[Joel_Mckay]

The relatively benign legacy kernel level pointer-bug CVE chosen is hardly the worst thing from WireGuard or strongSwan over the years. However, it makes the point a priority reliable network side-channel administrative login is more robust under some use-cases.

Adding layers of complexity rarely improves security, and doesn't usually address the underlying issue of accountability. And I often ponder if a bastion host is even still meaningful in modern clouds. =3

[tptacek]

The bug you cited is in Netlink. It's not exposed on the network. What's the "worse" thing you're referring to? I think you just searched "WireGuard CVE" and tried to play it off.

[Joel_Mckay]

In general, doing a qualitative summary of the projects impact is less helpful, and never as verbose as some would prefer on platform specific issues. Additionally, wireguard is now more popular than strongswan these days...

https://www.cve.org/CVERecord/SearchResults?query=ipsec

https://www.cve.org/CVERecord/SearchResults?query=wireguard

https://www.cve.org/CVERecord/SearchResults?query=strongswan

Best of luck, and straw-man arguments are never taken seriously. =3

[tptacek]

This reads like a long-winded way of saying you aren't bothering to read what the vulnerabilities actually are.

[Joel_Mckay]

>This reads like a long-winded way of saying you aren't bothering to read what the vulnerabilities actually are.

Almost, it is more that I don't care specifically why a IPSec option is often a liability, and would rather stick with something less silly.

Ad hominem attacks do not change the fact there are new issues in IPSec/VPN approaches found regularly. Pick any failure mode(s) on the list that applies to your specific use-case and platform.... or could find new ones if you are still bored.

Have a great day =3

https://www.youtube.com/watch?v=6vgoEhsJORU