Video in TIB AV-Portal: OpenIKED

Formal Metadata

A portable IKEv2 VPN implementation
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

This talk introduces the OpenIKED project, the latest portable subproject of OpenBSD. OpenIKED is a free implementation of the Internet Key Exchange version 2 (IKEv2) Virtual Private Network (VPN) protocol, using strong security, authentication and encryption techniques. The project was born out of the need for a modern Internet Protocol Security (IPsec) implementation for OpenBSD, but also for interoperability with the IKEv2 client integrated into Windows since Windows 7, and to provide a compliant solution for the US Government IPv6 (USGv6) standard. The project is still under active development; it was started by Reyk Floeter as "iked" for OpenBSD in 2010 and ported to other platforms including Linux, FreeBSD and NetBSD in late 2012 under the "OpenIKED" project name.
Transcript

them among the put the and a book he actually and so in 2004 a I and I had my 1st commit in OpenBSD and that was opened if he is open how edge driver I really enjoyed agents talk today and to see that Atheros know the nice friendly company and they're released every saying it but then they got bought by Qualcomm and we see what happens now is actually yeah good to see what's happening there yeah I did some of the wireless stuff but later I decided doing all this work on the open house kind of burned me out so I never touched on any wireless stuff again almost and turn my company into an OpenBSD-based firewall vendor and since then I'm concentrating focusing on of nature of wired stuff so the previously so have like a brother called the lack that lack sorry I don't like this name but I like the fact that they poured a trunk and then we also got some useful contributions from the lack spectral these trucks so when I left out the 1st company In 2011 and had so you're all slacking didn't hack for almost a year well actually I had to tackle touch from visual basic stuff and off of importance but no I didn't have for you and then I continued as a consultant and the in what consulting people aboard old Mr. networking and this month I found and my the new company as the narrow networks and no last but not least the shameless that I'm hiring commercial break and yeah I'm hiring people who are interested to work on OpenBSD-based never products but at the moment it's only Germany in Hanover so but no problem we have other like north Americans moving over and over so no no it's
not it's not all the ones and 6 so let's talk about iked also known as OpenIKED and that's my 1st portable project its stuff in outside it's stuff for OpenBSD but iked is actually something that turned into saying that works almost everywhere and so but it started on OpenBSD in the 1st part of the talk is relieved a bit OpenBSD specific cited why do
we need another VPN or so in OpenBSD specifically we do have support for some VPN protocols built in the we have IPsec the traditional like IKE version 1 there was isakmpd we don't use racoon we have isakmpd and it works really well done hatched and maintained and is there a for long time no the was working 96 or 97 so obvious it was the 1st so the what open source system that ship was IPsec enabled by default yeah actually and OpenBSD if you will the the only a BSD system that has IPsec enabled by default except megawatts but this doesn't really count so and we also have some L2TP over IPsec apart now Pb-Pb like all the side as um available was i i j is and the PPV like some japanese people showed up there is that we have a new PPP implementation then they become you decided a bit to fit in the optimistic 300 error works really well OpenSSH I actually did this experimental thing F of ATP some years ago where you can use a tun and tunnel it over OpenSSH it's built in and I Valley they didn't put a few weeks ago it still works on Mac OS as well and you can do with layer 2 tunneling over OpenSSH and won't open the beginners imports but to so so that's something you could ignore about whenever somebody ask about VPN on the mailing lists you can be sure that somebody else on through all use OpenVPN well just 6 to what you want and what and many other as VPNs exudes other VPN protocols proprietary various things actually SSTP is something based on PPP so it wouldn't be too hard to to add to and Pb-Pb but it's scary said tunneling PPP over HTTP yes so it's layering of flaring and that's Microsoft's essence of of everything here is not perfect actually but what is so
all these different VPN protocols have different use cases so SSL VPN is mostly for for lights is see it's by along the road to once to excess like some internal company applications from everywhere it's good for these role worry uh and that's good to truth excessive VPN data when you only have http I'm access to the internet so it's slow and doesn't work for all the traffic but for like typical things that it works and the IPsec works better about the original version of IKE version 1 is is a hard to configure or done work really well was not depending on all the different buttons you have to push if you want to bucket was not better than it becomes less secure and if you want to have a more secure than it doesn't work because that so you always have trade off with serious no i Thinking IKE version 1 OpenVPN is for the religious people I don't know what what is so special about it but people defended with cell life actually I don't know I there but what 1 saying that that is different to what except as is PM I the 2nd many others protocols there's only OpenVPN so you only have so 1 OpenVPN do Linux GPL type of implementation so so yeah but it's the same based basically and they do that yeah and in the past that was the only the way to set up a VPN quickly on system but OpenVPN is not so common anymore what's going away because of all these mobile device state of the Apple of what people by using PPTP again because it's easiest to set up whispers iOS device and on and on I you cannot show you all the acceptance and yet BGP/MPLS VPN is not a real the that VPN in this case doesn't encrypted data but that some crazy tunneling virtue natural virtualization and the other approach you have the same yeah so that's why I call it the end but natural yeah yeah so OK there's most of but I'm honest and have their the problems and we need a standardized widely adopted secure flexible and low overhead protocol and not all of these things that uh Metro opened and actually 4 4 b
is the people it's still a GP of stuff so and then we like to have this included every cell I
person 1 of there are also naming confusion is that IKE or ISAKMP Oakley actually there are 2 different protocols but they're glued to each other yes the Internet Key Exchange the IKE which runs on top of another protocol the ISAKMP the Internet Security Association and Key Management Protocol and this is again there's Internet you or that so naturally these guys at the idea that you you for all of us can have some different layers and it's possible to who haven't different key exchange protocol running on top of ISAKMP or it's possible to to run all the stuff not on IP but on IPX or whatever but I think except of Cisco the you mean Doc nobody else ever did so this was complex useless I'm it's widely adopted and interoperable but there's a problem every when the death of a little bit different and that's why we don't support the IPsec client on the iPhones of more precise isakmpd because his is using some proprietary extension yeah all Apple that is using this Cisco client on iOS and this is recommender supported they added these these things but we don't support yeah but I as the preferred like a protocol with different reference implementation here
so isakmpd what it actually approval 98 i in the class and yields the make last wasn't of Mr. Developer now he became a beer brewer in Sweden the fact you and any of 1 of the had security guys at who will these I supports like all this ISAKMP layering and all the framework and the design of the daemon had made in a way that you could all these different your ideas and in exchange for the to it's very modular of the funny thing is there's only IKE implementation and there's only UDP GUI all the layering of there are but there's they're not using so they could have implemented easier but it was nice for the paper to have this divide so the configuration was not the style who remembers the ERM and then they had the 2nd configuration using the KeyNote policy language which was another research paper by wanted and FIL it was quite complicated and some Lawton features IKE version 1 of still missing and isakmpd XAuth for example is the user password authentication which was not really a standard but widely adopted and I can't stick is like that you automatically get an IP address from the peer and all this is not really finished so and there are many problems with it but it's still used everywhere but especially for data to gage feature so later I The
2nd for ipsecctl showed up the time that was initially written by above hunts there are we call called the unpronounceable the so basically it was having an own tool with an arm configuration file or it's still there and the ipsec.conf which uses the nice grammar and translates it into the dog in isakmpd but instead of generating an output config file it feeds the generated configuration directly into isakmpd via FIFO socket so it's a hack of it's a working hack candidates it's still better than the previous thing basically but the grammar was designed to be a bit more like the PF grammar like single lines rule statements so then the
IKE version 2 protocol came up and what it it was around for quite some time by time we we looked at it in an OpenBSD and nobody really wanted to touch isakmpd to to add support for it because it's possible to do both in but you there are many differences so and the the code of isakmpd is not really readable anymore so and IKEv2 fixes of many problems so they removed this stupid layering so you have 1 protocol IKE version 2 and the idea was to have 1 RFC for the protocol all then additional RFCs showed up but then they merge them into 1 updated again that's 5996 In IKE version 1 you had these 2 different modes a great deal aggressive mode and and main mode and the problem was aggressive of for example was widely used by its is good it it worked with this roaming universe of but it was less secure that saying in his main mode at the problem that use the the external IP address as part of the authentication the when you had like changing IP addresses this role it it couldn't really really don't consider rote Rory else was dynamic IP addresses the some limitations so aggressive mode was was the work around but there were some security problems and aggressive so IKEv2 introduced the new four-way handshake and that is supposedly secure but very flexible and works well with this yeah mobile user it's a embedded additional features like some cookies for example well we we don't have the cookies implemented at the moment there are optional but to protect the VPN gateway from like denial-of-service kind of things you you can switch to come into a knowledge when you really requests session cookies from the remote peers but up to the VPN gateway to decide as always want to do it or switch to it based on the load we we don't do it at the moment but the will be supported at some point or in another seeing as they introduced a new concept of traffic selectors so when IKE version 1 1 of security policy you configure had just 1 pair off like
source network and destination it for all source whatever addressing this nation and in an 8 IKEv2 policy you can have multiple traffic selectors so the traffic selector is basically source-destination from and 0 0 1 to 10 in 0 1 something and so and then you get multiple offset so these the overhead smaller if you if you want to connect the gateways with many internal networks it can basically do it at 1 exchange the way to do this yeah B the phase 2 which is now called the child SA is a man is automatic in 2 ways have an instinct right here OK still 1 thing is you you can have multiple networks and 1 1 and like what the the I guess the phase 1 and you can have multiple of his phase 2 policies using the SAs encryption part the policies are like the the flow of and there is an additional feature about automating it we don't support it gets that's traffic selector narrowing so the for example the windows IKEv2 client it's integrated and the and Singh stubbornness system which is also a point why you don't need can any more than so the kind set by default that you just have to configure the remote gateway IP and install a certificate that's all so it works in a way that it connects to the remote site and as proposed let's just asked for like any to any it's like 0 0 0 2 0 the complete range so I want to have access to to any 6 to the complete network and IKE version 1 you would have specified this you want to connect to a if you do any any than all the infinite traffic is going over the the now was traffic selector narrowing the the the data can respond the books in both ways and say well I give you this part which is within the range and and this is a way traffic selector narrowing that's very nice because then you can basically negotiated then and to you can do scary thing the problem is here with the implementation by some really this was mostly designed by Microsoft by IKEv2 from RFC
written by they did something good Microsoft managed to to write in our a new protocol that simpler than the previous 1 and many things area makes sense so all them background the you but the while actually the reason so it can do this 1 actually they bought them bought a small company and then they put the Microsoft stick around traditionally n n In IKE version 1 use were specific you're your your ideas your policies was netmasks In IKE version 2 vague n they a introduced ranges the so the idea is nice you can say 0 IP addresses 1 2 3 is going all the time but you have you have ranges the problem is in the of the of the same I think all if you don't know about previous these new networking step but I think and BSD it's normally implemented as part of the routing so we cannot really use ranges really we'd have of be that truck and that much so for the implementation currently all I can do is to to look at the ranges and takes the closest matching netmask and breaks it up into little subnets and just send the number of traffic if yes that's it it's what it's stupid but thought of we don't and changing those on the metrics that would be the left
so what time of so traffic selectors I repeat like from to the you in and I use but still specify netmask so is either you have an IP address all slash 24 I do not support or expose ranges in the configuration and so phase 1 is now called IKE SA and phase 2 is called child SA because it's fun to rename right so initiator responder is still the same pseudorandom functions so you you can configure the order is now that is used to generate the the random keys you can configure it and that's also negotiated which is a good shots as you can switch to a better one and don't have to update the protocol and say also that introduced support for EAP so you don't need XAuth anymore Microsoft of course they did it and this MSCHAP version 2 but in Syria can do any other EAP people follow the idea at moment only supports the server side of the MSCHAPv2 operation to so you can configure users and passwords in the configuration and then that that's enough but because it's mandatory and to work with the Windows client so in the winter sky and you have to specify username password and then the problem here is at the moment we have to consider the username password and I the cons and the password and plain text we can and use is the off because and as MSCHAPv2 dozen on all this we need SIS NTLM and cryptic warts and all this crap Hugh hot yeah we're going to add the RADIUS support later we have some RADIUS code in npppd and we because we're going to looking at all can we turn this into a shareable code for the an entity PPP may be related people well
order spending and I think so iked is the new implementation I started it from scratch because looked at the other options and I didn't like them there is that at this point the was racoon2 which is not really related to racoon 1 because if at all that's used threading and C++ and well I'll laden and I don't really want to have this in base and then the Linux strongSwan they ordered the right person to but strongSwan is you ch so so in OpenBSD they I decided to implemented from scratch I liked fact to implement the VPN protocol from scratch in so it's following OpenBSD design privilege separation or styles would call it sandboxing but basically the earliest version of some sandboxing the configuration from the grammar close to ipsec.conf based on it but now it's integrated so that uh like the kind direct deposit configuration file you can reloaded and they don't have 3rd wrapper anymore yeah and some some of the things I wanted to make this certification to usability better so we integrated a little tool and for the crypto isakmpd had some custom crypto code in isakmpd or we have OpenSSL as a silent obviously slightly patched version of it so let's just use OpenSSL for all the crypto instead of using all these young men and whatever so
ikectl is a control tool that you can use at runtime more features will be added to like more neutral the start and all that about the ikectl ca is a way to relieve quickly configure a few certificates and holes so like here you create CA certification to haul so local 1 of the the peer and that's basically all you you just get the keys you copy it to the other machine and then it's done so you don't have to figure out all which OpenSSL commands which do I have to specify to generate a certificate and all that so it's not a fully featured CA so a CRL and all this is not really there is it this yes of course so everything was X.509 important but in Microsoft edit like restriction in there so IKEv2 client so you have to take care that the certificates include some options there are not really the the star note for example it seems the client only accept certificates that has server flag and if you have the client flag then it refuses to and so on so in this at all these necessary flags to work with Windows of so the internal
design of iked is based on these and more due process proves that model and basically when you run iked you have seems 1 actually 4 processes running there's a parent process from this keeps on running with with full privileges reflect root privileges and it it forks all the CA process the IKEv2 process and there's like an IKEv1 process but it's doing nothing in its empty but in theory it would allow all that you can handle both protocols is assigned time but at the moment it's just a stub physically how 1 nice thing for example if the CA process the OpenSMTPD people better in very important to called mostly the same code and OpenSMTPD into this idea because all the crypto handling like private keys and and all that is is isolated and an extra process um this year fools change roots to /etc/iked and then the set directories all the keys and certificates and so the IKEv2 processes the old facing the network on processing so this is doing all the protocol magic and all that when it needs to sign a packet or was a certificate then a communicating over these what we call the imsg messages some OpenBSD specific to the protocol that it's working over Unix domain sockets so that it can be and so then it requests yea or can you send me the apartment at that that the overhead fairly small because this is only happening 4 of the the initial authentication pick so but it's isolated and the the private keys are not visible and the networking side and OpenSMTPD is doing the same so when signing the mails and all that but there is no excess direct access to the private keys which is a good thing and ikectl talks to the parent over another UNIX socket of are unlike the doctor what is the 1st book what such that's OK I'm sorry a little data lots of an and the communication to the kernel as a yielding the PF_KEY version 2 phrase which is a standard socket that available on every operating system and a lot more about
this later all this was in Japan that very famous intersection in Tokyo and so it it's kind of this place like the the the process model you have the parent the the and the you have like all the the messages going back and force everywhere this section isn't the famous for work the traffic of the like doing 1 traffic light favor I think up to 30 thousand people and half of crossing something like that like in state for the weighting and when it's like reading that how to should we enter a had you and you know cross and there's even a Hollywood movie about the stuff
fell yes strong crypto OpenBSD is well known for strong crypto when we were at the binding on all the time so iked supports all the modern ciphers SHA-2 by default and these fancy new AES modes GCM and also interesting alias GCM combines encryption and authentication and in 1 AES operation so it's a hallmark combined mode cipher so what was encrypting the package you get the gene that would just also all tend to catering the packet and the good thing about the it's reasonably secure its use by different governments and so on and so will the rest of potential problems recently but it still considered to be security do it right so the good thing is that you can offload this GCM to the CPU like all modern Intel CPU for example have AES-NI instructions where can there you have CPU opcodes to do the AES well while all then all the new ones I think really OK very soul so Indian if you have like a server is on what laptop you have AES-NI and so you get an this and serious have a really big performance benefit here because although encryption is basically want not for free but it's really cheap enough and we have support for this GCM mode and OpenBSD the kernel can can can do it and OpenSSL is also supported for the use of userland parts of what PCM might be again it was mentioned in the previous talk as well and he did some work and he even negotiated was Intel to get some bits and pieces so something really cool work so just install OpenBSD amd64 on modern system and you will have AES-NI that enabled by the so
interoperability is also important so the initial intent was to make it work with Windows clients and because the benefit over OpenVPN here is it's just there these Windows Vista and newer has IKEv2 support built in and unlike the old IPsec support and the nose the IKEv2 it is very easy to configure it just a minute folks settings you at VPN and configure the gateway address and that's the basic you have to install a certificate by ones and but everything else is retrieved and yet we tested interoperability with strongSwan then some of the things of were and intensive was was OpenSolaris but they also have like version 2 support and also interesting BlackBerry 10 the new staff they they are also going the IKEv2 road which is really interesting because IKEv2 was mobile like an extended is really optimal and for for mobility even if you IP switches it can recover and so on so I don't have a BlackBerry 10 but I would be happy about donations to test the um if you think about you was I don't know well other muscles 1 due next painter here maybe he can help me
of what is good also going to be IKEv2 road so everything is moving toward IKEv2 except that we haven't seen any developments regarding IKE version 2 from Apple so I don't know I would be happy to talk to somebody from Apple to see if there's anything going on there because if Apple would go to like IKEv2 we would have it everywhere and then you have like built in VPN support in all the system so that's that's the way to go hopefully Apple will we'll do it someday and get rid of this L2TP IPsec whatever stuff the while an and not a big problem because and which you can basically it would as an Apple we could theoretically port IKEv2 and rate but there's already a strongSwan port of like version 2 for Android but on iOS you cannot install your own you can find the because API it's private the PSQ so that yeah so additional work we want to have traffic selector narrowing that the somebody with C S Os a public-key authentication so that you don't have to use certificates just public key that works with isakmpd but not yet in iked that this the patch up but I didn't clean it up here and MOBIKE is really nice and improved the mobility so MOBIKE allows to restart a running IKE session by updating the external IP address so if you move to a different place so you got a new dynamic IP address we can update the IP address result like renegotiate the yes and you can reuse the session by sending an update physically it's important moment it's not supported by but uh or what was constant I don't want to the BlackBerry 10 things doesn't decline for example when the wind been no support that but it's optional it's an extension here I was like again at every 24 also get a new IP address it a German only saying 1 you get study peers this it was so German telecom just introduce the plans that you have just a number of gigabytes until they drop like on missing 70 something like that and then then they limit your your bandwidth was
true 384 kilobits per 2nd form 50 megabits yeah and then watch 2
movies and then but that so a configuration how does it look I mean this is a simple configuration waited gate where you have 1 slow appear and everything else is configurable but based on the fault we believe and saying defaults the so it's using the right cyphers and all this and so are defaults on only give and a more complicated version if you want to connect the Windows client have to specify user so the profit is in clear text for the reasons I took before and then you have to what this is optional here you say OK you CAP was and shopping and then you can assign an IP address to the pure like the intron medium and the other something I want to do here as well that basically like the old config mode a to allow like ranges so you can do with it's key like pools of address and tag that's something that's only available on OpenBSD it's not on the portable version because I added this feature 2 to Isaac Imperial some years ago so all the the problem was that 2nd on the external interface you only see the encrypted packets you don't know what's in there but user and streams by the time I can like POS tags to the the and ball from the kernel based on the 1 security of associations so you can filter but traffic even on the external interface because even the cream encryptor peccable have internally still those related text which is a really nice teacher very simple actually but this is not available in the other
BST while but still have a few more minutes so I wanted to connect that has make it here that the problem is it's not really only about my MacBook you have Windows you that they can use the integrated IKEv2 client but you also have to make use of more and more of them also in company so I wanted to be able to connect to to them and that there is no at this point there was no client available for the there's also like strong strong available with I don't know so I thought of porting it to OS X and so actually when I started porting I 206 said and porting it to OS X so now I can probably also ported to FreeBSD and the other is isn't and and NetBSD as well so I had the idea of creating a portable version so I can be turned into OpenIKED the arms the yeah then I asked somebody like Mark from Sweden was the brother of 1 of our developers Alexander Hall and he he made me this open Opper and which is very important when you create a new open you see project the author course world you no then obvious have code and then you get a posse scene and like the 1980's and 90's like web page right that's why what it at this at this point I hosted everything on GitHub because it and have a server running and maybe I'm moving up for for this same GitHub is not too bad to because it's and GitHub has just the portable version of like and the original version is in the OpenBSD source so and of
course IT find some golds for the project lean clean secure interoperable and configurable and then there's small printed things that is also available on the web page yeah that's my attempt to marketing for OpenIKED so general
words about the part of it is is portability is and victory that's a paper by Damien Miller and who was maintaining the OpenSSH portable and this is basically the same concept that we have for other portable projects their so version that is 1 developed an open in OpenBSD CVS tree and this distortion is only written for OpenBSD so we don't have any if they whatever system in there uh it's 1 system designed for open the skin and this makes a very clean and easier to maintain for for the developers and open then there's a portable version which basically is like a big patch that at all the the is that and and configured because on OpenBSD just have the BSD make and and read the slide and all the stuff you usually have in these and portable or not portable de software projects so this part this version is posted and GitHub at the moment and you can you can actually cvfdt there the the the GitHub version against opened senior see all the changes that I have in the the at the moment I'm doing everything because they didn't phone FIL then find anyone to take care about this portability stuff the OpenSSH and OpenNTPD guys they have someone with dedicated for the port of portable version so for
portability what we we need like some work Unix-like operating system strong crypto is required because like low crypto the exportable stuff is best hours a 512 bits so this is not defined for IKEv2 so you could even use it because there are no official the types defined for it and OpenSSL version 1.0 that matters because like on some systems like many consumers to be is is you have to install OpenSSL 1.0 because they're still on 0 9 6 or whatever and libevent that's for the US in Kronos I O & and in the current needs IPsec and supports IPv6 the so it's hard to to turn it and the KAME below IPv6 that which is mostly everything except biassed is using the common unbudgeable like that Albany is is PF_KEY version 2 variant is a little bit different because it was written before KAME showed up in that their version so and that's hoarding at 206 made it very easy for me to it to to the other BSDs is free in that is the and even then not because they all have a KAME that but the minutes there are some limitations Linux guys will once decidable OK if the version to from B is the it's not invented here and let's do something useful they have their XFRM framework for object or whatever and the th modulus still there but it's not supported anymore or whatever they keep on updating it but officially they said that's not support I sold the annoying thing about Linux as the best 1 box they implemented SHA-2 the reference implementation of SHA-2 HMAC I was using a little bit different truncation and then the standard was using a longer trends that truncation and we fix that in OpenBSD all the other systems either fixed that got support medically both modes but announced was PF_KEY version throughout the it's not fixed and every request just like 1 number they have got update in the common every request to to fix this this reject and this is what I just use x from there you can specify they they're 
afraid of breaking compatibility to offer IKEv2 implementations that use the pre-standard versions which is probably just 1 but I don't know so yeah we
support the core version OpenBSD by default and if they don't use a portable stuff directly from OpenBSD-current and then OS X and Bahrain same stuff supported Linux I installed most of the stuff in virtual machines because I didn't want to waste real after for faster but the other systems but I did had my fund was like NetBSD and compiling a kernel to edit debug message and then around run out of memory and of the space and and and all the nodes this constraint what in FreeBSD actually also ran out of disk space combined here close to about it was not so bad but 1 thing is and I know has anyone FreeBSD person here please and enable IPsec why still disabled by default maybe that's a reason because you're only a cool guy you compile your and kernel version whatever it should be enabled in GENERIC we fix set a number of years ago as but yet we had to the same seeing a number of years ago and was just as we have in the little switch the check of eigenvectors turned on or off yeah and then you don't have all these over that's cheap what I tried DragonFly BSD story I gave up and asked me Christians and and understand and that was how much showing up and then I don't have enough memory for it and all that so but the would do is in serious portable to things like what
and last thing I also added like the GUI but that's not really but the idea is to have something that is as simple as the the the windows to it so you that you only have to configure a data address everything is based on the faults 0 1 this is something set of I think that if if you could know use of node running of this yeah OK conclusions the
IPsec is still important not everything is HTTPS in the world and so on yeah I keep hearing that so why do we need the VPN at all the IPsec not that people hated but while I like it still a preferred and it will not disappear because of like me to all the networking vendors adopting and all that and will let's wait for Apple so and OpenIKED is still fairly new as I said in the beginning I had my sabbatical basically lacking year and so the development of IT was slow Mike was doing a few things and but but yeah I will start Foster again of yeah and so it's not perfect yet but it can give it a try no I need to find someone who is during the ports part like I said well I need a FreeBSD version that's pick 9 that forms like the latest version of this so the only thing p I'm not sure about the picket shows the OpenSSL version of that event 1 you have to pick pick them and you have to install them from from no no it's not a could show that the use ports 4 of but yet should work on on all it should work on really old FreeBSD and NetBSD versions of well because of PF_KEY v2 API is only that they their the crypto yeah and maybe some kernel parts will be but FreeBSD just turn off a number of society is not perfect yet because it's not exposed to the manual page but we have so many modern ciphers in OpenBSD the and and it is to they're just rejected and you try to but GCM for example yeah so banker and commercial
come to the year is the common Malta will be an amazing conference estimating of the other ones but you should go there donate to OpenBSD and buy CDs and even books the and keep buying out brood years that I will direct read yes I reject any other Canadian so that he could and this is all the country fusion yeah and follow me on true during the company has been error thank you but the