[OpenAFS] Re: OpenAFS over without VPN

Andrew Deason adeason@sinenomine.net
Sat, 5 Oct 2013 18:08:44 -0500


On Sat, 05 Oct 2013 09:27:45 +0200
Jean-Marc Choulet <jm130794@gmail.com> wrote:

> For now, we use OpenAFS in a VPN tunnel for WAN access. Is it secure
> (or not) to use OpenVPN over WAN without our VPN?

If you use a VPN, it will almost certainly be more secure (and faster,
compared to native openafs encryption with 'fs setcrypt'). Whether or
not using openafs without a vpn is "secure" depends on your
requirements.

Native openafs communication can be encrypted with a single-DES session
key, so if an attacker can break that DES key, they can impersonate the
user for the duration of that session, and only that session. It is
known that brute-forcing DES keys is feasible these days, but it does
take time and resources (and I believe for this specific attack you'd
need to intercept parts of a legit session). For the purposes of this
paragraph, a "session" means an AFS token; you get one whenever you
'aklog'. So, if that sounds like a problem for you, then you probably
want to keep your VPN.

Any modern VPN system would be using something stronger than DES, and so
would be more secure. If you need to encrypt the contents/payload of any
openafs communication, the VPN would also be faster, since more modern
crypto algorithms are almost all faster than the algorithm that openafs
currently uses (known as "fcrypt"; similar to DES), in addition to being
stronger.

-- 
Andrew Deason
adeason@sinenomine.net
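
A small client-side check, added here as an example and not part of Andrew's mail or of the OpenAFS project itself: before dropping the VPN, confirm that the fcrypt/single-DES wire encryption ('fs setcrypt') is at least switched on, and list how long each held token (the "session" in the mail) stays valid, since that lifetime bounds how long a brute-forced session key is useful to an attacker. The output formats of 'fs getcrypt' and 'tokens' are assumed from memory of the OpenAFS client tools, and the sample output embedded below is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original mail or the OpenAFS project):
# audit an OpenAFS client before exposing it to the WAN without a VPN.
# It parses 'fs getcrypt' and 'tokens' output so the admin can see
# (a) whether the single-DES/fcrypt wire encryption is on at all, and
# (b) when each token expires, i.e. how long a recovered session key
#     would let an attacker impersonate the user.

# afs_crypt_state TEXT: map 'fs getcrypt' output to crypt|clear|unknown.
# The "Security level is currently crypt." wording is assumed; adjust the
# patterns if your OpenAFS version prints something else.
afs_crypt_state() {
    case "$1" in
        *"currently crypt"*) printf 'crypt\n' ;;
        *"currently clear"*) printf 'clear\n' ;;
        *)                   printf 'unknown\n' ;;
    esac
}

# afs_token_lines TEXT: print one "<cell> <expiry>" line per token found
# in 'tokens' output. The "... tokens for <cell> [Expires <time>]" line
# format is assumed.
afs_token_lines() {
    printf '%s\n' "$1" | sed -n \
        's/^.*tokens for \([^ ]*\) \[Expires \(.*\)\]$/\1 \2/p'
}

# afs_wan_verdict CRYPT_OUTPUT TOKENS_OUTPUT: return 0 when the client has
# wire encryption on and holds at least one token, 1 otherwise; prints why.
afs_wan_verdict() {
    state=$(afs_crypt_state "$1")
    ntok=$(afs_token_lines "$2" | wc -l | tr -d ' ')
    if [ "$state" != crypt ]; then
        printf 'FAIL: fs setcrypt is %s; file data would cross the WAN in clear\n' "$state"
        return 1
    fi
    if [ "$ntok" -eq 0 ]; then
        printf 'FAIL: no AFS tokens held; run aklog first\n'
        return 1
    fi
    printf 'OK: crypt on (single-DES/fcrypt), %s token(s); expiry bounds exposure:\n' "$ntok"
    afs_token_lines "$2"
    return 0
}

# Constructed sample output standing in for the live commands. On a real
# client run:  afs_wan_verdict "$(fs getcrypt)" "$(tokens)"
SAMPLE_CRYPT='Security level is currently crypt.'
SAMPLE_TOKENS='Tokens held by the Cache Manager:

User'\''s (AFS ID 1234) rxkad tokens for example.com [Expires Oct  6 18:08]
   --End of list--'

afs_wan_verdict "$SAMPLE_CRYPT" "$SAMPLE_TOKENS"
```

Even an OK verdict only means the weak cipher is in use rather than none; the check is meant to be paired with a short token lifetime and, per the mail, a VPN wherever the DES exposure is unacceptable.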