so an error instead would
be welcome.


Semantics of (permanently) moving a range
from another peer is not obvious unless you
know it or actually consider the effects.

IMO it is a bad default. It will cause pains
to fat-fingered sysadmins, it is prone to
race conditions and even more importantly
if in API, it will lead to development of
slightly broken tools.


Case in point:

The wg tool itself (0.0.20170517) will happily
accept this configuration

[Interface]
ListenPort = 51820
PrivateKey = NNNNooootttt++rrreeeaaalll+++kkkkkeeeeyyyy0=

[Peer]
PublicKey = 5c/Fuf2V7tgcxNRfMvuyCsZ+/5xXZm1pxewmvpY0n1k=
AllowedIPs = 172.16.0.1/32

[Peer]
PublicKey = 6yztQEsu3vCsKz3WrCgqXfTjizHAtTylqAQzrTwjIA0=
AllowedIPs = 172.16.0.1/32

After load, the first peer will have no allowed ips,
which was probably not intended and in large configurations
it would be easy to miss.


Example of prior art:

# ip route add 172.16.0.1/32 dev lo
# ip route add 172.16.0.1/32 dev wg0
RTNETLINK answers: File exists


I would suggest changing allowed_ips moves to be errors,
and possibly improving the wg tool to make removing unwanted
allowed_ips easier. Perhaps something ip route add/delete style
would be appropriate.

Regards,
Ivan


On Wed, May 17, 2017 at 03:47:51PM +0200, Jason A. Donenfeld wrote:
> Hi Ivan,
> 
> On Tue, May 16, 2017 at 5:42 PM, Ivan Labáth <labawi-wg at matrix-dream.net> wrote:
> > does changing one peer affect settings of another
> > peer if they have common allowed_ips?
> 
> Great question. I've improved the documentation to note this. The
> answer is that: if you have a 100% identical allowed_ips entry in a
> first peer and in a second peer, the entry moves from the first to the
> second.
> 
> Jason
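
A duplicate-AllowedIPs lint, added here to illustrate the error semantics argued for in the message above; it is not part of the message or of the wg tool, and the parser and function names are this example's own. It parses the [Peer] sections of a wg-style config, normalizes each AllowedIPs entry (a bare address is assumed to mean a single-host prefix and host bits are assumed to be masked, which is how wg reads the entry), and reports any prefix listed identically under more than one peer, so the configuration quoted in the message is rejected before `wg setconf` silently moves the entry to the later peer. Overlapping but non-identical prefixes are not flagged, because only 100% identical entries move.

```python
#!/usr/bin/env python3
"""Reject wg-style configs whose AllowedIPs entries are listed under more
than one [Peer]: an error, instead of wg's silent move to the later peer."""
import ipaddress
import sys
from collections import defaultdict


def parse_peers(text):
    """Minimal parser for the wg(8) config subset used here.

    Returns a list of dicts {'PublicKey': str|None, 'AllowedIPs': set} in
    file order. Section and key names are matched case-insensitively and
    '#' comments are stripped; anything outside a [Peer] section is skipped.
    """
    peers = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].strip().lower() == "peer":
                current = {"PublicKey": None, "AllowedIPs": set()}
                peers.append(current)
            else:
                current = None
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = (s.strip() for s in line.partition("="))
        if current is None:
            continue
        if key.lower() == "publickey":
            current["PublicKey"] = value
        elif key.lower() == "allowedips":
            for token in value.split(","):
                token = token.strip()
                if token:
                    # Assumption: a bare address means a single-host prefix and
                    # host bits are masked, matching how wg reads the entry.
                    current["AllowedIPs"].add(
                        ipaddress.ip_network(token, strict=False))
    return peers


def find_duplicate_allowed_ips(text):
    """Map each prefix that appears under more than one peer to the public
    keys (or a positional placeholder) of the peers that claim it."""
    owners = defaultdict(list)
    for index, peer in enumerate(parse_peers(text), start=1):
        name = peer["PublicKey"] or f"<peer #{index}>"
        for net in sorted(peer["AllowedIPs"], key=str):
            owners[net].append(name)
    return {str(net): names for net, names in owners.items() if len(names) > 1}


# Constructed sample: the configuration quoted in the message above.
SAMPLE_CONFIG = """\
[Interface]
ListenPort = 51820
PrivateKey = NNNNooootttt++rrreeeaaalll+++kkkkkeeeeyyyy0=

[Peer]
PublicKey = 5c/Fuf2V7tgcxNRfMvuyCsZ+/5xXZm1pxewmvpY0n1k=
AllowedIPs = 172.16.0.1/32

[Peer]
PublicKey = 6yztQEsu3vCsKz3WrCgqXfTjizHAtTylqAQzrTwjIA0=
AllowedIPs = 172.16.0.1/32
"""


def main(argv):
    # Lint the file named on the command line, or the embedded sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    dups = find_duplicate_allowed_ips(text)
    for prefix, names in dups.items():
        print(f"error: {prefix} listed under {len(names)} peers: "
              + ", ".join(names))
    return 1 if dups else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 wg-lint.py wg0.conf` before `wg setconf`; a non-zero exit means some prefix would be moved rather than added. Keeping the check outside wg mirrors the `ip route add` behaviour quoted above: the duplicate is surfaced as an error at the point where the operator can still fix the file.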


More information about the WireGuard mailing list