/cvs/gvpe/doc/gvpe.5.pod

Comparing gvpe/doc/gvpe.5.pod (file contents):
Revision 1.10 by root, Wed Jul 10 01:51:40 2013 UTC vs.
Revision 1.11 by root, Wed Jul 10 01:53:33 2013 UTC

117 117
118 ./configure --enable-hmac-length=4 --enable-rand-length=0 118 ./configure --enable-hmac-length=4 --enable-rand-length=0
119 119
120Minimize the header overhead of VPN packets (the above will result in 120Minimize the header overhead of VPN packets (the above will result in
121only 4 bytes of overhead over the raw ethernet frame). This is a insecure 121only 4 bytes of overhead over the raw ethernet frame). This is a insecure
122configuration because a HMAC length of 4 makes collision attacks based on 122configuration because a HMAC length of 4 makes collision attacks almost
123the birthday paradox pretty easy. 123trivial.
124 124
125=head2 MINIMIZE CPU TIME REQUIRED 125=head2 MINIMIZE CPU TIME REQUIRED
126 126
127 ./configure --enable-cipher=bf --enable-digest=md4 127 ./configure --enable-cipher=bf --enable-digest=md4
128 128
130gvpe. MD4 has been broken and is quite insecure, though, so using another 130gvpe. MD4 has been broken and is quite insecure, though, so using another
131digest algorithm is recommended. 131digest algorithm is recommended.
132 132
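Review bot: On new lines 122-123, "makes collision attacks almost trivial" no longer says what kind of attack is meant or why 4 bytes is too short, since the birthday-paradox reference was the only explanation and it was removed without a replacement. Suggest stating the concrete figure instead: a 4-byte HMAC has only 2^32 possible values, so a guessed tag on a forged packet is accepted with probability of about 1 in 2^32 per attempt. The paragraph also attributes the insecurity to the HMAC length alone, although the command on line 118 sets --enable-rand-length=0 as well; one sentence on what dropping the random prefix costs would fit here. While touching the sentence, "This is a insecure" on line 121 should read "This is an insecure".
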
133=head2 MAXIMIZE SECURITY 133=head2 MAXIMIZE SECURITY
134 134
135 ./configure --enable-hmac-length=16 --enable-rand-length=16 --enable-digest=sha384 135 ./configure --enable-hmac-length=16 --enable-rand-length=12 --enable-digest=ripemd610
136 136
137This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12 137This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12
138would also be pretty secure ;) and will additionally prefix each packet 138would also be pretty secure ;) and will additionally prefix each packet
139with 16 bytes of random data. 139with 12 bytes of random data.
140 140
141In general, remember that AES-128 seems to be as secure but faster than 141In general, remember that AES-128 seems to be as secure but faster than
142AES-192 or AES-256, more randomness helps against sniffing and a longer 142AES-192 or AES-256, more randomness helps against sniffing and a longer
143HMAC helps against spoofing. MD4 is a fast digest, SHA1, RIPEMD160, SHA256 143HMAC helps against spoofing. MD4 is a fast digest, SHA1, RIPEMD160, SHA256
144are consecutively better, and Blowfish is a fast cipher (and also quite 144are consecutively better, and Blowfish is a fast cipher (and also quite
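
Review bot: On new line 135, "--enable-digest=ripemd610" looks like a transposition of ripemd160; the context on line 143 spells the digest RIPEMD160, and a reader who pastes the line as written passes configure a digest name that appears nowhere else in this document. Two further points on the same line, both under the heading MAXIMIZE SECURITY: the digest moves from sha384 to a RIPEMD variant, although lines 143-144 rank "SHA1, RIPEMD160, SHA256" as consecutively better, which places the new choice below SHA256 by the document's own ordering; and --enable-rand-length drops from 16 to 12 while line 142 says more randomness helps against sniffing. If 12 is now the largest accepted value, or sha384 is no longer available, say so in the text; otherwise the example no longer matches its heading. The prose on line 139 was updated to 12 bytes and is consistent with the new command.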
