[373] in athena10
Re: Debathen VPN Config Package
daemon@ATHENA.MIT.EDU (Evan Broder)
Tue Aug 5 00:14:27 2008
Message-ID: <4897D373.2000208@mit.edu>
Date: Mon, 04 Aug 2008 21:13:39 -0700
From: Evan Broder <broder@MIT.EDU>
MIME-Version: 1.0
To: Jonathan Reed <jdreed@mit.edu>
CC: athena10@mit.edu
In-Reply-To: <8FDC40DF-BAFB-4577-94D9-45F900EF5603@mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

A few quick comments:

Jonathan Reed wrote:
> I certainly have thoughts, but I'm hardly the canonical source for a
> policy such as this.
>
> Regardless of how closely guarded the "secret" is or isn't, I think it
> should be under the same access restrictions as the MITnet-VPN.pcf -
> namely MIT-only. That may preclude a config package, and instead we
> may want to provide a stock answer documenting configuration of the
> VPN client, or perhaps a configuration file itself, certificate
> protected.
>
> Now that I think about it, a really clever hack would be a set of
> patches against vpnc which would allow it to use a Cisco config file,
> seeing as how it's supposed to be a replacement for Cisco's client.
> I believe the various key decryption tools rely on a bug in the Cisco
> libraries which expose the cleartext key in memory, but perhaps the
> decryption has been reverse-engineered at this point. But that's
> almost certainly more effort than it's worth.

The format has definitely been decrypted - see
<http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c>. I'm
assuming there would be DMCA issues with actually including that with
either vpnc or our own packages, right?
> However, I believe there is also a preference within IS&T for the
> official Cisco client, and it would probably be a good idea if Athena
> didn't completely ignore that.

One particular thing that I love being able to do with vpnc that I can't
do with the Cisco client is only route net-18 traffic through the VPN.
It's great when I'm using NAT-sensitive things like AFS but don't want
the added latency of my packets going across the country.
>
> Also, won't Zephyr (even krb5 zephyr) be sad behind a VPN? Although
> that could be an artifact of the way the Cisco client clobbers the
> networking stack, as opposed to vpnc which plays nice via tun0. We
> should probably document things that will break if we're going to
> pretend to support Athena behind a VPN.

I believe that Zephyr will work with vpnc, because the zhm would
actually be aware of what its VPN IP address is. Nelson's been doing
BarnOwl development from behind the VPN recently, and says that he
hasn't had any problems.
>
> I will follow up offline on the key issue and IS&T software preferences.
>
> -Jon

- Evan