OpenBSD Journal

KeyNote - A third alternative for an OpenBSD VPN

Contributed by jose on from the standards-compliant dept.

anonymous writes:
" OpenBSD FAQ #13 is NOT the end all and be all of how to program an OpenBSD VPN! The FAQ does a good job of explaining two methods, but doesn't mention a far better third alternative. The first method, shared secret passphrases, is good for testing a VPN on two nodes. It doesn't securely scale well at all on three or more nodes because if you break into one site, you have broken into them all. The second method, X509 digital certificates, relies on a centralized PKI to do its work. This may mean paying companies like Verisign to support an infrastructure that has its own flaws. For more information on this point, read chapter 15 of "Secrets and Lies" by Bruce Schneier. The third alternative is called KeyNote, which is a decentralized trust management system. The primary documents that define KeyNote are RFC2704 and RFC2796. The web pages of some of the authors of the RFC papers are below:

http://www.crypto.com/
http://www.cs.columbia.edu/~angelos/
http://www.cs.yale.edu/homes/jf/home.html

To implement a KeyNote VPN, read the man pages of these entries: keynote, isakmpd, isakmpd.conf, isakmpd.policy, ipsec, ipsecadm, vpn. Also, read the academic papers linked from the sites above. They contain example code, observations, and notes of possible future use of KeyNote. Has anyone else out there successfully programmed a KeyNote VPN like me?"

I have always wanted to look at setting up Keynote, now I have some good reasons and resources.

(Comments are closed)


Comments
  1. By Alejandro Belluscio () nospam@hotmail.com on mailto:nospam@hotmail.com

    For implementing the PKI you can make (and are strongly encouraged to) your own CA. Simply read 'man openssl' (I don't know what the new version is called, thou). The only thing you should do is to have your CA key safely store offline. Just use it to sign the certificates on know safe machine.

  2. By mra () on

    In addition to saying "read the man pages, the rfcs, and the researcher's personal sites," would you be willing to add to Chapter 13 with the steps you had to take in setting up a KeyNote VPN.

    Your solution looks really nice, especially in an ad-hoc way. The stumbling blocks at this point seem to be a lack of howto level documentation.

  3. By Herge () rguiller@free.fr on mailto:rguiller@free.fr

    Keynotes RFC are RFC 2704 and RFC 2792 , not RFC 2796.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]