KeyNote - A third alternative for an OpenBSD VPN

Contributed by jose on 2002-09-28 from the standards-compliant dept.

" OpenBSD FAQ #13 is NOT the end all and be all of how to program an OpenBSD VPN! The FAQ does a good job of explaining two methods, but doesn't mention a far better third alternative. The first method, shared secret passphrases, is good for testing a VPN on two nodes. It doesn't securely scale well at all on three or more nodes because if you break into one site, you have broken into them all. The second method, X509 digital certificates, relies on a centralized PKI to do its work. This may mean paying companies like Verisign to support an infrastructure that has its own flaws. For more information on this point, read chapter 15 of "Secrets and Lies" by Bruce Schneier. The third alternative is called KeyNote, which is a decentralized trust management system. The primary documents that define KeyNote are RFC2704 and RFC2796. The web pages of some of the authors of the RFC papers are below:
http://www.crypto.com/
http://www.cs.columbia.edu/~angelos/
http://www.cs.yale.edu/homes/jf/home.html
To implement a KeyNote VPN, read the man pages of these entries: keynote, isakmpd, isakmpd.conf, isakmpd.policy, ipsec, ipsecadm, vpn. Also, read the academic papers linked from the sites above. They contain example code, observations, and notes of possible future use of KeyNote. Has anyone else out there successfully programmed a KeyNote VPN like me?"

I have always wanted to look at setting up Keynote, now I have some good reasons and resources.

(Comments are closed)

Comments

By Alejandro Belluscio () nospam@hotmail.com on 2002-09-28 21:00 mailto:nospam@hotmail.com

For implementing the PKI you can make (and are strongly encouraged to) your own CA. Simply read 'man openssl' (I don't know what the new version is called, thou). The only thing you should do is to have your CA key safely store offline. Just use it to sign the certificates on know safe machine.
By mra () on 2002-10-01 17:39

In addition to saying "read the man pages, the rfcs, and the researcher's personal sites," would you be willing to add to Chapter 13 with the steps you had to take in setting up a KeyNote VPN.

Your solution looks really nice, especially in an ad-hoc way. The stumbling blocks at this point seem to be a lack of howto level documentation.
By Herge () rguiller@free.fr on 2002-10-05 20:26 mailto:rguiller@free.fr

Keynotes RFC are RFC 2704 and RFC 2792 , not RFC 2796.

Latest Articles

Sat, Feb 15
- 10:16 Game of Trees 0.109 released (0)
Fri, Feb 07
- 19:26 OpenBGPD 8.8 released (0)
Thu, Jan 23
- 08:08 Game of Trees 0.108 released (0)
Wed, Jan 08
- 10:07 rpki-client 9.4 released (0)
Mon, Dec 30
- 03:57 Game of Trees 0.107 released (0)
Thu, Dec 19
- 16:38 rpki-client stricter aging policy for Trust Anchor certificates commited to -current (0)
- 08:04 FRAME sockets added to OpenBSD (0)
Wed, Dec 18
- 19:57 OpenBGPD 8.7 released (0)
Sat, Nov 30
- 18:42 Initial list of 21 EuroBSDcon 2024 videos released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]