----- Forwarded message from Guus Sliepen <guus@tinc-vpn.org> -----

Date: Fri, 6 Sep 2013 23:36:34 +0200
From: Guus Sliepen <guus@tinc-vpn.org>
To: freedombox-discuss@lists.alioth.debian.org
Subject: Re: [Freedombox-discuss] [James Vasile] tinc rollout and fbox
User-Agent: Mutt/1.5.21 (2010-09-15)

On Sat, Aug 10, 2013 at 03:37:06PM -0400, Sandy Harris wrote:
" On the 15th of September 2003, Peter Gutmann posted a security analysis of tinc 1.0.1. He argues that the 32 bit sequence number used by tinc is not a good IV, that tinc's default length of 4 bytes for the MAC is too short, and he doesn't like tinc's use of RSA during authentication. We do not know of a security hole in this version of tinc, but tinc's security is not as strong as TLS or IPsec. We will address these issues in tinc 2.0.
Gutmann is a well-known and respected expert. His best-known paper was one back in the 90s on reading "erased" disk drives and what bit patterns it took to block that. Most "secure erase" utilities around use those suggestions (even though current drives are quite different, so those may be inappropriate now). He has done /a lot/ of other stuff as well.
The current Tinc release is 1.0.21
My reading of that is that Tinc has known problems and they probably will not be fixed soon. To me, that means it is not ready for serious consideration as a component for FreedomBox.
The documentation is perhaps a little outdated. All problems mentioned by Gutmann have been addressed in a new protocol that has been included in tinc 1.1pre3 and later. If people are interested in using tinc to connect freedomboxes together, I would be happy to help fix any problems that might come up. Even if tinc (as it is) is not suitable for the Freedombox, I am very interested in discussing what the requirements are for the Freedombox regarding VPN functionality.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@tinc-vpn.org>

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss

----- End forwarded message -----

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
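The two concrete points quoted from the tinc documentation above (a 32-bit sequence number doubling as the IV, and a 4-byte default MAC) are easiest to reason about on the receiving side. The following is an added illustration written for this thread, not tinc's code and not any version of its protocol: it models a receiver for a toy datagram format in which each packet carries a sequence number, a payload and a keyed tag over both. The names (`compute_tag`, `forgery_probability`, `Receiver`), the choice of HMAC-SHA256, and the constructed key are all assumptions of this example. The receiver verifies the tag in constant time, reports the per-attempt forgery probability for a given tag length, and refuses to accept the same counter value twice under one key, which is the condition that turns a counter-as-IV design into IV reuse once the counter wraps.

```python
import hashlib
import hmac
import struct

# Added illustration, not tinc's code: a toy datagram receiver for a protocol
# in which each packet carries a 32-bit sequence number, a payload and a keyed
# tag over both. The sequence number is assumed (as in the quoted analysis)
# to also serve as the IV, so accepting it twice under one key is IV reuse.


def compute_tag(key: bytes, seq: int, payload: bytes, tag_len: int) -> bytes:
    """HMAC-SHA256 over (sequence number || payload), truncated to tag_len bytes."""
    if not 1 <= tag_len <= hashlib.sha256().digest_size:
        raise ValueError("tag_len must be between 1 and 32 bytes")
    msg = struct.pack("!I", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:tag_len]


def forgery_probability(tag_len: int) -> float:
    """Probability that one guessed tag of tag_len bytes verifies: 2^-(8*tag_len).

    A 4-byte tag gives 2^-32 per attempt; a 16-byte tag gives 2^-128.
    """
    return 2.0 ** (-8 * tag_len)


class Receiver:
    """Verifies tags in constant time and rejects any repeated sequence number.

    seq_bits is a parameter only so that counter exhaustion can be exercised
    with a tiny counter; the protocol under discussion uses 32 bits.
    """

    def __init__(self, key: bytes, tag_len: int = 32, seq_bits: int = 32) -> None:
        if not 1 <= seq_bits <= 32:
            raise ValueError("seq_bits must be between 1 and 32")
        self.key = key
        self.tag_len = tag_len
        self.seq_limit = 1 << seq_bits
        # Every sequence number accepted under this key. A set is enough for a
        # demonstration; a real receiver keeps a sliding-window bitmap instead.
        self.seen = set()

    def accept(self, seq: int, payload: bytes, tag: bytes) -> str:
        if not 0 <= seq < self.seq_limit:
            return "bad_seq"
        expected = compute_tag(self.key, seq, payload, self.tag_len)
        # compare_digest does not leak the position of the first mismatching byte
        if not hmac.compare_digest(expected, tag):
            return "bad_mac"
        if seq in self.seen:
            # Same counter value twice under one key: a replay, and IV reuse
            # when the counter is the IV.
            return "replay"
        self.seen.add(seq)
        if len(self.seen) == self.seq_limit:
            # Counter space exhausted: the peer must rekey before sending more,
            # otherwise its next packet necessarily repeats an earlier IV.
            return "ok_rekey_required"
        return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real one
    rx = Receiver(key, tag_len=4, seq_bits=2)  # 4-byte tag, only 4 counter values
    packets = [(0, b"first"), (0, b"first"), (1, b"second"), (2, b"third"), (3, b"fourth")]
    for seq, payload in packets:
        print(seq, rx.accept(seq, payload, compute_tag(key, seq, payload, 4)))
    print("per-attempt forgery probability with a 4-byte tag:", forgery_probability(4))
```

Run with a 2-bit counter, the fourth distinct packet already comes back as `ok_rekey_required`; with the real 32-bit counter that point is 2^32 packets away, which a busy tunnel can reach, so the rekey rule matters as much as the tag length. The `forgery_probability` figure is per attempt: with a 4-byte tag an online attacker who can submit packets needs on the order of 2^32 tries, which is why the quoted analysis calls that default too short.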