Hosting Provided By

linux-ipsec: Phase II PFS

From: Kai Martius <admin(at)imib.med.tu-dresden.de>
Date: Tue Aug 25 1998 - 04:06:26 EDT

Hi, Hugh.

Yesterday I managed to add PFS capability to Pluto's quick mode. Because I use an "old" snapshot of FreeS/WAN sources (Jul22), you must have a look how to merge this into the current version. Basically I added yet another goal to whack (the old one, without long options) named "PFS", which itselfs sets / unsets a new bit in the GOAL bitmask.

To hold DH values in quick mode I just use the "old" state entries from phase I, because (from my point of view) these are not needed anymore. st->st_shared_used is set/unset during quick mode depending on presence / absence of KE payloads. Finally, compute_proto_keymat decides on this field to include g^xy in KEYMAT. It works well, I've tested it against SSH-ISAKMP-testsite, they produce the same key material. However, they seem to support 768-DH-group only, or there is something wrong in on of the implementations, yet...

Adding this stuff, I came to your SPD-things in spdb.c/h. One problem was, that IPSEC-proposals/transforms must have a group description according to IKE draft (5.5), if PFS is used. So I added this statically in spdb.c, but now it's there, even if no PFS is used. This doesn't seem to be a problem (test run with SSH - without PFS - was successful), but it would be better to have consistent proposals, I'd say. But at this point, the SPD-stuff is a bit mystique to me, yet (could you please explain it to me in some words?) Further, if Pluto is responder in quick mode, the incoming SA transforms are not evaluated for this consistency (i.e. a group description), I suppose.

Two other "proposals":
1. Would you agree to split ipsec_doi.c further to make the code more clear? I'd suggest to keep some "help" functions there and move the mainmode stuff to a file like mmode.c and the quick mode things to qmode.c. So, aggressive mode later could be placed in amode.c. hash- and key generation fuctions might stay in ipsec_doi or even could be moved in a seperate file...

2. "whack" has many options in the meantime, and they will become even more. While the program is (like the name tells) a hack, it's very useful for testing and demonstration purposes. So I could imagine a web-based interface with some descriptive fields and listboxes, and a webserver, which generates a correct whack command by a kind of CGI script. Assuming (future) arguments, like domain names or address ranges, parsing them is much better done by a PERL script than in whack or pluto itself (However, I'm not very familiar with PERL...)

*Someone out there who could write such a script??*

Greetings
Kai

Do you need help?

# Kai Martius #
Received on Tue Aug 25 05:12:24 1998

This message: [ Message body ]
Next message: Kai Martius: "linux-ipsec: PFS diff"
Previous message: Kai Martius: "linux-ipsec: Snapshop Aug26 + PFS"
In reply to Kai Martius: "linux-ipsec: IPSec article"
Next in thread: Henry Spencer: "Re: linux-ipsec: Phase II PFS"
Reply: Henry Spencer: "Re: linux-ipsec: Phase II PFS"
Reply: Hugh Redelmeier: "Re: linux-ipsec: Phase II PFS"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:26 EDT