THIS PROJECT HAS BEEN DEPRECATED - REAL IPSEC here
The Linux version is completely modular and requires no patches to either iptables or the kernel. It should work on all 2.4 kernels!
We currently plan to release implementations for:
A:~# iptables -t mangle -A OUTPUT -d B -j SIGN --sign-with-secret=s3cr3t
B:~# iptables -t mangle -A PREROUTING -m verify --verify-secret=s3cr3t -j UNSIGN

.. And vice-versa.
2001-09-09 | Lots of thinking going on. Encryption turns out, like signing, to be harder than I thought. SPS has been a real learning experience so far! I think we will be using 'Cipher Block Chaining' mode, CBC, with a random but specified IV. A lot of people have been telling me that 'encryption is easy, use OpenSSL'. Sorry, no, encryption is *never* easy. Even with a quality library. In the words of Zedz's Alex de Joode, 'Cryptography is easy (...) to fuck up'.
Besides crypto, NAT has also been an issue. It is vital that SPS signs only *after* performing NAT, or is otherwise aware of the ultimate source address. It is not yet clear how this fits in with iptables. Brad Chapman has patches which might help - we're still pondering. |
2001-08-29 | YES! It functions! Some renaming needs to be done and a lot of cleaning up, but the syntax described above WORKS! Replace UNSIGN by STRIPSPS and it will function! |
2001-08-28 | I'm looking for IPsec-minded people who can tell me if it is easy to implement the simplicity mentioned above using AH - it would be great to get into a best-of-both-worlds situation where we have the non-intrusiveness of the current SPS Linux code while following a standard, too. |
2001-08-26 | Added some relevant links and a Thanks To section. Decided to concentrate on symmetric encryption/signing first, asymmetric is very slow. Algorithms will probably be SHA-1 HMAC (RFC 2104) and Blowfish. Asymmetric needs more thinking. |
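The two entries above sketch the signing side of SPS: a shared-secret HMAC (SHA-1 HMAC per RFC 2104) appended to each packet, verified and stripped by the peer, and the requirement that the tag be computed over the source address the receiver will actually see, i.e. after NAT. The following Python is an added illustration of that idea, not SPS code and not its wire format; the pseudo-header layout (source, destination, length, payload) and the 20-byte trailing tag are assumptions made here so the example runs with only the standard library.

```python
# Added illustration of shared-secret packet signing in the style SPS describes:
# an RFC 2104 HMAC-SHA1 over a pseudo-header plus payload, and the receiver-side
# verification. The pseudo-header layout is a hypothetical choice for this example.
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"s3cr3t"   # the shared secret from the iptables syntax on the page
TAG_LEN = 20         # HMAC-SHA1 digest length


def pseudo_header(src: str, dst: str, payload: bytes) -> bytes:
    """Bytes the tag covers: IPv4 source, IPv4 destination, payload length, payload.

    Covering the addresses is what ties the tag to the endpoints; it is also why
    the sender must use the post-NAT source address.
    """
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!H", len(payload))
            + payload)


def sign(secret: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Sender side: append an HMAC-SHA1 tag to the payload."""
    tag = hmac.new(secret, pseudo_header(src, dst, payload), hashlib.sha1).digest()
    return payload + tag


def verify_and_strip(secret: bytes, src: str, dst: str, signed: bytes):
    """Receiver side: recompute the tag over the addresses it actually sees.

    Returns the bare payload on success, None on a missing or mismatching tag.
    The comparison is constant-time so the verifier leaks nothing about how
    many tag bytes matched.
    """
    if len(signed) < TAG_LEN:
        return None
    payload, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(secret, pseudo_header(src, dst, payload), hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def nat_scenario():
    """Constructed example of the NAT ordering problem from the 2001-09-09 entry.

    Host A sits behind source NAT: it sends from a private address, B sees the
    public one. Returns (result when signed before NAT, result when signed after).
    """
    private_src, public_src, dst = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    payload = b"hello from A"
    # Wrong order: the tag covers the private source; B recomputes over the
    # public source and the verification fails even though nothing was tampered.
    signed_before_nat = sign(SECRET, private_src, dst, payload)
    before = verify_and_strip(SECRET, public_src, dst, signed_before_nat)
    # Right order: sign with the address B will actually see.
    signed_after_nat = sign(SECRET, public_src, dst, payload)
    after = verify_and_strip(SECRET, public_src, dst, signed_after_nat)
    return before, after


if __name__ == "__main__":
    before, after = nat_scenario()
    print("signed before NAT ->", before)   # None: verification fails
    print("signed after NAT  ->", after)    # b'hello from A'
```

The NAT case is the point worth keeping in mind: a tag that covers addresses is only verifiable if both ends agree on what the addresses are, so the signing hook has to run where the final source address is already known (for the OUTPUT chain on the page, that is after any SNAT the box itself performs).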
2001-08-26 | Added SPEC file, outlining some ideas about the protocol |