…
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "GVPE 5"
.TH GVPE 5 "2005-01-27" "1.7" "GNU Virtual Private Ethernet"
.SH "NAME"
GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple
nodes over an untrusted network.
.IP "\(bu" 4
\&\*(L"Virtual\*(R" means that no physical network is created (of course), but an
ethernet is emulated by creating multiple tunnels between the member
nodes.
.IX Xref "Virtual"
.IP "\(bu" 4
\&\*(L"Private\*(R" means that non-participating nodes cannot decode (\*(L"sniff\*(R") nor
inject (\*(L"spoof\*(R") packets.
.IX Xref "Private"
.Sp
In the case of gvpe, even participating nodes cannot sniff packets sent to
other nodes or spoof packets as if sent from other nodes.
.IP "\(bu" 4
\&\*(L"Network\*(R" means that more than two parties can participate in the
network, so for instance it's possible to connect multiple branches of a
company into a single network. Many so-called \*(L"vpn\*(R" solutions only create
point-to-point tunnels.
.IX Xref "Network"
.Sh "\s-1DESIGN\s0 \s-1GOALS\s0"
.IX Subsection "DESIGN GOALS"
.IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4
.IX Item "SIMPLE DESIGN"
Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected
…
\& ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1
.Ve
.PP
This uses a 16 byte \s-1HMAC\s0 checksum to authenticate packets (I guess 8\-12
would also be pretty secure ;) and will additionally prefix each packet
with 8 bytes of random data. In the long run, people should move to
\&\s-1SHA\-224\s0 and beyond, but support in openssl is missing as of writing this
document.
.PP
In general, remember that \s-1AES\-128\s0 seems to be more secure and faster than
\&\s-1AES\-192\s0 or \s-1AES\-256\s0, more randomness helps against sniffing and a longer
\&\s-1HMAC\s0 helps against spoofing. \s-1MD4\s0 is a fast digest, \s-1SHA1\s0 or \s-1RIPEMD160\s0 are
better, and Blowfish is a fast cipher (and also quite secure).