SourceFiles.org - Use the Source, Luke
Home | Register | News | Forums | Guide | MyLinks | Bookmark

Related Sites

Latest News
  General News
  Reviews
  Press Releases
  Software
  Hardware
  Security
  Tutorials
  Off Topic


Back to files

Yavipind is a secure tunnel aka 2 peers securely forwarding packets toward each other. It forwards any kind of packet (IPv4, IPv6 or other) sent over the virtual point-to-point device (e.g. tun0).

It runs in linux userspace (currently only 2.4.x kernel).

Yavipin features:
When designing the protocol and writting the software, the author used the following criteria: the security MUST as strong as reasonably possible, yavipin SHOULD be network efficient, easy to use and install. Network efficiency:

  • small packet overhead: 26bytes (e.g. ESP with DES+MD5 is 32byte)
  • Packet compression: Forwarded packets may be compressed using deflate (gzip). (WORK: add stat about efficiency)
  • NAT compatible: yavipin's tunnel may be establish over NAT as all packets of a tunnel are sent over a single UDP/IPv4 connection. Moreover the peer unreachability detection periodically send packets which prevent the NAT engine from timing out the connection state.
  • Peer unreachabilty detection: If the other peer becomes unreachable, it will be detected. It is done ala IPv6 neighbours discovery (rfc2461.7).
  • Gracefull shutdown: If a peer purposely stops, it will notify the other which is immediatly aware of it.

Usage's simplicity:

  • Fully in userspace: No need to recompile the kernel
  • reuse existing tools: As yavipin use a virtual device, it is possible to apply to the tunnel any tool designed for network device. For example, it is possible to set up a firewall using ipchains/netfilter or to do traffic shapping using the kernel's traffic control (see tc).

Security's strength:

  • packet security: each packet exchanged during the connection is encrypted using blowfish CFB and authenticated with HMAC-MD5 96bits.
  • protection against packet replay: It uses strict anti-replay and no packet can be accepted twice. A eavedropper can't take a packet, keep it for a while and make it accept a second time by the destination.
  • Efficient session key renewal: It uses hash chains for efficiency. It allows smooth key transition not to cause any packet loss during the renewal. It provides forward secrecy inside the connection.
  • Protect DoS ala TCP syn : It uses cookie exchange (rfc2522.3) during the connection establishement.
  • Forward secrecy : Even if the attacker cracks the box, he won't be able to decrypt network traffic older than a given delay (default 10min). The diffie-hellman private key and the session key are periodically renewed and securely erased from memory.


Other Sites

Discussion Groups
  Beginners
  Distributions
  Networking / Security
  Software
  PDAs

About | FAQ | Privacy | Awards | Contact
Comments to the webmaster are welcome.
Copyright 2006 Sourcefiles.org All rights reserved.