 ppp.Keys(4)							 ppp.Keys(4)




 NAME
      ppp.Keys - PPP encryption keys file format

 RESTRICTIONS
      Encryption is not available in software exported from the USA.  HP's
      pppd command does not support the gw-crypt option; customers may
      contact salesATprogressive-systems.com to obtain encryption
      functionality.

 DESCRIPTION
      The keys file named in the gw-crypt option on the pppd command line
      contains key values used by HP PPP's implementation of link-level
      encryption.  Before transmission, packets with source and destination
      addresses matching the endpoints on a keys file line are encrypted
      using DES with the key specified on that keys file line.	Upon
      reception, packets with source and destination addresses matching
      those on a keys file line are decrypted using DES with the key
      specified on that keys file line.

    Format
      Each key specification is on its own single line of up to 1023
      characters.  Comments in the keys file begin with a `#' and extend to
      the end of the line; blank lines, or lines beginning with a `#', are
      ignored.	Fields are separated by horizontal white space (blanks or
      tabs).

      The first two words on a key line are compared with the source and
      destination addresses of each packet to be transmitted and each
      received packet.	The endpoint address specifications may contain
      either host or network names, or host or network addresses.  If a
      network is specified, either by name or by address, then the
      corresponding network mask must also be specified if it is of a
      different size than the default for that class of network.  The mask
      is separated from the network name or address by a slash (`/'), and
      may be specified either as a series of decimal numbers separated by
      periods, or as a single 32-bit hexadecimal number, optionally with a
      C-style `0x' prefix.

      The remainder of the key line is a 56-bit (14-digit) hexadecimal
      number (without the C-style `0x' prefix), used as the DES key between
      the specified pair of hosts or networks.  The digits may be separated
      by horizontal white space for readability.  If the key contains fewer
      or more than 14 hexadecimal digits, the line is ignored.  If the key
      is weak or semi-weak, a warning message will be printed in the log
      file and the specified key will be used for encryption anyway.

 EXAMPLE
      The following keys file provides pppd with keys for use when
      encrypting or decrypting traffic between the indicated pairs of hosts
      or networks:




 Hewlett-Packard Company	    - 1 -   HP-UX Release 11i: November 2000

	   #
	   #  Keys - PPP encryption keys file
	   #
	   #  Format:
	   #endpoint		   endpoint		   key
	   frobozz.foo.com	   glitznorf.baz.edu	   feed face f00d aa
	   147.225.0.0		   38.145.211.0/0xffffffc0 b1ff a c001 d00d 1
	   128.49.16.0/0xffffff00  198.137.240.100	   0123456789abcd
	   193.124.250.136	   143.231.1.0/0xffffff00  e1c3870e1c3870

 RECOMMENDATIONS
      Avoid using weak or semi-weak keys.  These are weak DES keys:

	   00000000000000
	   FFFFFFFFFFFFFF
	   1E3C78F1E3C78F
	   E1C3870E1C3870

      These are semi-weak DES keys:

	   01FC07F01FC07F
	   FE03F80FE03F80
	   1FC07F00FE03F8
	   E03F80FF01FC07
	   01C007001E0078
	   E003800F003C00
	   1FFC7FF0FFC3FF
	   FE3FF8FFE1FF87
	   003C00F001C007
	   1E007800E00380
	   E1FF87FF1FFC7F
	   FFC3FF0FFE3FF8
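      The following script is an added example, not code from HP-UX or from
      Progressive Systems.  It applies the parsing rules of the Format section
      (comments, blank lines, blank- or tab-separated fields, optional /mask in
      dotted or hex form, a key of exactly 14 hex digits that may be split by
      blanks, lines with a bad digit count ignored) and then checks each key
      against the weak and semi-weak lists above, reporting a match the way
      pppd's log warning would while still keeping the key.  The function
      names, the warning text, and the rule used to tell a network address
      from a host address when no mask is given are this example's own
      assumptions; the sample input is the EXAMPLE keys file from this page.

```python
"""ppp.Keys(4) parser and key checker (added example, not HP or Progressive
Systems code).  It applies the Format rules: '#' comments, blank lines, two
endpoint fields with an optional /mask (dotted or 0x hex), and a 56-bit key of
exactly 14 hex digits that may be split by blanks.  Lines with a bad digit
count are ignored; weak or semi-weak keys are reported but, as in pppd, kept.
Function names, the warning text and the host/network heuristic are ours."""
import re
import sys

# Weak and semi-weak DES keys, as listed under RECOMMENDATIONS.
WEAK_KEYS = {"00000000000000", "FFFFFFFFFFFFFF", "1E3C78F1E3C78F", "E1C3870E1C3870"}
SEMI_WEAK_KEYS = {
    "01FC07F01FC07F", "FE03F80FE03F80", "1FC07F00FE03F8", "E03F80FF01FC07",
    "01C007001E0078", "E003800F003C00", "1FFC7FF0FFC3FF", "FE3FF8FFE1FF87",
    "003C00F001C007", "1E007800E00380", "E1FF87FF1FFC7F", "FFC3FF0FFE3FF8",
}
DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def to_u32(text):
    """Dotted-decimal or hex (optional 0x prefix) address/mask to a 32-bit int."""
    if DOTTED.match(text):
        octets = [int(o) for o in text.split(".")]
        if max(octets) > 255:
            raise ValueError("octet out of range: " + text)
        return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return int(text, 16) & 0xFFFFFFFF


def classful_mask(addr):
    """Default mask for an address by its class: A /8, B /16, otherwise /24."""
    first = addr >> 24
    if first < 128:
        return 0xFF000000
    return 0xFFFF0000 if first < 192 else 0xFFFFFF00


def parse_endpoint(field):
    """Split 'name-or-address[/mask]' into (spec, mask).

    Assumption (ours, not the manual's): a dotted address without a mask is a
    network if its host bits under the classful default are zero, otherwise a
    single host (mask 0xffffffff).  Names are kept verbatim, since resolving
    them needs the network.
    """
    spec, _, mask = field.partition("/")
    if mask:
        return spec, to_u32(mask)
    if not DOTTED.match(spec):
        return spec, None
    addr = to_u32(spec)
    default = classful_mask(addr)
    return spec, default if (addr & ~default & 0xFFFFFFFF) == 0 else 0xFFFFFFFF


def parse_keys_file(text):
    """Return (entries, warnings); each entry keeps its key as 14 upper-case hex digits."""
    entries, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # comment runs to end of line
        if not line:
            continue
        fields = line.split()                        # blanks or tabs
        if len(fields) < 3:
            warnings.append("line %d: ignored, fewer than three fields" % lineno)
            continue
        key = "".join(fields[2:]).upper()            # digits may be blank-separated
        if not re.fullmatch(r"[0-9A-F]{14}", key):
            warnings.append("line %d: ignored, key is not 14 hex digits" % lineno)
            continue
        if key in WEAK_KEYS:
            warnings.append("line %d: weak DES key %s used anyway" % (lineno, key))
        elif key in SEMI_WEAK_KEYS:
            warnings.append("line %d: semi-weak DES key %s used anyway" % (lineno, key))
        src, src_mask = parse_endpoint(fields[0])
        dst, dst_mask = parse_endpoint(fields[1])
        entries.append({"src": src, "src_mask": src_mask,
                        "dst": dst, "dst_mask": dst_mask, "key": key})
    return entries, warnings


# The EXAMPLE keys file from this manual page, embedded so the script runs offline.
SAMPLE = """\
#
#  Keys - PPP encryption keys file
#
#  Format:
#endpoint            endpoint                key
frobozz.foo.com      glitznorf.baz.edu       feed face f00d aa
147.225.0.0          38.145.211.0/0xffffffc0 b1ff a c001 d00d 1
128.49.16.0/0xffffff00  198.137.240.100      0123456789abcd
193.124.250.136      143.231.1.0/0xffffff00  e1c3870e1c3870
"""

if __name__ == "__main__":
    ents, warns = parse_keys_file(SAMPLE)
    for e in ents:
        print("%-22s %-22s %s" % (e["src"], e["dst"], e["key"]))
    for w in warns:
        print("warning:", w, file=sys.stderr)
```

      Run against the page's own example file, the checker flags the last
      line: e1c3870e1c3870 is one of the four weak DES keys listed above, so
      a file copied from the EXAMPLE section verbatim would already draw the
      warning the manual describes.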

 SECURITY CONCERNS
      The keys file should be mode 600 or 400, and owned by root.

      Packets' IP headers are not encrypted, though their TCP, UDP, or ICMP
      headers are encrypted along with the user data portion.  This allows
      encrypted packets to traverse normal internetworks, but permits
      snoopers to analyze traffic by its endpoints.

      Since the TCP, UDP, or ICMP header is encrypted, protocol-based
      filters along the packet's path will be unable to discern whether it
      is SMTP, Telnet, or any other network service.  This means that
      encrypted traffic will only permeate packet-filtering firewalls if the
      firewall allows all traffic between the endpoints, regardless of
      traffic type.  HP PPP/SLIP software for HP-UX systems, when deployed
      as the endpoint gateway of the encrypted traffic, decrypts incoming
      encrypted traffic before applying its configured packet filtering
      rules.

 AUTHOR
      ppp.Keys was developed by Progressive Systems.

 SEE ALSO
      tun(4), ppp.Auth(4), ppp.Devices(4), ppp.Dialers(4), ppp.Filter(4),
      ppp.Systems(4), pppd(1), RFC 792, RFC 1548, RFC 1332, RFC 1334.