WG interface to ipv4

ѽ҉ᶬḳ℠ vtol at gmx.net
Sun May 6 18:33:09 CEST 2018

> SSH is different for two reasons: It runs over TCP, and it runs in
> userspace.
> Because it runs over TCP, it will react to unauthenticated packets,
> perform a handshake and exchange quite a bit of traffic before its gets
> to the point where it can authenticate its peer. Wireguard does not
> exhibit this behaviour: Instead, every data packet is authenticated
> individually, and if it doesn't match it is simply dropped. So an
> attacker that doesn't know the private key can't even discover that a
> host is running wireguard.
> Secondly, because SSH runs in userspace, a lot of the processing (such
> as the TCP handshake) is done by the kernel on the application's behalf.
> So the only way the application has of telling the kernel not to do
> this, is by setting the listen address. Wireguard lives directly in the
> kernel and so can perform the authentication directly after receiving
> the packet, without suffering a context switch to userspace.

Thanks for the expansive discourse.

> The first reason is obviously more important than the second one. Either
> way, the decision about whether to add a configuration knob is a
> tradeoff; where any possible security gains have to be weighed against
> the added complexity (which includes maintaining the extra code, the
> risk of misconfiguration, and the cognitive load on the user who has to
> deal with more options). Wireguard, in general, tries very hard to avoid
> configuration knobs that are not absolutely necessary; and since in this
> case the security gains are lower than in many other cases (to the point
> where they are mostly theoretical), this decision does make sense :)
> -Toke

Depends perhaps a bit of what the (long term) aim/goal of the WG is - 
whether to be a niche product for enthusiasts (only guessing here that 
this is the current state) or to make it into the 
mainstream/corporate/commercial arena. I doubt that server 
administrators will take to it with no control over WG's socket/iface 
exposure. Probably time will tell and/or I am wrong with that 
perspective already.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4174 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20180506/584153d1/attachment.p7s>

More information about the WireGuard mailing list