linuxkit/reports/sig-security/2017-07-19.md
Justin Cormack de11ea12ac Merge pull request #2254 from riyazdf/wireguard-video
sig-security: add youtube video and forum link
2017-07-20 08:40:49 +01:00


# 2017-07-19

Time: **9am PDT** (12pm EDT, 5pm BST) [see the time in your timezone](https://www.timeanddate.com/worldclock/fixedtime.html?msg=Linuxkit+Security+SIG&iso=20170719T09&p1=224)

Meeting location: https://docker.zoom.us/j/779801882

Announcement: [Moby project forum post](https://forums.mobyproject.org/t/2017-07-19-linuxkit-security-sig-meeting/109)

Video recording: https://www.youtube.com/watch?v=04TsF72o-V4

Previous meeting notes: [2017-07-05](2017-07-05.md)

## Agenda

- Introductions & Administrivia (5 min)
- WireGuard deep dive - @zx2c4 (45 min)
  - Differences from other VPNs
  - Cryptography
  - Usage with network namespaces
  - demo
- Project updates (10 min)
- Next meeting: 2017-08-02
  - deep dive TBD
  - we can propose additional deep dives and discussion topics!

## Meeting Notes

- WireGuard intro: the
  [slides](https://www.wireguard.com/talks/dockersig2017-slides.pdf) are
  comprehensive; below is a short summary of the questions that came up
  - Jason Donenfeld is the author and maintainer
  - Patches for traditional userspace tools (ifupdown, OpenWRT/LEDE,
    OpenRC netifrc, NixOS, systemd-networkd WIP, NetworkManager WIP) are available
    to ease interface configuration
- demo
  - `ip` and `wg` tools are used to configure and inspect WireGuard interfaces
  - no patches needed for iproute2, since the string "WireGuard" just gets
    passed to the kernel via netlink when doing `ip link add type wireguard`
  - WireGuard can live in one netns, the physical interface can live in another
    - so you can put wg0 in a container as the only interface, and it *must*
      connect to the world via this interface
  - No additional traffic is necessary when packets are successfully sent/received
    - When a unidirectional packet is sent, WireGuard sends back an empty ack
      packet
  - The kernel networking stack is the one allocating the packet buffers;
    WireGuard doesn't allocate anything on top of this
  - WireGuard overhead: IPv4 header (20 bytes) + UDP header (8 bytes) + WireGuard header (4-byte type, 4-byte key id, 8-byte nonce, 16-byte auth tag = 32 bytes) = 60 bytes
- performance
  - fast, no copies across \*space (the kernel/user boundary)
  - ChaChaPoly is fast
- upstreaming status:
  - no v1 posted yet
  - need to move from ioctl => netlink
  - need to improve the kernel crypto API to remove allocations
- maturity
  - officially "experimental"
  - formally verified, "pretty damn stable" :)
  - may break protocol, but hopefully not now that it's verified
- Next meeting August 2nd, please propose topics!
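The netns layout and the 60-byte overhead figure from the notes above, as an added example that is not code from the SIG notes or the WireGuard project: a POSIX shell script that renders a wg(8) setconf file, derives the tunnel MTU from the overhead, and moves wg0 into a container namespace as its only interface. It assumes root, a kernel with the wireguard module, iproute2 and the wg tool; the netns name, keys, addresses and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the SIG notes or the WireGuard project): give a
# container network namespace wg0 as its only interface. Assumes root, the
# wireguard kernel module, iproute2 and wg(8); names, keys, addresses and
# paths below are placeholders to replace.
set -eu

# Tunnel MTU from the overhead in the notes: 20 (IPv4) + 8 (UDP) + 32 (WireGuard) = 60 bytes.
wg_mtu() {          # $1 = MTU of the physical interface
    echo $(( $1 - 60 ))
}

# Render a wg(8) setconf file with one local key/port and one peer.
# $1 private key  $2 listen port  $3 peer public key  $4 peer endpoint  $5 AllowedIPs
render_wg_conf() {
    printf '[Interface]\nPrivateKey = %s\nListenPort = %s\n\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Create wg0 in the host netns (which keeps the physical NIC and the tunnel's
# UDP socket), move it into the container netns, and configure it there. The
# physical interface never enters the container, so every packet leaving the
# container has to traverse the tunnel.
# $1 netns name  $2 config file (from render_wg_conf)  $3 tunnel address/prefix  $4 physical MTU
wg_netns_setup() {
    ip netns add "$1"
    ip link add wg0 type wireguard        # no iproute2 patch needed: "wireguard" goes to the kernel via netlink
    ip link set wg0 netns "$1"
    ip -n "$1" link set lo up
    ip -n "$1" address add "$3" dev wg0
    ip -n "$1" link set wg0 mtu "$(wg_mtu "$4")" up
    ip netns exec "$1" wg setconf wg0 "$2"
    ip -n "$1" route add default dev wg0  # the only way out of the namespace is wg0
    ip netns exec "$1" wg show wg0        # inspect peers, endpoints, handshakes, transfer counters
}

# The privileged part only runs when asked, so the functions can be sourced safely.
if [ "${RUN_WG_NETNS:-0}" = 1 ]; then
    render_wg_conf "$(cat /etc/wireguard/privatekey)" 51820 \
        "PEER_PUBLIC_KEY_PLACEHOLDER" 203.0.113.1:51820 0.0.0.0/0 > /tmp/wg0.conf
    wg_netns_setup container /tmp/wg0.conf 10.0.0.2/24 1500
fi
```

Run with `RUN_WG_NETNS=1 sh wg-netns.sh` as root; `wg show` at the end is the same inspection step demonstrated in the meeting.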