
howtouse.html

Posted Aug 17, 1999


tags | tool, firewall
systems | unix
SHA-256 | ae60a584e266ff2c8088339f52baa0adcd7477241b2517286bad71ee309edb8b

<title>How to use Photuris with IPSec</title>
<body>
<h1>How to use Photuris with IPSec?</h1>

<h2>What is IPSec?</h2>
<a href=http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html>IP Security</a>
is a framework providing authentication/integrity
and privacy to network traffic. Authenticated data cannot be modified by
third parties without detection, and encryption conceals the content of packets.

<h2>What has Photuris to do with IPSec?</h2>
In order to transmit encrypted or authenticated data between two hosts,
those two hosts have to agree on session keys, which are used as input
for the encryption and authentication functions.
<p>
The <a href=draft-simpson-photuris-current.txt>Photuris protocol</a>
exchanges keys in such a way that no eavesdropper
will have knowledge of the session keys. It also allows for frequent
changes of the session keys, forward secrecy and party privacy protection.
<h2>How to get it working?</h2>
This information does not apply to OpenBSD Version 2.2 and later, since
Photuris is shipped with the operating system. You can still use the
following information as a guideline for other systems.
<h3>Compiling the daemon</h3>
Get the <a href=Photuris-current.tar.gz>Photuris sources</a> and also the following
libraries: <a href=gmp-2.0.2.tar.gz>gmp-2.0.2</a> and <a href=libdes-4.01.tar.gz>libdes-4.01</a>. Put the archives in one directory,
then run the following steps from that directory:
<pre>
1. tar -xvzf Photuris-current.tar.gz
2. tar -xvzf gmp-2.0.2.tar.gz; cd gmp-2.0.2; ./configure; make; cd ..
3. mkdir des; cd des; tar -xvzf ../libdes-4.01.tar.gz; make; cd ..
4. cd Photuris
</pre>
Edit the Makefile and remove -DDEBUG if you don't want to see what happens.
Remove -DIPSEC if you don't want to actually set up encrypted
and authenticated connections within the kernel; the daemon will then also
bind to a non-privileged port.
<pre>
5. make
6. start ./photurid on two hosts.
7. ./startkey host1 (for example ./startkey 134.100.33.22)
</pre>
If you compiled the photuris daemon with -DDEBUG you should see an exchange
of values now and finally the shared secret from which the session keys
are derived.
<p>
If you compiled the photuris daemon with -DIPSEC and also have a kernel
with IPSEC compiled into it, you can start, for example,
<pre>
8. tcpdump proto 51 &
9. telnet host1
</pre>
and see the authenticated packets flowing between the two hosts.
The output of
<pre>
10. cat /kern/ipsec
11. netstat -rn
</pre>
will also show you some information.
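<p>
One way to check the tcpdump step on captured packets offline, as an added example that is not part of the original page or the Photuris distribution: it parses the Authentication Header (IP protocol 51) and lists packets between the two hosts that are not wrapped in it. The function names, addresses, SPI and packet contents are constructed for illustration.

```python
import socket
import struct

AH_PROTO = 51  # IP protocol number of the Authentication Header ("proto 51")

def parse_ah(packet: bytes):
    """Return (src, dst, spi, next_header, ah_len) or None if the packet has no AH."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if packet[9] != AH_PROTO:
        return None
    ah = packet[ihl:]
    if len(ah) < 8:
        raise ValueError("truncated AH")
    # First 8 bytes: next header, length, reserved, SPI. This layout is shared
    # by RFC 1826 and RFC 2402, and in both the whole header is 8 + 4*length bytes.
    next_header, length, _reserved, spi = struct.unpack("!BBHI", ah[:8])
    ah_len = 8 + 4 * length
    if len(ah) < ah_len:
        raise ValueError("AH length field exceeds packet")
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, spi, next_header, ah_len

def unprotected(packets, host_a, host_b):
    """Indexes of packets between the two hosts that are NOT wrapped in AH."""
    pair = {host_a, host_b}
    return [i for i, p in enumerate(packets)
            if {socket.inet_ntoa(p[12:16]), socket.inet_ntoa(p[16:20])} == pair
            and parse_ah(p) is None]

def build_ipv4(src, dst, proto, payload):
    """Constructed test packet: minimal IPv4 header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample traffic (documentation addresses, made-up SPI, zeroed digest).
A, B = "192.0.2.1", "192.0.2.2"
AH = struct.pack("!BBHI", 6, 4, 0, 0x1234) + bytes(16)  # next header 6 = TCP
SAMPLE = [
    build_ipv4(A, B, AH_PROTO, AH + b"tcp-segment"),  # authenticated telnet data
    build_ipv4(B, A, 6, b"tcp-segment"),              # plain TCP: AH missing
    build_ipv4(A, "192.0.2.9", 6, b"tcp-segment"),    # other peer, ignored
]

if __name__ == "__main__":
    print(parse_ah(SAMPLE[0]))
    print("unprotected packet indexes:", unprotected(SAMPLE, A, B))
```

A non-empty result from unprotected() means traffic between the two hosts is leaving without the AH wrapper, which points at a missing kernel flow or a daemon built without -DIPSEC.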
<h3>Enabling IPSEC in the OpenBSD kernel</h3>
Add the following two lines into your kernel config file:
<pre>
config IPSEC
pseudo-device enc 1
</pre>
<h3>Possible configuration</h3>
There are three files which can be configured locally.
<ul>
<li><a href=photuris.conf>photuris.conf</a> - contains the moduli for the Diffie-Hellman key exchange,
the offered schemes and various timeouts.
<li><a href=attributes.conf>attributes.conf</a> - the attributes which are offered to different parties.
<li><a href=secrets.conf>secrets.conf</a> - the preconfigured symmetric secrets, which should hopefully
soon be replaced by public keys.
</ul>
You might also need an additional entry in /etc/services:
<pre>
photuris 468/udp # photuris key management daemon
</pre>
<p>
<hr>
If you have any questions, send mail to <a href=mailto:provos@physnet.uni-hamburg.de>provos@physnet.uni-hamburg.de</a>

