Greg,

Sounds great, and a far cry improvement over today's Coda. IPsec can solve
many but not all of the Coda security problems. It cannot address the issue
of untrusted clients--if you limit connectivity to IPsec pairs, then those
pairs are completely trusted. Access to a token is sufficient to reveal the
server secret, so any user with access can create tokens for any other user.
It also doesn't protect the client from use of the Mariner port, and as we
use a portmapper and dynamic port allocation, identifying Coda ports is more
difficult than it used to be.

On 21 Feb 2000, Greg Troxel wrote:

> I've successfully run Coda over IPSEC with manual keying.
> This is with recent Coda, and FreeBSD 3.3 + KAME snap 19991227.
>
> The configuration below is for the client (10.0.0.1).
> The server's config is similar, but with out/in reversed for spd
> entries.
>
> This doesn't handle the tcp sideeffects rpc2 port, but I haven't seen
> any of those.
>
> The problem of xor tokens can be mitigated by this due to
> * not exposing the tokens on the net
> * only accepting coda packets from authorized (by ipsec) peers, so
>   knowing the token doesn't help as much for an attacker not on an
>   authorized machine
>
> #!/bin/sh
>
> setkey -v -c << EOF
>
> # clog from/to 10.0.0.1
> spdadd 10.0.0.1/32[any] 192.168.2.2/32[370] udp
>     -P out ipsec esp/transport//require ;
> spdadd 192.168.2.2/32[370] 10.0.0.1/32[any] udp
>     -P in ipsec esp/transport//require ;
> # venus control from/to 10.0.0.1
> spdadd 10.0.0.1/32[2430] 192.168.2.2/32[2432] udp
>     -P out ipsec esp/transport//require ;
> spdadd 192.168.2.2/32[2432] 10.0.0.1/32[2430] udp
>     -P in ipsec esp/transport//require ;
> # venus sideeffects from/to 10.0.0.1
> spdadd 10.0.0.1/32[2431] 192.168.2.2/32[2433] udp
>     -P out ipsec esp/transport//require ;
> spdadd 192.168.2.2/32[2433] 10.0.0.1/32[2431] udp
>     -P in ipsec esp/transport//require ;
> EOF
>
> setkey -v -c << EOF
>
> add 10.0.0.1 192.168.2.2 esp 0x34101
>     -m transport -r 0
>     -E 3des-cbc [foo]
>     -A hmac-sha1 [bar]
>     ;
>
> add 192.168.2.2 10.0.0.1 esp 0x34102
>     -m transport -r 0
>     -E 3des-cbc [foo]
>     # -A hmac-sha1 [bar]
>     ;
>
> EOF
>
> Here's a key-gen script I found handy:
>
> #!/bin/sh
> # print $1 random bytes as fixed-width hex pairs, so the key is exactly $1 bytes
> dd if=/dev/random bs=1 count=$1 2>/dev/null | \
>     hexdump -v -e "$1/1 \"%02x\" \"\\n\""
>
>
> Greg Troxel <gdt_at_ir.bbn.com>

Robert N M Watson
robert@fledge.watson.org      http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

Received on 2000-02-26 10:55:22
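As an added example (not code from either message above), the script below generates the setkey policy for the three Coda port pairs Greg lists and checks that manually generated keys have the exact lengths 3des-cbc and hmac-sha1 require, which is the usual failure with hand-rolled key generation. The host addresses and SPIs are the ones from the thread; the helper names and the use of od instead of hexdump are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: build the setkey input for the
# three Coda UDP port pairs from Greg's config and check manual keys have the
# lengths 3des-cbc (24 bytes) and hmac-sha1 (20 bytes) need. Addresses and
# SPIs follow the thread; keys are generated here or supplied by the caller.

# SPD entries for one port pair, both directions, ESP transport mode required.
coda_spd() {
    client=$1 server=$2 cport=$3 sport=$4 label=$5
    printf '# %s from/to %s\n' "$label" "$client"
    printf 'spdadd %s/32[%s] %s/32[%s] udp -P out ipsec esp/transport//require ;\n' \
        "$client" "$cport" "$server" "$sport"
    printf 'spdadd %s/32[%s] %s/32[%s] udp -P in ipsec esp/transport//require ;\n' \
        "$server" "$sport" "$client" "$cport"
}

# The three pairs from the thread. The Mariner port and rpc2's dynamically
# assigned ports are not covered, which is the gap Robert points out.
coda_policy() {
    coda_spd "$1" "$2" any 370 clog
    coda_spd "$1" "$2" 2430 2432 "venus control"
    coda_spd "$1" "$2" 2431 2433 "venus sideeffects"
}

# Exactly $1 random bytes as one hex string; od prints every byte as two
# digits, so the key length is fixed regardless of leading zero bytes.
gen_key_hex() {
    od -An -v -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Returns 0 if $1 is a hex string of exactly $2 bytes, 1 otherwise.
key_len_ok() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#1}" -eq $(( $2 * 2 )) ]
}

# One SAD entry with both ESP encryption and HMAC authentication; refuses
# keys of the wrong size instead of handing setkey a malformed key.
coda_sad() {
    src=$1 dst=$2 spi=$3 ekey=$4 akey=$5
    key_len_ok "$ekey" 24 && key_len_ok "$akey" 20 || return 1
    printf 'add %s %s esp %s -m transport -r 0 -E 3des-cbc 0x%s -A hmac-sha1 0x%s ;\n' \
        "$src" "$dst" "$spi" "$ekey" "$akey"
}
```

Pipe the output of coda_policy and coda_sad into `setkey -c` on the client, and swap the in/out directions for the server, as the thread describes.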