authorPeter Simons <simons@cryp.to>2013-09-10 23:32:55 +0200
committerPeter Simons <simons@cryp.to>2013-09-10 23:32:55 +0200
commit0afcc637d7c2c2ad2418399c3ed6c831f1292cad (patch)
treeb1d92e8a81f64045579531d48e6b5428fe414789 /modules
parentc4092f2a8d0e63102bec1725ad6fc9046b04c687 (diff)
Add support for opportunistic TCP encryption.
Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption
based on the user-space tools available from <http://tcpcrypt.org>.

Network attackers come in two varieties: passive and active (man-in-the-middle).
Passive attacks are much simpler to execute because they just require listening
on the network. Active attacks are much harder as they require listening and
modifying network traffic, often requiring very precise timing that can make
some attacks impractical.

Opportunistic encryption cannot protect against active attackers, but it *does*
protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to
stop active attacks, too, if the application using it performs authentication.

A complete description of the protocol extension can be found at
<http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>.
Diffstat (limited to 'modules')
-rw-r--r--modules/misc/ids.nix1
-rw-r--r--modules/module-list.nix1
-rw-r--r--modules/services/networking/tcpcrypt.nix77
3 files changed, 79 insertions, 0 deletions
diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index ca1cc4dc1996..0dec1c8b1674 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -100,6 +100,7 @@
       amule = 90;
       minidlna = 91;
       elasticsearch = 92;
+      tcpcryptd = 666;
 
       # When adding a uid, make sure it doesn't match an existing gid.
 
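Review bot: The new uid `tcpcryptd = 666;` breaks the sequential allocation visible in the context lines (90, 91, 92) with no comment explaining the jump, and the same number reappears as the NFQUEUE queue number in the tcpcrypt module, so a reader cannot tell whether the coupling is intentional. Either take the next free id, `tcpcryptd = 93;`, or add a comment on the line such as `# deliberately out of sequence; keep in sync with the NFQUEUE number in services/networking/tcpcrypt.nix` so the shared registry stays understandable. The surrounding file-level comment also asks to check against existing gids, which the hunk does not show being done for 666.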
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 1c863c3d1d7f..717828fbd70d 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -148,6 +148,7 @@
   ./services/networking/dnsmasq.nix
   ./services/networking/ejabberd.nix
   ./services/networking/firewall.nix
+  ./services/networking/tcpcrypt.nix
   ./services/networking/flashpolicyd.nix
   ./services/networking/freenet.nix
   ./services/networking/git-daemon.nix
diff --git a/modules/services/networking/tcpcrypt.nix b/modules/services/networking/tcpcrypt.nix
new file mode 100644
index 000000000000..3d8eeab155f0
--- /dev/null
+++ b/modules/services/networking/tcpcrypt.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+  cfg = config.networking.tcpcrypt;
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    networking.tcpcrypt.enable = mkOption {
+      default = false;
+      description = ''
+        Whether to enable opportunistic TCP encryption. If the other end
+        speaks Tcpcrypt, then your traffic will be encrypted; otherwise
+        it will be sent in clear text. Thus, Tcpcrypt alone provides no
+        guarantees -- it is best effort. If, however, a Tcpcrypt
+        connection is successful and any attackers that exist are
+        passive, then Tcpcrypt guarantees privacy.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    users.extraUsers = singleton {
+      name = "tcpcryptd";
+      uid = config.ids.uids.tcpcryptd;
+      description = "tcpcrypt daemon user";
+    };
+
+    jobs.tcpcrypt = {
+      description = "tcpcrypt";
+
+      startOn = "started network-interfaces";
+
+      path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ];
+
+      preStart = ''
+        sysctl -n net.ipv4.tcp_ecn >/run/pre-tcpcrypt-ecn-state
+        sysctl -w net.ipv4.tcp_ecn=0
+
+        iptables -t raw -N nixos-tcpcrypt
+        iptables -t raw -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
+        iptables -t raw -I PREROUTING -j nixos-tcpcrypt
+
+        iptables -t mangle -N nixos-tcpcrypt
+        iptables -t mangle -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
+        iptables -t mangle -I POSTROUTING -j nixos-tcpcrypt
+      '';
+
+      exec = "tcpcryptd -x 0x10";
+
+      postStop = ''
+        if [ -f /run/pre-tcpcrypt-ecn-state ]; then
+          sysctl -w net.ipv4.tcp_ecn=$(cat /run/pre-tcpcrypt-ecn-state)
+        fi
+
+        iptables -t mangle -D POSTROUTING -j nixos-tcpcrypt || true
+        iptables -t raw -D PREROUTING -j nixos-tcpcrypt || true
+
+        iptables -t raw -F nixos-tcpcrypt || true
+        iptables -t raw -X nixos-tcpcrypt || true
+
+        iptables -t mangle -F nixos-tcpcrypt || true
+        iptables -t mangle -X nixos-tcpcrypt || true
+      '';
+    };
+  };
+
+}
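Review bot: The preStart script is not idempotent: `iptables -t raw -N nixos-tcpcrypt` (and the mangle counterpart) fails if the chain survived an unclean stop, and the `-I PREROUTING`/`-I POSTROUTING` jumps are added unconditionally, so each restart without a matching postStop stacks another jump while postStop removes only one. Guarding each creation with `iptables -t raw -N nixos-tcpcrypt 2>/dev/null || iptables -t raw -F nixos-tcpcrypt` and each insertion with `iptables -t raw -C PREROUTING -j nixos-tcpcrypt || iptables -t raw -I PREROUTING -j nixos-tcpcrypt` (same for mangle) would make the job restartable. Because the NFQUEUE rules are installed before `tcpcryptd` runs, any start-up failure or crash of the daemon leaves all unmarked TCP traffic queued to a queue with no listener, which the kernel drops by default; a comment should state whether this fail-closed behaviour is intended, or the rules should use `--queue-bypass` to fall back to cleartext, which matches the best-effort promise in the option description. The mark `0x10` and queue number `666` are repeated across the exec line and four rules; binding them once in the `let` block (for example `mark = "0x10"; queue = "666";`) would keep the daemon flag and the iptables rules from drifting apart. The `tcpcryptd` user is created but never referenced by the job, so a comment on `exec` noting whether the daemon drops privileges to that user on its own would make the intent explicit.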