Coda File System

Re: Coda over IPSEC

From: Robert Watson <robert_at_cyrus.watson.org>
Date: Sat, 26 Feb 2000 10:55:38 -0500 (EST)
Greg,

Sounds great, and a far cry improvement over today's Coda.  IPsec can
solve many but not all of the Coda security problems.  It cannot address
the issue of untrusted clients--if you limit connectivity to IPsec pairs,
then those pairs are completely trusted.  Access to a token is sufficient
to reveal the server secret, so any user with access can create tokens for
any other user. It also doesn't protect the client from use of the Mariner
port, and as we use a portmapper and dynamic port allocation, identifying
Coda ports is more difficult than it used to be.

On 21 Feb 2000, Greg Troxel wrote:

> I've successfully run Coda over IPSEC with manual keying.
> This is with recent Coda, and FreeBSD 3.3 + KAME snap 19991227.
> 
> The configuration below is for the client (10.0.0.1).
> The server's config is similar, but with out/in reversed for spd
> entries.
> 
> This doesn't handle the tcp sideeffects rpc2 port, but I haven't seen
> any of those.
> 
> The problem of xor tokens can be mitigated by this due to 
>  * not exposing the tokens on the net
>  * only accepting coda packets from authorized (by ipsec) peers, so
>    knowing the token doesn't help as much for an attacker not on an
>    authorized machine
> 
> #!/bin/sh
> 
> setkey -v -c << EOF
> 
> # clog from/to 10.0.0.1
> spdadd 10.0.0.1/32[any] 192.168.2.2/32[370] udp
> 	-P out ipsec esp/transport//require ;
> spdadd 192.168.2.2/32[370] 10.0.0.1/32[any] udp
> 	-P in ipsec esp/transport//require ;
> # venus control from/to 10.0.0.1
> spdadd 10.0.0.1/32[2430] 192.168.2.2/32[2432] udp
> 	-P out ipsec esp/transport//require ;
> spdadd 192.168.2.2/32[2432] 10.0.0.1/32[2430] udp
> 	-P in ipsec esp/transport//require ;
> # venus sideeffects from/to 10.0.0.1
> spdadd 10.0.0.1/32[2431] 192.168.2.2/32[2433] udp
> 	-P out ipsec esp/transport//require ;
> spdadd 192.168.2.2/32[2433] 10.0.0.1/32[2431] udp
> 	-P in ipsec esp/transport//require ;
> EOF
> 
> setkey -v -c << EOF
> 
> add 10.0.0.1 192.168.2.2 esp 0x34101
> 	-m transport -r 0
> 	-E 3des-cbc [foo]
> 	-A hmac-sha1 [bar]
> 	;
> 
> add 192.168.2.2 10.0.0.1 esp 0x34102
> 	-m transport -r 0
> 	-E 3des-cbc [foo]
> #	-A hmac-sha1 [bar]
> 	;
> 
> EOF
>  
> Here's a key-gen script I found handy:
> 
> #!/bin/sh
> # $1 = key length in bytes; %08x keeps every 4-byte unit at 8 hex digits
> # so a leading zero byte does not shorten the key.
> dd if=/dev/random bs=1 count=$1 2>/dev/null | \
>   hexdump -e "6/4 \"%08x\" \"\\n\""
> 
> 
>         Greg Troxel <gdt_at_ir.bbn.com>
> 
> 


  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
Received on 2000-02-26 10:55:22
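The quoted setkey configuration, generalized into a small script that emits the SPD policies for the three Coda UDP port pairs and the two ESP SAs for any client/server pair. This is an added example, not code from Greg's or Robert's mail: it assumes 3des-cbc/hmac-sha1 as in the quoted config, takes the SPIs from it, feeds setkey 0x-prefixed hex keys, generates keys with od over /dev/urandom so that a leading zero byte cannot shorten the key, and puts an authenticator on both SAs (the quoted config left it commented out on the inbound one).

```sh
#!/bin/sh
# Added example, not from the original thread. Only prints setkey text;
# nothing here invokes setkey. Assumed cipher/MAC: 3des-cbc, hmac-sha1.

# Coda UDP port pairs from the quoted config: client port, server port, label.
CODA_PORTS="any:370:clog
2430:2432:venus-control
2431:2433:venus-sideeffects"

# Random key of $1 bytes as a hex string of exactly 2*$1 digits.
# od -tx1 prints every byte as two digits, so the length is always right.
gen_key() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# Require-ESP transport-mode policies for client $1 talking to server $2,
# written from the client's point of view (swap in/out for the server).
coda_spd() {
    client=$1; server=$2
    printf '%s\n' "$CODA_PORTS" | while IFS=: read -r cport sport label; do
        echo "# $label"
        echo "spdadd $client/32[$cport] $server/32[$sport] udp -P out ipsec esp/transport//require ;"
        echo "spdadd $server/32[$sport] $client/32[$cport] udp -P in ipsec esp/transport//require ;"
    done
}

# One SA with both an encryption key (24 bytes for 3des-cbc) and an
# authentication key (20 bytes for hmac-sha1), as 0x-prefixed hex.
coda_sa() {
    src=$1; dst=$2; spi=$3; ekey=$4; akey=$5
    echo "add $src $dst esp $spi -m transport -r 0 -E 3des-cbc 0x$ekey -A hmac-sha1 0x$akey ;"
}

# Both directions, SPIs taken from the quoted config, fresh keys each run.
coda_sad() {
    client=$1; server=$2
    coda_sa "$client" "$server" 0x34101 "$(gen_key 24)" "$(gen_key 20)"
    coda_sa "$server" "$client" 0x34102 "$(gen_key 24)" "$(gen_key 20)"
}
```

Pipe the output of `coda_spd` and `coda_sad` into `setkey -c` on each host after reviewing it; the same keys and SPIs must be installed on both ends.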