RE: [suse-security] IPSec system design questions (slightly OT)
I would appreciate comments on some IPSec design issues. A transportation manufacturer recently requested proposals for a Linux based system to put Internet and email services on their vehicles. This system would let passengers plug a laptop into the on board network. A number of protocols were specified including IPSec. They also specified Linux kernel 2.4.x. It seemed to me that they intended IPSec to be used from transportation vehicle to satellite to fixed server. The VP of Technology here has recently discussed using IPSec on board vehicle from web server, email server and file server to passenger seats - typically many hundreds of passengers.
The transportation manufacturer specified: "The file server will not preclude a user from initiating and completing a supported VPN connection from their user device through the transportation manufacturer network using the IPSec and PPTP protocol, as a minimum. The system should allow the user to switch between IPSec VPN and non-VPN without need of rebooting the laptop. The system will only pass IP based protocols between the laptop passenger interface and the file server. Passenger laptops will be assigned default gateway address via DHCP. The default gateway should reside in the server. The system will by default, route user outbound packets to a configurable gateway."
Is it feasible to support IPSec from a passenger's laptop when implementations of IPSec vary and either ESP or AH modes might be used? If feasible what performance hit would be involved? I have heard estimates of 40% when encryption is used (mileage may vary I suppose based on CPU speed and resources).
I assumed that a "default gateway at the server" implied that the IPSec pipe started or ended there. Since the transportation manufacturer called out other security requirements to the passenger seat, I assumed that IPSec to the seat was not required.
Examples of requested security: "Multiple passengers will not be connected to shared physical media. Laptop users will not be permitted to view packets from another user's network session. Each passenger's laptop's user interface will be isolated to its own link layer subnetwork. The passenger laptop will not be able to access unauthorized IP address. The system will be immune to DoS attacks. The server will ensure that passenger laptop's can only pass packets with that user's assigned IP address."
My main questions are:
1) "Does the transportation manufacturer really want IPSec extended directly to the passenger's laptop?"
2) "Would it even be feasible to automate reconfiguration of IPSec software running on a passenger laptop to avoid compatibility issues?"
3) "What would the performance cost be of running ESP or AH IPSec on a laptop that might also be viewing an MPEG2 movie, web browsing or playing a game?"
I would appreciate any opinions you care to offer. The job you save may be my own. <s> Thanks, Ed
* Ed wrote on Fri, Jun 29, 2001 at 21:21 -0700:
PPTP protocol, as a minimum. The system should allow the user to switch between IPSec VPN and non-VPN without need of rebooting the laptop.
This sentence is interesting... Why booting?! Even Win2K does not need to reboot for mouse-movement changes to take effect...
The system will only pass IP based protocols between the laptop passenger interface and the file server. Passenger laptops will be assigned default gateway address via DHCP. The default gateway should reside in the server.
Well, DHCP is pretty clear. But a gateway in a server? I don't understand it.
The system will by default, route user outbound packets to a configurable gateway."
Who configures what gateway?
Is it feasible to support IPSec from a passenger's laptop when implementations of IPSec vary and either ESP or AH modes might be used?
First, when offering IP routeing (even when the connection vehicle-satellite-some-center is IPSec or whatever transparent encrypted) a user can do IPSec on its own to its own server (IPSec is just an IP protocol). Second, it's not necessary that the passengers have a tunnel from laptop to some implementation of the transportation thing, I don't see a reason for that, but who knows :)
If feasible what performance hit would be involved? I have heard estimates of 40% when encryption is used (mileage may vary I suppose based on CPU speed and resources).
No, you cannot say it so. If you have an E1 (2Mbit) uplink you can fill that with IPSec, too. Of course not with an i486 :) If you have more bandwidth, you need fast machines, maybe hardware-accelerated and so. Of course the delay timings become larger. If not the link but the computing power is the limit, of course bandwidth gets lost, pretty clear.
I assumed that a "default gateway at the server" implied that the IPSec pipe started or ended there.
Well, you should make such things clear. Was that spec a final or development version?
Since the transportation manufacturer called out other security requirements to the passenger seat, I assumed that IPSec to the seat was not required.
It's always hard to make assumptions after reading a spec. You should try to consult that company to know what they assume from its own spec.
Examples of requested security: "Multiple passengers will not be connected to shared physical media. Laptop users will not be permitted to view packets from another user's network session.
Is a switch enough?
Each passenger's laptop's user interface will be isolated to its own link layer subnetwork. The passenger laptop will not be able to access unauthorized IP address.
Probably not, or at least some clever switch...
The system will be immune to DoS attacks.
Really? Nice. :)
The server will ensure that passenger laptop's can only pass packets with that user's assigned IP address."
By verifying hardware address? Or require them each client on an own wire to an own net adapter/card?
1) "Does the transportation manufacturer really want IPSec extended directly to the passenger's laptop?"
Ask him :) Who would know that... Well, if a spec is not telling that, the spec is not good. Anyway, you have to talk with them, since a spec is theory and business is practice :)
2) "Would it even be feasible to automate re configuration of IPSec software running on a passenger laptop to avoid compatibility issues?"
Should the passenger IPSec interact with the vehicle system? For what reason? How should the transport company and customer exchange keys and so on? I don't get the idea and advantages of that... I would call them by phone :)
3) "What would the performance cost be of running ESP or AH IPSec on a laptop that might also be viewing an MPEG2 movie, web browsing or playing a game?"
On which bandwidth? On ISDN (64Kbit), I wouldn't see any problem, on E1 (2Mbit) it would get viewable slower (on ordinary laptops) and E3 (34M) the laptop would use any power for encryption/decryption (I think an Intel PC isn't able to 3DES 34M datastream for IPSec). oki, Steffen -- This letter was generated by machine and therefore bears neither signature nor seal.
I just noticed that the password length is being truncated to 8 characters. How can I up that to say 40 characters? I tried setting in YaST1 and YaST2 and when I set it to 40 it still truncates it back down to 8.
I just noticed that the password length is being truncated to 8 characters. This comes from not using md5 passwords, but crypt() passwords. there is a howto somewhere at http://www.susesecurity.com/faq/ ah, I just read it:
How do I enable MD5 Password Encryption The documentation to enable MD5 password encryption is in /usr/share/doc/packages/pam/md5.config on your SuSE 7 machine. regards Markus -- Markus Gaugusch, ICQ 11374583, markus@gaugusch.dhs.org (ASCII Ribbon Campaign Against HTML Mail)
got md5 on it now. a matter of adding md5 to all the little itty bitty files... Sheez. I thought that would be turned on by default already. hehehe On Wednesday 11 July 2001 06:50 am, you wrote:
I just noticed that the password length is being truncated to 8 characters.
This comes from not using md5 passwords, but crypt() passwords. there is a howto somewhere at http://www.susesecurity.com/faq/ ah, I just read it:
How do I enable MD5 Password Encryption The documentation to enable MD5 password encryption is in /usr/share/doc/packages/pam/md5.config on your SuSE 7 machine.
regards Markus
edit /etc/login.defs and change the value of PASS_MAX_LEN from 8 to 40. On Wed, 11 Jul 2001, phil wrote:
I just noticed that the password length is being truncated to 8 characters. How can I up that to say 40 characters? I tried setting in YaST1 and YaST2 and when I set it to 40 it still truncates it back down to 8.
Chad Whitten Network/Systems Administrator Nexband Communications chadwick@nexband.com
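
Enabling MD5 in the PAM configuration only affects passwords set afterwards; a hash already stored in the traditional crypt() format stays that way, with only 8 significant characters, until that password is changed. The following is an added example, not part of the original thread, that flags such entries in shadow-format data; the sample lines and hash strings are constructed, and the function names are this example's own.

```python
import re

# Constructed sample in /etc/shadow format; the hash strings are made up.
SAMPLE_SHADOW = """\
root:$1$Qx9fLm2a$0123456789abcdefghijk.:11514:0:99999:7:::
phil:abJnggxhB/yWI:11514:0:99999:7:::
ftp:*:11000:0:99999:7:::
locked:!abJnggxhB/yWI:11514:0:99999:7:::
nopw::11514:0:99999:7:::
"""

# Traditional DES crypt(): 2 salt characters + 11 hash characters, no '$' prefix.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")


def classify(field):
    """Return the hash scheme of a shadow password field."""
    if field == "":
        return "empty"            # account with no password at all
    body = field.lstrip("!")      # a leading '!' marks a locked password
    if body in ("", "*"):
        return "no-login"         # no usable hash stored
    if body.startswith("$1$"):
        return "md5"              # MD5-based crypt, no 8-character limit
    if body.startswith("$"):
        return "other"            # some other '$id$' modular scheme
    if DES_RE.fullmatch(body):
        return "des"              # traditional crypt(), 8 characters used
    return "unknown"


def audit(text):
    """Return (user, scheme) for every entry in shadow-format text."""
    result = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue              # skip blank, malformed or comment lines
        result.append((parts[0], classify(parts[1])))
    return result


def des_accounts(text):
    """Users whose stored hash is still in the traditional crypt() format."""
    return [user for user, scheme in audit(text) if scheme == "des"]


if __name__ == "__main__":
    for user in des_accounts(SAMPLE_SHADOW):
        print(f"{user}: traditional crypt() hash, password must be set again")
```

Accounts it reports, including locked ones, need their password set again after the MD5 change before the longer length takes effect.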
participants (5): dog@intop.net, Ed, Markus Gaugusch, phil, Steffen Dettmer