-#* Design of new, multi-subnet secnet protocol
+* Design of new, multi-subnet secnet protocol
-Like the first version, we're tunnelling IP packets inside UDP
-packets. To defeat various restrictions which may be imposed on us by
-network providers (like the prohibition of incoming TCP connections)
-we're sticking with UDP for everything this time, including key setup.
+Like the first (1995/6) version, we're tunnelling IP packets inside
+UDP packets. To defeat various restrictions which may be imposed on us
+by network providers (like the prohibition of incoming TCP
+connections) we're sticking with UDP for everything this time,
+including key setup.
Other new features include being able to deal with subnets hidden
behind changing 'real' IP addresses, and the ability to choose
tunnel endpoint, but this is not vital. Individual tunnels are
identified by their two endpoint names.
-
-The configuration is held in memory as a data structure as follows:
-
-The root is a Dictionary. Dictionaries hold (key,value) pairs. Keys
-are atoms. Values are lists, dictionaries or closures. Lists can hold
-the following types: string, number.
-
-Closures cannot be constructed directly; they are added to the
-'default' dictionary before the configuration file is read. Invocation
-of a closure can return any type of value.
-
-
-Configuration file format: the file describes a dictionary.
-
-key value;
-
-value is item[,item...]
-
-item can be "string", number, path (looks up in dictionary),
-{dictionary}, value(value), value{dictionary}. If item is a list it
-is copied into the list - we can't have lists of lists.
-
-A path is [/]key[\[index\]][/key[\[index\]]...], defining a lookup
-from the current dictionary (or parents) or the root. If a key refers
-to a list of more than one item then an index number (base 0) in
-square brackets can be used to specify the list item number.
-
-Items of the form value1(value2) invoke executable value1 with an
-argument of value2. The return value can be a string or dictionary,
-but not a list. (Invocation happens after the entire configuration
-file has been read.)
-
-Items of the form value{dict} invoke executable value with an argument
-of a single-element list, containing dict. It's just syntactic sugar
-for value({dict}).
-
-
-When a key is used (rather than defined) it is looked up in the
-current dictionary, and if it isn't found it is looked up in the
-(lexical) parent, until the root is reached.
-
-
-
-
-What sorts of crypto-related things do we need to define?
-
-sources of randomness
-block algorithms
-block cipher modes?
-hash functions
-padding functions
-public key signature algorithms
-public key crypto key stores
-key setup algorithms
-
-
** Protocols
*** Protocol environment:
Messages:
-1) A->B: *,iA,msg1,A,B,nA
+1) A->B: *,iA,msg1,A,B,protorange-A,nA
-2) B->A: iA,iB,msg2,B,A,nB,nA
+2) B->A: iA,iB,msg2,B,A,chosen-protocol,nB,nA
(The order of B and A reverses in alternate messages so that the same
code can be used to construct them...)
-3) A->B: {iB,iA,msg3,A,B,nA,nB,g^x mod m}_PK_A^-1
+3) A->B: {iB,iA,msg3,A,B,protorange-A,chosen-protocol,nA,nB,g^x mod m}_PK_A^-1
If message 1 was a replay then A will not generate message 3, because
it doesn't recognise nA.
If message 2 was from an attacker then B will not generate message 4,
because it doesn't recognise nB.
-4) B->A: {iA,iB,msg4,B,A,nB,nA,g^y mod m}_PK_B^-1
+If an attacker is trying to manipulate the chosen protocol, B can spot
+this when it sees A's message 3.
+
+4) B->A: {iA,iB,msg4,B,A,protorange-B,chosen-protocol,nB,nA,g^y mod m}_PK_B^-1
At this point, A and B share a key, k. B must keep retransmitting
message 4 until it receives a packet encrypted using key k.
+A can abandon the exchange if the chosen protocol is not the one that
+it would have chosen knowing the acceptable protocol ranges of A and
+B.
+
5) A: iB,iA,msg5,(ping/msg5)_k
6) B: iA,iB,msg6,(pong/msg6)_k
sent when a key times out, or the tunnel is forcibly terminated for
some reason.
+XXX not yet implemented.
+
8) i?,i?,NAK/msg8
If the link-layer can't work out what to do with a packet (session has
if they can only forge packets then they won't be able to stop the
ping/pong working. Trust in NAKs can be rate-limited...
-Alternative idea: if you receive a packet you can't decode, because
-there's no key established, then initiate key setup...
+Alternative idea (which is actually implemented): if you receive a
+packet you can't decode, because there's no key established, then
+initiate key setup...
+
+Keepalives are probably a good idea.
**** Protocol sub-goal 3: send a packet