[olug] TINC

Rob Townley rob.townley at gmail.com
Wed Nov 14 20:16:16 UTC 2012


IPsec pre-shared key for enterprise wireless is worse than PPTP according
to https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ .
Make sure IPsec is used with certificates instead.

tinc is an educational project sponsored by a university aiming to grow
awareness of encryption over the public internet.  It does not have a
marketing department.  Criticism is welcome.  Think of Schneier: *"Secrecy
and security aren't the same, even though it may seem that way. Only bad
security relies on secrecy; good security works even if all the details of
it are public."* <https://en.wikipedia.org/wiki/Bruce_Schneier#cite_note-20>
tinc, like much security software, can have 'Encryption = none', a setup
with no security at all, for a gaming extranet or just plain EOIP.
For mainstream use, security software needs to be secure even when Grandma
installs it.  Hamachi does that but is not as flexible as tinc.

Peter Gutmann tore apart many different VPNs in his assessment, but still
ranked tinc the best of those in his comparison.  The only real criticism
he had was that it still used Defense Encryption Standard DES keys, just
like a Win2003-based ActiveDirectory would use and MSCHAPv2 for WPA2 uses
to this day.  We are not talking triple DES, just plain DES.  However,
tinc didn't use MSCHAP; it uses RSA to establish the session keys.  tinc
has also used one of the other AES contenders, Blowfish, since 2000.  Blowfish
has not been broken.  It was not until Win2003R2 that MS upgraded to
slightly better arc4 keys.  The fact is there are many MS ActiveDirectory
domains out there that still use DES to this day.  Why?  Not only because of
MSCHAPv2 for WPA2 but, much more worrisome, because even if all your ADS
servers are Win2008R2, they can still run in Win2000 ADS compatibility mode,
which would mean DES keys.  DES was broken in the 90's and now
CloudCracker can break open DES traffic in 24 hours.

I have learned much more by using this open source project than other VPNs,
open source or not.



On Tue, Nov 13, 2012 at 6:04 PM, Christopher Cashell <topher-olug at zyp.org> wrote:

> On Tue, Nov 13, 2012 at 5:04 PM, Sam Flint <harmonicnm7h at gmail.com> wrote:
> > Does anyone have experience with tinc vpn?
>
> It was not looked on particularly favorably in a comparison some years
> ago by well known cryptographer Peter Gutmann:
> http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
>
> Admittedly, that review was from 2003.  However, one of the things
> that post discusses in length, and does a great job of illustrating,
> is that security software like VPNs are difficult to get right, and
> very easy to get wrong.
>
> OpenVPN seems to have emerged as the closest thing to a de facto
> standard for non-IPsec.  Personally, I would stick with either IPsec
> or OpenVPN for any VPN needs unless I had a *really* good reason to
> use something else.
>
> Personal experience with IPsec and OpenVPN would leave me leaning
> towards OpenVPN for everything that didn't require compatibility with
> non-OpenVPN connections (appliances, routers/firewalls, other
> third-party situations), in which case I'd use IPsec.
>
> > --
> > Sam Flint
>
> --
> Christopher
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>
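As an added illustration of the "no security at all" setting mentioned above (this is the editor's example, not configuration from the thread or from the tinc project): in tinc 1.0 the per-packet cipher and the per-packet authentication are set in the host configuration file hosts/<name>, and each can be switched off on its own. The node names, addresses, subnets and the chosen cipher/digest values are assumptions made for this example.

```ini
# hosts/gamenode -- the "gaming extranet" setup: no packet encryption and no
# packet authentication. Anyone on the path can read and forge tunnel traffic.
# (Hypothetical node name, address and subnet, chosen for this example.)
Address = gamenode.example.net
Subnet = 10.9.0.2/32
Cipher = none
Digest = none

# hosts/officenode -- the same kind of host file, hardened. tinc 1.0 defaults
# are blowfish for Cipher, sha1 for Digest and a 4-byte MACLength; the values
# below raise all three. The RSA key pair is generated with "tincd -n <net> -K";
# the public key lines that tinc appends to this host file are omitted here.
Address = officenode.example.net
Subnet = 10.9.0.3/32
Cipher = aes-256-cbc
Digest = sha256
MACLength = 16
```

Digest and MACLength govern packet authentication independently of Cipher, so a host file with Cipher = aes-256-cbc but Digest = none still lets an on-path attacker inject packets into the tunnel. Because these options live in each host's file rather than in one central tinc.conf, checking for "none" means checking every hosts/<name> file distributed across the VPN, not just the one on the node you are configuring.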


