From: Aaron Jones <aaronmdjones@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Re: Rolling keys without service interuption
Date: Sat, 2 Dec 2017 05:10:31 +0000 [thread overview]
Message-ID: <3830a82e-8c9f-2b91-b408-0901bb7c8f8b@gmail.com> (raw)
In-Reply-To: <2185653B-D592-4179-96D6-2CFC16F3E0B1@ferrisellis.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 02/12/17 02:45, Ferris Ellis wrote:
> I was wondering if WireGuard supported dynamically updating /
> rolling keys for connections? In many operations security models
> credentials are short lived and rotated regularly so that the
> consequences of any compromise can be minimized. One problem,
> however, with this is that rolling credentials often causes a
> service interrupt for the connection being rolling. Does WireGuard
> have a way to do this currently?
>
> I wanted to ask the mailing list about this both for my own
> knowledge and for public documentation. Though, I presume the
> answer is no as WireGuard uses the keys as identity primitives for
> connections (which I think is the most honest means of relating
> identity to authorization) and thus “rolling” them makes no sense.
As far as I understand it, you can dynamically add a new peer to the
interface with wg(8) with the same configuration (including Allowed
IPs and Endpoint) and then remove the old peer. If you are running
reliable protocols on top (e.g. TCP) their retransmit logic will
establish a new session with the 'new' peer for you.
Regards,
Aaron Jones
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJaIjXEAAoJEIrwc3SIqzAS2yUP/273JhlzYzJREMVzvNyfx2cj
sNImcmTFQhFB8SaSxM7u5yY9FtOSgvEyx+jFBhywVOEQfMFXwCtZL6XIXgLsoaM+
GN2NpY+2I95JYOFO6SF0jm4jy3dj0UAZMRctNuM2nasH31jI+E6VDwPcxGsg2o6g
2Am7ykHXETOZBRG9ZXeQiHiQ9ai3RMbrhP2yiApwzoZg3VsookDN+GEJ/K+ZVxaP
n0r9KbvOOn4rEnQSB+GSADl2uihaJu/ziiSMSlbsbkjS5yoBhI8v3GQvpWGCsdu9
hXOR+pmefDsHmurDpBniPWn9epX4aMnOLxzni7WPc3OlgHQg3ZhmvHjW4FrCjX+n
NDfmcbOxvlcMBhPfoLMk8KJMiWZ2k1yGT4yFYynS99NQ7cFcmQhetAKFochz92OX
AJT/bH7ExqQtxYhK1YR+rhw9HhzyhykQC70B1Kp2F9uVBjdKERHM1saavLxBAjlt
U297jzwqxlVji5h2sWHaflPTSnTyx49jSp3ZCPeJ3N57zHzhOmuuyf76CfoE4do+
/RzUhP96JwWIM6Q4HR/MY7UWHHKvt9GW3M+AwTIRovpL0OFPfuOotXc9fW7F25D2
gdWJSOxza7d31YgU7XnkVdHeY6T+uQrx77yjAnmSTcVPIiQlBzBNXE/jTAFA2uEG
Mj71hyihwWkfWOVREg7M
=naHE
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2017-12-02 5:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-02 2:45 Ferris Ellis
2017-12-02 5:10 ` Aaron Jones [this message]
2017-12-02 13:31 ` Jason A. Donenfeld
2017-12-02 14:12 ` Ferris Ellis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3830a82e-8c9f-2b91-b408-0901bb7c8f8b@gmail.com \
--to=aaronmdjones@gmail.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).