WG interface to ipv4

ѽ҉ᶬḳ℠ vtol at gmx.net
Sun May 6 21:39:19 CEST 2018


> Several people described to you that there is no exposure as every invalid
> packet will be silently dropped and you still insist there is a flaw in WG
> which will hurt its adoption.

Perhaps a bit of misunderstanding here. Nowhere did I state that WG in 
particular has a flaw, but that it exposes potential attack surfaces 
unnecessarily.

Having searched the net for WireGuard vetting/(security) audit/scrutiny 
I came up empty. Thus, so far, any statement on WG security seems to 
stem from the horse's mouth (no pun intended, just the old saying).

With a threat model that considers every piece of software flawed in 
mind, and with whatever CVE gets unearthed being a case in point, it 
should be of little surprise that the question of mitigating surface 
exposure is raised. Once WG gains traction beyond a niche app it is 
likely to be subjected to malicious attacks with increased frequency.

I am having trouble seeing a server admin being happy with WG spawning 
all over the network (0.0.0.0) and not being able to constrain the 
IPv4/6 sockets. But again, that is just my opinion, whilst you may have 
sampled some to the contrary from server/system admins.

I truly understand and appreciate simplicity and ease of use, but 
without options to fine-tune some (security) aspects of the app, ones 
which don't need to be exposed in the default setup, it may fall short 
for certain deployment markets/adoption. Yet the latter should not be 
my concern.

This thread started as a how-to question, and perhaps my end turned it 
more into a suggestion, but I am far from asking for it. As stated 
earlier, everyone is at liberty to deploy either this app or another, 
whatever suits. It seems moot to ride this subject any further.

> For constructive discussion I propose this:
> present us PoC which will show that listening on 0.0.0.0 and ::1 can be
> exploited with WG and binding it exclusively to x.x.x.x will help to mitigate
> it.

It would not be within my capacity to produce such a PoC. But then not 
every potential WG user (system/server admin) will be able to either. 
Will that stop them from wanting to be in control of sockets/binds?

> At least try to describe such scenario. That would move this discussion
> forward and may even lead to WG code improvements.
>
> Jordan

Any sort of attack inside a corporate LAN, probably brute force or 
cipher cracking/padding attempts, with zero knowledge of the network 
layout, since WG is offering on the wildcard and IPv4/IPv6 sockets with 
no limit on unsuccessful connection attempts (unless I missed that). All 
it needs is a compromised machine in the LAN with malicious code incl. a 
suitable UDP port scanner/probe.
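The "silently dropped" behaviour Jordan refers to, and the LAN probe scenario sketched at the end of the message, as an added example written for this page (it is neither WireGuard's own code nor anything posted in the thread). It reimplements from the WireGuard whitepaper the cheap checks a responder runs on every datagram before doing any expensive work: the fixed message type/length framing and the mac1 check, where mac1 = MAC(HASH("mac1----" || responder_pubkey), bytes preceding mac1) with HASH = BLAKE2s-256 and MAC = keyed BLAKE2s-128. The 32-byte responder public key is a constructed placeholder, the function names are the example's own, and transport-session lookup and the cookie/mac2 mechanism are not modelled.

```python
"""Illustrative receive-side filter for WireGuard handshake packets.

Added example, not WireGuard's own code.  A datagram that fails any of
these checks is dropped with no reply of any kind, so a scanner that does
not know the responder's public key never gets a byte back.
"""
import hashlib
import hmac
import os

MSG_INITIATION = 1
MSG_RESPONSE = 2
MSG_COOKIE_REPLY = 3
MSG_TRANSPORT = 4

# Fixed on-the-wire sizes of the handshake messages, in bytes.
FIXED_SIZES = {MSG_INITIATION: 148, MSG_RESPONSE: 92, MSG_COOKIE_REPLY: 64}
# type+reserved(4) + receiver index(4) + counter(8) + AEAD tag of empty packet(16)
MIN_TRANSPORT_SIZE = 32
LABEL_MAC1 = b"mac1----"


def blake2s(*parts, key=b"", digest_size=32):
    h = hashlib.blake2s(key=key, digest_size=digest_size)
    for p in parts:
        h.update(p)
    return h.digest()


def mac1_key(responder_pubkey):
    """The mac1 key is HASH(label || responder's static public key)."""
    return blake2s(LABEL_MAC1, responder_pubkey)


def compute_mac1(key, msg_prefix):
    """mac1 covers every byte of the message that precedes the mac1 field."""
    return blake2s(msg_prefix, key=key, digest_size=16)


def accept(pkt, key):
    """Return the message type if the datagram survives the cheap checks,
    or None to signal a silent drop (no response, no error, no log line)."""
    if len(pkt) < 4 or pkt[1:4] != b"\x00\x00\x00":
        return None                       # bad type/reserved framing
    msg_type = pkt[0]
    if msg_type in FIXED_SIZES:
        if len(pkt) != FIXED_SIZES[msg_type]:
            return None                   # wrong length for this message type
        if msg_type in (MSG_INITIATION, MSG_RESPONSE):
            # trailing layout: ... | mac1 (16 bytes) | mac2 (16 bytes)
            expected = compute_mac1(key, pkt[:-32])
            if not hmac.compare_digest(expected, pkt[-32:-16]):
                return None               # sender does not know our public key
        return msg_type
    if msg_type == MSG_TRANSPORT and len(pkt) >= MIN_TRANSPORT_SIZE:
        return msg_type                   # a real responder now looks up the receiver index
    return None


def make_initiation(key, body=None):
    """Build a 148-byte initiation with a correct mac1 and a zero mac2.
    `body` stands in for sender(4)+ephemeral(32)+static(48)+timestamp(28);
    it is random here because only framing and mac1 are exercised."""
    body = body if body is not None else os.urandom(112)
    assert len(body) == 112
    head = bytes([MSG_INITIATION, 0, 0, 0]) + body
    return head + compute_mac1(key, head) + bytes(16)


if __name__ == "__main__":
    # Constructed placeholder for the responder's 32-byte Curve25519 public key.
    responder_pub = bytes(range(32))
    key = mac1_key(responder_pub)
    print("valid initiation:       ", accept(make_initiation(key), key))
    print("scanner probe, no key:  ", accept(bytes([1, 0, 0, 0]) + bytes(144), key))
    print("initiation for other key:", accept(make_initiation(mac1_key(bytes(32))), key))
    print("truncated by one byte:  ", accept(make_initiation(key)[:-1], key))
```

Run it directly and only the first line reports a message type; the three probe variants all come back as None, which is what a UDP scanner on the LAN observes as no reply at all. The whitepaper's cookie mechanism, which makes a responder under load additionally require a valid mac2, is the part of the design aimed at the flood case and is deliberately left out of this example.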

