On Sun, May 10, 2015 at 2:49 PM, Jonathan Bennett <[email protected]>
wrote:
> Michael,
>
> Those changes have been made. The Luci interface is getting more polished,
> too.
>
Excellent.
>
> In regards to fwknop and --key-gen: What sources of randomness does
> --key-gen use to generate keys? I could probably add a button to generate
> the keys and populate the needed fields automagically, but routers can have
> problems with sources of entropy. In theory, we could even have the router
> autogen keys when the luci app is installed, but the entropy concern still
> applies. Thoughts?
>
Symmetric keys and HMAC keys are generated by the client (fwknopd does not
offer the --key-gen option): random data is read from /dev/urandom and then
base64-encoded:
https://github.com/mrash/fwknop/blob/master/lib/cipher_funcs.c#L48
https://github.com/mrash/fwknop/blob/master/lib/cipher_funcs.c#L55
I should probably add an option to read from /dev/random instead in case
the user doesn't mind blocking for a while like gpg's key generation
process. Thoughts? But, on an embedded system, I completely understand
where you are coming from with the entropy concern. Maybe just have people
use their client systems? Not sure there is a great solution if the OS
itself does not provide a good source of entropy.
Thanks,
--Mike
>
> ~Jonathan Bennett
>
> On Sat, May 9, 2015 at 8:52 PM, Michael Rash <[email protected]>
> wrote:
>
>>
>>
>> On Sat, May 9, 2015 at 3:43 PM, Jonathan Bennett <[email protected]>
>> wrote:
>>
>>> Hello, all. I keep fwknop up to date in the OpenWrt project. I've
>>> intended to improve the user friendliness of running fwknopd on a router
>>> for a while now, and I've finally started work on it.
>>>
>>
>> Hello Jonathan,
>>
>> Awesome - ease of use is definitely an aspect of the fwknop project that
>> needs to be improved through efforts like yours.
>>
>>
>>>
>>> I pushed an update to 2.6.6 into openwrt just last night. I've put
>>> together a new web based config, and done a pull request into the openwrt
>>> project. It is waiting for critiques or to be pulled. Latest screengrab of
>>> the work is here: http://incomsystems.biz/fwknop_interface.png
>>>
>>> It is still a bit rough, but it seems to be working well enough. You can
>>> add as many access.conf stanzas as needed, and config options are not
>>> limited to what I've baked in to the interface.
>>>
>>
>> Excellent. Are other config options allowed through the "Add" box below
>> the one for the encryption key? Just a quick suggestion - if you are
>> looking to have a set of default config options, I think the ones you have
>> (SOURCE, HMAC_KEY, and KEY) are good. For the two keys, it might be handy
>> to accept base64-encoded versions (maybe if a box is checked?). This would
>> allow for keys that are created with the client --key-gen mode. Also, it
>> could be handy to have three additional options: OPEN_PORTS,
>> FW_ACCESS_TIMEOUT and REQUIRE_SOURCE_ADDRESS. These are probably the most
>> often customized options. Lastly, since this is for OpenWRT, I wonder if
>> people will use any of the NAT modes?
>>
>> Thanks,
>>
>> --Mike
>>
>>
>>
>>> Any comments welcome.
>>>
>>> ~Jonathan Bennett
>>>
>>>
>>
>>
>>
>
>
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
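The reply above describes what the client-side --key-gen does: read random bytes from /dev/urandom and base64-encode them. The program below is an added example written for this page, not fwknop's own cipher_funcs.c code. It reproduces that flow in C and prints the result as an access.conf stanza using the KEY_BASE64 / HMAC_KEY_BASE64 options that accept base64-encoded keys, alongside the SOURCE, OPEN_PORTS, FW_ACCESS_TIMEOUT and REQUIRE_SOURCE_ADDRESS options mentioned in the thread. The raw key lengths (16 bytes for the symmetric key, 32 for the HMAC key), the example port and timeout values, and the function names are assumptions made for illustration. Passing /dev/random as the first argument shows the blocking behaviour the thread worries about on an entropy-starved router; /dev/urandom never blocks.

```c
/* Added example: fwknop-style key generation from /dev/urandom.
 * Illustrative code for this page, not the fwknop project's implementation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define KEY_LEN   16   /* assumption: raw bytes for the symmetric (KEY) key */
#define HMAC_LEN  32   /* assumption: raw bytes for the HMAC key */

/* Base64-encode in[0..len) into out; out needs 4*((len+2)/3)+1 bytes.
 * Returns the number of characters written (excluding the NUL). */
size_t b64_encode(const unsigned char *in, size_t len, char *out)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    for (i = 0; i + 2 < len; i += 3) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63];
        out[o++] = tbl[v & 63];
    }
    if (i < len) {                         /* 1 or 2 trailing bytes: pad with '=' */
        unsigned v = in[i] << 16;
        if (i + 1 < len) v |= in[i + 1] << 8;
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return o;
}

/* Known-answer check of the encoder (RFC 4648 test vectors); returns 1 on pass. */
int b64_self_test(void)
{
    char out[16];
    b64_encode((const unsigned char *)"Man", 3, out);
    if (strcmp(out, "TWFu") != 0) return 0;
    b64_encode((const unsigned char *)"Ma", 2, out);
    if (strcmp(out, "TWE=") != 0) return 0;
    b64_encode((const unsigned char *)"M", 1, out);
    return strcmp(out, "TQ==") == 0;
}

/* Fill buf with len bytes from dev (e.g. /dev/urandom or /dev/random).
 * Returns 0 on success, -1 if the device cannot be opened or runs short. */
int read_random(const char *dev, unsigned char *buf, size_t len)
{
    FILE *f = fopen(dev, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, len, f);
    fclose(f);
    return n == len ? 0 : -1;
}

/* Generate raw_len random bytes from dev and base64-encode them into out.
 * Returns 0 on success, -1 on error or if a buffer is too small. */
int gen_key_b64(const char *dev, size_t raw_len, char *out, size_t out_sz)
{
    unsigned char raw[64];
    if (raw_len > sizeof raw || out_sz < 4 * ((raw_len + 2) / 3) + 1) return -1;
    if (read_random(dev, raw, raw_len) != 0) return -1;
    b64_encode(raw, raw_len, out);
    memset(raw, 0, sizeof raw);  /* scrub key material (use explicit_bzero where available) */
    return 0;
}

/* Length of the encoded key a device yields for raw_len bytes, or -1 on failure. */
int key_b64_len(const char *dev, size_t raw_len)
{
    char out[128];
    if (gen_key_b64(dev, raw_len, out, sizeof out) != 0) return -1;
    return (int)strlen(out);
}

int main(int argc, char **argv)
{
    const char *dev = (argc > 1) ? argv[1] : "/dev/urandom";
    char key[64], hmac[64];
    if (gen_key_b64(dev, KEY_LEN, key, sizeof key) != 0 ||
        gen_key_b64(dev, HMAC_LEN, hmac, sizeof hmac) != 0) {
        fprintf(stderr, "cannot read key material from %s: %s\n", dev, strerror(errno));
        return 1;
    }
    /* Emit an access.conf stanza; port, timeout and SOURCE values are placeholders. */
    printf("SOURCE                  ANY\n");
    printf("KEY_BASE64              %s\n", key);
    printf("HMAC_KEY_BASE64         %s\n", hmac);
    printf("OPEN_PORTS              tcp/22\n");
    printf("FW_ACCESS_TIMEOUT       30\n");
    printf("REQUIRE_SOURCE_ADDRESS  Y\n");
    return 0;
}
```

Compile with `cc -o genkeys genkeys.c` and run `./genkeys` (or `./genkeys /dev/random` to see the blocking variant). A 16-byte key encodes to 24 base64 characters and a 32-byte key to 44, which is what the stanza's *_BASE64 options expect; generating the keys on a client workstation and pasting the stanza into the router, as the thread suggests, avoids depending on the router's entropy pool at all.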