Crypto and IPSec Merged into 2.5 229
Corbet writes "Linus has just merged the new crypto API and IPSec implementation into his 2.5 BitKeeper tree. This is the first time that serious cryptographic code has made an appearance in the mainline kernel, and it will hopefully lead to more secure communications for all Linux users in the future."
Wow! (Score:2, Interesting)
Can't wait until release, this thing is going to rock.
Excellent - no more FreeSWAN patches (Score:3, Insightful)
Jon.
Re:Excellent - no more FreeSWAN patches (Score:5, Informative)
With the atitude that the frees/wan project maintains, we will never see freeswan merged with mainstream kernel... hell... they still refuse to take patches from us citiziens and residents (that includes linus)
Re:Excellent - no more FreeSWAN patches (Score:2, Interesting)
Re:Excellent - no more FreeSWAN patches (Score:2)
Re:Excellent - no more FreeSWAN patches (Score:5, Insightful)
Because it's a large project, it's really complex, and it's a bitch to keep up with things.
I should know - I'm the author of Super FreeS/WAN, a pseudo fork with includes alot of patches (NAT-T, X.509 Certs, AES/Blowfish/etc... ) @ http://www.freeswan.ca/code/super-freeswan
It takes a few hours a day to stay on top of things. One the major ones is user support. IPSec is not easy to configure currently, especially once you introduce X.509 certs & MS Windows clients using any number of clients. So there's hundred of questions about configs, how tos, etc...
If you want to fork it, please, go ahead. Just remember that a fork isn't just the code - you take users with you.
Re:Excellent - no more FreeSWAN patches (Score:2)
I was going to use your fork, but I lost my job.
Re:Excellent - no more FreeSWAN patches (Score:2, Interesting)
I run OSPF + BGP over FreeS/WAN using GRE, which seems to be the simplest way to do it - there's been alot of dicussion lately on the lists about doing this.
Sorry to hear about the job loss, but when you get back on your feet and want to continue, just flip me a note and I'll give you a CVS repository if you want to start with.
ken@freeswan.ca
Re:Excellent - no more FreeSWAN patches (Score:2)
Re:Excellent - no more FreeSWAN patches (Score:2)
Considering the US's asinine stance on crypto export, that's just good sense.
That said, there's no reason the frees/wan code couldn't go into the kernel in a stable form, but still be maintained separately overseas.
Re:Excellent - no more FreeSWAN patches (Score:3, Insightful)
Not to mention they refuse to include support for the faster [freeswan.org] (but less secure) type of IPSec, thereby causing me to run Win2k on my router for a short while. I believe they even say it's fully valid to use IPSec in this manner (in fact it's part of the spec, so without it they shouldn't be calling it IPSec, IMHO), but they just don't want to support it in the faq, 100% due to attitude.
Developers may have a right to any attitude they desire, but they should understand their software is just going to be replaced (in the mainstream) by software from someone with less attitude. Let's hope that's what happens with freeswan. I think we don't need another OSS [4front-tech.com]-style crippled set of kernel software. (Did they move to ALSA [alsa-project.org] yet? I hope so!)
Just my 2 cents.
Re:Excellent - no more FreeSWAN patches (Score:3, Interesting)
AES is truly the way to go. There are a number of aspects of FreeS/WAN where they felt things the standards required to be available were too weak to be secure. They are mostly compliant with the specs, but I agree with them that certain things really have no use in security except to make things easier on organizations like the NSA...
Re:Excellent - no more FreeSWAN patches (Score:2)
Re:Excellent - no more FreeSWAN patches (Score:2)
If talking latency, your Satellite uplink penalty is far greater than the 1-2 milliseconds added by stronger crypto, so it wouldn't be noticed...
If talking bandwidth, having a relatively narrow pipe means even a wimpy processor can more than saturate the link even doing 3DES. AES is even better, secure *and* less intensive. AFAIK, 3DES consumes no more traffic than DES, just slightly larger, rarely exchanged keys.
Single DES is nearly completely pointless. It provides insufficient security. Relying on DES to protect data relies on some bad assumptions.
Re:Excellent - no more FreeSWAN patches (Score:2)
Re:Excellent - no more FreeSWAN patches (Score:3, Insightful)
Simpler setups for important security features are great and definitely do depend on this infrastructure being in the default kernel distributions. (I kind of like the idea of cryptographic filesystems enabled by default on laptop computers that could stolen.)
But, as we all know, that's not enough.
That simple setup has to be exceedingly well-designed so that 2-minute Click-through VPN installations are not left vulnerable due to some trade-off for more convenience.
Everyone knows and has deservedly berated Microsoft for making poor choices in this matter; let's not have widely-deployed commercial Linux distributions make the same mistake.
exportation issues? (Score:5, Interesting)
Re:exportation issues? (Score:5, Funny)
But then again... (Score:2)
Re:exportation issues? (Score:2)
Last I checked he was in England anyway, serving in the Lucasian Professorship at Cambridge.
Re:exportation issues? (Score:2)
Re:exportation issues? (Score:2)
In the Stephen Hawking example, its like letting him leave, but removing the batteries from his speech board.
Re:exportation issues? (Score:5, Informative)
Also in 740.13, to, in part, take into account the "open source" approach to software development, unrestricted encryption source code not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code can, without review, be released from "EI" controls and exported and reexported under License Exception TSU.
Jon.
Great. . . (Score:2, Funny)
Re:exportation issues? (Score:5, Interesting)
that these "relaxations" are declarations (yes,
those like a King makes), and can be withdrawn by Bush at any time, without any democratic process.
That's why Gilmore and Daniel are taking the stance they are taking.
Crypto is your fundamental right, not a fluffy
allowance from your Emperor.
Re:exportation issues? (Score:2)
An awful lot of people use the kernel, and interfering with its distribution would generate lots of waves, interfere with lots of businesses, anger lots of tech journalists, etc.
Politically, I just don't see how they could muck with it.
fundamental right? (Score:2)
Re:fundamental right? (Score:2)
If enough people believe that something is a fundamental right then it is. The poster was just trying to convince more people to believe in his version of fundamental rights which happens to include encryption. You are trying to convince more people to believe that they have no way to affect what our society considers to be fundamental rights and give up in despair.
Good luck to both of you.
Re:exportation issues? (Score:2)
Yes, but it was exactly the same kind of executive decree that made crypto illegal to export to begin with. There is no law in the US that states that crypto is a munition or that it can't be exported.
At this point, it really just doesn't make sense to hold off on adopting crytpo out of fear that the US is going to surprise everybody and yank our crypto rights out from under us. The cat, as they say, is out of the bag. It won't go back in. The government is welcome to try to re-regulate crypto export, but it won't work. (They actually tried this briefly after 9/11, and the proposals died silently.)
This news about crypto in the Linux kernel is wonderful. The more crypto is out there, integrated into our daily lives, the harder it will be for somebody to try to take it away from us.
noah
Makes you feel sorry about those tattoos (Score:2)
If only the people [cypherspace.org] who got [cypherspace.org] those Perl RSA tattoos [cypherspace.org] could have known...
-B
Re:exportation issues? (Score:5, Funny)
It sounds like something completifically inventorated, but sure enough the dictionary verificates its existification. I am extremifically annoyarated to be denyified this oppurtunitization to drop a Bush joke.
--
Damn the Emperor!
Re:exportation issues? (Score:3, Funny)
"Exportation" is a perfectly cromulent word.
Re:exportation issues? (Score:3, Funny)
Re:exportation issues? (Score:2)
Too bad it's not Freeswan (Score:5, Interesting)
Freeswan is still not in the kernel. I find it a
bit sad that Dave Miller and John Gilmore can't
figure out a proper way to resolve their problem
(John wants no US hands on the code, Dave wants
no code he can't touch in the kernel)
But at least the beginning is there, and if the
USAGI ipsec gets in, it should learn to talk to the userland tools, such as Freeswan, because Freeswan has extra features that "stock ipsec" doesn't have, such as Opportunistic Encryption.
Re:Too bad it's not Freeswan (Score:3, Informative)
FreeSWAN may be good for crypto, but bad for actually getting your work done. Regardless, the new IPSec code gets the hard part integrated, an ipv4 implementation should be trivial.
Aggressive Mode is "Optional", not "Required". (Score:2)
The only reason I can think of why you want this, is when you have a dynamic IP address and you want to use a Preshared key. Get a fixed IP or start using X.509 certs.
Aggressive Mode exposes some information, plus it might make DDoS easier to do.
Re:Aggressive Mode is "Optional", not "Required". (Score:3, Interesting)
So I see. Basically any home user using an ISP shouldn't expect to ever have any kind of crypto at all because it is slightly weak.
Next up: Master quits making front door locks. States that most homes have windows and therefore their locks are ineffective, so they will quit selling them altogether.
A lack of Agressive Mode (among other things) is the _only_ reason my previous ISP didn't support Linux. In fact, they wanted to support Linux, and eventually switched over to a non-encrypted system and released a Linux client for it.
So, who really wins in the end? Nobody. Ho hum.
Re:Too bad it's not Freeswan (Score:2, Informative)
Aggressive Mode gets around this by collapsing two steps of the negotiation and transmitting a username in the clear. This is considered "insecure" by the FreeSwan team.
What's more "insecure"? Using AM or using a broken implementation of PPTP?
Re:Too bad it's not Freeswan (Score:2)
I find IPSec harder and more complex to support for remote users compared to PPTP, on both the workstation and network sides. IPSec is pretty simple for dedicated tunnels.
Re:Too bad it's not Freeswan (Score:5, Insightful)
Two examples are the need for a "nexthop" parameter, when the kernel already has this information in its routing tables; and the need to turn off route filtering. Both make it clear that freeswan is not properly integrated (and if you look at the freeswan docs, you'll see that this general problem been on the "to fix" list for a long time).
Re:Too bad it's not Freeswan (Score:3, Interesting)
I've seen these complaints about the non-integration of FreeS/WAN before, but usually because people fail to understand the system. They make recommendations so you know exactly what is going on and give the ability to override certain settings just in case, but most of the time the extremely verbose ways of dealing with the parameters as recommended in many howtos is overkill, and could be omitted...
Re:Too bad it's not Freeswan (Score:3, Informative)
I actually tried to approach the FreeSWAN folk to considering instrumenting their code with our policy-role-based configuration management support infrastructure, but they said "no US no way" and I didn't really have a choice if I wanted my patches rolled back into the project. The Cerberus and PlutoPlus developers, on the other hand, have been much more polite and helpful.
Kernel bloat ? (Score:4, Insightful)
This is also great for creating products like VPN gateways et al, but is it time to consider a different structure for kernel builds, with modules being seperately managed with a smarter installation procedure.
Re:Kernel bloat ? (Score:5, Insightful)
Re:Kernel bloat ? (Score:4, Insightful)
Joe-Schmo is goign to use the binary kernel supplied by his Distribution anyway, and probably never upgrade it, until he goes and downloads a whole new ISO image. The actual running kernel stays really small due to the use of such things as MODULES, allowing only what is needed to be running at any given moment to run.
Bitch Bitch Bitch. Stop bitchin' about stuff you really don't have any idea about. The kernel is for all intents and purposes, small, and is indcredibly featureful for its size. So deal.
Re:Kernel bloat ? (Score:3, Interesting)
[KungFu] rmadmin:~$ ls -sh linux-2.5.44.tar.gz
36M linux-2.5.44.tar.gz
[KungFu] rmadmin:~$ gunzip linux-2.5.44.tar.gz
[KungFu] rmadmin:~$ ls -sh linux-2.5.44.tar
160M linux-2.5.44.tar
[KungFu] rmadmin:~$
Wanna rephrase your statement?
Re:Kernel bloat ? (Score:3, Informative)
Unzipped only counts in terms of disc space. 160MB is small change for most machines. If its not, compile the kernel somewhere else and ship it over.
Still, it further proves my point, because that means we're goign from 160MB source to 10MB compiled code.
My whole point is people bitch about bloat when the kernel is anything but bloated. For all the stuff it contains (which is a lot), submitted by all those different people (which is a lot), its incredibly lean.
Re:Kernel bloat ? (Score:3)
I'm sorry. This really doesn't make sense. Just because the kernel is smaller than some other package doesn't mean it can't be bloated. When I download the kernel source, I get sources not only for my build platform but also for a myriad of other architectures that I don't have. This _is_ bloat. It's good that Linux runs on so many architectures, it's good that the kernel has so many featurs, but anyone saying that all this source code they get but never use is bloat is just correct.
In my opinion, GNOME, X, and KDE come with a lot of bloat that I don't want to cope with. I don't use GNOME or KDE, but I do use X, because I lack a better alternative. The Linux kernel is a fantastic piece of software, exactly because it offers so many features (that many don't need). The source download is pretty huge (and unnecessarily so), but once compiled it's greatly efficient. Any new features is a win, and if you don't want it, you can disable it at configure time.
Re:Kernel bloat ? (Score:5, Informative)
Don't compare a 43 MB binary download to a 32MB source download. That's apples to oranges.
Re:Kernel bloat ? (Score:2)
Re:Kernel bloat ? (Score:2)
NetBSD has KAME [kame.net] IPsec in the kernel source tree, but the GENERIC kernels have the option commented out (I don't know why):
% grep IPSEC /usr/src/sys/arch/i386/conf/GENERIC
#options IPSEC # IP security
#options IPSEC_ESP # IP security (encryption part; define w/IPSEC)
#options IPSEC_DEBUG # debug for IP security
I've got a NetBSD machine at home running a VPN to the office LAN and it works great.
Re:Kernel bloat ? (Score:2, Informative)
A problem with KAME IPSEC (and, I think, pretty much every non-free/swan IPSEC implementation) is that they don't do opportunistic encryption. You need pre-arranged certs or shared keys. If it did have something like that, I bet more people would use IPSEC by default.
(Annoying problem if people do start doing that: tcpdump becomes pretty much useless as a diagnostics tool.)
Re:Kernel bloat ? (Score:5, Informative)
Sources themselves are huge compared to the bins they create especially considering source trees for projects like the kernel and X, which have support for many architectures. Much of the source code doesn't even get into the binary in the end.
Re:Kernel bloat ? (Score:2)
Granted, I do understand that source will always take up more space than the final code, but bandwidth isn't free, so developers shouldn't come up with build systems that have no consideration whatsoever for download size.
Of course, it would be nice if source-based distributions were smart enough to notice that I already have version x.y.z.tar.bz2 and download the x.y.z-x.y.z+1 patch and apply it rather than going directly for the monster tarball...
Whether 32MB is too much is debatable. However, I would argue that a 1MB tarball is undebatably fine. When you get into source files that go into the tends of MBs you start to get into a realm where users start to wonder what the heck is in there...
Re:Kernel bloat ? (Score:2)
Re:Kernel bloat ? (Score:3, Informative)
Re:Kernel bloat ? (Score:2)
Re:Kernel bloat ? (Score:2, Informative)
But the 32MB is for the compressed source, not for the binary. By the time you've compiled and compressed the binary image, it's typically down to about 5-700 KB, and I'd assume that if you have an embedded system with clearly defined minimal hardware you can probably get it a bit smaller than that. It's certainly not tiny, but the size of the end product (which is what really matters for the vast majority of people) is very reasonable.
Re:Kernel bloat ? (Score:5, Interesting)
Due to kernel modules and the fact that you can "roll your own," the kernel can be as bloated as you want, the only downside is the size of the download. The current installation procedure works well enough for this, though the only feature it really lacks imho is querying dependencies satisfied by an entry.
Really though, kernels can and will always fit on teeny floppies, providing they're trimmed down enough. Regarding your comment about the end user getting the kitchen sink, have you ever looked at how distros handle this?
Most make a generic trimmed down kernel cross-compiled for the architecture and build all the modules. It may be the case that the distro copies hoards of modules, but that still isn't going to be as big a package as, say, glibc. If "joe-shmoe" doesn't have Bluetooth or scsi hardware, the corresponding modules won't get loaded, and as a result the bloatedness of the /lib/modules// directory won't bleed into the performance of the actual running kernel.
Re:Kernel bloat ? (Score:2, Insightful)
This is great that these things are comming as standard in the kernel, but so many things are "standard" now its getting pretty large for joe-schmo average user who will get a full kitchen sink kernel with their distro.
Three kinds of bloat (Score:5, Insightful)
Hypothetical: I can't believe OpenOffice is so bloated compared to EDLIN from MS-DOS!
Maybe it's "feature loaded" instead of bloated? While it is true that you can use OpenOffice to duplicate tasks that you might have done in EDLIN, it is capable of so much more.
There is another kind of bloat which is not caused by features. This kind of bloat does not appear to be present in Linux. The kind of bloat I'm talking about is caused by "optimization". I don't mean optimizing for fast code or small code, but optimizing for "release date". Hey Mr. Customer, would take that new spreadsheet upgrade six months sooner if it required 25% more computing resources to run? All consumers I know would answer Yes. So this is a type of optimization. Optimizing for development time instead of optimizing for computer resources. Given the current low and decreasing cost of computer resources, there is some balance of this that makes sense. Just as once upon a time the "bloat" and value of high level programming languages was hugely debated. Now everyone uses high level languages to optimize for development time. The fact that I could spend six extra months doing it smaller and faster in assembler doesn't matter. Well, today it's the same thing. I don't mean that bad code is written on purpose, just that development time is valued above comptuer resources and machine optimizations, profiling, etc. Again, Linux does not appear to "suffer" from this type of "optimization".
Another type of bloat is just from plain bad programming. It was not a purposeful decision to optimize development time, it was just the the program is badly written. Linux does not appear to suffer from this kind of bloat either.
bloat (Score:4, Insightful)
- In Apps, Games, whatever, it would be a lot nicer to be able to add features, rather than have the whole bloated thing copied/downloaded/installed onto your drive. (Cygwin has a nice setup.exe program that actually lets the user *pick* what he wants *before* the download. Very nice.)
- Programs that say "Standby while we figure out what system you are running" and then copy every bloated driver for every type system, and its various peripherals, that ever existed onto your hard drive, anyway. Maybe this is not a problem anymore with the huge disks that exists these days, but it does signify sloppy development work that is usually mirrored in the app.
Re:Kernel bloat ? (Score:4, Informative)
For example, on a random HP 11.0 box here:
-rwxr-xr-x 1 root sys 18946872 May 9 08:43
That is a 19 megabyte binary kernel. It would be interesting to see how big the source is...
Re:Kernel bloat ? (Score:2)
1.4 meg for a functional system is bloat? what do you call Microsoft then?
the kernel CANT get bloated... that's the great part of only using what you want and the rest doesnt exist.
Re:Kernel bloat ? (Score:2)
"Equivalent", if Norton Commander came with an
IP stack,
and a packet-filter system,
and a dhcp server,
and a secure, hardened nameserver,
and mutiuser capabilities with secure virtual terminals,
and 386 real-mode support,
and access to compressed ramdisks,
and a text editor with regex support..
etc....
Re:Kernel bloat ? (Score:2)
I can do all of that in one floppy disk(ALL AT ONCE!)... check out one of the hundreds of linux on a floppy distros or the linux router project....
What about... (Score:2, Interesting)
developers and users in those places be?
Looking for FreeSWAN? Try freeswan.ca (Score:5, Informative)
I've mirrored the downloads [umtstrial.co.uk] as they're so useful.
Re:Looking for FreeSWAN? Try freeswan.ca (Score:5, Funny)
Oh well, so much for hiding in anonymity.
ken@freeswan.ca
IPSec lets us get Win2k from the flank (Score:5, Insightful)
I hope we're not far from seeing adoption of Linux in places like the financial services industry. If the distributors can make IPSec painless to configure, Linux will make inroads in such industries very quickly.
Re:IPSec lets us get Win2k from the flank (Score:5, Interesting)
Many of the non-us distribuions ship with ipsec, but the big problem is creating some very easy way that can allow elmer fud to create a host to host or a subnet to host or a subnet to subnet ipsec tunnel in under 10 minutes. Preferably 2 minutes.
What is going to start shifting many businesses to linux is seeing applications such as AutoCAD run on linux. Seeing APIs for controling PLCs on factory floors. If we are able to woo the design and engineering firms to linux.... we will have a powerful foothold on the market.
Re:IPSec lets us get Win2k from the flank (Score:2)
Have you tried openoffice?
Re:IPSec lets us get Win2k from the flank (Score:5, Insightful)
You'll probably snag a lot more users by showing cross-OS compatability as opposed to desktop replacement. As in most cases, it would likely be linux server, windows desktop, with VPN being a nice communication feature in both.I know that I would like my VPN's to work properly between OS's, without the half-baked configurations in FreeSwan.
Mergint trends (Score:3, Funny)
First ICQ and AIM merge.
Then Crypto and IPSec merge.
Next you're gonna tell me that cats and dogs have merged.
What's the world coming to?
Re:Mergint trends (Score:4, Funny)
Redhat and SuSE merge, and bring yast to redhat.
BSD and LINUX will merge.
The vim and emacs teams join together and will bring out a new editor together in teamwork.
Linus agrees on using CVS.
The english world will make a big grammar reform, enabling a polyphonic script again.
Star Wars will meet Star Treck.
America decides to officaly use the metric system.
The brits drive on the right side of the road.
Export Ramifications? (Score:4, Insightful)
Just curious.. i know how hard of a time everyone else ( like BSD ) has with this garbage.
Information should never be restricted on the basis of governmental boundries. Phfft.
Banned in the USA (Score:2, Funny)
VPN w/Firewall (Score:2, Interesting)
Re:VPN w/Firewall (Score:2, Informative)
FreeS/WAN + NAT-Traversal patch manages this fine, by encapsulating the packets in UDP.
Re:VPN w/Firewall (Score:2)
No... http://open-source.arkoon.net - NAT-T patch for 1.98b. Works on kernel 2.4.*.
Freeswan (Score:2)
Watching kernel dev out-of-band (Score:3, Interesting)
What's cool about this is that people are watching kernel development without having to read the lkml or being on irc or whatever. People can now just watch the patches flow into the bk system. I think that's kind of cool. It's like a Kernel News Network.
Crypto Export Regulations (Score:3, Insightful)
That, and the DMCA which prohibits reversing of any of the encryption that would be found in the new kernel, would create a risk for many of the users downloading the software if they were from anywhere outside the US (and, for US users downloading the software, because it couldn't be explained to them.)
I'm sure the U.S. government is going to have a lot of fun with this...
we love crypto (Score:3, Funny)
Or the banning of Linux in several countries. Whichever comes first, you know.
Re:we love crypto (Score:2)
I'm not sure... I think there's a flaw in your argument somewhere. I think the profit made by linux vendors would improve from the artifical scarcity of a black market. I think that people would think of guys in outfits out of the Matrix when they thought of Linux users, instead of fat guys with beards. I think Linux would become more widely known.
But, would banning Linux actually cause more users? Somehow I doubt it. If we find a jurisdiction where suicide isn't illegal and make it so, then we're not going to see a doubling of suicide rates or anything like that. (Note to self. Is there a jurisdiction where suicide is legal? This would be... interesting... to test.) The goal of legislation is to repress the growth in usage of something the government doesn't want you to use. The legislation didn't cause the growth - it just failed to stop it. The growth is already there, as the law generally does not legislate truly fringe elements. (For instance, there are plenty of drugs that you can get by mail order now that are at least as 'druggy' as marajuana and lsd, but they arn't illegal because of the exceptional minority of users.)
More Pervasive Insecurities? (Score:4, Insightful)
I am not very knowledgeable about security issues, but I am curious if the inclusion of security modules in the kernel will provide for a single point of failure. In other words, as more programs become dependent on the kernel module for security, if an exploit becomes available, will all these dependent programs become exploitable?
I ask this specifically because of the problem the IE ran into, where it depended on security APIs from Windows, the Windows API had an exploitable bug, and ta-da, IE had an exploitable bug.stick to the Physics (Score:2)
Re:stick to the Physics (Score:2, Funny)
Re:Keeping stuff away from terrorists? (Score:5, Insightful)
Freedom of speech also implies freedom of anonymous, or even encrypted speech, a concept that politicians have destroyed completely with "campaign reform."
Re:Keeping stuff away from terrorists? (Score:3, Insightful)
Western crypto restrictions had nothing to do with breaching the Berlin Wall, for example.
Re:Keeping stuff away from terrorists? (Score:2, Insightful)
6. No Discrimination Against Fields of Endeavor
The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
And this from the Free Software Definition [fsf.org]:
The freedom to run the program, for any purpose (freedom 0).
So, the community can not (does not) restrict terrorists from using any GPL'd (or compatibly licensed) software. And by the way, one man's terrorist is another man's freedom fighter. As it stands the community does not want to engage in moral discussions about who uses its software and for what purpose.
I have no idea what the government can do about it, but how could it prohibit the use of something that is widely available? That's the reason why it would be completely useless to restrict the distribution of strong crypto to NATO countries only for example. In order for a crypto algorithm to be deemed secure by the security community, it has to be published and proven secure through years of peer review. Even if access to programs incorporating this crypto stuff could be restricted, anyone with access to academic publications (and decent programming skills) could write software based on the published algorithms.
Re:If I want IPSec stuff (Score:5, Insightful)
But on the other hand, who wants to read the article when you can, instead, spout off and look like an idiot?
Re:If I want IPSec stuff (Score:4, Informative)
I agree! The linux kernel is at least 2 years behind in any IPsec implementation compared to OpenBSD or even FreeBSD. What's going on here? Does that make sense? Usually it's the Linux folks that are ahead of the game, but not this time.
[slashdot.org]
I guess the Linux folks wanted to make EXTRA SURE they didn't leave any BSD code in the kernel without a copyright before they added it to CVS.
Go ahead... troll me! I dare you!
Re:If I want IPSec stuff (Score:2, Informative)
[freeswan.ca]
Here is a massive document with 25-30 other products listed, with instructions, sample configs, and links to more information.
Re:If I want IPSec stuff (Score:2)
I have had no trouble getting the KAME IPsec implementation (the one in {Net,Free}BSD) to talk to FreeS/WAN. Using either pre-shared keys or X509 certificates. In fact, I use exactly such a setup to keep my home network on a VPN with my colocated server. It works flawlessly.
Yes, I had to patch Linux to make it work, but the Debian FreeS/WAN packages make this really easy.
I've written some documentation [morgul.net] describing how I got KAME to talk to FreeS/WAN. Most of the docs really relate to X509 certificate authentication, but there's some discussion of the various IKE parameters that need to be changed. Different implementations choose different defaults for things like key lifetime and stuff, and you need to know how to get them to agree in order to get them to communicate happily.
noah
Re:What SUCKS about Freeswan? (Score:2, Insightful)
If you need answers quick and easy, well that is why you have paid consultants. Go hire them. Till then SHUT UP & RTFM.
Re:Eh? (Score:2, Funny)
Re:bad idea.. (Score:2, Informative)
Re:Linus? (Score:2)