author: Kjell Wooding <kjell@cvs.openbsd.org> 1999-02-12 21:35:28 +0000
committer: Kjell Wooding <kjell@cvs.openbsd.org> 1999-02-12 21:35:28 +0000
commit: b1b6a913b3767892c9e108e431e8d447e11d0890
tree: 59b448a240e4db9d67172383094b408f32fb2530 /share/man
parent: e8cdeef9a74dad02c4be144e2625364e72715e94
Added recommended key lengths for variable ciphers. Cleaned up BUGS.
Diffstat (limited to 'share/man')
-rw-r--r-- share/man/man8/vpn.8 | 25
1 files changed, 16 insertions, 9 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index 316189611a3..241388f6564 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.8 1999/02/12 04:54:46 kjell Exp $
+.\" $OpenBSD: vpn.8,v 1.9 1999/02/12 21:35:27 kjell Exp $
.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -79,7 +79,7 @@ being unguessable, it is very important that the keys be chosen using a
strong random source. One practical method of generating them
is by using the
.Xr random 4
-device. Eg:
+device. To produce 160 bits of randomness, for example, do a:
.Bd -literal
dd if=/dev/urandom bs=1024 count=1 | sha1
.Ed
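Review bot: the example command yields exactly one 160-bit SHA-1 digest, which matches the 160 bits recommended for BLF and CAST in the table below but falls 4 bytes short of the 24-byte (168-bit) 3DES key that this same change documents; consider noting that a longer key needs more than one digest, or that the required number of bytes can be read from the random device directly. The wording "do a:" also reads awkwardly; "run:" would be clearer.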
@@ -88,12 +88,18 @@ Different cipher types may require different sized keys.
.Pp
.Bl -column "Cipher" "Key Length" -compact
.It Em Cipher Key Length
-.It Li DES Ta "8 bytes"
-.It Li 3DES Ta "24 bytes"
-.It Li BLF Ta "Variable"
-.It Li CAST Ta "Variable"
+.It Li DES Ta "56 bits"
+.It Li 3DES Ta "168 bits"
+.It Li BLF Ta "Variable (160 bits recommended)"
+.It Li CAST Ta "Variable (160 bits recommended)"
.El
.Pp
+Use of DES as an encryption algorithm is not recommended
+(except for backwards compatibility) due to its short key length.
+Note that when using DES (or 3DES), the most significant bit of each
+byte is ignored. This means that 8 bytes are required to form a 56-bit
+DES key, and 24 bytes are required to form a 168 bit 3DES key.
+.Pp
Initialization vectors (IV) are always 8 byte hexadecimal values.
.Ss Creating Security Associations
Before the IPSec flows can be defined, two Security Associations (SAs)
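Review bot: the new sentence "the most significant bit of each byte is ignored" has the bit backwards: under FIPS 46 the parity bit that DES (and hence 3DES) discards is the least significant, low-order bit of each key byte, so suggest "the least significant (parity) bit of each byte is ignored". The explanation of why 8 and 24 bytes are needed is otherwise a useful addition; for consistency with "56-bit", hyphenate "168 bit" as "168-bit".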
@@ -317,9 +323,10 @@ Firewall configuration file
.Sh BUGS
When using
.Xr photurisd 8
-in VPN mode, both of your security gateways need to be in the protected
-network; that is, the gateway IP and network mask = network. This means
-that it is only possible to tunnel private networks using manual keying.
+in VPN mode, both of the security gateways IP addresses must fall within
+their protected netranges.
+In situations where the gateway IP is outside the desired netrange, such
+as with private networks (RFC 1597), manual keying must be used.
This should be fixed in the next release.
.Sh SEE ALSO
.Xr ipf 1 ,
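Review bot: the rewritten BUGS text needs a possessive, "both of the security gateways' IP addresses". RFC 1597 was obsoleted by RFC 1918 in 1996, so the private-network reference should cite RFC 1918 instead. "netranges" is informal; "protected networks" or "address ranges" would match the wording used elsewhere in this section.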