passing-through TOS/DSCP marking
Florent Daigniere
nextgens at freenetproject.org
Tue Jul 6 07:00:14 UTC 2021
On Wed, 2021-06-16 at 18:28 +0200, Jason A. Donenfeld wrote:
> WireGuard does not copy the inner DSCP mark to the outside, aside from
> the ECN bits, in order to avoid a data leak.
>
> Jason
Hi Jason,
Is there any room for revisiting this design decision? We are talking
about 6 bits of metadata per packet here...
Which realistic threats are we trying to protect against?
The solutions that don't involve code changes all have significant
drawbacks:
- awesome BPF-based magic will be Linux only
- multiple tunnels are not always practical and arguably worse traffic
correlation-wise.
I still use a patched WireGuard to protect traffic from a VoIP app on an
Android handset using Wi-Fi here... and while I have a solution that's
good enough for my requirements, I do think that the community would
benefit from having something that works better out of the box (and on
all platforms).
Florent
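
The trade-off discussed in this thread, as an added example that is not part of either message and is not WireGuard's code: it reads the TOS/Traffic Class byte of an inner IPv4 or IPv6 packet and compares the outer byte under the ECN-only policy Jason describes with a hypothetical full pass-through, showing which 6 bits an on-path observer would see. The function names, the verbatim ECN copy and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ECN_MASK 0x03u /* low 2 bits of the TOS / Traffic Class byte */

/* TOS (IPv4) or Traffic Class (IPv6) byte of an inner packet; -1 if the
 * buffer is too short or is not an IP packet. */
int inner_tos(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 2)
        return -1;
    switch (pkt[0] >> 4) {
    case 4: /* IPv4: TOS is the second header byte */
        return pkt[1];
    case 6: /* IPv6: Traffic Class straddles bytes 0 and 1 */
        return ((pkt[0] & 0x0f) << 4) | (pkt[1] >> 4);
    default:
        return -1;
    }
}

/* Policy described in the thread, modelled as a verbatim copy of the two
 * ECN bits (assumption): the outer DSCP is always zero. */
int outer_tos_ecn_only(const uint8_t *pkt, size_t len)
{
    int tos = inner_tos(pkt, len);
    return tos < 0 ? -1 : (int)(tos & ECN_MASK);
}

/* Hypothetical pass-through policy: all 8 bits copied to the outer header. */
int outer_tos_passthrough(const uint8_t *pkt, size_t len)
{
    return inner_tos(pkt, len);
}

/* What an on-path observer reads from the outer header: the 6-bit DSCP. */
int observed_dscp(int outer_tos) { return outer_tos < 0 ? -1 : outer_tos >> 2; }

/* Constructed inner headers (first 4 bytes only). */
static const uint8_t v4_ef[] = { 0x45, 0xb8, 0x00, 0x54 };        /* DSCP EF, Not-ECT */
static const uint8_t v6_af41_ect0[] = { 0x68, 0xa0, 0x00, 0x00 }; /* DSCP AF41, ECT(0) */

int main(void)
{
    printf("IPv4 EF:   ecn-only dscp=%d  pass-through dscp=%d\n",
           observed_dscp(outer_tos_ecn_only(v4_ef, sizeof v4_ef)),
           observed_dscp(outer_tos_passthrough(v4_ef, sizeof v4_ef)));
    printf("IPv6 AF41: ecn-only dscp=%d  pass-through dscp=%d\n",
           observed_dscp(outer_tos_ecn_only(v6_af41_ect0, sizeof v6_af41_ect0)),
           observed_dscp(outer_tos_passthrough(v6_af41_ect0, sizeof v6_af41_ect0)));
    return 0;
}
```

With the ECN-only policy every outer packet carries DSCP 0, so the VoIP flow is indistinguishable by marking but also gets no QoS treatment on the Wi-Fi link; with pass-through the EF and AF41 classes are visible on the wire.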