From 9e6707f68e536baa0cfd43372e312b7a63a5464b Mon Sep 17 00:00:00 2001 From: Pekka Riikonen Date: Mon, 12 Nov 2001 17:20:38 +0000 Subject: [PATCH] updates. --- doc/FAQ | 460 ++++++++++++++++------ doc/draft-riikonen-silc-commands-02.nroff | 24 +- 2 files changed, 356 insertions(+), 128 deletions(-) diff --git a/doc/FAQ b/doc/FAQ index 44d90566..951940c0 100644 --- a/doc/FAQ +++ b/doc/FAQ 
@@ -1,133 +1,355 @@ -Frequently Asked Questions - - -Q: What is SILC? -A: SILC (Secure Internet Live Conferencing) is a protocol which provides - secure conferencing services in the Internet over insecure channel. - SILC superficially resembles IRC although internally they are very - different. Biggest similarity between SILC and IRC is that they both - provide conferencing services and that SILC has almost same commands - as IRC. Other than that they are nothing alike. Biggest differences - are that SILC is secure what IRC is not in any way. The network model - is also entirely different compared to IRC. - - -Q: Why SILC in the first place? -A: Simply for fun, nothing more. An actually for need back then when - it was started. SILC has been very interesting and educational - project. - - -Q: When SILC will be completed? -A: SILC still has a lot things to do. The time of completion is much - related to how many interested people is willing to join the effort. - It will be ready when it is ready. The reason for release of the - current development version is just to get it out and people aware - that something like this exist. - - -Q: Why use SILC? Why not IRC with SSL? -A: Sure, that is possible, although, does that secure the entire IRC - network? And does that increase or decrease the lags and splits in - the IRC network? Does that provide user based security where some - specific private message are secured.? Does that provide security - where some specific channel messages are secured? Security is not - just about applying encryption to traffic and SILC is not just about - `encrypting the traffic'. You cannot make insecure protocol suddenly - secure just by encrypting the traffic. SILC is not meant to be IRC - replacement. IRC is good for some things, SILC is good for same and - some other things. - - -Q: Can I use SILC with IRC client? What about can I use IRC with SILC - client? -A: Answer for both question is no. 
IRC client is in no way compatible - with SILC server. SILC client cannot currently use IRC but this may - change in the future if IRC support is added to the SILC client. - After that one could use both SILC and IRC with the same client. - Although, even then one cannot talk from SILC network to IRC network. - That just is not possible. - - -Q: Why client/server protocol is based on IRC? Would it be more - interesting to implement something extensible and more powerful? -A: They are not, not the least. Have you read the protocol - specification? The client superficially resembles IRC client but - everything that happens under the hood is nothing alike IRC. SILC - could *never* support IRC because the entire network toppology is - different (hopefully more scalable and powerful). So no, SILC protocol - (client or server) is not based on IRC. Instead, I've taken good - things from IRC and leaved all the bad things behind and not even tried - to burden myself with the IRC caveats that will burden IRC and future - IRC projects til the end. SILC client resembles IRC client because it - is easier for new users to start using SILC when they already know all - the commands. - - -Q: Why SILC? Why not IRC3? -A: Question that is justified no doubt of that. I didn't start doing SILC - to be replacement for IRC. SILC was something that didn't exist in - 1996 or even today except that SILC is now released. However, I did + Frequently Asked Questions + + [16]1. General Questions + [17] 1.1 What is SILC? + [18] 1.2 When was SILC Project started? + [19] 1.3 Why SILC in the first place? + [20] 1.4 What license covers the SILC release? + [21] 1.5 Why SILC? Why not IRC3? + [22] 1.6 What platforms SILC supports? + [23] 1.7 Where can I find more information? + [24] 1.8 I would like to help out, what can I do? + + [25]2. Protocol Questions + [26] 2.1 What is the status of SILC protocol in the IETF? + [27] 2.2 How much the SILC protocol is based on IRC? + [28] 2.3 Why use SILC? 
Why not IRC with SSL? + [29] 2.4 Can I talk from SILC network to IRC network? + [30] 2.5 Does SILC support file transfer? + [31] 2.6 Does SILC support DCC or alike? + [32] 2.7 I am behind a firewall, can I use SILC? + [33] 2.8 How secure SILC really is? + [34] 2.9 Does SILC support instant messaging? + [35] 2.10 Why SILC does not have LINKS command like in IRC? + [36] 2.11 Why SILC does not have STATS command like in IRC? + [37] 2.12 Is anyone outside a channel able to see the channel + messages? + [38] 2.13 I have suggestions to SILC Protocol, what can I do? + + [39]3. Client Questions + [40] 3.1 Where can I find SILC clients? + [41] 3.2 Can I use SILC with IRC client and vice versa? + + [42]4. Server Questions + [43] 4.1 Where can I find SILC servers? + [44] 4.2 Can I run own SILC server? + [45] 4.3 What is the difference between SILC server and SILC + router? + [46] 4.4 Why server says permission denied to write to a log file? + [47] 4.5 When I connect to to my server, it says "server does not + support one of your proposed cipher", what is wrong? + + [48]5. Toolkit Questions + [49] 5.1 What is SILC Toolkit? + [50] 5.2 Is the SILC Toolkit Reference Manual Available? + [51] 5.3 How do I compile the Toolkit on Unix? + [52] 5.4 How do I compile the Toolkit on Win32? + [53] 5.5 Does the Toolkit package include any sample code? + + 1. General Questions + + Q: What is SILC? + A: SILC (Secure Internet Live Conferencing) is a protocol which + provides secure conferencing services in the Internet over insecure + channel. SILC is IRC like although internally they are very different. + Biggest similarity between SILC and IRC is that they both provide + conferencing services and that SILC has almost same commands as IRC. + Other than that they are nothing alike. + + Biggest differences are that SILC is secure what IRC is not in any + way. The network model is also entirely different compared to IRC. + + Q: When was SILC Project started? 
+ A: The SILC development started in 1996 and early 1997. But, for + various reasons it suspended many times until it finally got some wind + under its wings in 1999. First public release was in summer 2000. + + Q: Why SILC in the first place? + A: Simply for fun, nothing more. And actually for need back in the + days when it was started. When SILC was first developed there really + did not exist anything like this. SILC has been very interesting and + educational project. + + Q: What license covers the SILC release? + A: The SILC software developed here at silcnet.org, the SILC Client, + the SILC Server and the SILC Toolkit are covered by the GNU General + Public License. + + Q: Why SILC? Why not IRC3? + A: Question that is justified no doubt of that. SILC was not started + to become a replacement for IRC. SILC was something that didn't exist + in 1996 or even today except that SILC is now released. However, I did check out the IRC3 project in 1997 when I started coding and planning the SILC protocol. - But, IRC3 is problematic. Why? Because it still doesn't exist. The - project is at the same spot where it was in 1997 when I checked it out. - And it was old project back then as well. Couple of months ago I - checked it again and nothing were happening. That's the problem of IRC3 - project. The same almost happened to SILC as well as I wasn't making - real progress over the years. I talked to the original author of IRC, - Jarkko Oikarinen, in 1997 and he directed me to the IRC3 project, - although he said that IRC3 is a lot of talking and not that much of - anything else. I am not trying to put down the IRC3 project but its - problem is that no one in the project is able to make a decision what - is the best way to go about making the IRC3 and I wasn't going to be - part of that. The fact is that if I would've gone to IRC3 project, - nor IRC3 or SILC would exist today. 
I think IRC3 could be something - really great if they just would get their act together and start - coding the thing. - - -Q: How secure SILC really is? -A: A good question which I don't have a answer. SILC has been tried to - make as secure as possible. However, there is no security protocol - or security software that has not been vulnerable to some sort of - attacks. SILC is in no means different from this. So, it is suspected - that there are security holes in the SILC. These holes just needs to - be found so that they can be fixed. + But, IRC3 is problematic. Why? Because it still doesn't exist. The + project is almost at the same spot where it was in 1997 when I checked + it out. And it was old project back then as well. That's the problem + of IRC3 project. The same almost happened to SILC as well as I wasn't + making real progress over the years. I talked to the original author + of IRC, Jarkko Oikarinen, in 1997 and he directed me to the IRC3 + project, although he said that IRC3 is a lot of talking and not that + much of anything else. I am not trying to put down the IRC3 project + but its problem is that no one in the project is able to make a + decision what is the best way to go about making the IRC3 and I wasn't + going to be part of that. The fact is that if I would've gone to IRC3 + project, nor IRC3 or SILC would exist today. I think IRC3 could be + something really great if they just would get their act together and + start coding the thing. + + Q: What platforms SILC supports? + A: The SILC Client is available on various Unix systems and is + reported to work under cygwin on Windows. The SILC Server also works + on various Unix systems. However, the server has not been tested under + cygwin as far as we know. The SILC Toolkit is distributed for all + platforms, Unix, Cygwin and native Windows. + + Q: Where can I find more information? + A: For more technical information we suggest reading the SILC Protocol + specifications. 
You might also want to take a look at the + [54]documentation page on the web page. + + Q: I would like to help out, what can I do? + A: You might want to take a look at the [55]Contributing page and the + [56]TODO list. You might also want to join the SILC development + mailing list. + + 2. Protocol Questions + + Q: What is the status of SILC protocol in the IETF? + A: The SILC protocol specifications has been submitted currently as + individual submissions. There does not currently exist a working group + for this sort of project. Our goal is to fully standardize the SILC + and thus submit it as RFC to the [57]IETF at a later time. + + Q: How much SILC Protocol is based on IRC? + A: SILC is not based on IRC. The client superficially resembles IRC + client but everything that happens under the hood is nothing alike + IRC. SILC could *never* support IRC because the entire network + toppology is different (hopefully more scalable and powerful). So no, + SILC protocol (client or server) is not based on IRC. Instead, We've + taken good things from IRC and left all the bad things behind and not + even tried to burden the SILC with the IRCs problems that will burden + IRC and future IRC projects till the end. SILC client resembles IRC + client because it is easier for new users to start using SILC when + they already know all the commands. + + Q: Why use SILC? Why not IRC with SSL? + A: Sure, that is possible, although, does that secure the entire IRC + network? And does that increase or decrease the lags and splits in the + IRC network? Does that provide user based security where some specific + private message are secured? Does that provide security where some + specific channel messages are secured? And I know, you can answer yes + to some of these questions. But, security is not just about applying + encryption to traffic and SILC is not just about `encrypting the + traffic`. You cannot make insecure protocol suddenly secure just by + encrypting the traffic. 
SILC is not meant to be IRC replacement. IRC + is good for some things, SILC is good for same and some other things. + + Q: Can I talk from SILC network to IRC network? + A: Simple answer for this is No. The protocols are not compatible + which makes it impossible to directly talk from SILC network to IRC + network or vice versa. Developing a gateway between these two networks + would technically be possible but from security point of view strongly + not recommended. We have no plans for developing such a gateway. + + Q: Does SILC support file transfer? + A: Yes. The SILC protocol support SFTP as mandatory file transfer + protocol. It provides simple client to client file transfer, but also + a possibility for file and directory manipulation. Even though the + SFTP is the file transfer protocol the support for file transferring + has been done so that practically any file transfer protocol may be + used with SILC protocol. + + Q: Does SILC support DCC or alike? + A: SILC does not support the DCC commonly used in IRC. It does not + need it since it has builtin support for same features that DCC have. + You can transfer files securely and encrypted directly with another + client. You can also negotiate secret key material with another client + directly to use it in private message encryption. The private messages + are not, however sent directly between clients. The protocol, on the + hand does not prohibit sending messages directly between clients if + the implementation would support it. The current SILC Client + implementation does not support it. This means that private messages + travel through the SILC Network. SILC protocol also has a capability + to support DCC and CTCP like protocols with SILC. None of them, + however have not been defined to be used with SILC at the present + time. + + Q: I am behind a firewall, can I use SILC? + A: Yes. If your network administrator can open the port 706 (TCP) you + can use SILC without problems. 
You may also compile your SILC client + with SOCKS support which will proxy your SILC session through the + firewall. + + Q: How secure SILC really is? + A: A good question which I don't have an answer for. We have tried to + make SILC as secure as possible. However, there is no security + protocol or security software that has not been vulnerable to some + sort of attacks. SILC is in no means different from this. So, it is + suspected that there are security holes in the SILC. These holes just + need to be found so that they can be fixed. But to give you some parameters of security SILC uses the most secure - crytographic algorithms such as Blowfish, RC5, Twofish, etc. SILC - does not have DES or 3DES as DES is insecure and 3DES is just too - slow. SILC also uses cryptographically strong random number generator - when it needs random numbers. Public key cryptography uses RSA - and Diffie Hellman algorithms. Key lengths for ciphers are initially - set to 128 bits but many algorithm supports longer keys. For public - key algorithms the starting key length is 1024 bits. - - But the best answer for this question is that SILC is as secure as - its weakest link. SILC is open and the protocol is open and in public - thus open for security analyzes. + crytographic algorithms such as AES(Rijndael), Twofish, Blowfish, RC5, + etc. SILC does not have DES or 3DES as DES is insecure and 3DES is + just too slow. SILC also uses cryptographically strong random number + generator when it needs random numbers. Public key cryptography uses + RSA (PKCS #1) and Diffie-Hellman algorithms. Key lengths for ciphers + are initially set to 256. For public key algorithms the starting key + length is 1024 bits. + + But the best answer for this question is that SILC is as secure as its + weakest link. SILC is open and the protocol is open and in public thus + open for security analysis. 
To give a list of attacks that are ineffective against SILC: - o Man-in-the-middle attacks are ineffective if proper public key - infrastructure is used. SILC is vulnerable to this attack if - the public keys used in the SILC are not verified to be trusted. + - Man-in-the-middle attacks are ineffective if proper public key + infrastructure is used. SILC is vulnerable to this attack if the + public keys used in the SILC are not verified to be trusted (as any + other protocol for that matter). + - IP spoofing is ineffective (because of encryption and trusted keys). + - Attacks that change the contents of the data or add extra data to + the packets are ineffective (because of encryption and integrity + checks). + - Passive attacks (listenning network traffic) are ineffective + (because of encryption). Everything is encrypted including + authentication data such as passwords when they are needed. + - Any sort of cryptanalytic attacks are tried to make ineffective by + using the best cryptographic algorithms out there. + + Q: Does SILC support instant messaing? + A: SILC is not an instant message (IM) system, like ICQ and the + others. SILC is more IRC like system, "real-time", connection-oriented + chat and that kind of stuff. But I guess IRC is too called an Instant + Messaging system. + + Q: Why SILC does not have LINKS command like in IRC? + A: It was felt that this information as an own command in SILC is not + necessary. Moreover, the topology of the network might be undisclosed + information even though the servers and routers in the network are + still open. We feel that the network topology information, if it is + wanted to be public, and the list of accessible servers can be made + available in other ways than providing command like LINKS, which shows + the active server links in IRC. + + Q: Why SILC does not have STATS command like in IRC? + A: This too was considered as information that the protocol should not + address. 
We feel that server implementations will need to implement + some sort of adminstrative plugin, or module which provides various + means of accessing statistical and other information in the server. + And, we do consider this implementation issue, not protocol design + issue. + + Q: Is anyone outside a channel able to see the channel messages? + A: A short answer is simply No. A longer answer involves assumptions + about security conditions. Initially channel keys are generated by the + server, so if the server would get compromised it would be possible + for an adversary to see the messages. However, users on the channel + can prevent this even if the server would be compromised. It is + possible to set so called channel private key that only the users on + the channel know about. The servers does not know about the key, and + therefore cannot see the messages even if they would be compromised. + So, longer answer results into same as the short one; No. + + Q: I have suggestions to SILC Protocol, what can I do? + A: All suggestions and improvements are of course welcome. You should + read the protocol specifications first to check out whether your idea + is covered by them already. The best place to make your idea public is + the SILC development mailing list. + + 3. Client Questions + + Q: Where can I find SILC clients? + A: The SILC client is available for free download from the silcnet.org + web page. Some people have also mentioned words Java and Perl when + talking about SILC clients. Nothing has appeared yet, though. + + Q: Can I use SILC with IRC client and vice versa? + A: Generally the answer would be no for both. However, there exist + already at least one IRC client that supports SILC, the [58]Irssi + client. The current SILC client is actually based on the user + interface of the Irssi client. So, yes it is possible to use SILC with + some IRC clients and vice versa. 
But, this does not mean that you can + talk from SILC network to IRC network, that is not possible. + + 4. Server Questions + + Q: Where can I find SILC servers? + A: The SILC server is available for free download from the silcnet.org + web page. We are not aware of any other SILC server implementations, + so far. + + Q: Can I run own SILC server? + A: Yes of course. Download the SILC server package, compile and + install it. Be sure to check out the installation instructions and the + README file. You also should decide whether you want to run SILC + server or SILC router. + + Q: What is the difference between SILC server and SILC router? + A: The topology of the SILC network includes SILC routers and the SILC + servers (and SILC clients of course). Normal SILC server does not have + direct connections with other SILC servers. They connect directly to + the SILC router. SILC Routers may have several server connections and + they may connect to several SILC routers. The SILC routers are the + servers in the network that know everything about everything. The SILC + servers know only local information and query global information from + the router when necessary. + + If you are running SILC server you want to run it as router only if + you want to have server connections in it and are prepared to accept + server connections. You also need to get the router connected to some + other router to be able to join the SILC network. You may run the + server as normal SILC server if you do not want to accept other server + connections or cannot run it as router. + + Q: Why server says permission denied to write to a log file? + A: The owner of the log files must be same user that the server is run + under, by default it is user `nobody'. Just change the permissions and + try again. + + Q: When I connect to my server it says "server does not support one of + your proposed ciphers", what is wrong? 
+ A: Most likely the ciphers and others has not been compiled as SIMs + (modules) and they are configured as modules in the silcd.conf. If + they are not compiled as modules remove the module paths from the + ciphers and hash functions from the silcd.conf, so that the server use + the builtin ciphers. Then try connecting to the server again. It is + also possible that the client IS proposing some ciphers that your + server does not support. + + 5. Toolkit Questions - o IP spoofing is ineffective (because of encryption and trusted - keys). + Q: What is SILC Toolkit? + A: SILC Toolkit is a package intended for software developers who + would like to develope their own SILC based applications or help in + the development of the SILC. The Toolkit includes SILC Protocol Core + library, SILC Crypto library, SILC Key Exchange (SKE) library, SILC + Math library, SILC Modules (SIM) library, SILC Utility library, SILC + Client library and few other libraries. - o Attacks that change the contents of the data or add extra - data to the packets are ineffective (because of encryption and - integrity checks). + Q: Is the SILC Toolkit Reference Manual Available? + A: Yes, partially completed reference manual is available in the + Toolkit releases as HTML package and they are available from the + silcnet.org website as well at the [59]documentation page. - o Passive attacks (listenning network traffic) are ineffective - (because of encryption). Everything is encrypted including - authentication data such as passwords when they are needed. + Q: How do I compile the Toolkit on Unix? + A: You should read the INSTALL file from the package and follow its + instructions. The compilation on Unix is as simple as compiling any + other SILC package. Give, `./configure' command and then `make' + command. - o Any sort of cryptanalytic attacks are tried to make ineffective - by using the best cryptographic algorithms out there. + Q: How do I compile the Toolkit on Win32? 
+ A: We have prepared instructions to compile the Toolkit on Win32 in + the Toolkit package. Please, read the README.WIN32 file from the + package for detailed instructions how to compile the Toolkit for + Cygwin, MinGW and native Win32 systems. We have also prepared ready + MSVC++ Workspace files in the win32/ directory in the package that + will compile automatically the Toolkit. + Q: Does the Toolkit package include any sample code? + A: Yes, naturally. It includes sample codes for two different SILC + Client implementations, and SILC Server. Win32 samples are included in + the win32/ directory, for simple client. -More to come later... diff --git a/doc/draft-riikonen-silc-commands-02.nroff b/doc/draft-riikonen-silc-commands-02.nroff index f9575ad5..df912168 100644 --- a/doc/draft-riikonen-silc-commands-02.nroff +++ b/doc/draft-riikonen-silc-commands-02.nroff @@ -8,7 +8,7 @@ .ds RF FORMFEED[Page %] .ds CF .ds LH Internet Draft -.ds RH XXX +.ds RH 13 November 2001 .ds CH .na .hy 0 @@ -16,8 +16,8 @@ .nf Network Working Group P. Riikonen Internet-Draft -draft-riikonen-silc-commands-02.txt XXX -Expires: XXX +draft-riikonen-silc-commands-02.txt 13 November 2001 +Expires: 13 May 2002 .in 3 
@@ -75,12 +75,12 @@ Table of Contents 2 SILC Commands ................................................. 2 2.1 SILC Commands Syntax ...................................... 2 2.2 SILC Commands List ........................................ 4 - 2.3 SILC Command Status Types ................................. 32 - 2.3.1 SILC Command Status Payload ......................... 32 - 2.3.2 SILC Command Status List ............................ 32 -3 Security Considerations ....................................... 37 + 2.3 SILC Command Status Types ................................. 33 + 2.3.1 SILC Command Status Payload ......................... 33 + 2.3.2 SILC Command Status List ............................ 33 +3 Security Considerations ....................................... 38 4 References .................................................... 38 -5 Author's Address .............................................. 39 +5 Author's Address .............................................. 40 .ti 0 @@ -1928,6 +1928,12 @@ security of this protocol. Requirement Levels", BCP 14, RFC 2119, March 1997. + + + + + + .ti 0 5 Author's Address @@ -1939,5 +1945,5 @@ Finland EMail: priikone@silcnet.org -This Internet-Draft expires XXX +This Internet-Draft expires 13 May 2002 -- 2.24.0
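Review bot: In the doc/FAQ hunk, the new answer to "Is anyone outside a channel able to see the channel messages?" ends with an unconditional "No", although its own text says channel keys are initially generated by the server and that a compromised server could then see the messages. Suggest making the conclusion conditional: the answer is No against a compromised server only once the users on the channel have set a channel private key. In the same hunk, "Key lengths for ciphers are initially set to 256." has lost the unit that the removed line carried ("128 bits"). The index entries 2.2 and 4.5 do not match the question text in the body ("How much the SILC protocol is based on IRC?" versus "How much SILC Protocol is based on IRC?", and "When I connect to to my server ... proposed cipher" versus "proposed ciphers"). The bracketed numbers [16] to [59] have no link targets anywhere in the added text, so either drop them or add the reference list they point to.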
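Review bot: In the table of contents hunk of doc/draft-riikonen-silc-commands-02.nroff (@@ -75,12 +75,12 @@), "4 References" stays at page 38 as an unchanged context line while every neighbouring entry moves by one page, which leaves "3 Security Considerations" and "4 References" both on 38 and "5 Author's Address" on 40. Please confirm the References entry against the formatted output and update it if that section now starts on 39.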
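Review bot: In the @@ -1928,6 +1928,12 @@ hunk of doc/draft-riikonen-silc-commands-02.nroff, the six added blank lines before ".ti 0" and "5 Author's Address" appear to pad the page by hand so that the section lands on page 40, and that padding will be wrong again as soon as the References text above changes length. Suggest an explicit page-break request (.bp) in place of the blank lines, with a comment line saying why the section is forced onto a new page.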