Re: [Freedombox-discuss] [James Vasile] tinc rollout and fbox
----- Forwarded message from Guus Sliepen
"On the 15th of September 2003, Peter Gutmann posted a security analysis of tinc 1.0.1. He argues that the 32 bit sequence number used by tinc is not a good IV, that tinc's default length of 4 bytes for the MAC is too short, and he doesn't like tinc's use of RSA during authentication. We do not know of a security hole in this version of tinc, but tinc's security is not as strong as TLS or IPsec. We will address these issues in tinc 2.0."
Gutmann is a well-known and respected expert. His best-known paper was one back in the 90s on reading "erased" disk drives and what bit patterns it took to block that. Most "secure erase" utilities around use those suggestions (even though current drives are quite different, so those may be inappropriate now). He has done /a lot/ of other stuff as well.
The current Tinc release is 1.0.21
My reading of that is that Tinc has known problems and they probably will not be fixed soon. To me, that means it is not ready for serious consideration as a component for FreedomBox.
The documentation is perhaps a little outdated. All problems mentioned by
Gutmann have been addressed in a new protocol that has been included in tinc
1.1pre3 and later.
If people are interested in using tinc to connect freedomboxes together, I
would be happy to help fix any problems that might come up. Even if tinc (as it
is) is not suitable for the Freedombox, I am very interested in discussing what
the requirements are for the Freedombox regarding VPN functionality.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen
participants (1)
-
Eugen Leitl