Deterministic Cryptographically Authenticated Network Signatures on Windows NLA

[Jason A. Donenfeld]

On Fri, Jun 28, 2019 at 6:33 PM zrm <zrm at trustiosity.com> wrote:
> The drawback of this approach is that if anything in the configuration
> changes at all, it becomes a different network. In theory that's the
> idea, but in practice changes to the configuration will sometimes happen
> that shouldn't change which network it is.

No, that's the entire point. If you change your network configuration
-- which public keys (identities) are allowed to send what traffic,
then this should not map to collided network signature. You're free to
configure Windows to apply the same network profile and conditions to
a variety of network signatures, of course.

> For example, if a peer suffers a key compromise then its key will have
> to change (and so thereby will the network GUID when calculated this
> way) but all of the firewall rules and things like that should remain as
> they are.

Remap the new signature to the same network profile as before, in that
case. In fact, remove the old signature from the trusted network
profile, since now ostensibly it's compromised, given your premise.

> It may help to add a config option

We generally don't add nobs when there are sane secure solid defaults.

> to allow the GUID for an interface to
> be manually assigned a specific value. That way it's possible to
> explicitly choose whether the configuration has changed in a way that
> should cause it to be treated as a different network or not.

Sounds like a "shoot yourself in the foot" situation.