From: John Huttley <john@mib-infotech.co.nz>
To: John Huttley <john@mib-infotech.co.nz>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: DMVPM appreciation
Date: Sun, 4 Dec 2016 18:57:04 +1300 [thread overview]
Message-ID: <689268d1-473f-6df6-61ba-989f8aed9928@mib-infotech.co.nz> (raw)
In-Reply-To: <e1085a46-e38f-c13c-86f5-de312b3a5c05@mib-infotech.co.nz>
Hmm...
Really good high level theory ...
> Don't forget we need two more things:
> * A --> C (over UDP)
> * C --> A (over UDP)
>Throw a few weird NAT/PAT and other ACLs in between and try again.
In one direction there is no need, because that's how we established the
tunnel. See below, we could make exposed endpoints a requirement.
>> First. A can talk to C just fine on the VPN. Thats all the
>> authentication required.
>>
>Yes, but in the background A only talks to B over UDP... and B to C
>over UDP.
Sorry I don't get what you mean. Anyone /could/ talk to anyone,
firewalls permitting.
>I think there may be cases where such situation is possible and highly
>desirable.
>The logic being, try to talk directly (using the protocol described
>above), if it doesn't work, continue talking via B.
>Reminds me of STUN and friends.
Actually we can simplify it further. Just make it a requirement of
overlaying that you have a valid listener. Then no UDP magic. Overly
works or it doesn't.
>And an alternative will be centralized database/service advertising
>public keys and endpoints (think PGP keyserver).
>And then comes the WoT and then... Jason will shoot us for bringing
>the complexity he is so fond of avoiding (and I am supporting him) :-D
Agreed. I don't think Jason will be more than mildly interested and it
shouldn't be a part of Wireguard itself.
>Since this functionality can be implemented outside of Wireguard, as a
>simple script (I guess 5 lines of Bash, but will leave the challenge
>open), it is all a matter of convenience.
>Nothing can be gained by "building it in", may be except tiny >convenience.
>If you try to script it, then provide clean documentation/test cases,
>I am sure it can be included in
>https://git.zx2c4.com/WireGuard/plain/contrib/examples/
Agreed.
>Also consider the trust model you are changing, because security DOES
>matter :-)
>As an example, think buying on Amazon from 3rd party, vs. talking to
>them directly:
>(1st -> 2nd case may be possible, 2nd ->1st is highly improbable)
If you are on the VPN, you are by definition, trusted as much as anyone is.
"Improbable" is a policy decision. Overlaying might not even be of
benefit. If C is on bad, slow connection, an overlay to C isn't going to
help. Policy needs to figure that out.
>* 1st case is more secure, but more expensive
>* 1st provides a way to find your party, plus it provides some
>mediatior/trust relationship (at cost)
>* How often did you buy something via Amazon an then went directly to
>the seller to buy more?
This isn't the use case I'm considering. I'm not quite sure what you mean.
>It is all about balancing security/cost and convenience of setup a
>transaction, within some (implicit) trust/insurance model.
Definitely don't know what you mean.
Regards
-Dad
prev parent reply other threads:[~2016-12-04 5:54 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-03 11:53 [PATCH 1/1] include tests/debug.mk only if exists Christian Hesse
2016-12-03 18:07 ` DMVPM appreciation John Huttley
2016-12-03 18:48 ` Dave Taht
2016-12-04 3:01 ` Kalin KOZHUHAROV
2016-12-04 5:57 ` John Huttley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=689268d1-473f-6df6-61ba-989f8aed9928@mib-infotech.co.nz \
--to=john@mib-infotech.co.nz \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).