linuxkit/reports/sig-security/2017-07-19.md
Justin Cormack de11ea12ac Merge pull request #2254 from riyazdf/wireguard-video
sig-security: add youtube video and forum link
2017-07-20 08:40:49 +01:00
2017-07-19

Time: 9am PDT (12pm EDT, 5pm BST) see the time in your timezone

Meeting location: https://docker.zoom.us/j/779801882

Announcement: Moby project forum post

Video recording: https://www.youtube.com/watch?v=04TsF72o-V4

Previous meeting notes: 2017-07-05

Agenda

  • Introductions & Administrivia (5 min)
  • WireGuard deep dive - @zx2c4 (45 min)
    • Differences from other VPNs
    • Cryptography
    • Usage with network namespaces
    • demo
  • Project updates (10 min)
  • Next meeting: 2017-08-02
    • deep dive TBD
    • we can propose additional deep dives and discussion topics!

Meeting Notes

  • WireGuard intro; the slides are comprehensive, so below are only brief notes on the questions that came up
    • Jason Donenfeld is the author and maintainer
    • Patches for traditional userspace tools (ifupdown, OpenWRT/LEDE, OpenRC netifrc, NixOS, systemd-networkd WIP, NetworkManager WIP) available to allow ease of interface configuration
    • demo
      • ip and wg tools used to configure and inspect WireGuard interfaces
      • no patches needed for iproute2, since the string "WireGuard" just gets passed to the kernel via netlink when doing ip link add type wireguard
    • WireGuard can live in one netns, physical interface can live in another
      • so you can put wg0 in a container as the only interface, and it must connect to the world via this interface
    • No additional traffic is necessary when packets are being sent and received successfully
      • When traffic is flowing in only one direction, WireGuard sends back an empty ack packet
    • Kernel networking stack is the one allocating the packet buffers, WireGuard doesn't allocate anything on top of this
    • WireGuard overhead: ipv4 header (20 bytes) + udp header (8 bytes) + wireguard header (4 byte type, 4 byte keyid, 8 byte nonce, 16 byte authtag = 32 bytes) = 60 bytes
    • performance
      • fast, no copies between kernel space and user space
      • ChaChaPoly is fast
    • upstreaming status:
      • no v1 patch set posted upstream yet
      • need to move from ioctl => netlink
      • need to improve kernel crypto API to remove allocations
    • maturity
      • officially "experimental"
      • formally verified, "pretty damn stable" :)
      • the protocol may still change, but hopefully not now that it's verified
  • Next meeting August 2nd, please propose topics!
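The netns setup from the deep dive, written out as an added example (not from the meeting slides or the WireGuard project): wg0 is created in the namespace that owns the physical interface, then moved into a container namespace where it is the only non-loopback interface. The namespace name "app", the addresses, the port, the peer endpoint and the key path are constructed placeholders; DRY_RUN=1 prints the commands instead of running them, since running them needs root and a WireGuard-enabled kernel.

```shell
#!/bin/sh
# Added example: put a WireGuard interface into a network namespace as that
# namespace's only interface. Names, addresses, keys and endpoints below are
# constructed placeholders, not values from the meeting.
DRY_RUN=${DRY_RUN:-0}
NS=${NS:-app}
WG_IF=${WG_IF:-wg0}
WG_ADDR=${WG_ADDR:-10.0.0.2/24}
LISTEN_PORT=${LISTEN_PORT:-51820}
PEER_PUBKEY=${PEER_PUBKEY:-PEER_PUBLIC_KEY_PLACEHOLDER}
PEER_ENDPOINT=${PEER_ENDPOINT:-203.0.113.1:51820}
PRIVKEY_FILE=${PRIVKEY_FILE:-/etc/wireguard/private.key}

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_wg_netns() {
  # 1. Create the interface in the namespace that has the physical NIC (the
  #    init netns here). WireGuard's encrypted UDP socket stays bound in the
  #    namespace the interface was created in, even after the move below.
  run ip link add "$WG_IF" type wireguard
  # 2. Move the interface into the container namespace. From inside that
  #    namespace the only way to reach the world is through wg0, so every
  #    packet leaving it is encrypted.
  run ip netns add "$NS"
  run ip link set "$WG_IF" netns "$NS"
  # 3. Configure keys, peer and addressing from inside the namespace with wg(8)
  #    and ip(8); no patched iproute2 is needed.
  run ip netns exec "$NS" wg set "$WG_IF" listen-port "$LISTEN_PORT" \
      private-key "$PRIVKEY_FILE" \
      peer "$PEER_PUBKEY" allowed-ips 0.0.0.0/0 endpoint "$PEER_ENDPOINT"
  run ip netns exec "$NS" ip address add "$WG_ADDR" dev "$WG_IF"
  run ip netns exec "$NS" ip link set "$WG_IF" up
  run ip netns exec "$NS" ip route add default dev "$WG_IF"
}

# Check that only lo and wg0 are visible inside the namespace.
list_ns_links() {
  run ip netns exec "$NS" ip -o link show
}
```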