From: Martijn Lievaart <m@rtij.nl>
To: Gervasio Bernal <gervasiobernal@speedy.com.ar>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: New extension: CRYPT target
Date: Sun, 21 May 2006 19:51:17 +0200 [thread overview]
Message-ID: <4470A895.5090707@rtij.nl> (raw)
In-Reply-To: <44708E68.9080508@speedy.com.ar>
Gervasio Bernal wrote:
>Hi all!!!
>
>After some months of development we have finished this new extension.
>CRYPT is a new target extension for Netfilter/Iptables that enables the
>user to encrypt, decrypt and authenticate any IP protocol traffic using
>the Linux Cryptographic API.
>
>For example, if you want to encrypt FTP (TOP) traffic between host A and
>host B, you can do as follows:
>
>(on host A, 1.2.3.4, FTP client)
># iptables -t mangle -A POSTROUTING -d 1.2.3.5 -p tcp --dport 20:21 -j
>CRYPT --cipher blowfish --key topsecret --mode ecb --direction encrypt
># iptables -t mangle -A PREROUTING -s 1.2.3.5 -p 206 -j CRYPT --cipher
>3des --key topsecretkeyinascii12345 --mode cbc --direction decrypt
>
>
Minor critisism, this will not catch the data channels of ftp, only the
control channel. Active ftp uses a *source* port of 20, passive ftp
(which is more common nowadays) uses whatever port range the server uses
for data channels (typically something like 30000-31000).
Does -mode cbc use the iv from the last packet? If not, this seems like
a false sense of security. Protocols that use lots of small packets will
still more or less have the drawbacks of ecb.
M4
next prev parent reply other threads:[~2006-05-21 17:51 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-21 15:59 New extension: CRYPT target Gervasio Bernal
2006-05-21 17:01 ` Carl-Daniel Hailfinger
2006-05-21 21:15 ` Gervasio Bernal
2006-05-21 22:17 ` Carl-Daniel Hailfinger
2006-05-22 23:49 ` Gervasio Bernal
2006-05-23 16:27 ` Gervasio Bernal
2006-05-23 16:46 ` Carl-Daniel Hailfinger
2006-05-23 17:07 ` Patrick McHardy
2006-05-23 17:14 ` Carl-Daniel Hailfinger
2006-05-23 23:13 ` Gervasio Bernal
2006-05-24 5:03 ` Patrick Schaaf
2006-05-23 18:26 ` Michael Richardson
2006-05-21 22:57 ` Michael Richardson
2006-05-22 23:36 ` Gervasio Bernal
2006-05-23 13:08 ` Michael Richardson
2006-05-23 17:19 ` Gervasio Bernal
2006-05-21 17:51 ` Martijn Lievaart [this message]
2006-05-21 20:34 ` Cedric Blancher
2006-05-21 21:01 ` Gervasio Bernal
2006-05-21 22:54 ` Michael Richardson
2006-05-21 20:27 ` Gervasio Bernal
2006-05-25 16:11 ` Lennart Poettering
2006-05-26 18:12 ` Gervasio Bernal
2006-05-26 18:25 ` Patrick McHardy
-- strict thread matches above, loose matches on Subject: below --
2006-05-23 23:33 Gervasio Bernal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4470A895.5090707@rtij.nl \
--to=m@rtij.nl \
--cc=gervasiobernal@speedy.com.ar \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.