vde_cryptcab.1.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of VDE_CRYPTCAB</TITLE>
</HEAD><BODY>
<H1>VDE_CRYPTCAB</H1>
Section: User Commands (1)<BR>Updated: December 6, 2006<BR><A HREF="#index">Index</A>
<A HREF="/#/man/index">Return to Main Contents</A><HR>
<A NAME="lbAB"> </A>
<H2>NAME</H2>
vde_cryptcab - Virtual Distributed Ethernet encrypted cable manager
<A NAME="lbAC"> </A>
<H2>SYNOPSIS</H2>
<B>vde_cryptcab </B>
[
<B>-p </B>
<I>portnum </I>
]
[
<B>-s </B>
<I>socketpath </I>
]
[
<B>-c </B>
<I>[remote_user@]host[:remote_portnum] </I>
]
[
<B>-P </B>
<I>pre_shared.key </I>
]|
[
<B>-x</B>
]
[
<B>-v</B>
<I>[v][v][v]</I>
]
[
<B>-k</B>
]
[
<B>-d</B>
]
<BR>
<A NAME="lbAD"> </A>
<H2>DESCRIPTION</H2>
<B>vde_cryptcab</B>
is a distributed cable manager for VDE switches.
It allows two VDE switches on two machines to communicate
using a ChaCha encrypted channel.
<P>
When used in client mode (i.e., with -c option), it generates a random
ChaCha key, and uses
<B>scp (1)</B>
to transfer the key to the remote server.
<P>
On the client side, the environment variable SCP_EXTRA_OPTIONS may be set
to append options to the scp command line (useful, for example, when dropbear or
another non-standard ssh client is used to transfer the ChaCha key).
<P>
After a 4-way handshake phase to verify client credentials, server and
client will exchange VDE datagrams encapsulating them into cryptograms
that are sent via udp to each remote host.
<P>
On the server side, one could run:
<DL COMPACT><DT><DD>
<BR>
<B>vde_cryptcab -s /tmp/vde2.ctl -p 2100</B>
</DL>
to start a multi-peer cryptcab server that accepts udp datagrams on port
2100 and connects each authenticated remote client to a different
port of the switch: for each client, a new instance of
<B>vde_plug (1)</B>
is started and connected to the switch through the local unix socket.
<P>
The command
<DL COMPACT><DT><DD>
<BR>
<B>vde_cryptcab -s /tmp/vde2.ctl -c <A HREF="mailto:[email protected]">[email protected]</A>:2100</B>
</DL>
will connect a client to the remote server listening on udp port 2100.
At this point the server side must verify the credentials of user "foo";
typically this is host-based authentication, a password challenge
or public key authentication. See
<B>ssh (1)</B>
for more details about it.
<P>
If the two vde_switches run as daemons and are connected to tap interfaces,
a layer 2 encrypted tunnel is established.
<P>
<A NAME="lbAE"> </A>
<H2>OPTIONS</H2>
<DL COMPACT>
<DT><B>-p </B><I>portnum</I>
<DD>
Select the local udp port to use.
When this option is not specified, cryptcab uses the default udp port number,
7667.
<DT><B>-c </B><I>[remote_user@]host[:remote_portnum]</I>
<DD>
run vde_cryptcab in client mode, trying to connect to
<B>host.</B>
The
<B>remote_user </B>
and
<B>remote_portnum </B>
parameters are optional.
If not specified, the user running vde_cryptcab is used for
authentication on the server, and the default udp port 7667 is used.
<DT><B>-s </B><I>socketpath</I>
<DD>
specify the UNIX socket to be used by local programs for joining the VDE.
The default value is "/tmp/vde.ctl".
<DT><B>-P </B><I>pre_shared.keypath</I>
<DD>
If specified, vde_cryptcab runs in pre-shared key mode instead of generating a
random key to transmit with ssh.
The argument is the path to the pre-shared symmetric key file to use for data encryption.
The same key has to be used on both client and server.
<DT><B>-x</B>
<DD>
Disable symmetric key encryption.
<DT><B>-k </B>
<DD>
Send periodic "keepalive" packets to avoid server timeouts. Useful when you want to keep a low-traffic link available.
<DT><B>-d </B>
<DD>
Run as daemon.
<DT><B>-v</B>
<DD>
Verbose (use -vv, -vvv or -vvvv for more verbosity).
</DL>
<A NAME="lbAF"> </A>
<H2>KNOWN ISSUES</H2>
Encapsulating IP packets into the session+udp layer results in on-the-wire datagrams larger
than the tap device mtu. Since vde_cryptcab gets confused by packet fragmentation, the
tap device mtu must be set to a smaller value than the real interface mtu. Use
<B><A HREF="/#/man/man8/ip.8.html">ip</A></B>(8)
or
<B><A HREF="/#/man/man8/ifconfig.8.html">ifconfig</A></B>(8)
to set up your tap device mtu.
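<P>
The following shell script is an added example and is not code from the vde2 project or from this manual page. It scripts the two deployments described above (a pre-shared-key server and client, using the -s, -p, -c, -P, -k and -d options as documented) and applies the advice in this section by lowering the tap mtu below the physical interface mtu before starting vde_cryptcab. The cryptcab session header size is not given on this page, so the 64-byte allowance is an assumption; the interface names (tap0, eth0), the key path and the peer address are placeholders. It also refuses to start with a key file that other local users could read, since the same symmetric key protects the whole link.

```shell
#!/bin/sh
# Added example, not code from the vde2 project or its manual page.
# Assumptions (not stated in the manual page): the cryptcab session
# header size, the interface names and the key path are placeholders.

IP_UDP_OVERHEAD=28      # IPv4 header (20) + UDP header (8)
SESSION_OVERHEAD=64     # assumed allowance for the cryptcab session header

# Largest tap MTU such that tap frame + session + UDP + IP <= physical MTU.
safe_tap_mtu() {
    echo $(( $1 - IP_UDP_OVERHEAD - SESSION_OVERHEAD ))
}

# Create a random pre-shared key file readable only by its owner.
# Refuses (returns 1) to overwrite an existing file.
make_psk() {
    path=$1
    size=${2:-32}
    if [ -e "$path" ]; then
        return 1
    fi
    ( umask 077; head -c "$size" /dev/urandom > "$path" )
    chmod 600 "$path"
}

# Accept a key file only if it is a regular, non-empty file with mode 600,
# so the symmetric key cannot be read by other local users.
psk_ok() {
    path=$1
    [ -f "$path" ] || return 1
    [ -s "$path" ] || return 1
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    [ "$mode" = "600" ]
}

# Lower the tap MTU below the physical interface MTU with ip(8), as the
# KNOWN ISSUES section recommends. Interface names are placeholders.
set_tap_mtu() {
    tap=$1
    phys=$2
    phys_mtu=$(cat "/sys/class/net/$phys/mtu")
    ip link set dev "$tap" mtu "$(safe_tap_mtu "$phys_mtu")"
}

# Server: the manual page's server command, plus -P for the pre-shared
# key and -d to run as a daemon.
start_server() {
    key=$1
    psk_ok "$key" || { echo "refusing to use key file $key" >&2; return 1; }
    set_tap_mtu tap0 eth0
    vde_cryptcab -s /tmp/vde2.ctl -p 2100 -P "$key" -d
}

# Client: the manual page's client command with a placeholder peer and the
# same key file, plus -k so a quiet link is not timed out by the server.
start_client() {
    key=$1
    peer=$2   # [remote_user@]host[:remote_portnum], placeholder value
    psk_ok "$key" || { echo "refusing to use key file $key" >&2; return 1; }
    set_tap_mtu tap0 eth0
    vde_cryptcab -s /tmp/vde2.ctl -c "$peer" -P "$key" -k -d
}
```

Generate the key once with <B>make_psk /etc/vde2/cryptcab.key</B> and copy it to the peer out of band; then call <B>start_server</B> on one machine and <B>start_client</B> with the peer address on the other. The same tap mtu value must be applied on both ends, since either side can originate a full-size frame.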
<P>
<P>
Explicitly disabling encryption leads to obvious security problems. It is advised to avoid unencrypted mode (-x) in non-controlled networks.
<P>
<A NAME="lbAG"> </A>
<H2>NOTICE</H2>
Virtual Distributed Ethernet is not related in any way with
<A HREF="http://www.vde.com">www.vde.com</A> ("Verband der Elektrotechnik, Elektronik und Informationstechnik"
i.e. the German "Association for Electrical, Electronic & Information
Technologies").
<P>
<A NAME="lbAH"> </A>
<H2>SEE ALSO</H2>
<B><A HREF="/#/man/man1/vde_switch.1.html">vde_switch</A></B>(1),
<B><A HREF="/#/man/man1/vdeq.1.html">vdeq</A></B>(1),
<B><A HREF="/#/man/man1/vde_plug.1.html">vde_plug</A></B>(1),
<B><A HREF="/#/man/man1/vde_plug2tap.1.html">vde_plug2tap</A></B>(1),
<B><A HREF="/#/man/man1/scp.1.html">scp</A></B>(1),
<B><A HREF="/#/man/man1/ssh.1.html">ssh</A></B>(1).
<BR>
<A NAME="lbAI"> </A>
<H2>AUTHORS </H2>
VDE is a project by Renzo Davoli <<A HREF="mailto:[email protected]">[email protected]</A>>.
<P>
vde_cryptcab is a VDE component by Daniele Lacamera <<A HREF="mailto:[email protected]">[email protected]</A>>
<P>
<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">OPTIONS</A><DD>
<DT><A HREF="#lbAF">KNOWN ISSUES</A><DD>
<DT><A HREF="#lbAG">NOTICE</A><DD>
<DT><A HREF="#lbAH">SEE ALSO</A><DD>
<DT><A HREF="#lbAI">AUTHORS </A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 15:22:07 GMT, November 27, 2023
</BODY>
</HTML>