Tinc's response to "Linux's answer to MS-PPTP"
Guus Sliepen
guus at sliepen.eu.org
Sun Sep 28 05:05:18 EDT 2003
On Sat, Sep 27, 2003 at 07:58:14PM +0100, M Taylor wrote:
> Perhaps a HMAC per "chunk", rather than per the payload of a single UDP
> datagram. I suspect per every 5 UDP datagrams, roughly ~7000 bytes of
> payload may work. This will increase latency.
That would not work either. It would have the same problems as a packet
that has been split into 5 fragments: if one of the fragments gets lost,
the whole packet will be discarded. Fragment reassembly is also
something that is not completely trivial, in the past there have been
some simple DoS attacks for various operating systems that did not
implement IP fragment reassembly correctly.
Each UDP packet must stand on its own, just like the network packet that has
been encapsulated within it.
> This should be redone from scratch, I would look at either using
> Diffie Hellman Key Exchange combined with digital signatures or the updated
> Needham Schroeder Public Key Protocol. Exchange two symmetric keys,
> one used for bulk data encryption, the other used for the HMAC
> authentication.
I think I prefer the Diffie-Hellman key exchange; the Needham Schroeder
public key protocol needs more round trips and one more RSA
encryption/decryption step.
> I expect this is a reference to "Why TCP Over TCP Is A Bad Idea"
> <http://sites.inka.de/~bigred/devel/tcp-tcp.html>
Yes.
> If Guus Sliepen and Ivo Timmermans are willing to seriously rethink their
> high tolerance for unncessary weakness, I think tinc 2.0 could end up being
> a secure piece of software. I hope Guus and Ivo circulate their version 2.0
> protocol before they do any coding, so that any remaining flaws can be easily
> fixed in the paper design without changing a single line of code, saving time
> and effort.
Those are the first encouraging words I've heard since Peter Gutmann's
writeup was posted on Slashdot, thank you! We do plan to get rid of all
the weaknesses, and once we know what we want and we have a draft, I'll
post it in this mailing list.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at sliepen.eu.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20030928/f3f812e4/attachment.pgp>
More information about the cryptography
mailing list