| … | |
… | |
| 189 | .SH "COMPILETIME CONFIGURATION" |
189 | .SH "COMPILETIME CONFIGURATION" |
| 190 | .IX Header "COMPILETIME CONFIGURATION" |
190 | .IX Header "COMPILETIME CONFIGURATION" |
| 191 | Please have a look at the \f(CW\*(C`gvpe.osdep(5)\*(C'\fR manpage for platform-specific |
191 | Please have a look at the \f(CW\*(C`gvpe.osdep(5)\*(C'\fR manpage for platform-specific |
| 192 | information. |
192 | information. |
| 193 | .PP |
193 | .PP |
| 194 | Here are a few recipes for compiling your gvpe: |
194 | Here are a few recipes for compiling your gvpe, showing the extremes |
|
|
195 | (fast, small, insecure \s-1OR\s0 slow, large, more secure), between you should |
|
|
196 | choose: |
| 195 | .Sh "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0" |
197 | .Sh "\s-1AS\s0 \s-1LOW\s0 \s-1PACKET\s0 \s-1OVERHEAD\s0 \s-1AS\s0 \s-1POSSIBLE\s0" |
| 196 | .IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" |
198 | .IX Subsection "AS LOW PACKET OVERHEAD AS POSSIBLE" |
| 197 | .Vb 1 |
199 | .Vb 1 |
| 198 | \& ./configure --enable-hmac-length=4 --enable-rand-length=0 |
200 | \& ./configure --enable-hmac-length=4 --enable-rand-length=0 |
| 199 | .Ve |
201 | .Ve |
| 200 | .PP |
202 | .PP |
| 201 | Minimize the header overhead of \s-1VPN\s0 packets (the above will result in only |
203 | Minimize the header overhead of \s-1VPN\s0 packets (the above will result in |
| 202 | 4 bytes of overhead over the raw ethernet frame). |
204 | only 4 bytes of overhead over the raw ethernet frame). This is a insecure |
|
|
205 | configuration because a \s-1HMAC\s0 length of 4 makes collision attacks based on |
|
|
206 | the birthday paradox easy, though. |
| 203 | .Sh "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0" |
207 | .Sh "\s-1MINIMIZE\s0 \s-1CPU\s0 \s-1TIME\s0 \s-1REQUIRED\s0" |
| 204 | .IX Subsection "MINIMIZE CPU TIME REQUIRED" |
208 | .IX Subsection "MINIMIZE CPU TIME REQUIRED" |
| 205 | .Vb 1 |
209 | .Vb 1 |
| 206 | \& ./configure --enable-cipher=bf --enable-digest=md4 |
210 | \& ./configure --enable-cipher=bf --enable-digest=md4 |
| 207 | .Ve |
211 | .Ve |
| 208 | .PP |
212 | .PP |
| 209 | Use the fastest cipher and digest algorithms currently available in gvpe. |
213 | Use the fastest cipher and digest algorithms currently available in |
|
|
214 | gvpe. \s-1MD4\s0 has been broken and is quite insecure, though. |
| 210 | .Sh "\s-1MAXIMIZE\s0 \s-1SECURITY\s0" |
215 | .Sh "\s-1MAXIMIZE\s0 \s-1SECURITY\s0" |
| 211 | .IX Subsection "MAXIMIZE SECURITY" |
216 | .IX Subsection "MAXIMIZE SECURITY" |
| 212 | .Vb 1 |
217 | .Vb 1 |
| 213 | \& ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 |
218 | \& ./configure --enable-hmac-length=16 --enable-rand-length=8 --enable-digest=sha1 |
| 214 | .Ve |
219 | .Ve |
