OpenBSD Journal

KeyNote - A third alternative for an OpenBSD VPN

Contributed by jose on from the standards-compliant dept.

anonymous writes:
" OpenBSD FAQ #13 is NOT the end all and be all of how to program an OpenBSD VPN! The FAQ does a good job of explaining two methods, but doesn't mention a far better third alternative. The first method, shared secret passphrases, is good for testing a VPN on two nodes. It doesn't securely scale well at all on three or more nodes because if you break into one site, you have broken into them all. The second method, X509 digital certificates, relies on a centralized PKI to do its work. This may mean paying companies like Verisign to support an infrastructure that has its own flaws. For more information on this point, read chapter 15 of "Secrets and Lies" by Bruce Schneier. The third alternative is called KeyNote, which is a decentralized trust management system. The primary documents that define KeyNote are RFC2704 and RFC2796. The web pages of some of the authors of the RFC papers are below:

http://www.crypto.com/
http://www.cs.columbia.edu/~angelos/
http://www.cs.yale.edu/homes/jf/home.html

To implement a KeyNote VPN, read the man pages of these entries: keynote, isakmpd, isakmpd.conf, isakmpd.policy, ipsec, ipsecadm, vpn. Also, read the academic papers linked from the sites above. They contain example code, observations, and notes of possible future use of KeyNote. Has anyone else out there successfully programmed a KeyNote VPN like me?"
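The third approach the post describes, as an added illustration that is not part of the original submission: an isakmpd.policy assertion that authorizes one key per peer site instead of a single shared passphrase, so that a compromised site can be removed by deleting its key from Licensees without re-keying every other node. Attribute names follow isakmpd.policy(5); the key values are placeholders, not real keys.

```keynote
KeyNote-Version: 2
Comment: Local VPN policy. Each peer authenticates with its own RSA key, so
         breaking into site A does not yield anything that authenticates as site B.
         Revocation is a one-line edit: remove the affected key from Licensees.
Authorizer: "POLICY"
Licensees: "rsa-hex:PLACEHOLDER_PUBLIC_KEY_OF_SITE_A" ||
           "rsa-hex:PLACEHOLDER_PUBLIC_KEY_OF_SITE_B"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            pfs == "yes" -> "true";
```

Because the assertion returns "true" only for ESP proposals with real encryption and perfect forward secrecy, a peer holding a listed key still cannot negotiate a null-cipher or non-PFS tunnel.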

I have always wanted to look at setting up Keynote, now I have some good reasons and resources.



Comments
  1. By Alejandro Belluscio (nospam@hotmail.com) on

    For implementing the PKI you can make (and are strongly encouraged to) your own CA. Simply read 'man openssl' (I don't know what the new version is called, though). The only thing you should do is to have your CA key safely stored offline. Just use it to sign the certificates on a known safe machine.

  2. By mra () on

    In addition to saying "read the man pages, the RFCs, and the researchers' personal sites," would you be willing to add to Chapter 13 the steps you had to take in setting up a KeyNote VPN?

    Your solution looks really nice, especially in an ad-hoc way. The stumbling blocks at this point seem to be a lack of howto level documentation.

  3. By Herge (rguiller@free.fr) on

    KeyNote's RFCs are RFC 2704 and RFC 2792, not RFC 2796.
