Linux counter_validate() RFC6479 replay detection modifies bitmap before authentication?

Jason A. Donenfeld Jason at
Sat Apr 22 12:03:42 UTC 2023

On 4/20/23, Leon Woestenberg <leon at> wrote:
> Hello all,
> I am trying to understand a few details in the WireGuard protocol, looking
> at the Linux kernel WireGuard implementation if I am unsure about the
> description from the paper. One question I have:
> Does counter_validate() in the receive path update the bitmap from the
> Type 4 counter (their_counter) before the received Type 4 packet was
> authenticated?

No, it happens after authentication. Otherwise that'd be a real DoS vector.
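
The ordering described in the reply above, as an added sketch that is not part of the original mail and is not the kernel's counter_validate(): a simplified RFC 6479-style window in C where the bitmap is touched only after authentication, with the reversed order beside it for contrast. The window sizes, all struct and function names, and the `tag_valid` flag (a stand-in for AEAD tag verification) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed sizes for this sketch, not the kernel's constants. */
#define WORD_BITS 64u
#define WORDS     4u                         /* ring of bitmap words */
#define WINDOW    ((WORDS - 1) * WORD_BITS)  /* usable window, as in RFC 6479 */
#define MAX_CTR   (UINT64_MAX - WINDOW - 1)  /* keeps the arithmetic from wrapping */

struct replay { uint64_t top; uint64_t bits[WORDS]; }; /* top = highest accepted + 1 */
struct pkt { uint64_t counter; bool tag_valid; };      /* tag_valid: stand-in for AEAD check */

/* RFC 6479-style check-and-update in one step. */
static bool replay_accept(struct replay *r, uint64_t ctr) {
    uint64_t seq = ctr + 1, idx = seq / WORD_BITS, i, n, mask;
    if (ctr > MAX_CTR || seq + WINDOW < r->top)
        return false;                        /* out of range or older than the window */
    if (seq > r->top) {                      /* window moves: clear the words it skips */
        for (i = r->top / WORD_BITS + 1, n = 0; i <= idx && n < WORDS; i++, n++)
            r->bits[i % WORDS] = 0;
        r->top = seq;
    }
    mask = 1ULL << (seq % WORD_BITS);
    if (r->bits[idx % WORDS] & mask)
        return false;                        /* already seen: replay */
    r->bits[idx % WORDS] |= mask;
    return true;
}

/* Order stated in the reply: authenticate, then touch the bitmap. */
static bool rx_auth_first(struct replay *r, const struct pkt *p) {
    return p->tag_valid && replay_accept(r, p->counter);
}

/* Contrast case (not what the reply describes): bitmap updated before authentication. */
static bool rx_bitmap_first(struct replay *r, const struct pkt *p) {
    return replay_accept(r, p->counter) && p->tag_valid;
}

/* Constructed trace: valid 0, unauthenticated far-future counter, valid 1. */
static bool last_valid_accepted(bool (*rx)(struct replay *, const struct pkt *)) {
    struct replay r = {0};
    struct pkt trace[] = { {0, true}, {1000000, false}, {1, true} };
    rx(&r, &trace[0]);
    rx(&r, &trace[1]);
    return rx(&r, &trace[2]);                /* is the last valid packet still accepted? */
}

int main(void) {
    return last_valid_accepted(rx_auth_first) && !last_valid_accepted(rx_bitmap_first) ? 0 : 1;
}
```

With authentication first, the unauthenticated packet never reaches the bitmap and the following valid packet is accepted; with the bitmap first, the window jumps ahead and the valid packet is rejected as too old.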
