Meenakshi: Hello again. Some replies:
> For the point 5 mentioned by you after authentication, I also need to
> know that
> Is the control channel which is set up between User1 and User2 secure
> enough to send the 16-char random string (symmetric password) used for
> Data Channel? I assume that the string sent over control channel is
> encrypted somehow.

Yes, the control channel is symmetrically encrypted. I am not sure how
the symmetric keys are generated.

> Also I assume that the control channel is used only to send the
> symmetric password so that a data channel gets created for all data
> transactions.

Yes, correct.

> Does the Control channel get reused once a data channel is created, or
> is it no longer needed?

I suppose it is no longer needed, as a Zebedee connection could be
opened and used for all subsequent control channel needs. The control
channel is still needed, of course.

> Is there some lifetime concept for the data channel?
> If I think of IKE (Internet Key Exchange) protocol used to negotiate
> keys for IPSEC, can I relate this Control channel to be similar to IKE
> Phase 1 and Data Channel to be similar to IKE Phase 2, though I see a
> lot of difference in the IKE and Kaboodle implementation? It seems in
> Kaboodle data keys are not negotiated/generated by both ends; rather a
> symmetric password from one end is transferred to the other party and
> then used by both to make the data traffic secure.

I believe the Zebedee channel will periodically renegotiate data-channel
encryption keys. I don't think the Control channel does, however; you're
right.

Probably the best model for the future would be:

1. After authentication, Kaboodle uses something like DH key exchange on
   port 4282 (maybe UDP).
2. Once that key is exchanged, Kaboodle uses it to establish a
   Zebedee-based control channel on TCP port 4282.
3. All subsequent control-channel exchanges are done across the
   Zebedee-based control channel.

I'd have much easier answers to your questions if this is how it was done.
:)

-Scott

> On Sun, 8 Dec 2002 16:00:36 -0800 (PST), "meenakshi arora"
> <[EMAIL PROTECTED]> said:
>
> --- "Scott C. Best" <[EMAIL PROTECTED]> wrote:
> Date: Sat, 7 Dec 2002 21:52:57 +0000 (GMT)
> From: "Scott C. Best" <[EMAIL PROTECTED]>
> To: meenakshi arora <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Kaboodle VPN overview
>
> Meenakshi:
>
> Hello! The biggest limitation of the current VPN feature is the lack
> of peer review. :) That is, I believe it works as follows:
>
> 1. User1 on LAN1 downloads Kaboodle and registers its VPN capabilities
>    at www.GetEngaged.net. That is, they download a "registration
>    file", essentially a signed secret-key.
> 2. User2 on LAN2 does the respective thing for their network.
> 3. User1 on LAN1 creates a Partnership file with User2 on the same
>    site. Both users download and install the Partnership file,
>    essentially a signed public key.
> 4. User1 or User2 then initiates a connection. Kaboodle does a
>    Gnutella search for the Partnership file associated with the
>    connection. Once the file is found, it is authenticated on both
>    sides using the secret-key information from #1.
> 5. After authentication, a "control channel" is set up using TCP port
>    4282. A 16-char random string is transferred across this channel.
> 6. Using that string as a symmetric password, a Zebedee connection
>    is initiated from one side to the other, using a user-defined
>    TCP port (defaults to 11965, the Zebedee default).
> 7. All data transactions now go across this "data channel".
>
> Version 0.99 (which you can get from the "alpha" directory on
> ftp.Kaboodle.org) should do all of this. I know that using that
> connection, I can do all of the above and then VNC across the secure
> connection (I can see from tcp-dumping the LAN traffic that the
> right ports are being used). I have just not *confirmed* that the
> security model works exactly as I have specified above.
> One of the coders may have, unknowingly, taken a shortcut in the
> interest of functionality.
>
> Would you be able to review such a thing?
>
> thanks,
> Scott
>
> PS: It'd be great if you could join the Kaboodle-devel email list.
> I've CC'd it here in my reply.
>
> > On Fri, 6 Dec 2002, meenakshi arora wrote:
> >
> > > Hello Scott,
> > > Could you please send me the list of current limitations of the
> > > VPN feature which I can start working on. Also, if you could send
> > > me other features' limitations too, I would like to review them.
> > >
> > > I would be needing your guidance to choose a direction to start.
> > >
> > > Thanks,
> > > Meenakshi
>
> --
> Meenakshi Vohra
> [EMAIL PROTECTED]
>
> --
> http://fastmail.fm - IMAP accessible web-mail

_______________________________________________
Kaboodle-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/kaboodle-devel
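The following is an added example, not code from Kaboodle or Zebedee, that models steps 5 through 7 of the overview quoted in this thread: a 16-char random string crosses the control channel on TCP port 4282, and both ends then use it as the symmetric password for the data channel on TCP port 11965. The thread does not say how Zebedee turns the string into a key or how it protects frames, so those parts are assumptions here (PBKDF2-HMAC-SHA256 for the password-to-key step, HMAC-SHA256 tags on data frames, an alphanumeric alphabet for the random string); the in-memory queue standing in for the control channel and the "VNC traffic" payload are constructed inputs. The model shows three things a reviewer of this design would want to check: that both peers end up with the same data-channel key, that a modified frame is rejected, and that the key can carry at most 16 * log2(62), roughly 95 bits of entropy, whatever KDF is applied afterwards. It also makes the dependency explicit that the reply above leaves open: any party who can read the control channel learns the data-channel password.

```python
"""Toy model of Kaboodle VPN steps 5-7 as described on the list: a 16-char
random string crosses the control channel (TCP 4282) and both ends then use
it as the symmetric password for the Zebedee data channel (TCP 11965).
How the string becomes a key and how data frames are protected is ASSUMED
here; the thread does not describe Zebedee's internals."""
import hashlib
import hmac
import math
import secrets
import string
from collections import deque

CONTROL_PORT = 4282    # from the thread
DATA_PORT = 11965      # Zebedee default, from the thread
SECRET_LEN = 16        # from the thread
ALPHABET = string.ascii_letters + string.digits   # assumption: alphanumeric string


def generate_channel_secret(length: int = SECRET_LEN, alphabet: str = ALPHABET) -> str:
    """Step 5: the initiator picks the random string with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def secret_entropy_bits(length: int = SECRET_LEN, alphabet: str = ALPHABET) -> float:
    """Key material the string actually carries: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def derive_data_key(secret: str, salt: bytes) -> bytes:
    """Assumption: a password-based KDF turns the 16-char string into a 256-bit
    key. No KDF adds entropy; the key is bounded by secret_entropy_bits()."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, dklen=32)


class Peer:
    """One Kaboodle end (User1 or User2); only data-channel keying is modelled."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.data_key = None

    def on_control_message(self, msg: dict) -> None:
        # Whoever can read the control channel learns the secret, so the data
        # channel is exactly as confidential as the channel carrying this message.
        self.data_key = derive_data_key(msg["secret"], msg["salt"])

    def send_data(self, payload: bytes) -> dict:
        """Steps 6-7: a data-channel frame tagged with HMAC-SHA256 (assumption)."""
        tag = hmac.new(self.data_key, payload, "sha256").digest()
        return {"port": DATA_PORT, "payload": payload, "tag": tag}

    def verify_data(self, frame: dict) -> bool:
        """Constant-time check of the frame tag under the receiver's key."""
        expected = hmac.new(self.data_key, frame["payload"], "sha256").digest()
        return hmac.compare_digest(expected, frame["tag"])


def run_exchange(payload: bytes = b"VNC traffic", tamper: bool = False) -> dict:
    """Drive both peers through the control channel and one data-channel frame."""
    user1, user2 = Peer("User1"), Peer("User2")

    # Step 5: control channel on TCP 4282, modelled as an in-memory queue.
    control_channel = deque()
    secret = generate_channel_secret()
    salt = secrets.token_bytes(16)   # assumption: sent alongside the secret
    control_msg = {"port": CONTROL_PORT, "secret": secret, "salt": salt}
    user1.on_control_message(control_msg)     # initiator keeps its own copy
    control_channel.append(control_msg)
    user2.on_control_message(control_channel.popleft())

    # Steps 6-7: data channel keyed from the string.
    frame = user1.send_data(payload)
    if tamper:                                # constructed on-path modification
        frame = dict(frame, payload=frame["payload"] + b"!")
    return {
        "secret_len": len(secret),
        "keys_match": user1.data_key == user2.data_key,
        "integrity_ok": user2.verify_data(frame),
        "entropy_bits": secret_entropy_bits(),
    }


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(tamper=True))
```

Running the module prints one clean exchange and one with a tampered frame; in both, the two peers hold identical keys, and only the tampered frame fails verification. The entropy figure is the point to carry into a review of the real design: a 95-bit password-derived key is a ceiling set at step 5, and nothing Zebedee does at step 6 can raise it, which is why the proposed DH-based control channel in the reply above changes the picture.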