… | |
… | |
81 | =head1 COMPILETIME CONFIGURATION |
81 | =head1 COMPILETIME CONFIGURATION |
82 | |
82 | |
83 | Please have a look at the C<gvpe.osdep(5)> manpage for platform-specific |
83 | Please have a look at the C<gvpe.osdep(5)> manpage for platform-specific |
84 | information. |
84 | information. |
85 | |
85 | |
86 | Here are a few recipes for compiling your gvpe: |
86 | Here are a few recipes for compiling your gvpe, showing the extremes |
|
|
87 | (fast, small, insecure OR slow, large, more secure), between you should |
|
|
88 | choose: |
87 | |
89 | |
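Review bot: the new intro sentence ends with "between you should choose:", which is missing its relative pronoun. Suggest "between which you should choose:" or a rewording such as "pick a point between these extremes:". The parenthetical names two extremes (fast, small, insecure OR slow, large, more secure), but three recipes follow, so it would help to say which recipe sits at which end.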
88 | =head2 AS LOW PACKET OVERHEAD AS POSSIBLE |
90 | =head2 AS LOW PACKET OVERHEAD AS POSSIBLE |
89 | |
91 | |
90 | ./configure --enable-hmac-length=4 --enable-rand-length=0 |
92 | ./configure --enable-hmac-length=4 --enable-rand-length=0 |
91 | |
93 | |
92 | Minimize the header overhead of VPN packets (the above will result in only |
94 | Minimize the header overhead of VPN packets (the above will result in |
93 | 4 bytes of overhead over the raw ethernet frame). |
95 | only 4 bytes of overhead over the raw ethernet frame). This is a insecure |
|
|
96 | configuration because a HMAC length of 4 makes collision attacks based on |
|
|
97 | the birthday paradox easy, though. |
94 | |
98 | |
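Review bot: the warning added to the --enable-hmac-length=4 recipe has two wording problems and one gap. "This is a insecure configuration" should read "an insecure configuration", and the trailing "though" has nothing left to contrast with now that the sentence opens with "This is"; either drop it or start the sentence with "Note that". The recipe also sets --enable-rand-length=0, and the text does not say whether that setting adds to the risk, so a clause covering it would be useful. It may also be worth stating the plain consequence of a 4-byte tag, that a forged packet is accepted with a chance of 1 in 2^32 per attempt, alongside the birthday-paradox remark.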
95 | =head2 MINIMIZE CPU TIME REQUIRED |
99 | =head2 MINIMIZE CPU TIME REQUIRED |
96 | |
100 | |
97 | ./configure --enable-cipher=bf --enable-digest=md4 |
101 | ./configure --enable-cipher=bf --enable-digest=md4 |
98 | |
102 | |
99 | Use the fastest cipher and digest algorithms currently available in gvpe. |
103 | Use the fastest cipher and digest algorithms currently available in |
|
|
104 | gvpe. MD4 has been broken and is quite insecure, though. |
100 | |
105 | |
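Review bot: the warning added under MINIMIZE CPU TIME REQUIRED covers only md4, while the recipe also selects --enable-cipher=bf. Say whether the cipher choice carries a security cost as well, and point the reader at the alternative, for example the --enable-digest=sha1 used in the MAXIMIZE SECURITY recipe. "has been broken and is quite insecure" would be more useful if it named what is broken (MD4's collision resistance), and the dangling "though" has the same problem as in the hmac-length paragraph. In the lines shown, the MAXIMIZE SECURITY recipe gets no explanatory sentence at all, which now stands out next to the two annotated ones.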
101 | =head2 MAXIMIZE SECURITY |
106 | =head2 MAXIMIZE SECURITY |
102 | |
107 | |
103 | ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 |
108 | ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 |
104 | |
109 | |