Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3406566imm;
        Mon, 13 Aug 2018 11:06:43 -0700 (PDT)
X-Google-Smtp-Source: AA+uWPwj+CZfKPA5BTg6wKtHuENf3pfkoV58+7lhLo7gPORvBtoXwEvX75DqaAOMJJDAPh71fMmy
X-Received: by 2002:a63:314f:: with SMTP id x76-v6mr17602112pgx.373.1534183603167;
        Mon, 13 Aug 2018 11:06:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1534183603; cv=none;
        d=google.com; s=arc-20160816;
        b=oqJDRtZdE3LcLSlrwgFfVp54FOMVVPr2wJBXzD/F3PVWq1z8xOJbGfv6+HCF3fPIlw
         GbZgw2pr0PQtjkaKHTEehAV93et1JxaYS9T/yQDXfDiikzvvzXBkyOKIfg4gmgM5qD8H
         fCLjSzY9qQkLcJsLr6r6V1V91K+CucI0obG0Qa6qBsiuZXtX27zU8c4U0g3fqqiwbKjj
         o527yo9KP0S4bFCzcG7fMuPAbdvSY626HqN0t3mQ8wxL3u419pnGnWc03WbE32UyZArB
         UW9SZo1w7mlqSC8XIm2oGEEFUruXCyscJPByEyEOsxurEo8fFEhq/rXCc3NedkB7YYjI
         AUkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id
         :dkim-signature:arc-authentication-results;
        bh=8sxSYBg3OP7xLmzNzpjSo5y8jK+x1fe41JNH7YURKhk=;
        b=R545Edn6c/UvRYfnfD1707C/9n8+UcZVzIQ78K4VYVkKT/67tNwepBpGKBAPfd0IS/
         XRGr+D7LMPXTUShbNzEk/0Ql36Xfq87v3KSWUKr3QwOn8La8FD+xPONii1RD7RSElsId
         060LEod22pBj6BSC9lqUQMKeo1Ldut+7dtZgSOiedOxEW96XS58OXTlNXq+aDG68+0mO
         0cL12hCzXamIOi5DkFuRTiLCXQgzr/16EaRFOD5u6hTf/2SgeznbdfkGzMLCsigYORi5
         fSR6acUk1efbuOyeumX5rKon59BquaOI7BQm4+Taf15xyGMwkB/RpqMLsarvg1y5eXE6
         Gf0g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=ZrzeDdFr;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g16-v6si18608536pgi.373.2018.08.13.11.06.27;
        Mon, 13 Aug 2018 11:06:43 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=ZrzeDdFr;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730214AbeHMUUX (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Mon, 13 Aug 2018 16:20:23 -0400
Received: from bedivere.hansenpartnership.com ([66.63.167.143]:39548 "EHLO
        bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1729346AbeHMUUX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 13 Aug 2018 16:20:23 -0400
Received: from localhost (localhost [127.0.0.1])
        by bedivere.hansenpartnership.com (Postfix) with ESMTP id 120938EE171;
        Mon, 13 Aug 2018 10:37:12 -0700 (PDT)
Received: from bedivere.hansenpartnership.com ([127.0.0.1])
        by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id A8KoWGR37buj; Mon, 13 Aug 2018 10:37:11 -0700 (PDT)
Received: from [153.66.254.194] (unknown [50.35.68.20])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 8457E8EE0ED;
        Mon, 13 Aug 2018 10:37:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com;
        s=20151216; t=1534181831;
        bh=eI5Uoi9tJvSfyhubBa3yw7z7t845SBHGxs6Ka/iWCTk=;
        h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
        b=ZrzeDdFroGGP4DGf8n66aXZAwuGMrLa/ElEPB/VcJWjFWZ609RfaJMkFTXpQ61Kly
         rW7fNhjoMb574PuJo3hf8S3wHWgldS/wbGzF7ld8mJZYU2sveSYxgXDHTCSZXZOauM
         xBfJ55pHUJ30r5yxiDIjsJSJS0uHL/zi9HKvKwbA=
Message-ID: <1534181830.7872.10.camel@HansenPartnership.com>
Subject: Re: [PATCH v1 0/3] WireGuard: Secure Network Tunnel
From:   James Bottomley <James.Bottomley@HansenPartnership.com>
To:     "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc:     linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        davem@davemloft.net, linux-crypto@vger.kernel.org
Date:   Mon, 13 Aug 2018 10:37:10 -0700
In-Reply-To: <CAHmME9raa81A_hH_Zykp2r8zOk0ySroFEsk+8384vnVOCuSa=g@mail.gmail.com>
References: <20180731191102.2434-1-Jason@zx2c4.com>
         <1534174811.7872.3.camel@HansenPartnership.com>
         <CAHmME9raa81A_hH_Zykp2r8zOk0ySroFEsk+8384vnVOCuSa=g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.22.6 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 2018-08-13 at 10:02 -0700, Jason A. Donenfeld wrote:
> > Could we please build planning for this crypto failure day into
> > wireguard now rather than have to do it later?  It doesn't need to
> > be full cipher agility, it just needs to be the ability to handle
> > multiple protocol versions ... two should do it because that gives
> > a template to follow (and test version to try to find bugs in the
> > implementation). It looks like the protocol could simply be updated
> > to put the version into one (or more) of the three reserved bytes
> > in the handshake headers, so perhaps doing this before they get
> > used for something else would be a good first step?
> > 
> > James
> > 
> > 
> 
> Indeed the answer is in fact along the lines of what you've suggested
> in your question: the protocol is very strictly versioned. This means
> that while there intentionally isn't negotiation of ciphers --
> something historically very bug-prone -- there is ample room for
> updating the protocol. This is enabled via 4 aspects of the protocol:
> 
> - An explicit "identifier" string is hashed in as part of the first
> step of cryptographic operations, containing a "v1" as well as the
> protocol designer's email.
> - An explicit "construction" string is hashed in as part of the first
> step of cryptographic operations, containing the Noise handshake
> pattern and a list of the cryptographic primitives used.

Any hash involving other parameters allows you to check for a version
mismatch, but it's very hard for a flow classifier because you have to
do the hash at the point you classify.  If we're running concurrent
versions we need an easy way to separate them.

> - A type field at the beginning of each message. Newer message types
> (corresponding with newer versions) can easily be introduced via this
> field, and they can even coexist with older ones need be.
> - Three unused reserved fields ready to be utilised in the event
> they're needed.

Either of these will work for easy classification.

> In other words, there's ample room for such contingency measures
> within the protocol.

I have a preference for explicit versioning, having dealt with some
protocol issues before.  However, I'm much less concerned with *how*
it's done than that it *be* done in the kernel patch so we can test out
 rolling the version number to change the algorithms in a backward
compatible way, so lets pick one of the above and try it out.

Regards,

James