undefined | Better HN

0 pointstptacek5mo ago0 comments

There is literally no value to cutting down on WireGuard attempts. Like, the exact same set of skbuffs are being created and destroyed in either case.

0 comments

immibis5mo ago

Sure there is, if the attacker has to fulfil some basic obfuscation then it cuts down on the amount of crypto work you have to do before ignoring the packet.

It's not extra security but it is a little extra efficiency.

Wireguard has something like this built in though, the PresharedKey (which is in addition to the public key crypto, and doesn't reduce your security to the level of a shared-key system). It's still more work to verify that than a port knock however.

tptacekOP5mo ago

This has no value at all. WireGuard assumes an adversary trying to make it do extra work doing handshakes; a big chunk of the WireGuard paper discusses it. I don't think this is as important a problem as Jason does (but it's his baby), but either way: part of the point of WireGuard is that it's safe to hang out on the open Internet this way.

j / k navigate · click thread line to collapse

0 comments

immibis5mo ago

Sure there is, if the attacker has to fulfil some basic obfuscation then it cuts down on the amount of crypto work you have to do before ignoring the packet.

It's not extra security but it is a little extra efficiency.

tptacekOP5mo ago

j / k navigate · click thread line to collapse