Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3395747imm; Mon, 13 Aug 2018 10:55:41 -0700 (PDT) X-Google-Smtp-Source: AA+uWPwQFJEMz9AJhHyeeg4FTtVzyGmeA/03QR/Da7Ness/P3fwS+LDqyNWu40vcsqiBRTzel30x X-Received: by 2002:a63:ea49:: with SMTP id l9-v6mr18033975pgk.427.1534182941551; Mon, 13 Aug 2018 10:55:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534182941; cv=none; d=google.com; s=arc-20160816; b=jJ98PSz6fMsDqby1bMxv1tJIt9mxKgpIR5tdhBndw1gOgWc3DmQ0mob4ubnpRIIuDn wR7MKLgH3b4fzp65N3HO/+SEbOnR1i2CYIqNQY6Cc+/4XVqFUIUEMX2jHmw9ubm/smRR csmq4wzJ/tpVPSzKweIUSwtOPwnkUuvckllhrjv929ZRuz20Y7feltBx4AII5sudq54P k7JgWI3ToCQgni86FiCA7/KFAJQHqDPMeezKifzwuIyKIiSyAOozgr0Becwsg0gbG3Ri Mso1vNzHuZw1DVdduoYzCad4seL/gDG0gzu9Od7gvxoyIUsXMXp9NLJu/JC2vFmJoH+p znbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=8SOjO1s/BJE4qPZ4GQIKuSLeF216YJMNWXEKLHTdGoM=; b=qUL3O2RFve0rIcsnNIDT6AbQQhaW6wNYLFyPKG+RMWgnKb3YYf0VW2vghTycqlyGRN VLEtDK+H7KxT0LxKYDNsnrC7ZyNYRqlD5+5PIppaCeialvigLsUdATwl/t6Ezx5c8kcM F7+WCbyu4Y5XkgeBZkevTbpXYOw5JUSfoJ/5txdjNmOUHQr6moiG48JF72VLLpRsn3Z8 ICdQVNUcofIJx8s9z1V6JAtY67a2JWqiIHucBgxNj486IwCe1/4VM1nNHWPXxE1TFLsk HwKPRz95EKpQ4O8UfSucJeI8onkebFKPrFl4zbCLzoS2BJ0xjhY0W2nmCbDP71bYyqwd HEVw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=mail header.b=iTpPgZrX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 6-v6si19739386pfk.287.2018.08.13.10.55.26; Mon, 13 Aug 2018 10:55:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=mail header.b=iTpPgZrX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730258AbeHMTpl (ORCPT + 99 others); Mon, 13 Aug 2018 15:45:41 -0400 Received: from frisell.zx2c4.com ([192.95.5.64]:48769 "EHLO frisell.zx2c4.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729029AbeHMTpl (ORCPT ); Mon, 13 Aug 2018 15:45:41 -0400 Received: by frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 335be67d; Mon, 13 Aug 2018 16:49:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=mail; bh=OuB3aLv7uwiV4HV3KpoGgZgMBQU=; b=iTpPgZ rXaJhxrBk+AGJV6nmuCIhwQX7EJGUmqpOeg8oYHcPz8aucnZM96DtgmQLSbjSEjs auTAX9ovK3qYhj93IiqEfki/QhU2LtmYm0f3Qgzn0RB5Apj+e3qYhZ+F/0DhmsmK aN/lPW7DMQ6FcuF1gVLBg9cQuU+h0X5wdarbinKsVMsHHA6Cca1Rz8GEexlyN7MD UR8WOCOgD+usjDhuzau8kpwYMfQdwlJgKZPngKcP6W/St64wRfYcePY6y7oOKv9a jD/0jLnqsSFqhjmWzGr26K7ET+qbHKev1I10BCcVffaeiqH4AqyV0TelVBio1A13 5U94mo7jY9dqTOXg== Received: by frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 0efba98b (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128:NO); Mon, 13 Aug 2018 16:49:34 +0000 (UTC) Received: by mail-oi0-f53.google.com with SMTP id j205-v6so28536189oib.4; Mon, 13 Aug 2018 10:02:34 -0700 (PDT) X-Gm-Message-State: AOUpUlFcHSL61B5K5N3QBbBUqE542ux265VpKbwQIvuzK9F3HZ2QmCzl SYOVTYt5kzzgVBWWT262ylG7jywKyMShGxtrlLk= X-Received: by 2002:aca:bec2:: with SMTP id o185-v6mr19801656oif.22.1534179753641; Mon, 13 Aug 2018 10:02:33 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a4a:a025:0:0:0:0:0 with HTTP; Mon, 13 Aug 2018 10:02:32 -0700 (PDT) In-Reply-To: <1534174811.7872.3.camel@HansenPartnership.com> References: <20180731191102.2434-1-Jason@zx2c4.com> <1534174811.7872.3.camel@HansenPartnership.com> From: "Jason A. Donenfeld" Date: Mon, 13 Aug 2018 10:02:32 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v1 0/3] WireGuard: Secure Network Tunnel To: James Bottomley Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, davem@davemloft.net, linux-crypto@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi James, On 8/13/18, James Bottomley wrote: >> Ample information, including documentation, installation >> instructions, >> and project details, is available at: >> >> * https://www.wireguard.com/ >> * https://www.wireguard.com/papers/wireguard.pdf > > In your paper you say this: > >> Finally, WireGuard is cryptographically opinionated. It intentionally >> lacks cipher and protocol agility. If >> holes are found in the underlying primitives, all endpoints will be >> required to update. > > The only thing that's certain (beyond death and taxes) is that your > crypto choice will one day need updating; either in response to an > urgent CVE because an algorithm is compromised or in response to a less > urgent one because it is deprecated. Assuming wireguard is reasonably > successful we'll have a large ecosystem dependent on it. On this day, > we're going to have the choice of either breaking the entire ecosystem > by rolling out a change that can't connect to lower protocol versions > or trying to wedge version agility into wireguard in a hurry. The > former is too awful to contemplate because of the almost universal > ecosystem breakage it would cause and the latter is going to lead to > additional bugs because people in a hurry aren't as careful as they > should be. > > Could we please build planning for this crypto failure day into > wireguard now rather than have to do it later? It doesn't need to be > full cipher agility, it just needs to be the ability to handle multiple > protocol versions ... two should do it because that gives a template to > follow (and test version to try to find bugs in the implementation). > It looks like the protocol could simply be updated to put the version > into one (or more) of the three reserved bytes in the handshake > headers, so perhaps doing this before they get used for something else > would be a good first step? > > James > > Indeed the answer is in fact along the lines of what you've suggested in your question: the protocol is very strictly versioned. This means that while there intentionally isn't negotiation of ciphers -- something historically very bug-prone -- there is ample room for updating the protocol. This is enabled via 4 aspects of the protocol: - An explicit "identifier" string is hashed in as part of the first step of cryptographic operations, containing a "v1" as well as the protocol designer's email. - An explicit "construction" string is hashed in as part of the first step of cryptographic operations, containing the Noise handshake pattern and a list of the cryptographic primitives used. - A type field at the beginning of each message. Newer message types (corresponding with newer versions) can easily be introduced via this field, and they can even coexist with older ones need be. - Three unused reserved fields ready to be utilised in the event they're needed. In other words, there's ample room for such contingency measures within the protocol. Jason