=head1 DESCRIPTION

GVPE is a suite designed to provide a virtual private network for multiple
nodes over an untrusted network.

=over 4

=item X<Virtual>

Virtual means that no physical network is created (of course), but an
ethernet is emulated by creating multiple tunnels between the member
nodes.

=item X<Private>

Private means that non-participating nodes cannot decode ("sniff") nor
inject ("spoof") packets.

In the case of gvpe, even participating nodes cannot sniff packets sent to
other nodes or spoof packets as if sent from other nodes.

=item X<Network>

Network means that more than two parties can participate in the network,
so for instance it's possible to connect multiple branches of a company
into a single network. Many so-called "vpn" solutions only create
point-to-point tunnels.

=back

=head2 DESIGN GOALS

=over 4

=head1 COMPILETIME CONFIGURATION

Please have a look at the C<gvpe.osdep(5)> manpage for platform-specific
information.

Here are a few recipes for compiling your gvpe, showing the extremes
(fast, small, insecure OR slow, large, more secure), between which you
should choose:

=head2 AS LOW PACKET OVERHEAD AS POSSIBLE

   ./configure --enable-hmac-length=4 --enable-rand-length=0

Minimize the header overhead of VPN packets (the above will result in
only 4 bytes of overhead over the raw ethernet frame). This is an insecure
configuration because an HMAC length of 4 makes collision attacks based on
the birthday paradox easy, though.

=head2 MINIMIZE CPU TIME REQUIRED

   ./configure --enable-cipher=bf --enable-digest=md4

Use the fastest cipher and digest algorithms currently available in
gvpe. MD4 has been broken and is quite insecure, though.

=head2 MAXIMIZE SECURITY

   ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1

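The three recipes above trade header bytes against the strength of the per-packet HMAC. The following script is an added illustration written for this page, not part of gvpe or its build system: it puts numbers on that trade-off. The only figure the page states is that C<--enable-hmac-length=4 --enable-rand-length=0> costs 4 bytes per frame, so the model that overhead equals HMAC length plus random-padding length is an assumption, and so are the recipe names used as dictionary keys.

```python
import math

# Constructed recipe table (names are ours). The page only documents that
# hmac_length=4, rand_length=0 costs 4 bytes per ethernet frame; the rule
# overhead = hmac_length + rand_length below is an assumption of this example.
RECIPES = {
    "low-overhead": {"hmac_length": 4, "rand_length": 0},
    "max-security": {"hmac_length": 16, "rand_length": 8},
}


def packet_overhead(hmac_length: int, rand_length: int) -> int:
    """Bytes added to each raw ethernet frame (assumed: tag bytes + random padding)."""
    return hmac_length + rand_length


def birthday_bound_tries(hmac_length: int) -> int:
    """Expected number of authenticated packets seen before two share a tag.

    A tag of n bits collides after roughly sqrt(2**n) = 2**(n/2) samples; this is the
    birthday paradox the page refers to when calling a 4-byte HMAC insecure.
    """
    bits = 8 * hmac_length
    return 2 ** (bits // 2)


def blind_guess_probability(hmac_length: int) -> float:
    """Chance that a single random tag value is accepted by the receiver."""
    return 2.0 ** (-8 * hmac_length)


def compare(recipes=RECIPES) -> dict:
    """Evaluate overhead and tag-strength figures for each configure recipe."""
    result = {}
    for name, cfg in recipes.items():
        h, r = cfg["hmac_length"], cfg["rand_length"]
        result[name] = {
            "overhead_bytes": packet_overhead(h, r),
            "birthday_tries": birthday_bound_tries(h),
            "guess_probability": blind_guess_probability(h),
        }
    return result


if __name__ == "__main__":
    for name, row in compare().items():
        print(
            f"{name:13s} overhead={row['overhead_bytes']:2d} B  "
            f"tag collision expected after ~2^{math.log2(row['birthday_tries']):.0f} packets  "
            f"single-guess acceptance p=2^{math.log2(row['guess_probability']):.0f}"
        )
```

Running it shows the 4-byte recipe reaching the birthday bound after about 2^16 packets, which on a busy ethernet tunnel is seconds of traffic, while the 16-byte recipe pushes the same bound to 2^64 for 20 extra bytes per frame; the random-padding length changes overhead but not the tag figures.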