… | |
… | |
131 | .\} |
131 | .\} |
132 | .rm #[ #] #H #V #F C |
132 | .rm #[ #] #H #V #F C |
133 | .\" ======================================================================== |
133 | .\" ======================================================================== |
134 | .\" |
134 | .\" |
135 | .IX Title "GVPE.PROTOCOL 7" |
135 | .IX Title "GVPE.PROTOCOL 7" |
136 | .TH GVPE.PROTOCOL 7 "2014-04-26" "2.25" "GNU Virtual Private Ethernet" |
136 | .TH GVPE.PROTOCOL 7 "2015-01-29" "2.25" "GNU Virtual Private Ethernet" |
137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
138 | .\" way too many mistakes in technical documents. |
138 | .\" way too many mistakes in technical documents. |
139 | .if n .ad l |
139 | .if n .ad l |
140 | .nh |
140 | .nh |
141 | .SH "The GNU-VPE Protocols" |
141 | .SH "The GNU-VPE Protocols" |
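Review bot: The .TH line (136) bumps only the date to 2015-01-29 and leaves the release field at "2.25", while the same change rewrites the documented data packet layout and cipher mode further down. If the new layout is not what 2.25 puts on the wire, the release field should change with it so a reader can tell which packet format this page describes.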
… | |
… | |
269 | The \s-1DATA\s0 portion differs between each packet type, naturally, and is the |
269 | The \s-1DATA\s0 portion differs between each packet type, naturally, and is the |
270 | only part that can be encrypted. Data packets contain more fields, as |
270 | only part that can be encrypted. Data packets contain more fields, as |
271 | shown: |
271 | shown: |
272 | .PP |
272 | .PP |
273 | .Vb 3 |
273 | .Vb 3 |
274 | \& +\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-+\-\-\-\-\-\-+ |
274 | \& +\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-+\-\-\-\-\-\-+ |
275 | \& | HMAC | TYPE | SRCDST | RAND | SEQNO | DATA | |
275 | \& | HMAC | TYPE | SRCDST | SEQNO | DATA | |
276 | \& +\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-+\-\-\-\-\-\-+ |
276 | \& +\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-+\-\-\-\-\-\-+ |
277 | .Ve |
277 | .Ve |
278 | .PP |
|
|
279 | \&\s-1RAND\s0 is a sequence of fully random bytes, used to increase the entropy of |
|
|
280 | the data for encryption purposes. |
|
|
281 | .PP |
278 | .PP |
282 | \&\s-1SEQNO\s0 is a 32\-bit sequence number. It is negotiated at every connection |
279 | \&\s-1SEQNO\s0 is a 32\-bit sequence number. It is negotiated at every connection |
283 | initialization and starts at some random 31 bit value. \s-1GVPE\s0 currently uses |
280 | initialization and starts at some random 31 bit value. \s-1GVPE\s0 currently uses |
284 | a sliding window of 512 packets/sequence numbers to detect reordering, |
281 | a sliding window of 512 packets/sequence numbers to detect reordering, |
285 | duplication and replay attacks. |
282 | duplication and replay attacks. |
286 | .PP |
283 | .PP |
287 | The encryption is done on \s-1RAND+SEQNO+DATA\s0 in \s-1CBC\s0 mode with zero \s-1IV \s0(or, |
284 | The encryption is done on \s-1SEQNO+DATA\s0 in \s-1CTR\s0 mode with \s-1IV\s0 generated from |
288 | equivalently, the \s-1IV\s0 is \s-1RAND+SEQNO,\s0 encrypted with the block cipher, |
285 | the seqno (for \s-1AES:\s0 seqno || seqno || seqno || (u32)0), which ensures |
289 | unless \s-1RAND\s0 size is decreased or increased over the default value). |
286 | uniqueness for a given key. |
290 | .PP |
|
|
291 | The random prefix itself is generated by using \s-1AES\s0 in \s-1CTR\s0 mode with a |
|
|
292 | random key and starting value, which should make them unpredictable even |
|
|
293 | before encrypting them again. The sequence number additionally ensures |
|
|
294 | that the \s-1IV\s0 is unique. |
|
|
295 | .SS "The authentication/key exchange protocol" |
287 | .SS "The authentication/key exchange protocol" |
296 | .IX Subsection "The authentication/key exchange protocol" |
288 | .IX Subsection "The authentication/key exchange protocol" |
297 | Before nodes can exchange packets, they need to establish authenticity of |
289 | Before nodes can exchange packets, they need to establish authenticity of |
298 | the other side and a key. Every node has a private \s-1RSA\s0 key and the public |
290 | the other side and a key. Every node has a private \s-1RSA\s0 key and the public |
299 | \&\s-1RSA\s0 keys of all other nodes. |
291 | \&\s-1RSA\s0 keys of all other nodes. |
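Review bot: The new text at 284-286 says the encryption covers SEQNO+DATA while the CTR IV is built from the seqno, so as written a receiver needs the seqno in order to decrypt the block that contains it. Please state how the receiver obtains the seqno (sent in clear, or tracked from the negotiated start value), or document that only DATA is encrypted. The claim "ensures uniqueness for a given key" also holds only while the 32-bit SEQNO does not repeat under one key, and CTR keystream reuse exposes plaintext, so the page should say that a rekey happens before the counter wraps. It would also help to say what the trailing (u32)0 is for, for example the per-block counter if that is its role.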