Re: [Vtun-devel] current development
From: Dale F. <dpf...@fo...> - 2003-12-06 20:40:12
Hi Bishop,

Glad to meet you. I use this software every day, so I figured I'd see how I could help out.

Generally speaking, I want to add support for multiple ciphers and multiple modes. Since I didn't see a roadmap on the mailing lists, or on the website (maybe I overlooked it?) I wanted to fly this idea past you first.

Specifically, I was looking at AES and mode EAX as the goal. The reason I'm looking at EAX is because it combines CTR mode encryption with OMAC authentication, which will help to fend off attacks on those levels.

It's not a small project. It requires:

* adding mode and cipher options to the conf file
* changing lfb_encrypt to accept different ciphers and modes
* saving the previous cipher block (openSSL might do this for blowfish and CAST, but it doesn't appear to support AES and a few other ciphers)
* packet reordering and dropping (necessary for UDP)
* some protocol for exchanging nonces
* and, of course, the new ciphers and modes with them. There do exist free libraries and source that could be massaged in (as long as credit is given), or if that isn't appealing for some reason, most cipher algorithms are free themselves and these could be coded from scratch.

I know there's a significant number of people that use vtun over SSH, so the question may be, why bother with all this? Well, first off, a high-bandwidth UDP stream carried over TCP is a nightmare and overkill. Think live video. Instead of dropping packets and moving on, the packets keep getting retransmitted until acknowledged, which can result in very late packets which are now worthless and have now delayed every other packet causing underruns and... well, it's a nightmare. Lastly, SSH doesn't even support EAX. I'd rather put the effort into vtun rather than SSH -- vtun is much better suited for connecting networks.

What do you think?

-Dale

bishop said:
>
> What kind of improvements were you thinking for vtun?
>