On 18.06.2018 14:08, Vivien Malerba wrote:
> However, for any organization which will use WireGuard, even if admins
> are very effective at applying updates, updating all the endpoint
> systems simultaneously is not realistic. At the same time, it may be
> the case that the organization can't afford the downtime, in which
> case using WireGuard will simply not be an option, which is too bad.

Fixing any crypto weakness will require kernel updates and configuration
changes. A very easy config change, compared to all the other work you'd
have to do if a flaw is discovered that forces a different crypto
algorithm, is "use a second WG instance with a different UDP port".

A script that monitors connections to the new WG instance and
auto-disables the associated peer keys in the old instance is easy
enough to write.

Problem solved, no downgrade attack possible.

-- 
-- Matthias Urlichs
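The monitor-and-disable script sketched above, as an added example that is not code from the thread: it parses the handshake table of the new instance, intersects it with the peer list of the old one, and removes migrated peers from the old interface. Interface names `wg0`/`wg1`, the 300-second window and the sample keys are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: helper for the "second WireGuard
# instance on a different UDP port" migration described above.
# Assumed names: NEW_IF runs the updated crypto config, OLD_IF the legacy
# one, peers keep the same public key on both; WINDOW is a placeholder.
NEW_IF="${NEW_IF:-wg1}"
OLD_IF="${OLD_IF:-wg0}"
WINDOW="${WINDOW:-300}"
TAB=$(printf '\t')

# peers_to_disable NOW WINDOW NEW_HS OLD_PEERS
#   NEW_HS    text of `wg show $NEW_IF latest-handshakes` (pubkey<TAB>epoch)
#   OLD_PEERS text of `wg show $OLD_IF peers` (one pubkey per line)
# Prints every peer that completed a handshake on the new instance within
# WINDOW seconds of NOW and is still configured on the old instance.
peers_to_disable() {
    now="$1"; window="$2"; new_hs="$3"; old_peers="$4"
    printf '%s\n' "$new_hs" | while IFS="$TAB" read -r key ts; do
        [ -n "$key" ] || continue
        # an epoch of 0 means the peer has never handshaked on the new port
        [ "${ts:-0}" -gt 0 ] 2>/dev/null || continue
        [ $((now - ts)) -le "$window" ] || continue
        # exact-line match so one key can never be a prefix of another
        if printf '%s\n' "$old_peers" | grep -qxF -- "$key"; then
            printf '%s\n' "$key"
        fi
    done
}

# Live run on the gateway: query both instances and drop migrated peers
# from the old one, leaving an audit trail in syslog.
disable_migrated_peers() {
    new_hs=$(wg show "$NEW_IF" latest-handshakes)
    old_peers=$(wg show "$OLD_IF" peers)
    peers_to_disable "$(date +%s)" "$WINDOW" "$new_hs" "$old_peers" |
    while read -r key; do
        wg set "$OLD_IF" peer "$key" remove
        logger -t wg-migrate "removed $key from $OLD_IF (active on $NEW_IF)"
    done
}
```

Run `disable_migrated_peers` from cron or a systemd timer; `wg set` only changes the running interface, so persist the result with `wg-quick save "$OLD_IF"` (or by editing its config) and retire the old instance once its peer list is empty.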

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard