Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp2023316pxf; Sat, 13 Mar 2021 05:26:15 -0800 (PST) X-Google-Smtp-Source: ABdhPJyL4efMdJ7dI8kyYgjCWlyVrFacgSDah0RuqOX3zbxLB+OwsYD8cCwcEF33y3BtzERMuCny X-Received: by 2002:a17:906:ecf3:: with SMTP id qt19mr13699395ejb.467.1615641975010; Sat, 13 Mar 2021 05:26:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615641975; cv=none; d=google.com; s=arc-20160816; b=YTMC5uCEv7ua98IhOaxyXucIkm1V34y4mcNZafSEWvHecsZ2K+vOQj0VEB0B4s5SY7 NtXi8mg+Lqh2Mi/fj8a3g0Nt8sl+0O75AyxcuMv4mitNNeRIxJjRY3I2qiXUzYnJYEVO iqZQNtQe2UIEfM7de+/HE0lCvZaJOWVsIn9MsdcNfKJvlypwVLaG7wFCskxZf3aiijLj RxiIp/paCg4i5keTQs8Kshn5NHqBgvHBnlOyqwIzRTy4dCZNXnEMqKYiIwAl4wBqt46W yRVuQjzecphE/7yCE5jvf361bjFqEdEAnaCIoJp35uLuqV1iZ9dywrqlCD4Mnkqft7OD k3ow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:subject:from :references:cc:to; bh=DTj3TBK3cKc26gP/LEhc4n7u1RdKrcwZLAsNMTlQ3+k=; b=LZX39q5etEbXPTR9O9bRAaeouArBAjEQrdW+6VVm4ZD8THXtp2ahcYLSyuF419TxTy P6cbl+ykxjsOeu3esGLFBKYAALlB8DA0guJg35KYDivb0BBa6Wb/O4Wbq++abRVI4kmg liP9rydve8gYza5FuEM/Tc2FJXffDIbX8PF3cqT9R4vsVvV+71myz0xd0mOrCT99/fQH UOfch6OzHGewbP3zv9M5IieQwp8uVHkFOtD7Q77X6v4zFuDze5HEtRfceXCFejTCq6VI o2IauvT55rpdpKRbph7BvMKbeJ4Dp/lC6aaWPzpQ7cColW7wW6xYqV1OX6D3LHqVjKbZ 1kxA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id eb13si6451522edb.538.2021.03.13.05.25.52; Sat, 13 Mar 2021 05:26:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230441AbhCMNYu (ORCPT + 99 others); Sat, 13 Mar 2021 08:24:50 -0500 Received: from mail.dr-lotz.de ([5.9.59.78]:33654 "EHLO mail.dr-lotz.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233188AbhCMNYW (ORCPT ); Sat, 13 Mar 2021 08:24:22 -0500 X-Greylist: delayed 348 seconds by postgrey-1.27 at vger.kernel.org; Sat, 13 Mar 2021 08:24:21 EST Received: from localhost (localhost [127.0.0.1]) by mail.dr-lotz.de (Postfix) with ESMTP id 787315C86E; Sat, 13 Mar 2021 14:18:32 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at mail.dr-lotz.de Received: from mail.dr-lotz.de ([127.0.0.1]) by localhost (mail.dr-lotz.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nteY4s-GT1AN; Sat, 13 Mar 2021 14:14:36 +0100 (CET) Received: from [192.168.42.35] (ipb21b6623.dynamic.kabel-deutschland.de [178.27.102.35]) by mail.dr-lotz.de (Postfix) with ESMTPSA id 2E0325C86D; Sat, 13 Mar 2021 14:14:36 +0100 (CET) To: "Jason A. Donenfeld" Cc: "David S. Miller" , Jakub Kicinski , WireGuard mailing list , Netdev , LKML References: <20210109210056.160597-1-linus@lotz.li> From: Linus Lotz Subject: Re: [PATCH] wireguard: netlink: add multicast notification for peer changes Message-ID: Date: Sat, 13 Mar 2021 14:14:34 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Jason,> Thanks for the patch and sorry for the delay in reviewing it. Seeing > the basic scaffolding for getting netlink notifiers working with > WireGuard is enlightening; it looks surprisingly straightforward. Glad to hear that this is a welcome feature. > > There are three classes of things that are interesting to receive > notifications for: > > 1) Things that the admin changes locally. This is akin to the `ip > monitor`, in which you can see various things that other programs (or > the kernel) modify. This seems straightforward and uncontroversial. The current patch will also trigger for admin changes of the endpoint. This could obviously be extended to other events as well. > > 2) Authenticated events from peers. This basically amounts to new > sessions being created following a successful handshake. This seems > mostly okay because authenticated actions already have various DoS > protections in place. > > 3) Unauthenticated events. This would be things like (a) your patch -- > a peer's endpoint changes -- or, more interestingly, (b) public keys > of unknown peers trying to handshake. I was under the impression that this is an authenticated event. The function 'wg_socket_set_peer_endpoint' where I hook in the notification is called from: - set_peer (changes from netlink, authenticated) - wg_packet_consume_data_done (which should be authenticated?) - wg_socket_set_peer_endpoint_from_skb And wg_socket_set_peer_endpoint_from_skb is in turn called from wg_receive_handshake_packet where it is called after validating a handshake initiation and after validating a handshake response. So it should be authenticated, right? If the endpoint could be updated without authentication I would be concerned that an attacker could change the stored endpoint and thus do a DOS on a tunnel, as he could change the endpoints for both peers by sending them messages from an invalid endpoint. > > (b) is interesting because it allows doing database lookups in > userspace, adding the looked up entry, adding it to the interface, and > initiating a handshake in the reverse direction using the endpoint > information. It's partially DoS-protected due to the on-demand cookie > mac2 field. This is indeed an interesting feature. In this case we might want to keep the handshake information so that we can complete it if the lookup is successful. Since this would keep some state for unauthenticated peers it should probably only be used when explicitly enabled. This could probably also be used to debug tunnel settings. > > (a) is also interesting for the use cases you outlined, but much more > perilous, as these are highspeed packets where the outer IP header is > totally unauthenticated. What prevents a man in the middle from doing > something nasty there, causing userspace to be inundated with > expensive calls and filling up netlink socket buffers and so forth? I was assuming it was authenticated, if not, there should definitely be some counter measures and it should only be enabled manually. > > I wonder if this would be something better belonging to (2) -- getting > an event on an authenticated peer handshake -- and combining that with > the ability to disable roaming (something discussed a few times on > wgml). Alternatively, maybe you have a different idea in mind about > this? If wg_socket_set_peer_endpoint is the only place where the endpoint is modified it would be relatively simple to implement a flag that disables roaming. In theory it could also be possible to send a notification, but not change the endpoint and only let userspace update it. So an userspace application could decide if the roaming is allowed or not. > > I also don't (yet) know much about the efficiency of multicast netlink > events and what the overhead is if nobody is listening, and questions > like that. So I'd be curious to hear your thoughts on the matter. I do not know how big the overhead is. I was assuming that a change of the endpoint address is relatively rare so that the impact should be negligible (since I assumed that changing the endpoint is authenticated.) Regards, Linus