On 6/27/19 10:26, Jason A. Donenfeld wrote:
So, now that we can control the GUID and hence the NetworkSignature, we have to decide what determines a network. It turns out that in WireGuard, we can do this with much higher cryptographic assurance than any of the crazy "authenticated dhcp" proposals of Microsoft. Specifically, we know our own interface public key, the public keys of everyone we're willing to talk to, and which IP addresses we'll accept from those peers. If that doesn't perfectly define a network, I don't know what else does.
The drawback of this approach is that if anything in the configuration changes at all, it becomes a different network. In theory that's the idea, but in practice changes to the configuration will sometimes happen that shouldn't change which network it is.
For example, if a peer suffers a key compromise then its key will have to change (and so thereby will the network GUID when calculated this way) but all of the firewall rules and things like that should remain as they are.
It may help to add a config option to allow the GUID for an interface to be manually assigned a specific value. That way it's possible to explicitly choose whether the configuration has changed in a way that should cause it to be treated as a different network or not.
_______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard
