
Anyone worked on, or know of a freely available, one of these beasts?

-----BEGIN PGP SIGNED MESSAGE-----

In list.cypherpunks, vax@linkdead.paranoia.com writes:

> Anyone worked on, or know of a freely available, one of these beasts?

What threat model does this address? It'd be link encryption, where the best security is found in end-to-end encryption.

- --
Roy M. Silvernail       [ ]       roy@scytale.com
DNRC Minister Plenipotentiary of All Things Confusing, Software Division
PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6
Key available from pubkey@scytale.com

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMlNH/xvikii9febJAQHpGwP+Kas52dEW1v7+rGNvpsOEhHhPFT03l41k
EMhqHd9ULlSS5glNMoadPkhX6uAg7I0TEZSl1uNt3wdNp1EMQg63k3Qlxmu9OT0Q
RBKLXE+PIknWP9MXF73EI8RtEeqI+OsOfzXVNthXThlc+fKAtRc3eaBb0W6w/bpK
xV0PoUEBm74=
=T2Gb
-----END PGP SIGNATURE-----

In message <961002.235706.1R8.rnr.w165w@sendai.scytale.com>, Roy M. Silvernail writes:

> What threat model does this address?

Snooping the link.

> It'd be link encryption, where the best security is found in end-to-end encryption.

Encrypting at higher levels involves a different effort/cost tradeoff that doesn't do much better at addressing the threat mentioned above. AFAIK, application-level involves modification of every app we are interested in, and network or transport level should probably best wait for IPv6. I think link-layer is best for what we need.

Come to think of it, I've never seen papers on this kind of issue, probably because I haven't looked. Anyone got any URLs/bibliorefs to a paper on the benefits of encryption or authentication at the different levels of the OSI or other network models?

Thinking about it a bit more, if you only encrypt, say, telnet, then you've got a pretty predictable plaintext stream. If you encrypt the entire link level properly, then it might be much harder to isolate the nonvariant bits of the protocols, since the port and that kind of header info is not available to the attacker at that level.

-----BEGIN PGP SIGNED MESSAGE-----

In article <961002.235706.1R8.rnr.w165w@sendai.scytale.com>, Roy M. Silvernail <roy@scytale.com> wrote:

> In list.cypherpunks, vax@linkdead.paranoia.com writes:
>
> > Anyone worked on, or know of a freely available, one of these beasts?
>
> What threat model does this address? It'd be link encryption, where the best security is found in end-to-end encryption.

pppd doesn't necessarily run over a modem; you can "tunnel" it over another IP connection.

I have in fact done this very thing. Use ssh to (encrypted) log in to the ppp server, and start pppd at each end. It's been a while; I think I had to tweak something to make it work over a pty instead of a serial port.

   - Ian

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMlXhZkZRiTErSPb1AQEidQP8DEYaAcDyJMFY7AyRL4Q03tD+REiqqKPZ
1I8stlu7sx9OVFAgitqAWeWdi5HeXop0YpyAP9yYFxI9JTw6TgXfpP2P38pJ3vvU
jebEyK+pVJnCw16As6rJJTNYlUFGlEqceuK8Bj4xNyrG1E4oGx8AEig4CT8RjGhk
AOj4aFd7y+8=
=aZOj
-----END PGP SIGNATURE-----

> pppd doesn't necessarily run over a modem; you can "tunnel" it over another IP connection.
>
> I have in fact done this very thing. Use ssh to (encrypted) log in to the ppp server, and start pppd at each end. It's been a while; I think I had to tweak something to make it work over a pty instead of a serial port.
>
>    - Ian

You need to use my ssh tunneling patch:

    ftp://suburbia.net/pub/mailinglists/best-of-security/179

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_

+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

Ian Goldberg <iang@cs.berkeley.edu> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> In article <961002.235706.1R8.rnr.w165w@sendai.scytale.com>, Roy M. Silvernail <roy@scytale.com> wrote:
>
> > In list.cypherpunks, vax@linkdead.paranoia.com writes:
> >
> > > Anyone worked on, or know of a freely available, one of these beasts?
> >
> > What threat model does this address? It'd be link encryption, where the best security is found in end-to-end encryption.
>
> pppd doesn't necessarily run over a modem; you can "tunnel" it over another IP connection.
>
> I have in fact done this very thing. Use ssh to (encrypted) log in to the ppp server, and start pppd at each end. It's been a while; I think I had to tweak something to make it work over a pty instead of a serial port.

Here's a little script for tunnelling SLIP over a ssh session on Linux:

    (sleep 2;\
    /usr/local/bin/ssh -l username -e none remotehost</dev/ttyqe>&/dev/ttyqe)&
    (echo "port ptyqe";\
    echo "wait ord: 15";\
    echo "send secretpw\\n";\
    echo "wait (shellprompt)> 60";\
    echo "send slip\\n";\
    echo get \$rmtip 192.168.0.1;\
    echo get \$locip 192.168.0.2;\
    echo "mode CSLIP";sleep 15)|/sbin/dip -tv

PPP is a little more complicated; I found it's easier if you put the ssh on the pty instead of the tty side. You can't do this from a shell script, because the pty can only be opened once. This will take care of that:

    #include <fcntl.h>
    #include <stdlib.h>
    #include <sys/ioctl.h>
    #include <unistd.h>

    int main(int ac, char **av)
    {
        int fd;

        /* detach from the controlling terminal */
        fd = open("/dev/tty", O_RDWR);
        if (fd >= 0) {
            ioctl(fd, TIOCNOTTY);
            close(fd);
        }

        /* the pty master can only be opened once, so open it here and
           hand it to ssh as stdin, stdout and stderr */
        fd = open("/dev/ptyqf", O_RDWR);
        if (fd < 0)
            exit(1);
        dup2(fd, 0);
        dup2(fd, 1);
        dup2(fd, 2);
        execl("/usr/local/bin/ssh", "ssh", "-l", "username", "-e", "none",
              "-c", "idea", "-t", "remotehost",
              "mesg n;/usr/sbin/ppp -direct mylink", (char *)0);
        exit(1);
    }

Do remember that you can't route the ip addresses that you're tunneling inside the tunnel! So be sure to assign some alternate ip addresses to each end of the link. 192.168.x.x will work; those addresses aren't assigned to anyone. I used /dev/ttyqf for the tty, that is usually unused. If you have more than 30 users online then you'll need to increase it.
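The pty trick from Ghio's program, as an added example (not code from this thread): instead of a fixed /dev/ptyqf it allocates a Unix98 pty pair with posix_openpt, reports the slave path so the local pppd can be started on it, opens the slave in raw mode so no line-discipline processing (echo, signal characters, CR/LF mangling) touches the PPP bytes, and builds the same ssh argument list ("-e none" disables the escape character, "-t" forces a remote tty). The user, host and remote command are placeholders; "idea" is the cipher the post used and a current OpenSSH would need one it supports, such as aes256-ctr. The self-test round-trips bytes through a freshly allocated pair so the plumbing can be checked without any ssh server.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>

/* Drop the controlling terminal so the exec'd ssh has no tty except the
 * pty master we hand it (Ghio's TIOCNOTTY step). Returns 1 on success. */
int detach_controlling_tty(void) {
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0) return 1;                 /* nothing to detach from */
    int ok = ioctl(fd, TIOCNOTTY) == 0;
    close(fd);
    return ok;
}

/* Allocate a Unix98 pty pair; returns the master fd and writes the slave
 * path (e.g. /dev/pts/3) into slave_name, or returns -1 on failure. */
int open_pty_master(char *slave_name, size_t len) {
    int mfd = posix_openpt(O_RDWR | O_NOCTTY);
    if (mfd < 0) return -1;
    const char *name = NULL;
    if (grantpt(mfd) == 0 && unlockpt(mfd) == 0) name = ptsname(mfd);
    if (name == NULL || strlen(name) >= len) { close(mfd); return -1; }
    strcpy(slave_name, name);
    return mfd;
}

/* Open the slave side in raw mode: no echo, no line editing, no signal
 * characters, so PPP frames pass through byte for byte. */
int open_slave_raw(const char *slave_name) {
    int sfd = open(slave_name, O_RDWR | O_NOCTTY);
    if (sfd < 0) return -1;
    struct termios t;
    if (tcgetattr(sfd, &t) < 0) { close(sfd); return -1; }
    cfmakeraw(&t);
    if (tcsetattr(sfd, TCSANOW, &t) < 0) { close(sfd); return -1; }
    return sfd;
}

/* Same argument list as the post's execl: -e none disables the escape
 * character, -t forces a remote tty, and the remote command starts ppp.
 * Returns the argument count; argv is NULL-terminated. -1 if max too small. */
int build_ssh_argv(char **argv, int max, const char *user, const char *host,
                   const char *cipher, const char *remote_cmd) {
    const char *args[] = { "ssh", "-l", user, "-e", "none", "-c", cipher,
                           "-t", host, remote_cmd };
    int n = (int)(sizeof args / sizeof args[0]);
    if (n + 1 > max) return -1;
    for (int i = 0; i < n; i++) argv[i] = (char *)args[i];
    argv[n] = NULL;
    return n;
}

/* Write "ping" into the master and read it back from the raw slave;
 * returns 1 when the bytes arrive unchanged, 0 otherwise. */
int pty_self_test(void) {
    char name[64], buf[8] = {0};
    const char msg[] = "ping";
    int mfd = open_pty_master(name, sizeof name);
    if (mfd < 0) return 0;
    int sfd = open_slave_raw(name);
    if (sfd < 0) { close(mfd); return 0; }
    int ok = write(mfd, msg, 4) == 4;
    for (size_t got = 0; ok && got < 4; ) {
        ssize_t r = read(sfd, buf + got, 4 - got);
        if (r <= 0) ok = 0; else got += (size_t)r;
    }
    close(sfd);
    close(mfd);
    return ok && memcmp(buf, msg, 4) == 0;
}

int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s user host [remote-command] [cipher]\n", argv[0]);
        return 2;
    }
    const char *remote = argc > 3 ? argv[3] : "mesg n;/usr/sbin/ppp -direct mylink";
    const char *cipher = argc > 4 ? argv[4] : "idea";   /* cipher from the post */
    char slave[64];
    int mfd = open_pty_master(slave, sizeof slave);
    if (mfd < 0) { perror("pty"); return 1; }
    fprintf(stderr, "start the local pppd on %s\n", slave);  /* pppd /dev/pts/N ... */
    detach_controlling_tty();
    dup2(mfd, 0); dup2(mfd, 1); dup2(mfd, 2);
    if (mfd > 2) close(mfd);
    char *sshargv[16];
    if (build_ssh_argv(sshargv, 16, argv[1], argv[2], cipher, remote) < 0) return 1;
    execvp("ssh", sshargv);
    return 1;   /* exec failed; stderr is the pty now, so nothing useful to print */
}
```

Run it as "./pty-ssh username remotehost", then start pppd on the /dev/pts/N path it prints; the remote command is what the post used and must match whatever actually runs ppp in direct mode on the server. The raw-mode step replaces the "tweak" Ian mentioned for running over a pty instead of a serial port.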
participants (5)
- iang@cs.berkeley.edu
- Julian Assange
- Matthew Ghio
- roy@sendai.scytale.com
- VaX#n8