WireGuard: Next Generation Kernel Network Tunnel

WireGuard is a secure network tunnel, operating at layer 3, implemented as a kernel virtual network interface for Linux, which aims to replace both IPsec for most use cases, as well as popular user space and/or TLS-based solutions like OpenVPN, while being more secure, more performant, and easier to use. The virtual tunnel interface is based on a proposed fundamental principle of secure tunnels: an association between a peer public key and a tunnel source IP address. It uses a single round trip key exchange, based on NoiseIK, and handles all session creation transparently to the user using a novel timer state machine mechanism. Short pre-shared static keys—Curve25519 points—are used for mutual authentication in the style of OpenSSH. The protocol provides strong perfect forward secrecy in addition to a high degree of identity hiding. Transport speed is accomplished using ChaCha20Poly1305 authenticated-encryption for encapsulation of packets in UDP. An improved take on IP-binding cookies is used for mitigating denial of service attacks, improving greatly on IKEv2 and DTLS’s cookie mechanisms to add encryption and authentication. The overall design allows for allocating no resources in response to received packets, and from a systems perspective, there are multiple interesting Linux implementation techniques for queues and parallelism. Finally, WireGuard can be simply implemented for Linux in less than 4,000 lines of code, making it easily audited and verified. Permanent ID of this document: 4846ada1492f5d92198df154f48c3d54205657bc. Static link: wireguard.com/papers/wireguard .pdf. Date: June 1, 2020. This is draft revision e2da747. A version of this paper appears in Proceedings of the Network and Distributed System Security Symposium, NDSS 2017. Copyright © 2015–2020 Jason A. Donenfeld. All Rights Reserved.

[2]  Kristin E. Lauter,et al.  Security Analysis of KEA Authenticated Key Exchange Protocol , 2006, IACR Cryptol. ePrint Arch..

[3]  Van Jacobson,et al.  Controlling queue delay , 2012, Commun. ACM.

[4]  Hugo Krawczyk,et al.  Cryptographic Extraction and Key Derivation: The HKDF Scheme , 2010, IACR Cryptol. ePrint Arch..

[5]  Gunnar Karlsson,et al.  IP-address lookup using LC-tries , 1999, IEEE J. Sel. Areas Commun..

[6]  Daniel J. Bernstein,et al.  Curve25519: New Diffie-Hellman Speed Records , 2006, Public Key Cryptography.

[7]  Adam Langley,et al.  ChaCha20 and Poly1305 for IETF Protocols , 2018, RFC.

[8]  Tal Rabin Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings , 2010, CRYPTO.

[9]  Yoichi Hariguchi ART – Allotment Routing Table – A Fast Free Multibit Trie Based Routing Table , .

[10]  Hugo Krawczyk,et al.  SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols , 2003, CRYPTO.

[11]  Eric Rescorla,et al.  Datagram Transport Layer Security Version 1.2 , 2012, RFC.

[12]  Hari Balakrishnan,et al.  Mosh: An Interactive Remote Shell for Mobile Clients , 2012, USENIX Annual Technical Conference.

[13]  Paul E. Hoffman,et al.  Internet Key Exchange Protocol Version 2 (IKEv2) , 2010, RFC.

[14]  Tina Tsou,et al.  IPsec Anti-Replay Algorithm without Bit Shifting , 2012, RFC.

[15]  Bruce Schneier,et al.  A Cryptographic Evaluation of IPsec , 1999 .

[16]  Jennifer Seberry,et al.  Public Key Cryptography , 2000, Lecture Notes in Computer Science.

[17]  Toke Høiland-Jørgensen,et al.  The Flow Queue CoDel Packet Scheduler and Active Queue Management Algorithm , 2018, RFC.

[18]  Daniel J. Bernstein,et al.  The Poly1305-AES Message-Authentication Code , 2005, FSE.

[19]  Samuel Neves,et al.  BLAKE2: Simpler, Smaller, Fast as MD5 , 2013, ACNS.

[20]  Aggelos Kiayias,et al.  Public key cryptography - PKC 2006 : 9th International Conference on Theory and Practice in Public Key Cryptography, New York, NY, USA, April 24-26, 2006 : proceedings , 2006 .