NetBSD-Bugs archive
kern/60386: experimental wg(4) DoS mitigation is suboptimal
>Number: 60386
>Category: kern
>Synopsis: experimental wg(4) DoS mitigation is suboptimal
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jun 30 00:20:00 +0000 2026
>Originator: Taylor R Campbell
>Release: current, 11, 10
>Organization:
The NetDoS Mitigation, Inc.
>Environment:
>Description:
The logic in wg(4) to manage DoS mitigation cookies stores each
cookie in the wg_peer data structure. On receipt of a
handshake message, looking up the wg_peer to get the cookie to
verify the mac2 requires doing a DH key agreement.

The whole point of DoS mitigation is to reduce the
computational cost of detecting fraudulent handshake attempts,
and the DH key agreement is likely the bulk of that cost, so
it's a little silly that we still do a DH key agreement at all.
We do avoid the _second_ DH key agreement but it would be nice
to avoid all of them.

Also, when sending the cookie reply, we send it to the peer's
_existing_ address rather than the source address where the
handshake came from. If the peer has just migrated networks,
the cookie might not get to the peer.

(This isn't a new issue -- I noticed it back in 2020 when
importing the code, but since it only affected the cost in DoS
mitigation, and no other part of security or performance, it
wasn't a priority to deal with.)
>How-To-Repeat:
code inspection
>Fix:
1. recompute the cookie on the fly instead of storing it with
the peer
2. move the mac2 verification up before the DH key agreement
3. send the cookie to the handshake packet's source address
rather than the peer's latest endpoint address
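To make the three fixes concrete, here is an added example in Python (not wg(4) code and not from the PR author), modelled on the WireGuard paper's mac1/mac2/cookie construction: mac1 is checked with a key derived from the responder's own static key, the cookie is recomputed from a rotating 32-byte secret and the packet's source address, and mac2 is checked before any peer lookup or DH. Keeping the previous secret for a grace window after rotation, the message layout used by build_initiation, and all names are this example's own choices.

```python
import hashlib, hmac, os, struct, time
MAC_LEN = 16               # WireGuard MACs are keyed BLAKE2s truncated to 16 bytes
SECRET_LIFETIME = 120      # the paper rotates the cookie secret R every two minutes
LABEL_MAC1 = b"mac1----"

def mac(key: bytes, data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=MAC_LEN, key=key).digest()

def addr_bytes(ip: str, port: int) -> bytes:
    """A_m: the datagram's own source IP and UDP port, never a stored endpoint."""
    return ip.encode() + struct.pack("!H", port)

def mac1_key(responder_pub: bytes) -> bytes:
    """HASH(LABEL_MAC1 || S_pub_r) depends only on our own static key: no peer lookup."""
    return hashlib.blake2s(LABEL_MAC1 + responder_pub).digest()

def build_initiation(responder_pub: bytes, body: bytes, cookie: bytes = b"") -> bytes:
    """Initiator side: mac1 over msg_alpha, then mac2 over msg_beta (zeros without a cookie)."""
    beta = body + mac(mac1_key(responder_pub), body)
    return beta + (mac(cookie, beta) if cookie else bytes(MAC_LEN))

class CookieChecker:
    """Responder side: check mac1 and mac2 from a rotating secret alone, before any DH."""
    def __init__(self, responder_pub: bytes, now=time.monotonic):
        self._mac1_key = mac1_key(responder_pub)
        self._now, self._rotated_at = now, now()
        self._secret, self._prev_secret = os.urandom(32), None   # prev: example's grace window

    def _rotate(self) -> None:
        if self._now() - self._rotated_at >= SECRET_LIFETIME:
            self._prev_secret, self._secret = self._secret, os.urandom(32)
            self._rotated_at = self._now()

    def cookie_for(self, ip: str, port: int) -> bytes:
        """cookie = MAC(R, A_m), recomputed on the fly rather than stored in the peer."""
        self._rotate()
        return mac(self._secret, addr_bytes(ip, port))

    def triage(self, msg: bytes, src_ip: str, src_port: int, under_load: bool) -> str:
        """'accept': go on to DH. 'cookie': send a cookie reply to src_ip:src_port. 'drop': bogus."""
        self._rotate()
        alpha, mac1, beta, mac2 = msg[:-2 * MAC_LEN], msg[-2 * MAC_LEN:-MAC_LEN], msg[:-MAC_LEN], msg[-MAC_LEN:]
        if not hmac.compare_digest(mac(self._mac1_key, alpha), mac1):
            return "drop"
        if not under_load:
            return "accept"
        for secret in (self._secret, self._prev_secret):
            if secret and hmac.compare_digest(mac(mac(secret, addr_bytes(src_ip, src_port)), beta), mac2):
                return "accept"
        return "cookie"
```

Because the cookie is a function of the secret and the source address only, the responder can answer to whatever address the datagram actually came from and still recognise the cookie when it comes back, even if the peer's recorded endpoint is stale.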