Presented by Jason A Donenfeld FOSDEM 2017

Recommendations

Info

Stealth ▪ Some aspects of WireGuard grew out of an earlier kernel rootkit project. ▪ Should not respond to any unauthenticated packets. ▪ Hinder scanners and service discovery. ▪ Service only responds to packets with correct crypto. ▪ Not chatty at all. ▪ When there’s no data to be exchanged, both peers become silent.
Solid Crypto ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ We make use of Trevor Perrin’s Noise Protocol Framework – noiseprotocol.org ▪ Developed with much feedback from WireGuard motivations. ▪ Custom written very specific implementation of NoiseIK for the kernel. Perfect forward secrecy – new key every 2 minutes Avoids key compromise impersonation Identity hiding Authenticated encryption Replay-attack prevention, while allowing for network packet reordering Modern primitives: Curve25519, Blake2s, ChaCha20, Poly1305, SipHash2-4 Lack of cipher agility!
Page 1 and 2: Presented by Jason A. Donenfeld FOS
Page 3 and 4: What is WireGuard? ▪ Layer 3 secu
Page 5 and 6: Easily Auditable IPsec (XFRM+Strong
Page 7 and 8: Blasphemy! ▪ WireGuard is blasphe
Page 9 and 10: Cryptokey Routing PUBLIC KEY :: IP
Page 11 and 12: Cryptokey Routing User space send()
Page 13 and 14: Cryptokey Routing ▪ Makes system
Page 15 and 16: Demo
Page 17 and 18: Simple Composable Tools: wg-quick
Page 19 and 20: Namespaces: Containers # ip addr 1:
Page 21: Static Allocations, Guarded State,
Page 25 and 26: The Key Exchange ▪ In order for t
Page 27 and 28: The Key Exchange ▪ Very limited s
Page 29 and 30: Timers User space sends packet. •
Page 31 and 32: Denial of Service Resistance ▪ Ha
Page 33 and 34: Cookies: DTLS-like and IKEv2-like
Page 35 and 36: Cookies: The WireGuard Variant ▪
Page 37 and 38: Cookies: The WireGuard Variant ▪
Page 39 and 40: Performance: Measurements Bandwidth
Page 41: More Information WireGuard ▪ Main

Presented by Jason A Donenfeld FOSDEM 2017

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?