[plug] CIPE / VPN

Cameron Patrick cameron at patrick.wattle.id.au
Tue Oct 21 16:41:29 WST 2003


On Tue, Oct 21, 2003 at 04:20:03PM +0800, Craig Ringer wrote:
| > has anyone had much experience with CIPE ( Crypto IP Encapsulation - VPN 
| > ) .  I am setting up a connection from a Telstra GPRS modem ( embedded 
| > linux server monitoring cooling towers) to a central data server.  Can 
| > anyone suggest any experiences with encrypted tunnels over the internet, 
| > notably behind a NAT gateway.
| 
| It got bagged really badly by a security type recently - on the IETF 
| IPSec list, I think. OTOH, I can't seem to find it now, so all I can 
| tell you is that the guy's opinion of CIPE's security was less than 
| glowing. Alas, the "easy" alternatives are all apparently worse, 
| especially PPTP.

Yep, I remember that ... *googles*
http://www.mit.edu:8008/bloom-picayune/crypto/14238

Quotes:
	For all of these VPN apps, the authors state that they were
	motivated to create them as a reaction to the perceived
	complexity of protocols like SSL, SSH, and IPsec.  The means of
	reducing the complexity was to strip out all those nasty
	security features that made the protocols complex (and secure).
[...]
	Whenever someone thinks that they can replace SSL/SSH with
	something much better that they designed this morning over
	coffee, their computer speakers should generate some sort of
	penis-shaped sound wave and plunge it repeatedly into their
	skulls until they achieve enlightenment.

| No chance of just using ssh to tunnel the required traffic? Unless you 
| need to push UDP traffic through that should do the job nicely. 
| Alternately (arrggh) you could run ppp over ssh.

Tunnelling tcp over tcp is a Bad Thing, though.  At least cipe avoids
/that/ problem.

I'm currently using a program called vtun (the one which is described in
the link above as "even worse") but have been meaning to switch over to
openvpn which uses SSL and thus doesn't suffer from the brokenness of
some of these other crypto packages.  (OpenSSL just has a new buffer
overflow discovered every three weeks... :-P)  Packages for openvpn
exist for sid but not for woody, in case you're a Debian type.

Cameron.
