
To: Naoki <i_naoki,AT,mbf,DOT,nifty,DOT,com>
Subject: Re: Redhat9 CIPE
From: Renato Salles <rsalles,AT,rsnetservices,DOT,com,DOT,br>
Date: Fri, 25 Jul 2003 02:24:31 -0300 (BRT)
Cc: cipe-l,AT,inka,DOT,de
In-reply-to: <003501c35255$76f79260$c801a8c0@naoki3>

On Fri, 25 Jul 2003, Naoki wrote:

> Dear RSalles,
> 
>  Thank you again.
> 
>  If I do so, NetBIOS packets can be seen by everyone.
> It is not good for security...
>  So, I tried to insert these packets into the VPN.

It's what CIPE is supposed to do: encrypt the traffic through the UDP port, 
and decrypt it at the peer's side. By traffic I mean everything sent to 
the other end through the tunnel. It's supposed to encrypt the "data" 
sent to the peer: well, udp/137-138-139 goes through the tunnel 
encrypted also and is decrypted on arrival. 
No other way of UDP traffic between these two reserved addresses is 
possible: the only route to the remote peer is the other point of the 
VPN link. There is no other route to follow to arrive at the other end 
of the link but the CIPE address. (I'm starting with the supposition that 
you're not foolish enough to create parallel traffic bypassing the cipe 
interface toward the remote LAN).

Leaving the "remote" VPN link, 
the data is decrypted and can be read by listening sockets and 
established connections. I think the whole picture can be painted like that. 
If you ask if this data can be "dumped" at the LAN side, well, it can. 
Because the traffic leaving the VPN link - when it has arrived at peer2 - 
is decrypted.
If you need to hide the data from your LAN clients, you must create a 
point-to-point tunneling VPN link, and not forward it to the whole subnet.
I would appreciate it very much if someone reading this message finds a 
serious error in the information I'm sending to the list and, please, 
corrects me if that's the case.
I understand that, when the VPN link is established, every packet goes 
encrypted toward the other end.

Read this doc about the protocol used by CIPE:
http://sites.inka.de/~W1011/devel/CIPE-Protocol.txt

Search also for a doc at the main site of CIPE explaining why it is not a 
good idea to use a VPN link through TCP.

YMMV, but starting to understand how an SSL or TLS connection works is a 
good starting point. I don't say that cipe does its job the same way, but 
remember the "key" parameter, and what you can do with the PKCIPE 
ancillary utility.

>  Or, you mean, Should I 
> these packets into VPN ?
>  Though I tried to do it, I could not do it.

That's what I doubt. Show me your setup and how you sniffed the data 
traversing the tunnel.

> 
>  Were there any mistakes in my previous test ?
> I'm sorry to say that; please refer to the previous test issue.

Hope this helps,

RSalles
> 
> Best regards,
> 
> ----- Original Message ----- 
> From: "Renato Salles" <rsalles,AT,rsnetservices,DOT,com,DOT,br>
> To: "Naoki" <i_naoki,AT,mbf,DOT,nifty,DOT,com>
> Cc: <cipe-l,AT,inka,DOT,de>
> Sent: Friday, July 25, 2003 5:17 AM
> Subject: Re: Redhat9 CIPE
> 
> 
> > I don't think so. If you use iptables, you must permit forwarding of UDP
> > packets at ports 137-138-139 from the peer's address to your LAN, or you'll
> > have such long delays in authentication and browsing that the win32 machine
> > will just give up. I did it like that myself around here and everything goes
> > like a charm.
> >
> > HTH,
> >
> > RSalles
> >
> >
> > On Fri, 25 Jul 2003, Naoki wrote:
> >
> > > Maybe,
> > >
> > >  I found the reason just now.
> > >
> > >  CIPE cannot treat UDP (port 137:139) packets for encapsulation.
> > >
> > >  Is that correct ?
> > >
> > >  If correct, I must build Samba in the Firewall system......
> > >
> > >  Isn't there a good idea ?
> > >
> > > ----- Original Message ----- 
> > > From: "Naoki" <i_naoki,AT,mbf,DOT,nifty,DOT,com>
> > > To: <cipe-l,AT,inka,DOT,de>
> > > Sent: Friday, July 25, 2003 12:38 AM
> > > Subject: Re: Redhat9 CIPE
> > >
> > >
> > > > By the way,
> > > >
> > > >  Are there any ways to see NetBIOS names without a WINS server ?
> > > >
> > > >  Though I know a WINS server is normally needed, I expect
> > > > that I can see NetBIOS names without a WINS server.
> > > >
> > > >  I guess, if iptables accepts port 137:139 for CIPE, I can see them.
> > > >
> > > >  How is my guess ?
> > >
> > > --
> > > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> > > Other commands available with "help" in body to the same address.
> > > CIPE info and list archive:
> > > <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> > >
> >
> >
> 


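The setup the thread talks about, as an added example that is not from the original messages nor from the CIPE project: on the Red Hat 9 gateway, route the remote LAN only via the CIPE interface, add the iptables FORWARD rules for udp/137-139 that the earlier reply mentions, block the "parallel traffic" that would bypass the tunnel, and use tcpdump to see that the physical interface carries only the encrypted UDP carrier while the CIPE interface and the LAN behind it carry the NetBIOS traffic in cleartext. The interface name cipcb0, the subnets 192.168.1.0/24 and 192.168.2.0/24, the outer interface eth0 and the CIPE UDP port 6789 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: firewall and route setup on the
# Red Hat 9 CIPE gateway, plus a tcpdump check of where the NetBIOS traffic is
# ciphertext and where it is cleartext.  The interface name cipcb0, the
# subnets and the CIPE UDP port used below are assumptions, not values from
# the list.  Set DRY_RUN=1 to print the commands instead of executing them
# (no root needed in that mode).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_cipe_rules CIPE_IF LOCAL_LAN REMOTE_LAN OUTER_IF CIPE_UDP_PORT
apply_cipe_rules() {
    cipe_if="$1"; lan="$2"; remote_lan="$3"; outer_if="$4"; udp_port="$5"

    # 1. The only route to the remote LAN is the CIPE interface, so everything
    #    sent there is encrypted by CIPE before it leaves on the outer interface.
    run ip route replace "$remote_lan" dev "$cipe_if"

    # 2. Let the encrypted UDP carrier packets from the peer reach CIPE.
    run iptables -A INPUT -i "$outer_if" -p udp --dport "$udp_port" -j ACCEPT

    # 3. Forward the (already decrypted) NetBIOS traffic that arrives through
    #    the tunnel to the local LAN: name service, datagram and session ports.
    run iptables -A FORWARD -i "$cipe_if" -s "$remote_lan" -d "$lan" -p udp --dport 137:139 -j ACCEPT
    run iptables -A FORWARD -i "$cipe_if" -s "$remote_lan" -d "$lan" -p tcp --dport 139 -j ACCEPT
    run iptables -A FORWARD -o "$cipe_if" -s "$lan" -d "$remote_lan" -j ACCEPT

    # 4. The "parallel traffic" caveat: if the tunnel or the route goes away,
    #    packets for the remote LAN must never leave unencrypted on the outer
    #    interface.  The carrier packets go to the peer's real address, so
    #    dropping by the remote LAN destination does not affect them.
    run iptables -A FORWARD -o "$outer_if" -d "$remote_lan" -j DROP
    run iptables -A OUTPUT  -o "$outer_if" -d "$remote_lan" -j DROP
}

# show_cleartext_boundary OUTER_IF CIPE_IF CIPE_UDP_PORT
# On the outer interface only the UDP carrier is visible and its payload is
# ciphertext; on the CIPE interface (and on the LAN behind it) the NetBIOS
# packets are readable by anyone sniffing, exactly as the reply above says.
show_cleartext_boundary() {
    outer_if="$1"; cipe_if="$2"; udp_port="$3"
    run tcpdump -n -i "$outer_if" -c 5 -X udp port "$udp_port"
    run tcpdump -n -i "$cipe_if" -c 5 -X 'udp port 137 or udp port 138 or udp port 139 or tcp port 139'
}

# Usage on the gateway as root (constructed sample values):
#   apply_cipe_rules cipcb0 192.168.1.0/24 192.168.2.0/24 eth0 6789
#   show_cleartext_boundary eth0 cipcb0 6789
```

Step 4 is the check a practitioner wants: without it, a missing route or a downed cipcb0 silently sends the same NetBIOS packets out in the clear, which is the "parallel traffic" the reply warns against. The tcpdump pair makes the boundary visible; hiding the data from LAN clients, as the reply notes, needs a host-to-host tunnel rather than forwarding to the whole subnet.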