another thread on montonic counter alternatives

Karolin Varner karo at
Tue Aug 10 07:53:40 UTC 2021

On 8/10/21 2:09 AM, Trevor Perrin wrote:
> On Sun, Aug 8, 2021 at 5:04 PM Karolin Varner <karo at> wrote:
>> 2) Fall back to an interactive handshake using cookies. Define a protocol version two, mandate that in V2 the cookie must be mixed into the handshake hash. Assign a cookie in case of timestamp failure.
> That could be deployed in a backwards-compatible way, I think?  If the
> client's V1 handshake is rejected due to an old timestamp, the client
> is given the cookie which enables it to do the V2 handshake?

I was thinking InitHello with a flag set in the reserved bytes, peer responds with cookie and a compatibility flag set as well.
The flag would be ignored by legacy responders, these would also respond with the flag set to zero in cookie replies so the initiator knows not to use V2 when resending InitHello with a cookie.
Peers generating messages without a cookie should skip the cookie mixing step (not mix {0}^n) so the message can be processed by legacy peers and modern ones alike.

There may be non-standard implementations which assert the reserved bytes to be {0}^3,
so sending a one-time-counter using an entirely new packet type might be even more compatible. Such a message would be entirely ignored by all but the worst implementations.


More information about the WireGuard mailing list