<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<style type="text/css">
html{overflow-y:scroll;background-color:#042424}
body{font-family:"Noto Sans","Droid Sans","DejaVu Sans","Arial",sans-serif;line-height:1.5}
tt,code{background-color:#f0f0f0;font-family:"Noto Sans Mono","Droid Sans Mono","DejaVu Sans Mono","Courier New",monospace,sans-serif;font-size:1em;}
pre{margin-left:3em}
p,ul,ol,blockquote,pre{font-size:1.0em;line-height:1.6}
li p{font-size:1.0em}
blockquote p{font-size:1.0em}
h1{font-size:1.5em}
h2{font-size:1.3em}
h3{font-size:1.0em}
h1 a{text-decoration:none}
table{border-collapse:collapse}
th,td{border:1px solid black}
table a{text-decoration:none}
table tr{font-size:1.0em;line-height:1.6em}
table tr{font-size:1.0em;line-height:1.5}
tbody tr:nth-child(12n+1){background-color:#f0ffff}
tbody tr:nth-child(12n+2){background-color:#f0ffff}
tbody tr:nth-child(12n+3){background-color:#f0ffff}
tbody tr:nth-child(12n+4){background-color:#f0ffff}
tbody tr:nth-child(12n+5){background-color:#f0ffff}
tbody tr:nth-child(12n+6){background-color:#f0ffff}
tbody tr:nth-child(12n+7){background-color:#fffff0}
tbody tr:nth-child(12n+8){background-color:#fffff0}
tbody tr:nth-child(12n+9){background-color:#fffff0}
tbody tr:nth-child(12n+10){background-color:#fffff0}
tbody tr:nth-child(12n+11){background-color:#fffff0}
tbody tr:nth-child(12n+12){background-color:#fffff0}
.headline{padding:0;font-weight:bold;font-size:1.0em;vertical-align:top;padding-bottom:0.5em;color:#ffffff;background-color:#042424}
.navt{display:block;box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;margin:0;padding:0;vertical-align:center;font-size:1.0em}
.here{background-color:#042424}
.here{color:#ffffff}
.away{background-color:#042424}
.away a{text-decoration:none;display:block;color:#ffffff}
.away a:hover,.away a:active{text-decoration:underline}
.main{padding:5px}
.main{background-color:#ffffff}
.pagetitle{font-size:1.4em;font-weight:bold}
.logo img{width:100px}
@media only screen and (min-width:512px) {
.fixed{margin:0;padding:0;width:160px;height:100%;position:fixed;overflow:auto}
.main{margin-left:170px}
}
</style>
<title>
PQConnect: Compatibility</title>
</head>
<body>
<div class=fixed>
<div class=headline>
<div class=logo><img src=topleft.png></div>
PQConnect</div>
<div class="navt away"><a href=index.html>Intro</a>
</div><div class="navt away"><a href=user.html>For users</a>
</div><div class="navt away"><a href=sysadmin.html>For sysadmins</a>
</div><div class="navt here">Compatibility
</div><div class="navt away"><a href=security.html>Security</a>
</div><div class="navt away"><a href=crypto.html>Cryptography</a>
</div><div class="navt away"><a href=changes.html>Changes</a>
</div><div class="navt away"><a href=papers.html>Papers</a>
</div></div>
<div class=main>
<div class=pagetitle>PQConnect: Compatibility</div>
<h2><a name="backward">Backward compatibility</a></h2>
<p>Preserving connectivity is critical.
After you install the PQConnect client software,
your machine will connect to PQConnect servers
<em>and</em> will continue to connect to non-PQConnect servers.
PQConnect is designed so that the PQConnect client software
detects PQConnect servers <em>without</em> sending extra queries to non-PQConnect servers.
(Such queries might trigger hyperactive firewalls to break connectivity.)
Similarly,
if you are a sysadmin installing the PQConnect server software,
your machine will continue to allow connections from non-PQConnect clients.</p>
<p>This compatibility works using CNAME records, a standard DNS feature
(for example, <code>www.amazon.com</code> relies on CNAME records).
To announce PQConnect support for <code>www.your.server</code>,
you will rename the existing DNS records for <code>www.your.server</code>
(typically just an A record showing the server's IP address)
under a new name determined by PQConnect,
and you will set up a DNS CNAME record
pointing from <code>www.your.server</code> to the new name.
For example,
<code>www.pqconnect.net</code> has a CNAME record pointing to
<code>pq1u1hy1ujsuk258krx3ku6wd9rp96kfxm64mgct3s3j26udp57dbu1.pqconnect.net</code>,
which in turn has an A record listing the server's IP address.
Non-PQConnect clients follow the CNAME record
and connect to the server.
PQConnect clients recognize the CNAME record as a PQConnect announcement
and make an encrypted connection to the server.</p>
<h2><a name="forward">Forward compatibility</a></h2>
<p>PQConnect announcements include a version number <code>pq1</code>.
This supports smooth future upgrades
in which clients are upgraded to allow a modified <code>pq2</code> protocol,
and then servers can freely begin announcing <code>pq2</code>.</p>
<h2><a name="subdomain">Subdomains</a></h2>
<p>PQConnect is not limited to <code>www.your.server</code>.
You can also announce PQConnect support
for <code>imap.your.server</code>, <code>zulip.your.server</code>, or whatever other subdomains you want
within your DNS domains.</p>
<p>However,
you cannot set up a DNS CNAME record
specifically for the second-level name <code>your.server</code>
delegated from the top-level <code>.server</code> administrators.
DNS does not allow CNAME records to have exactly the same name as other records,
such as delegation records.
It would be possible for PQConnect to work around this restriction
by inserting PQConnect announcements into delegation records,
but currently PQConnect focuses on protecting subdomains.</p>
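<p>As an added example (not PQConnect's own code), the following Python toy resolver over constructed zone data shows the three points above: a client recognizes the announcement from the CNAME chain it already resolves, so no extra queries go to non-PQConnect servers; an announcement carrying a version the client does not yet speak (a hypothetical <code>pq2</code>) falls back to a normal connection; and a CNAME may not share its name with other records. The version-prefix check and the placeholder IP addresses are assumptions; the real client validates the whole encoded label, whose format this page does not describe.</p>

```python
# Added example, not PQConnect's own code: a toy stub resolver over constructed
# zone data. It shows how a client spots a PQConnect announcement from the CNAME
# chain it resolves anyway, how an unknown version (pq2) falls back to a plain
# connection, and why a CNAME cannot share its name with other records.
import re

# Constructed zone data (name -> {type: [values]}). The announcement name for
# www.pqconnect.net is the one quoted on the page; IPs are documentation-range
# placeholders, and mail.example.net carries a hypothetical future pq2 label.
ZONE = {
    "www.pqconnect.net.": {"CNAME": ["pq1u1hy1ujsuk258krx3ku6wd9rp96kfxm64mgct3s3j26udp57dbu1.pqconnect.net."]},
    "pq1u1hy1ujsuk258krx3ku6wd9rp96kfxm64mgct3s3j26udp57dbu1.pqconnect.net.": {"A": ["203.0.113.10"]},
    "www.example.net.": {"A": ["203.0.113.20"]},
    "mail.example.net.": {"CNAME": ["pq2PLACEHOLDERkey.example.net."]},
    "pq2PLACEHOLDERkey.example.net.": {"A": ["203.0.113.30"]},
}

# Assumption: only the leading "pq<digits>" version marker is checked here; the
# real client also validates the rest of the encoded label (format not on page).
ANNOUNCEMENT = re.compile(r"^pq(\d+)[a-z0-9]+$", re.IGNORECASE)
SUPPORTED_VERSIONS = {"1"}

def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs as any resolver would; return (names visited, A records)."""
    chain = [name]
    for _ in range(max_hops):
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"][0]
            chain.append(name)
            continue
        return chain, rrset.get("A", [])
    raise ValueError("CNAME loop or chain too long")

def plan_connection(name, zone=ZONE):
    """Decide how to connect using only the records already resolved above."""
    chain, addrs = resolve(name, zone)
    for target in chain[1:]:  # CNAME targets only; the queried name itself is not an announcement
        m = ANNOUNCEMENT.match(target.split(".")[0])
        if m and m.group(1) in SUPPORTED_VERSIONS:
            return {"mode": "pqconnect", "version": "pq" + m.group(1), "addrs": addrs}
        if m:  # announcement for a version this client does not speak yet: connect as usual
            return {"mode": "plain", "version": "pq" + m.group(1), "addrs": addrs}
    return {"mode": "plain", "version": None, "addrs": addrs}

def cname_conflicts(zone):
    """Names carrying a CNAME plus other records, which DNS does not allow."""
    return sorted(n for n, rr in zone.items() if "CNAME" in rr and len(rr) > 1)
```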
<h2><a name="operating-system">Operating systems</a></h2>
<p>The initial PQConnect software release is for Linux.
The software installation
relies on packages supplied by Linux distributions.
Package names are not synchronized across Linux distributions.
The installation currently understands the names for
Debian; Debian derivatives such as Ubuntu and Raspbian; Arch; and Gentoo.
Adding further distributions should be easy.</p>
<p>Support for non-Linux operating systems is planned,
handling the different mechanisms
that different operating systems provide
for reading and writing IP-layer packets.
The PQConnect system as a whole
is designed to be compatible with any operating system.
The PQConnect software is written in Python.
The underlying C libraries for cryptography have already been ported to MacOS.</p>
<p>Accessing the IP layer is not the only way to implement the PQConnect protocol.
Existing user-level applications access the kernel's network stack
via system calls, normally via <code>libc</code>.
It is possible to modify those network packets by modifying the kernel,
by modifying <code>libc</code>,
or by pre-loading a PQConnect dynamic library,
still without touching the individual applications.
Also, most applications
access DNS at the servers designated in <code>/etc/resolv.conf</code>,
usually via <code>libc</code>,
so it is possible to modify DNS packets by changing <code>libc</code>,
by modifying <code>/etc/resolv.conf</code>
to point to local DNS software that handles PQConnect,
or by modifying existing local DNS software to handle PQConnect
(via plugins where applicable, or by code modifications).
These software choices can also be of interest for applying PQConnect to
applications that manage to dodge the current PQConnect software.</p>
<h2><a name="application">Applications</a></h2>
<p>Our experiments have found the PQConnect software
successfully wrapping post-quantum cryptography around a wide range of applications.
However,
there is no guarantee that PQConnect covers all applications.
For example,
an application might read a server address from a local file
without using DNS queries,
might use its own encrypted tunnel to a DNS proxy,
or might otherwise
deviate from the normal modular usage of DNS services
provided by the operating system.
These applications do not receive the benefits of PQConnect:
they will continue to make non-PQConnect-protected connections as usual.</p>
<p>A notable example is Firefox,
which automatically uses DNS over HTTPS in some cases
to send DNS queries to Cloudflare.
A DNS proxy (or DNS packet rewriting) can disable this by creating an IP address for <code>use-application-dns.net</code>;
this allows Firefox to benefit from PQConnect,
and is still compatible with passing DNS queries locally to a modular DNS-over-HTTPS client.
A user <em>manually</em> configuring Firefox to use DNS over HTTPS will prevent Firefox from using PQConnect.</p>
<h2><a name="tls">Transport-layer security</a></h2>
<p>SSH connections, TLS connections, etc. work smoothly over PQConnect.
The software managing those security mechanisms
doesn't notice that everything is protected inside a PQConnect tunnel.
The PQConnect software doesn't notice that the packets it's encrypting
already have another layer of encryption.</p>
<h2><a name="vpn">VPNs</a></h2>
<p>Conceptually,
running the PQConnect protocol
on top of a VPN protocol,
or vice versa,
is a simple matter of routing packets
in the desired order through PQConnect and the VPN.
So far we haven't written scripts to do this,
but if you have specific use cases then please share details in the
Compatibility channel on the <a href="index.html#chat">PQConnect chat server</a>.</p>
<h2><a name="firewall">Firewalls</a></h2>
<p>PQConnect encrypts and authenticates complete IP packets,
including port numbers.
After decrypting a packet,
PQConnect forwards the packet to the local machine
on whichever port number is specified by the client.
One consequence of this encryption
is that you cannot rely on a firewall outside your machine to block ports:
any desired port blocking must be handled by a firewall inside your machine.
Note that an external firewall also does not block
attackers who have compromised a router or network card
between the firewall and your computer.</p>
<p>You may be behind a firewall that restricts which ports you can use:
for example, the firewall may block low ports, or may block high ports.
PQConnect is flexible in which ports it uses.
The <code>-p</code> option for the <code>pqconnect</code> program chooses a client port.
The <code>-p</code> and <code>-k</code> options for the <code>pqconnect-server</code> program choose a crypto-server port and a key-server port.
All of these are UDP ports.</p>
<h2><a name="ip-versions">IP versions</a></h2>
<p>Our PQConnect tests have been with IPv4,
but the protocol should also work with IPv6.
The PQConnect handshake packets are small enough
that even multiple levels of surrounding tunnels
should stay below the 1500-byte Ethernet limit on packet sizes.</p>
<h2><a name="surveillance">Application-layer surveillance</a></h2>
<p>The PQConnect server software
automatically replaces client IP addresses with local addresses such as 10.10.0.5
when it delivers packets to applications running on your server.
Hiding client addresses can help protect privacy
against applications that are careless in handling client data,
and can help comply with privacy regulations.</p>
<p>If you need applications to be able to check client locations
to route clients to nearby servers for efficiency,
one option is to provide different DNS responses
to clients in different locations
(using, e.g., the "client location" feature in tinydns),
already pointing those clients to nearby servers at DNS time
rather than having the application perform this routing.
If you need to check client information in logs
for abuse tracking,
one option is to collate PQConnect logs and application logs,
still without exposing client IP addresses to the application.</p><hr><font size=1><b>Version:</b>
This is version 2024.12.26 of the "Compatibility" web page.
</font>
</div>
</body>
</html>