ppp.Keys(4)
NAME
ppp.Keys - PPP encryption keys file format
RESTRICTIONS
Encryption is not available in software exported from the USA. The HP
command does not support the option; customers may contact to obtain
encryption functionality.
DESCRIPTION
The keys file named in the option on the command line contains key
values used by HP PPP's implementation of link-level encryption. Before
transmission, packets with source and destination addresses matching
the endpoints on a keys file line are encrypted using DES with the key
specified on that keys file line. Upon reception, packets with source
and destination addresses matching those on a keys file line are
decrypted using DES with the key specified on that keys file line.
Format
Each key specification is on its own single line of up to 1023
characters. Comments in the keys file begin with a "#" and extend to the
end of the line; blank lines, or lines beginning with a "#", are ignored.
Fields are separated by horizontal white space (blanks or tabs).
The first two words on a key line are compared with the source and
destination addresses of each packet to be transmitted and each received
packet. The endpoint address specifications may contain either host or
network names, or host or network addresses. If a network is specified,
either by name or by address, then the corresponding network mask
must also be specified if it is of a different size than the default
for that class of network. The mask is separated from the network name
or address by a slash and may be specified either as a series of
decimal numbers separated by periods, or as a single 32-bit hexadecimal
number, optionally with a C-style prefix.
The remainder of the key line is a 56-bit (14-digit) hexadecimal number
(without the C-style prefix), used as the DES key between the specified
pair of hosts or networks. The digits may be separated by horizontal
white space for readability. If the key contains fewer or more than 14
hexadecimal digits, the line is ignored. If the key is weak or
semi-weak, a warning message will be printed in the log file and the
specified key will be used for encryption anyway.
EXAMPLES
The following keys file provides with keys for use when encrypting or
decrypting traffic between the indicated pairs of hosts or networks:
#
# Keys - PPP encryption keys file
#
# Format:
#endpoint endpoint key
frobozz.foo.com glitznorf.baz.edu feed face f00d aa
147.225.0.0 38.145.211.0/0xffffffc0 b1ff a c001 d00d 1
128.49.16.0/0xffffff00 198.137.240.100 0123456789abcd
193.124.250.136 143.231.1.0/0xffffff00 e1c3870e1c3870
RECOMMENDATIONS
Avoid using weak or semi-weak keys. These are weak DES keys:
00000000000000
FFFFFFFFFFFFFF
1E3C78F1E3C78F
E1C3870E1C3870
These are semi-weak DES keys:
01FC07F01FC07F
FE03F80FE03F80
1FC07F00FE03F8
E03F80FF01FC07
01C007001E0078
E003800F003C00
1FFC7FF0FFC3FF
FE3FF8FFE1FF87
003C00F001C007
1E007800E00380
E1FF87FF1FFC7F
FFC3FF0FFE3FF8
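The following Python script is added here as an illustration and is not part of HP PPP. It parses a keys file according to the rules in the Format section (comments, spaced hex digits, slash-separated masks in dotted or hex form, lines with other than 14 digits ignored) and flags the weak and semi-weak keys listed above while still returning them, as the software does. The sample input reuses the EXAMPLES file plus one constructed 13-digit line.

```python
import re
from ipaddress import IPv4Address

# Weak and semi-weak 56-bit DES keys, copied from the RECOMMENDATIONS section.
WEAK_KEYS = {"00000000000000", "FFFFFFFFFFFFFF", "1E3C78F1E3C78F", "E1C3870E1C3870"}
SEMI_WEAK_KEYS = {
    "01FC07F01FC07F", "FE03F80FE03F80", "1FC07F00FE03F8", "E03F80FF01FC07",
    "01C007001E0078", "E003800F003C00", "1FFC7FF0FFC3FF", "FE3FF8FFE1FF87",
    "003C00F001C007", "1E007800E00380", "E1FF87FF1FFC7F", "FFC3FF0FFE3FF8",
}

# Sample input: the EXAMPLES file from this page plus one constructed bad line.
SAMPLE = """# Keys - PPP encryption keys file
#endpoint endpoint key
frobozz.foo.com glitznorf.baz.edu feed face f00d aa
147.225.0.0 38.145.211.0/0xffffffc0 b1ff a c001 d00d 1
128.49.16.0/0xffffff00 198.137.240.100 0123456789abcd
193.124.250.136 143.231.1.0/0xffffff00 e1c3870e1c3870
10.0.0.1 10.0.0.2 0123456789abc   # constructed: only 13 digits, ignored
"""

def parse_mask(text):
    """Dotted decimal or 32-bit hex, optionally 0x-prefixed (int() handles both)."""
    return int(IPv4Address(text)) if "." in text else int(text, 16)

def parse_endpoint(spec):
    """Split 'addr[/mask]' into (addr, mask or None); names are kept as-is."""
    addr, _, mask = spec.partition("/")
    return addr, (parse_mask(mask) if mask else None)

def classify_key(key):
    """'weak', 'semi-weak' or 'ok' for an upper-case 14-digit key."""
    return "weak" if key in WEAK_KEYS else "semi-weak" if key in SEMI_WEAK_KEYS else "ok"

def parse_keys_file(text):
    """Return (entries, ignored line numbers); entry = (src, dst, key, strength)."""
    entries, ignored = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comment, split on blanks/tabs
        if not fields:
            continue                            # blank or comment-only line
        key = "".join(fields[2:]).upper()       # digits may be spaced for readability
        if not re.fullmatch(r"[0-9A-F]{14}", key):
            ignored.append(lineno)              # not exactly 14 hex digits: ignored
            continue
        entries.append((parse_endpoint(fields[0]), parse_endpoint(fields[1]),
                        key, classify_key(key)))
    return entries, ignored
```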
SECURITY CONCERNS
The keys file should be mode 600 or 400, and owned by root.
Packets' IP headers are not encrypted, though their TCP, UDP, or ICMP
headers are encrypted along with the user data portion. This allows
encrypted packets to traverse normal internetworks, but permits
snoopers to analyze traffic by its endpoints.
Since the TCP, UDP, or ICMP header is encrypted, protocol-based filters
along the packet's path will be unable to discern whether it is SMTP,
Telnet, or any other network service. This means that encrypted
traffic will only permeate packet-filtering firewalls if the firewall
allows all traffic between the endpoints, regardless of traffic type.
HP PPP/SLIP software for HP-UX systems, when deployed as the endpoint
gateway of the encrypted traffic, decrypts incoming encrypted traffic
before applying its configured packet filtering rules.
AUTHOR
was developed by the Progressive Systems.
SEE ALSO
pppd(1), ppp.Auth(4), ppp.Devices(4), ppp.Dialers(4), ppp.Filter(4),
ppp.Systems(4).
RFC 792, RFC 1548, RFC 1332, RFC 1334.