Subject: Re: ipsec on raylink
To: None <firstname.lastname@example.org, email@example.com>
From: Michael Richardson <firstname.lastname@example.org>
Date: 02/26/2000 21:36:03
>>>>> "Wolfgang" == Wolfgang Rupprecht <email@example.com> writes:
Wolfgang> I've been ripping my hair out trying to figure out how to
Wolfgang> securely use the ipsec stuff in -current to allow a secure
Wolfgang> connection between my local ether and the raylink machines.
Wolfgang> I'd really like to nfs mount my home directories over the
Wolfgang> raylink, but there is no way I'm going to do that without some
Wolfgang> crypto in there. (Only the fbi and cia are confident enough to
Wolfgang> export their nfs disks r/w to the world.)
Are you using -current? newer than 1.4Q or so?
(i.e. new or old KAME policy code...)
Wolfgang> can't figure out a similar setup for the two-network case. All
Wolfgang> the ideas I've had end up with either no communication or no
Wolfgang> encryption. Does anyone have a working example?
Wolfgang> Are the setkey-loaded ipsec rules longest-prefix match (like
Wolfgang> CIDR) or first or last match? I was wondering if one could do
Wolfgang> a "deny all" and then open it up if certain conditions were
I think so, yes.
Wolfgang> As an aside, which encryption modes are appropriate for UDP?
Wolfgang> Can one use xxx-cbc? I was wondering what happens with a
Wolfgang> dropped UDP packet. Does the -cbc at both ends get out of sync
The CBC mode only applies within the packet. Each packet contains a new
IV, so each packet is independant.
Wolfgang> and the communication stops? In practice does one have to use
Wolfgang> ah with esp to prevent forged packets from being constructed
Wolfgang> and injected? Comments to RTFM welcome as long as they include
Wolfgang> pointers to TFM. ;-)
Not anymore. ESP includes an AH-like integrity check. In fact, the
VPN-people in the IPsec WG would like to get rid of AH and just use ESP with
null encryption for "authentication" --- that's because they don't see the
point of AH for defending against things like the Yahoo/eBay denial of
service. To do that would require IPsec to be ubiquitous. For VPN vendors
ubiquitous IPsec would put them out of the market. (I don't suggest that the
engineers are malicious in this way, they are just listening to their
marketing, who never get requests for AH in their gateways, since nobody
who'd spend real money for a gateway would want AH anyway)
:!mcr!: | Cow#1: Are you worried about getting Mad Cow Disease?
Michael Richardson | Cow#2: No. I'm a duck.
Home: firstname.lastname@example.org. PGP key available.