From eugen@leitl.org Fri Sep 13 03:54:59 2013 From: Eugen Leitl To: cypherpunks@lists.cpunks.org Subject: Re: [cryptography] very little is missing for working BTNS in Openswan Date: Fri, 13 Sep 2013 09:54:54 +0200 Message-ID: <20130913075454.GO10405@leitl.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2168563128180889158==" --===============2168563128180889158== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable ----- Forwarded message from Nico Williams ----- Date: Thu, 12 Sep 2013 14:04:08 -0500 From: Nico Williams To: Eugen Leitl Cc: cryptography(a)randombit.net, Cryptography List Subject: Re: [cryptography] very little is missing for working BTNS in Opensw= an User-Agent: Mutt/1.5.21 (2010-09-15) On Mon, Sep 09, 2013 at 10:25:03AM +0200, Eugen Leitl wrote: > Just got word from an Openswan developer: >=20 > " > To my knowledge, we never finished implementing the BTNS mode. >=20 > It wouldn't be hard to do --- it's mostly just conditionally commenting out > code. > " > There's obviously a large potential deployment base for > BTNS for home users, just think of Openswan/OpenWRT. Note: you don't just want BTNS, you also want RFC5660 -- "IPsec channels". You also want to define a channel binding for such channels (this is trivial). To summarize: IPsec protects discrete *packets*, not discrete packet *flows*. This means that -depending on configuration- you might be using IPsec to talk to some peer at some address at one moment, and the next you might be talking to a different peer at the same address, and you'd never know the difference. IPsec channels consist of ensuring that the peer's ID never changes during the life of a given packet flow (e.g., TCP connection). BTNS pretty much requires IPsec configurations of that make you vulnerable in this way. I think it should be obvious now that "IPsec channels" is a necessary part of any BTNS implementation. Nico --=20 ----- End forwarded message ----- --=20 Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 --===============2168563128180889158==--