On 04/09/2018 08:32 PM, Michael Rash wrote:
> 
> Hi David,
> 
> That is interesting. What are the GPG key sizes that you are using?
> Anything beyond 2048 bits may produce encrypted SPA data that is too
> large to fit within a single (Ethernet) frame. There are tricks to get
> around this though, like this
> one: https://it-offshore.co.uk/security/85-fwknop-4096-bit-rsa-keys
> 
> When the incoming SPA packet from the client is truncated, are you
> seeing that within fwknopd output? If you use tcpdump (with a snaplen of
> zero - something like 'tcpdump -i eth0 -l -nn -s 0 -X') does the
> incoming packet appear to not be truncated but fwknopd says it is?
> 
> Thanks,

Hi Michael,

The SPA packet is definitely truncated on the receiving end, as viewed
with tcpdump.

None of my keys is longer than 2048 bits, so now this is even more
mysterious!

Regardless, I have created an additional signing key (ed25519), per the
link you sent. I've exported my keyring and imported it on the server,
but it appears as if the fwknop client is still creating a large SPA
packet. I'll look into this deeper tomorrow after I've slept on it...

Thanks for your help!

  ~David


_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
