WG interface to ipv4
Jason A. Donenfeld
Jason at zx2c4.com
Sun May 6 03:21:09 CEST 2018
On Sat, May 5, 2018 at 10:18 AM, ѽ҉ᶬḳ℠ <vtol at gmx.net> wrote:
> It would certainly instill more confidence in network security/control
Why? Can you outline the threat model?
As I mentioned earlier, to disable v6 socket creation, pass
ipv6.disable=1 on the kernel command line, or just unload the v6
module. If you're worried about the Linux v6 stack being a pile of
scary bugs, then you certainly want to be doing this already, and not
relying on simply disabling v6 routing within that network namespace,
which you're doing with the conf.default.disable_ipv6=1. In other
words, if you don't want v6 for reasons of attack surface, then you
should actually be disabling v6 properly.
> Which brings up the next point, I have asked previously twice about -
> wildcard ip 0.0.0.0 . How to bind WG to a particular iface/subnet, as a
> another matter of network security?
Why is this a matter of network security? WireGuard will ignore
packets that don't have the correct authentication tag. If you're
receiving authentic packets, you're receiving authentic packets, and
the origin shouldn't matter, in terms of the packets' authenticity. In
other words, if an attacker has stolen a private key, this is the
problem to address. Anyway, regardless of this, if you want to filter
out packets coming from a certain interface, a certain subnet, or any
other characteristics, use netfilter and make these preferences
explicit in your rules, rather than the implicit details of listening
sockets.
More information about the WireGuard
mailing list