NetBSD-Bugs archive


kern/60386: experimental wg(4) DoS mitigation is suboptimal



>Number:         60386
>Category:       kern
>Synopsis:       experimental wg(4) DoS mitigation is suboptimal
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 30 00:20:00 +0000 2026
>Originator:     Taylor R Campbell
>Release:        current, 11, 10
>Organization:
The NetDoS Mitigation, Inc.
>Environment:
>Description:

	The logic in wg(4) to manage DoS mitigation cookies stores each
	cookie in the wg_peer data structure.  On receipt of a
	handshake message, looking up the wg_peer to get the cookie to
	verify the mac2 requires doing a DH key agreement.

	The whole point of DoS mitigation is to reduce the
	computational cost of detecting fraudulent handshake attempts,
	and the DH key agreement is likely the bulk of that cost, so
	it's a little silly that we still do a DH key agreement at all.
	We do avoid the _second_ DH key agreement but it would be nice
	to avoid all of them.

	Also, when sending the cookie reply, we send it to the peer's
	_existing_ address rather than the source address where the
	handshake came from.  If the peer has just migrated networks,
	the cookie might not get to the peer.

	(This isn't a new issue -- I noticed it back in 2020 when
	importing the code, but since it only affected the cost in DoS
	mitigation, and no other part of security or performance, it
	wasn't a priority to deal with.)

>How-To-Repeat:

	code inspection

>Fix:

	1. recompute the cookie on the fly instead of storing it with
	   the peer

	2. move the mac2 verification up before the DH key agreement

	3. send the cookie to the handshake packet's source address
	   rather than the peer's latest endpoint address
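	The three fixes above, worked through as an added Python model (not
	NetBSD's wg(4) code). It uses the WireGuard paper's definitions, MAC(key,
	input) as 16-byte keyed BLAKE2s, mac1 keyed by HASH("mac1----" || S^pub),
	and the cookie as MAC(R_m, A_m) over the sender's source address, and
	contrasts a responder that recomputes the cookie from the source address
	before any DH work with a simplified model of the stored-cookie design
	the report describes. The endpoint strings, message body, "public key"
	bytes and the DH counter are constructed stand-ins, not real protocol
	traffic.

```python
import hashlib
import os
import secrets

MAC_LEN = 16                  # WireGuard MAC output length
LABEL_MAC1 = b"mac1----"      # Label-Mac1 from the WireGuard paper


def mac(key: bytes, data: bytes) -> bytes:
    """MAC(key, input) = Keyed-BLAKE2s(key, input, 16)."""
    return hashlib.blake2s(data, digest_size=MAC_LEN, key=key).digest()


def mac1_key(responder_static_pub: bytes) -> bytes:
    """HASH(Label-Mac1 || S^pub_responder); HASH is 32-byte BLAKE2s."""
    return hashlib.blake2s(LABEL_MAC1 + responder_static_pub).digest()


def cookie_for(cookie_secret: bytes, src_addr: bytes) -> bytes:
    """Cookie = MAC(R_m, A_m): rotating responder secret over the source endpoint.
    Fix 1: derived on demand, so nothing has to be stored per peer."""
    return mac(cookie_secret, src_addr)


def build_initiation(body: bytes, responder_static_pub: bytes, cookie) -> bytes:
    """msg = body || mac1 || mac2; mac2 is all zero until the initiator holds a cookie."""
    mac1 = mac(mac1_key(responder_static_pub), body)
    mac2 = mac(cookie, body + mac1) if cookie else bytes(MAC_LEN)
    return body + mac1 + mac2


def verify_mac2(cookie_secret: bytes, src_addr: bytes, msg: bytes) -> bool:
    """Stateless mac2 check: recompute the cookie from (secret, source address)."""
    covered, mac2 = msg[:-MAC_LEN], msg[-MAC_LEN:]
    expected = mac(cookie_for(cookie_secret, src_addr), covered)
    return secrets.compare_digest(expected, mac2)


class Responder:
    def __init__(self, stateless: bool):
        self.stateless = stateless
        self.cookie_secret = os.urandom(32)          # R_m (rotated every 2 minutes in practice)
        self.static_pub = os.urandom(32)             # placeholder for S^pub, no real key pair here
        self.peer_endpoint = b"198.51.100.7:51820"   # constructed: peer's last known endpoint
        self.peer_cookie = None                      # cookie stored with the peer (old design only)
        self.dh_count = 0                            # expensive DH operations performed

    def _lookup_peer_via_dh(self):
        # Stand-in for the DH key agreement needed to identify the peer.
        self.dh_count += 1

    def handle_initiation(self, msg: bytes, src_addr: bytes, under_load: bool = True):
        """Returns (action, destination, cookie); action is 'process' or 'cookie_reply'."""
        if self.stateless:
            if under_load and not verify_mac2(self.cookie_secret, src_addr, msg):
                # Fix 2: rejected before any DH.  Fix 3: reply to the packet's source.
                return ("cookie_reply", src_addr, cookie_for(self.cookie_secret, src_addr))
            self._lookup_peer_via_dh()
            return ("process", src_addr, None)
        # Old design: the peer must be identified (DH) to reach the stored cookie,
        # and the cookie reply goes to the peer's existing endpoint.
        self._lookup_peer_via_dh()
        covered, mac2 = msg[:-MAC_LEN], msg[-MAC_LEN:]
        ok = self.peer_cookie is not None and secrets.compare_digest(mac(self.peer_cookie, covered), mac2)
        if under_load and not ok:
            self.peer_cookie = cookie_for(self.cookie_secret, src_addr)
            return ("cookie_reply", self.peer_endpoint, self.peer_cookie)
        return ("process", src_addr, None)


def simulate(stateless: bool) -> dict:
    """One initiator that has just migrated to a new address, talking to a loaded responder."""
    r = Responder(stateless)
    src = b"203.0.113.5:51820"             # constructed: the handshake's actual source address
    body = b"\x01" + os.urandom(115)       # constructed stand-in for the initiation fields
    first = build_initiation(body, r.static_pub, None)
    action1, dst1, cookie = r.handle_initiation(first, src)
    dh_after_first = r.dh_count
    # The initiator only learns the cookie if the reply was sent to where it actually is.
    retry = build_initiation(body, r.static_pub, cookie if dst1 == src else None)
    action2, _, _ = r.handle_initiation(retry, src)
    return {"first": action1, "reply_to": dst1, "dh_after_first": dh_after_first,
            "second": action2, "dh_total": r.dh_count}


if __name__ == "__main__":
    print("stateless:", simulate(True))
    print("stored   :", simulate(False))
```

	With the stateless check, a forged or cookie-less initiation costs the
	responder two short MACs and no DH, and a migrated peer receives the
	cookie at its new address and is accepted on the retry.  With the
	stored-cookie model, every rejected initiation still pays one DH and
	the cookie reply goes to the stale endpoint, so the peer never gets
	past the cookie stage.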
