[fc-discuss] Financial Cryptography Update: A VPN for the common man!

iang@iang.org iang@iang.org
Sat, 24 Dec 2005 13:32:03 +0000 (GMT)


((((((( Financial Cryptography Update: A VPN for the common man! )))))))

                           December 24, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000617.html



------------------------------------------------------------------------

In the rumbling debate about VPNs and how they should be done, here's a
new entrant as found in an interview with Damien Miller:

http://www.securityfocus.com/columnists/375
===========8<===========8<========
The upcoming OpenSSH version 4.3 will add support for tunneling. What
type of uses is this feature suited for? 
 
Damien Miller: Reyk and Markus' new tunneling support allows you to
make a real VPN using OpenSSH without the need for any additional
software. This goes well beyond the TCP port forwarding that we have
supported for years - each end of a ssh connection that uses the new
tunnel support gets a tun(4) interface which can pass packets between
them. This is similar to the type of VPN supported by OpenVPN or other
SSL-VPN systems, only it runs over SSH. It is therefore really easy to
set up and automatically inherit the ability to use all of the
authentication schemes supported by SSH (password, public key,
Kerberos, etc.) 
The tunnel interfaces that form the endpoints of the tunnel can be
configured as either a layer-3 or a layer-2 link. In layer-3 mode you
can configure the tun(4) interfaces with IP or IPv6 addresses and route
packets over them like any other interface - you could even run a
dynamic routing protocol like OSPF over them if you were so inclined.
In layer-2 mode, you can make them part of a bridge(4) group to bridge
raw ethernet frames between the two ends. 
A practical use of this might be securely linking back to your home
network while connected to an untrusted wireless net, being able to
send and receive ICMP pings and to use UDP based services like DNS. 
Like any VPN system that uses a reliable transport like TCP, an
OpenSSH's tunnel can alter packet delivery dynamics (e.g. a dropped
transport packet will stall all tunnelled traffic), so it probably
isn't so good for things like VOIP over a lossy network (use IPsec for
that), but it is still very useful for most other things.
========>8===============>8========

The problem with VPNs has been partly key management nightmares (a.k.a
x.509) and partly install and configuration nightmares.  For those
reasons, VPNs only really made it into areas where corporates could pay
people to get them up and going.

Adding it to SSH solves both those issues and promises to bring about
VPNs for the common Unix machine (including all Macs now).

Crazy Prediction Time :- within a year of this being released and
available, SSH will be the most popular VPN.  Within two years, we'll
even forget that VPN stood for anything other than a way in which we
use SSH.

-- 
Powered by Movable Type
Version 2.64
http://www.movabletype.org/