[Freedombox-discuss] [James Vasile] tinc rollout and fbox

Guus Sliepen guus at tinc-vpn.org
Fri Sep 6 21:36:34 UTC 2013


On Sat, Aug 10, 2013 at 03:37:06PM -0400, Sandy Harris wrote:

> " On the 15th of September 2003, Peter Gutmann posted a security
> analysis of tinc 1.0.1. He argues that the 32 bit sequence number used
> by tinc is not a good IV, that tinc's default length of 4 bytes for
> the MAC is too short, and he doesn't like tinc's use of RSA during
> authentication. We do not know of a security hole in this version of
> tinc, but tinc's security is not as strong as TLS or IPsec. We will
> address these issues in tinc 2.0.
> 
> Gutmann is a well-known and respected expert. His best-known
> paper was one back in the 90s on reading "erased" disk drives
> and what bit patterns it took to block that. Most "secure erase"
> utilities around use those suggestions (even though current
> drives are quite different, so those may be inappropriate now).
> He has done /a lot/ of other stuff as well.
> 
> The current Tinc release is 1.0.21
> 
> My reading of that is that Tinc has known problems and
> they probably will not be fixed soon. To me, that means
> it is not ready for serious consideration as a component
> for FreedomBox.

The documentation is perhaps a little outdated. All problems mentioned by
Gutmann have been addressed in a new protocol that has been included in tinc
1.1pre3 and later.

If people are interested in using tinc to connect freedomboxes together, I
would be happy to help fix any problems that might come up. Even if tinc (as it
is) is not suitable for the Freedombox, I am very interested in discussing what
the requirements are for the Freedombox regarding VPN functionality.

-- 
Met vriendelijke groet / with kind regards,
      Guus Sliepen <guus at tinc-vpn.org>