OpenBSD and IPSec, leading the pack.
Copyright © 1998 Ejovi Nuwere

This is a two-part article focusing on OpenBSD's IPSec development. Part one is an introduction to OpenBSD's Photurisd and its current implementation, including a brief interview with Photurisd creator Niels Provos.

What is IPSec?

IPsec stands for "IP Security". The IPsec working group of the IETF is developing standards for cryptographic authentication and for encryption within IP. The base specifications are defined in RFCs 1825, 1826 and 1827. OpenBSD, known for its high security standards, continues to set the trend when it comes to encryption. OpenBSD is the first Unix-like operating system to ship with IPSec tools, which give users the ability to easily set up encrypted tunnels and Virtual Private Networks (VPNs).

What is Photurisd?

Along with IPSec tools, OpenBSD also has a session key management daemon called Photuris. Originally described in the Internet draft 'draft-simpson-photuris' by Phil Karn and William Allen Simpson, Photurisd is an IPSec key management daemon used to generate session keys and establish security associations for IPSec. The implementation was done in 1997 by Niels Provos and first appeared in OpenBSD 2.1. Recently I was able to interview Niels Provos, an OpenBSD developer and the creator of Photurisd. Niels has been working with Angelos D. Keromytis, the OpenBSD developer who initially ported IPSec to OpenBSD. (Part two of this article will contain an interview with Angelos.)
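To make concrete what a key management daemon does for IPSec (generate session keys, turn them into a security association, and replace them on a schedule without anyone typing hex keys), here is an added example that is not Photurisd's code and not the Photuris protocol itself. Photuris is Diffie-Hellman based, so the example runs a stripped-down Diffie-Hellman exchange between two endpoints and derives an SPI and authentication key from the result; the cookie and identification exchanges of the real protocol are omitted, the group is a toy 61-bit prime chosen only so the numbers stay readable, and the 120-second lifetime, the `Peer` class and the message fields are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Toy Diffie-Hellman group, constructed for this example only: 2**61 - 1 is
# a Mersenne prime, small enough to read but far too small for real use.
# Photuris and other IPsec key management use groups of 1024 bits and up.
P = (1 << 61) - 1
G = 2

# Rekey policy (assumption for the example): replace the session key after
# this many seconds, the "change keys every couple of minutes" behaviour
# that a key management daemon provides.
SA_LIFETIME = 120.0


def dh_keypair():
    """Return (private exponent, public value) for one exchange."""
    priv = secrets.randbelow(P - 2) + 1      # 1 <= priv <= P - 2
    return priv, pow(G, priv, P)


def make_sa(shared, nonce_i, nonce_r, now):
    """Derive a security association from the shared secret and both nonces.

    The SPI identifies the SA on the wire and the key protects the traffic;
    both come from a hash so the raw shared secret is never used directly.
    """
    material = shared.to_bytes(8, "big") + nonce_i + nonce_r
    spi = hashlib.sha256(b"spi" + material).digest()[:4]
    key = hashlib.sha256(b"auth" + material).digest()
    return {"spi": spi, "key": key, "established": now}


class Peer:
    """One IPsec endpoint: holds the in-progress exchange and the current SA."""

    def __init__(self, name):
        self.name = name
        self.sa = None
        self._priv = None
        self._nonce = None

    def propose(self):
        """Initiator: send public value and a fresh nonce."""
        self._priv, pub = dh_keypair()
        self._nonce = os.urandom(16)
        return {"from": self.name, "pub": pub, "nonce": self._nonce}

    def accept(self, msg, now):
        """Responder: derive the SA and answer with its own public value."""
        self._priv, pub = dh_keypair()
        self._nonce = os.urandom(16)
        shared = pow(msg["pub"], self._priv, P)
        self.sa = make_sa(shared, msg["nonce"], self._nonce, now)
        return {"from": self.name, "pub": pub, "nonce": self._nonce}

    def finish(self, reply, now):
        """Initiator: derive the same SA from the responder's reply."""
        shared = pow(reply["pub"], self._priv, P)
        self.sa = make_sa(shared, self._nonce, reply["nonce"], now)


def establish(initiator, responder, now=None):
    """Run the two-message exchange; True if both ends agree on the SA."""
    now = time.time() if now is None else now
    reply = responder.accept(initiator.propose(), now)
    initiator.finish(reply, now)
    return (initiator.sa["key"] == responder.sa["key"]
            and initiator.sa["spi"] == responder.sa["spi"])


def needs_rekey(sa, now):
    """True when the SA has outlived its policy lifetime."""
    return now - sa["established"] >= SA_LIFETIME


def protect(sa, payload):
    """Authenticate an outgoing packet with the SA key (the AH-like part)."""
    tag = hmac.new(sa["key"], sa["spi"] + payload, hashlib.sha256).digest()
    return sa["spi"] + payload + tag


def verify(sa, packet):
    """Check an incoming packet against the SA; return the payload or None."""
    spi, body, tag = packet[:4], packet[4:-32], packet[-32:]
    if spi != sa["spi"]:
        return None
    expected = hmac.new(sa["key"], spi + body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    a, b = Peer("hostA"), Peer("hostB")
    t0 = 1000.0                                  # constructed clock
    assert establish(a, b, t0)
    pkt = protect(a.sa, b"constructed IP payload")
    assert verify(b.sa, pkt) == b"constructed IP payload"
    old_key = a.sa["key"]
    if needs_rekey(a.sa, t0 + SA_LIFETIME):      # lifetime expired: rekey
        establish(a, b, t0 + SA_LIFETIME)
    assert a.sa["key"] != old_key                # fresh keys, no manual hex
    print("session keys established and rotated without manual keying")
```

The part worth noticing is the last few lines of the `__main__` block: the application never sees a key, and rekeying is just another run of the same exchange, which is exactly what manual keying with long hex strings cannot give you.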
URLs of interest
- Begin Interview -

DaemonNews: How's it going?

Niels Provos: Going well.

DN: Neils Provos is the correct spelling of your name?

NP: No, it's Niels actually, but most here seem to get that wrong. ;)

DN: Ok... So do you have an exact purpose as an OpenBSD developer? Were you brought in for a specific reason?

NP: No, mostly abusing the fact that I was in Germany and could write crypto code basically, and when I started, it was with bcrypt first and the IPSec and key management stuff with Angelos (Angelos D. Keromytis).

DN: Explain bcrypt?

NP: bcrypt is a new password hashing scheme which uses Bruce Schneier's blowfish. David Mazieres came up with a scheme to encode a password in the key state blowfish keeps. The very cool thing about it is that you can specify how many rounds of blowfish you want to use. This means that you can adapt the security of your password to the ever growing speed of computers.

DN: So in OpenBSD password hashing, bcrypt is the password scheme and it utilizes blowfish?

NP: That would be correct.

DN: So how did you get involved in the IPSec stuff?

NP: Oh, Angelos ported the IPSec John Ioannidis did for BSDi to NetBSD and OpenBSD when he was in Greece, but he moved to the States, so somebody out of the States had to continue work on it. That is how I got involved and that's also the reason why I wrote Photurisd.

DN: When did you write Photurisd?

NP: During the summer of 1997; it took some time. Now it is pretty stable and functional, the only remaining problem is really configuration.

DN: How so?

NP: Some people have problems setting VPNs up because the documentation is too technical or the configuration may be hard for some, until you get the hang of it.

DN: Where does Photurisd fit in with IPSec?

NP: Key management... it will allow you to change your encryption keys every couple of minutes if you like. Hmm, let us say you have a network application which requires security. The application would tell the kernel: hey, I want this connection encrypted. The kernel would see if it already has encryption set up and if not, it would tell Photurisd: hey, please establish encryption keys between me and this remote host. All automatically, the application does not have to know about it. You also get rid of all those long hex numbers used for manual keying.

DN: How does the application tell the kernel?

NP: Good question, as of now there is no standardized way of doing it. In OpenBSD we use setsockopt as is described in IPSec.4; this is stuff which needs more work in the future.

DN: How does one know a connection is encrypted?

NP: This is something you should be able to do with getsockopt, which also needs work, but basically if you use setsockopt the kernel makes sure that the connection is encrypted; if that is not possible, you get a network down error message.

DN: What if I wanted a secure connection across the net in general, no matter what application I used, from one specific network to another, is that possible now?

NP: Yes, that is possible, but as I said the configuration isn't as optimal as it could be; we plan on changing this in the next release [2.4].

DN: Ok, what is stable about it now? What can you say "will" work?

NP: IPSec works perfectly when you set it up, you can do that with ipsecadm or with photurisd; people in Canada are using IPSec in OpenBSD to massively encrypt their traffic. So it is stable.

DN: Anything you can say will not work?

NP: Nah, everything should work.

DN: Does Photurisd support other OSes? If so which?

NP: Photuris will run on AIX, Linux or Solaris but without IPSec support.

DN: Would I have any problems setting up my OpenBSD box with a non-OpenBSD router, firewall, machine which is IPSec compliant?

NP: No, we interoperate with nearly everyone; if you do manual key setup you should be able to talk with nearly every IPSec implementation out there.

DN: Hmm...

NP: Trying to find questions? Ask me how I like beer in the states ;)

DN: Ok, how do you like beer in the states?

NP: Ann Arbor [MI] is one of the greatest places in the world. I would drown myself in beer, if I didn't lack so much money. ;)
- End of Interview -
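The point Niels makes about bcrypt in the interview is that the round count is a knob: you raise it as machines get faster, so a hash that was expensive enough in 1997 can be replaced by a costlier one later. The following is an added example, not bcrypt and not OpenBSD's code, that shows what that knob means operationally. Because bcrypt is not in Python's standard library, it uses PBKDF2-HMAC-SHA256 as a stand-in, with the iteration count playing the role of bcrypt's round count; the storage format, the `calibrate` routine, the `login` helper and the 50 ms target are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import time

# Stand-in for bcrypt's tunable round count (assumption for the example):
# PBKDF2-HMAC-SHA256 from the standard library, whose iteration count plays
# the same role as bcrypt's cost. The "$"-separated storage format is
# constructed here so the cost travels with the hash and can be raised later.
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, iterations, salt=None):
    """Hash a password at the given cost; returns a self-describing string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def parse_hash(stored):
    """Split a stored hash into (iterations, salt, digest)."""
    algorithm, iterations, salt, digest = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unknown hash algorithm: " + algorithm)
    return int(iterations), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password, stored):
    """Constant-time comparison of a candidate against the stored hash."""
    iterations, salt, digest = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_upgrade(stored, policy_iterations):
    """True when the stored hash is cheaper than current policy demands."""
    iterations, _, _ = parse_hash(stored)
    return iterations < policy_iterations


def calibrate(target_seconds, start=1000):
    """Double the cost until one hash takes at least target_seconds on this CPU.

    Run this on the machine that will verify logins; as hardware gets faster
    the returned count rises, which is the "adapt to the speed of computers"
    property the interview describes.
    """
    iterations = start
    while True:
        began = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * 16, iterations)
        if time.perf_counter() - began >= target_seconds:
            return iterations
        iterations *= 2


def login(password, stored, policy_iterations):
    """Verify and, on success, re-hash at current policy if the stored cost is stale.

    Returns (ok, stored_hash_to_keep); the caller writes the new hash back.
    A cleartext password is only available at login, so that is the one
    moment an old, too-cheap hash can be replaced.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_upgrade(stored, policy_iterations):
        stored = hash_password(password, policy_iterations)
    return True, stored


if __name__ == "__main__":
    policy = calibrate(0.05)                       # ~50 ms per hash here
    old = hash_password("correct horse", 1000)     # constructed "old" hash
    ok, current = login("correct horse", old, policy)
    print(ok, "upgraded" if current != old else "kept",
          "to", parse_hash(current)[0], "iterations")
```

Two details carry the security argument: the cost is stored beside the hash, so `needs_upgrade` can tell old hashes from current ones, and `login` is the only place that can re-hash, because it is the only place the password is in hand.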
Ejovi Nuwere, joewee@monkey.org