Recent Kernel exploits, attack surface reduction, example IPSEC
13 points by hanno
I think it's fair to say that IPSEC is not widely used these days.
It isn't? Isn't it the basis for lots of corporate VPN software still?
I found IKEv2 to be a lot simpler to set up than older IPsec, but obviously Wireguard beats it in simplicity.
Wireguard is too simple. With IKEv2, you can push routes and DNS (configuration payload). I think IKEv2 displaced many proprietary VPN/OpenVPN setups because of this (IKEv1 was not able to do that).
It's not that WireGuard "can't" do that, it's that it pushes those features to another layer of the stack. There are WireGuard-backed VPN systems that have all those features and more.
Not many corporates run Linux desktops and on the server side it can always be enabled as part of the install configuration.
Secureblue has been blacklisting problematic kernel modules for a while, I think they might be planning to move to an allowlist in the future? Brace (same dev as the defunct DivestOS) is also doing some interesting work in that area.
To pick the example of IPSEC, I wonder if it wouldn't be better to have, e.g., a separate "linux-modules-ipsec" package that isn't installed by default.
I have been thinking about this, too. The only distro I know which does this for their binary kernel packaging is OpenWRT (for size reasons), and it does seem like an easy way to shrink the kernel module attack surface down.
For existing distro kernels, I wonder if there's a tool similar to make localmodconfig that looks at the currently installed kernel modules and drops an entry into /etc/modprobe.d/ that blacklists everything but those kernel modules? (AFAICT there's no wildcard or whitelisting support in modprobe.d so you'd need to do this in a hook after every kernel update, but it seems like a viable thing to do...?)
a tool similar to make localmodconfig that looks at the currently installed kernel modules and drops an entry into /etc/modprobe.d/ that blacklists everything but those kernel modules?
Oh, the Brace module_restricter scripts linked from this comment look like they're intended to do something like this. Looks like it started last week and is actively being worked on. Nice!
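A minimal version of the tool the two comments above describe, added here as an illustration; it is not the Brace module_restricter script nor code from any poster. It snapshots the modules currently loaded (/proc/modules) and every module file shipped for the running kernel (/lib/modules/$(uname -r)), and emits a modprobe.d fragment that denies everything in the second set that is not in the first. The kernel version "6.x", the module file lists and the `sample_driver` name in the demo are constructed sample data, not taken from a real system.

```shell
#!/bin/sh
# Generate a modprobe.d denylist of every kernel module that is available on
# disk but not loaded right now. Rerun after each kernel update, because the
# set of shipped module files (and their names) changes with the kernel.
set -eu
export LC_ALL=C   # sort and comm must agree on collation

# Print module names from a /proc/modules-style file (first column).
loaded_module_names() {
    awk '{ print $1 }' "$1" | sort -u
}

# Turn a list of module file paths (foo.ko, foo.ko.xz, foo.ko.zst) into bare
# module names. modprobe treats '-' and '_' as the same character, so both
# sides are normalised to '_' before the set difference is taken.
available_module_names() {
    sed -e 's#.*/##' -e 's/\.ko\(\.[a-z0-9]*\)*$//' -e 's/-/_/g' "$1" | sort -u
}

# Emit modprobe.d lines for every available module that is not loaded.
# "blacklist" only stops alias-driven autoloading (udev, request_module);
# the "install ... /bin/false" line also refuses an explicit modprobe.
generate_denylist() {
    lt=$(mktemp); at=$(mktemp)
    loaded_module_names "$1" > "$lt"
    available_module_names "$2" > "$at"
    comm -13 "$lt" "$at" | while IFS= read -r m; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
    rm -f "$lt" "$at"
}

# Run the generator against the live machine. Redirect the output into
# /etc/modprobe.d/99-deny-unused.conf (as root) to apply it.
scan_running_system() {
    af=$(mktemp)
    find "/lib/modules/$(uname -r)" -name '*.ko*' > "$af"
    generate_denylist /proc/modules "$af"
    rm -f "$af"
}

# Offline demo on constructed data: three modules loaded, six shipped.
# xfrm_algo is loaded but the IPsec transforms esp4/ah4 never were, so they
# end up denied; so does the made-up "sample-driver" (normalised to '_').
demo_denylist() {
    lf=$(mktemp); af=$(mktemp)
    cat > "$lf" <<'EOF'
ext4 900000 1 - Live 0x0000000000000000
xfrm_algo 16384 0 - Live 0x0000000000000000
e1000e 200000 0 - Live 0x0000000000000000
EOF
    cat > "$af" <<'EOF'
/lib/modules/6.x/kernel/fs/ext4/ext4.ko.zst
/lib/modules/6.x/kernel/net/xfrm/xfrm_algo.ko.zst
/lib/modules/6.x/kernel/net/ipv4/esp4.ko.zst
/lib/modules/6.x/kernel/net/ipv4/ah4.ko.zst
/lib/modules/6.x/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko.zst
/lib/modules/6.x/kernel/drivers/misc/sample-driver.ko.xz
EOF
    generate_denylist "$lf" "$af"
    rm -f "$lf" "$af"
}

demo_denylist
```

The snapshot is only as good as the moment it was taken: a module that loads on demand later (a filesystem mounted for the first time, a USB device plugged in) will be refused, so take the snapshot after the machine has seen its normal workload, and expect a module that is only a dependency of a denied one to be denied too. The `install` line can still be bypassed with `modprobe --ignore-install`, which is why a separate not-installed-by-default package, as suggested above, is the cleaner fix.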
IPSec is the standard for inter-DC routing, used by AWS and OCI to name just two. So idk but it seems pretty important, certainly it is to me.
I can set up a managed and redundant IPsec tunnel pair at both AWS and OCI but AFAIK I can't do that using wireguard.