# 2017-07-19
Time: **9am PDT** (12pm EDT, 5pm BST) [see the time in your timezone](https://www.timeanddate.com/worldclock/fixedtime.html?msg=Linuxkit+Security+SIG&iso=20170719T09&p1=224)

Meeting location: https://docker.zoom.us/j/779801882

Announcement:
[Moby project forum post](https://forums.mobyproject.org/t/2017-07-19-linuxkit-security-sig-meeting/109)

Video recording: https://www.youtube.com/watch?v=04TsF72o-V4

Previous meeting notes: [2017-07-05](2017-07-05.md)

## Agenda
- Introductions & Administrivia (5 min)
- WireGuard deep dive - @zx2c4 (45 min)
  - Differences from other VPNs
  - Cryptography
  - Usage with network namespaces
  - demo
- Project updates (10 min)
- Next meeting: 2017-08-02
  - deep dive TBD
  - we can propose additional deep dives and discussion topics!

## Meeting Notes

- WireGuard intro;
  [slides](https://www.wireguard.com/talks/dockersig2017-slides.pdf) are
  comprehensive, below is a small discussion of questions that occurred
  - Jason Donenfeld the author and maintainer
  - Patches for traditional userspace tools (ifupdown, OpenWRT/LEDE,
    OpenRC netifrc, NixOS, systemd-networkd WIP, NetworkManager WIP) available
    to allow ease of interface configuration
  - demo
    - ip and wg tools used to configure and inspect WireGuard interfaces
    - no patches needed for iproute2, since the string "WireGuard" just gets
      passed to the kernel via netlink when doing `ip link add type wireguard`
  - WireGuard can live in one netns, physical interface can live in another
    - so you can put wg0 in a container as the only interface, and it *must*
      connect to the world via this interface
  - No additional traffic necessary when packets are successfully sent/received
    - When a unidirectional packet is sent, WireGuard sends back an empty ack
      packet
  - Kernel networking stack is the one allocating the packet buffers,
    WireGuard doesn't allocate anything on top of this
  - WireGuard overhead: ipv4 header (20 bytes) + udp header (8 bytes) + wireguard header (4 byte type, 4 byte keyid, 8 byte nonce, 16 byte authtag = 32 bytes) = 60 bytes
  - performance
    - fast, no copies across \*space
    - ChaChaPoly is fast
  - upstreaming status:
    - no v1 posted
    - need to move from ioctl => netlink
    - need to improve kernel crypto API to remove allocations
  - maturity
    - officially "experimental"
    - formally verified, "pretty damn stable" :)
    - may break protocol, but hopefully not now that it's verified
- Next meeting August 2nd, please propose topics!