<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
</HEAD>
<BODY>
<A HREF="toc.html">Contents</A>
<A HREF="mail.html">Previous</A>
<A HREF="glossary.html">Next</A>
<HR>
<H1><A name="weblink">Web links</A></H1>
<H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
<P>The main project web site is<A href="http://www.freeswan.org/">
www.freeswan.org</A>.</P>
<P>Links to other project-related<A href="intro.html#sites"> sites</A>
are provided in our introduction section.</P>
<H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
<P>Some user-contributed patches have been integrated into the FreeS/WAN
distribution. For a variety of reasons, those listed below have not.</P>
<P>Note that not all patches are a good idea.</P>
<UL>
<LI>There are a number of "features" of IPsec which we do not implement
because they reduce security. See this<A href="compat.html#dropped">
discussion</A>. We do not recommend using patches that implement these.
One example is aggressive mode.</LI>
<LI>We do not recommend adding "features" of any sort unless they are
clearly necessary, or at least have clear benefits. For example,
FreeS/WAN would not become more secure if it offered a choice of 14
ciphers. If even one was flawed, it would certainly become less secure
for anyone using that cipher. Even with 14 wonderful ciphers, it would
be harder to maintain and administer, hence more vulnerable to various
human errors.</LI>
</UL>
<P>This is not to say that patches are necessarily bad, only that using
them requires some deliberation. For example, there might be perfectly
good reasons to add a specific cipher in your application: perhaps GOST
to comply with government standards in Eastern Europe, or AES for
performance benefits.</P>
<H4>Current patches</H4>
<P>Patches believed current:</P>
<UL>
<LI>patches for<A href="http://www.strongsec.com/freeswan/"> X.509
certificate support</A>, also available from a<A href="http://www.twi.ch/~sna/strongsec/freeswan/">
mirror site</A></LI>
<LI>patches to add<A href="http://www.irrigacion.gov.ar/juanjo/ipsec">
AES and other ciphers</A>. There is preliminary data indicating AES
gives a substantial<A href="performance.html#perf.more"> performance
gain</A>.</LI>
</UL>
<P>There is also one add-on that takes the form of a modified FreeS/WAN
distribution, rather than just patches to the standard distribution:</P>
<UL>
<LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
support</A></LI>
</UL>
<P>Before using any of the above, check the<A href="mail.html"> mailing
lists</A> for news of newer versions and to see whether they have been
incorporated into more recent versions of FreeS/WAN.</P>
<H4>Older patches</H4>
<UL>
<LI><A href="http://sources.colubris.com/en/projects/FreeSWAN/">hardware
acceleration</A></LI>
<LI>a<A href="http://tzukanov.narod.ru/"> series</A> of patches that
<UL>
<LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler</LI>
<LI>add GOST to OpenSSL</LI>
<LI>add GOST to the International kernel patch</LI>
<LI>let FreeS/WAN use International kernel patch ciphers</LI>
</UL>
</LI>
<LI>Neil Dunbar's patches for<A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
certificate support</A>, using code from<A href="http://www.openssl.org">
OpenSSL</A>.</LI>
<LI>Luc Lanthier's<A href="ftp://ftp.netwinder.org/users/f/firesoul/">
patches</A> for<A href="glossary.html#PKIX"> PKIX</A> support.</LI>
<LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
to add<A href="glossary.html#blowfish"> Blowfish</A>,<A href="glossary.html#IDEA">
IDEA</A> and<A href="glossary.html#CAST128"> CAST-128</A> to FreeS/WAN</LI>
<LI>patches for FreeS/WAN 1.3, Pluto support for<A href="http://alcatraz.webcriminals.com/~bastiaan/ipsec/">
external authentication</A>, for example with a smartcard or SKEYID.</LI>
<LI><A href="http://www.zengl.net/freeswan/download/">patches and
utilities</A> for using FreeS/WAN with PGPnet</LI>
<LI><A href="http://www.freelith.com/lithworks/crypto/freeswan_patch.htm">
Blowfish encryption and Tiger hash</A></LI>
<LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
patches</A> for aggressive mode support</LI>
</UL>
<P>These patches are for older versions of FreeS/WAN and will likely not
work with the current version. Older versions of FreeS/WAN may be
available on some of the<A href="intro.html#sites"> distribution sites</A>,
but we recommend using the current release.</P>
<H4><A name="VPN.masq">VPN masquerade patches</A></H4>
<P>Finally, there are some patches to other code that may be useful with
FreeS/WAN:</P>
<UL>
<LI>a<A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
patch</A> to make IPsec, PPTP and SSH VPNs work through a Linux
firewall with<A href="glossary.html#masq"> IP masquerade</A>.</LI>
<LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
Linux VPN Masquerade HOWTO</A></LI>
</UL>
<P>Note that this is not required if the same machine does IPsec and
masquerading, only if you want to locate your IPsec gateway on a
masqueraded network. See our<A href="firewall.html#NAT"> firewalls</A>
document for discussion of why this is problematic.</P>
<P>At last report, this patch could not co-exist with FreeS/WAN on the
same machine.</P>
<H3><A name="dist">Distributions including FreeS/WAN</A></H3>
<P>The introductory section of our document set lists several<A href="intro.html#distwith">
Linux distributions</A> which include FreeS/WAN.</P>
<H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
<UL>
<LI><A href="http://openpgp.net/random">/dev/random</A> support page,
discussion of and code for the Linux<A href="glossary.html#random">
random number driver</A>. Out-of-date when we last checked (January
2000), but still useful.</LI>
<LI>other programs related to random numbers:
<UL>
<LI><A href="http://www.mindrot.org/audio-entropyd.html">audio entropy
daemon</A> to gather noise from a sound card and feed it into
/dev/random</LI>
<LI>an<A href="http://www.lothar.com/tech/crypto/"> entropy-gathering
daemon</A></LI>
<LI>a driver for the random number generator in recent<A href="http://sourceforge.net/projects/gkernel/">
Intel chipsets</A>. This driver is included as standard in 2.4 kernels.</LI>
</UL>
</LI>
<LI>a Linux<A href="http://www.marko.net/l2tp/"> L2TP Daemon</A> which
might be useful for communicating with Windows 2000, which builds L2TP
tunnels over its IPsec connections</LI>
<LI>to use opportunistic encryption, you need a recent version of<A href="glossary.html#BIND">
BIND</A>. You can get one from the<A href="http://www.isc.org">
Internet Software Consortium</A>, who maintain BIND.</LI>
</UL>
<H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
<UL>
<LI>other Linux<A href="#linuxipsec"> IPsec implementations</A></LI>
<LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free
implementation of Sun's<A href="glossary.html#SKIP"> SKIP</A> protocol</LI>
<LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPsec VPN
daemon for Linux which creates tunnels using<A href="glossary.html#Blowfish">
Blowfish</A> encryption</LI>
<LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple
GPLd tunnel-building program with Linux and Win32 versions. The name is
from<STRONG> Z</STRONG>lib compression,<STRONG> B</STRONG>lowfish
encryption and<STRONG> D</STRONG>iffie-Hellman key exchange.</LI>
<LI>There are at least two PPTP implementations for Linux
<UL>
<LI>Moreton Bay's<A href="http://www.moretonbay.com/vpn/pptp.html">
PoPToP</A></LI>
<LI><A href="http://cag.lcs.mit.edu/~cananian/Projects/PPTP/">PPTP-Linux</A>
</LI>
</UL>
</LI>
<LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
(crypto IP encapsulation) project, using their own lightweight protocol
to encrypt between routers</LI>
<LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
</UL>
<P>There is a list of<A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
Linux VPN</A> software in the<A href="http://www.securityportal.com/lskb/kben00000001.html">
Linux Security Knowledge Base</A>.</P>
<H2><A name="ipsec.link">The IPsec Protocols</A></H2>
<H3><A name="general">General IPsec or VPN information</A></H3>
<UL>
<LI>The<A href="http://www.vpnc.org"> VPN Consortium</A> is a group for
vendors of IPsec products. Among other things, they have a good
collection of<A href="http://www.vpnc.org/white-papers.html"> IPsec
white papers</A>.</LI>
<LI>A VPN mailing list with a<A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
home page</A>, a FAQ, some product comparisons, and many links.</LI>
<LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer page</A></LI>
<LI>a<A href="http://www.epm.ornl.gov/~dunigan/vpn.html"> collection</A>
of VPN links, and some explanation</LI>
</UL>
<H3><A name="overview">IPsec overview documents or slide sets</A></H3>
<UL>
<LI>the FreeS/WAN<A href="ipsec.html"> document section</A> on these
protocols</LI>
</UL>
<H3><A name="otherlang">IPsec information in languages other than
English</A></H3>
<UL>
<LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
German</A></LI>
<LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
<LI>Feczak Szabolcs' thesis in<A href="http://feczo.koli.kando.hu/vpn/">
Hungarian</A></LI>
<LI>Davide Cerri's thesis and some presentation slides in<A href="http://www.linux.it/~davide/doc/">
Italian</A></LI>
</UL>
<H3><A name="RFCs1">RFCs and other reference documents</A></H3>
<UL>
<LI><A href="rfc.html">Our document</A> listing the RFCs relevant to
Linux FreeS/WAN and giving various ways of obtaining both RFCs and
Internet Drafts.</LI>
<LI><A href="http://www.vpnc.org/vpn-standards.html">VPN Standards</A>
page maintained by<A href="glossary.html#VPNC"> VPNC</A>. This covers
both RFCs and Drafts, and classifies them in a fairly helpful way.</LI>
<LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
related to IPsec</LI>
<LI>US government<A href="http://www.itl.nist.gov/div897/pubs"> site</A>
with their<A href="glossary.html#FIPS"> FIPS</A> standards</LI>
<LI>Archives of the ipsec@tis.com mailing list where discussion of
drafts takes place.
<UL>
<LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern Canada</A></LI>
<LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
</UL>
</LI>
</UL>
<H3><A name="analysis">Analysis and critiques of IPsec protocols</A></H3>
<UL>
<LI>Counterpane's<A href="http://www.counterpane.com/ipsec.pdf">
evaluation</A> of the protocols</LI>
<LI>Simpson's<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
IKE Considered Dangerous</A> paper. Note that this is a link to an
archive of our mailing list. There are several replies in addition to
the paper itself.</LI>
<LI>Fate Labs<A href="http://www.fatelabs.com/loki-vpn.pdf"> Virtual
Private Problems: the Broken Dream</A></LI>
<LI>Catherine Meadows' paper<CITE> Analysis of the Internet Key Exchange
Protocol Using the NRL Protocol Analyzer</CITE>, in<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
PDF</A> or<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
Postscript</A>.</LI>
<LI>Perlman and Kaufman
<UL>
<LI><A href="http://snoopy.seas.smu.edu/ee8392_summer01/week7/perlman2.pdf">
Key Exchange in IPsec</A></LI>
<LI>a newer<A href="http://sec.femto.org/wetice-2001/papers/radia-paper.pdf">
PDF paper</A>,<CITE> Analysis of the IPsec Key Exchange Standard</CITE>.</LI>
</UL>
</LI>
<LI>Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
papers</A> page including his:
<UL>
<LI><CITE>Security Problems in the TCP/IP Protocol Suite</CITE> (1989)</LI>
<LI><CITE>Problem Areas for the IP Security Protocols</CITE> (1996)</LI>
<LI><CITE>Probable Plaintext Cryptanalysis of the IP Security Protocols</CITE>
(1997)</LI>
</UL>
</LI>
<LI>An<A href="http://www.lounge.org/ike_doi_errata.html"> errata list</A>
for the IPsec RFCs.</LI>
</UL>
<H3><A name="IP.background">Background information on IP</A></H3>
<UL>
<LI>An<A href="http://ipprimer.windsorcs.com/"> IP tutorial</A> that
seems to be written mainly for Netware or Microsoft LAN admins entering
a new world</LI>
<LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers
Authority</LI>
<LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>,
Classless Inter-Domain Routing</LI>
<LI>Also see our<A href="biblio.html"> bibliography</A></LI>
</UL>
<H2><A name="implement">IPsec Implementations</A></H2>
<H3><A name="linuxprod">Linux products</A></H3>
<P>Vendors using FreeS/WAN in turnkey firewall or VPN products are
listed in our<A href="intro.html#turnkey"> introduction</A>.</P>
<P>Other vendors have Linux IPsec products which, as far as we know, do
not use FreeS/WAN:</P>
<UL>
<LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
provide an open source Linux driver for their PCI hardware VPN card.
This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
specialised crypto chips, and claimed encryption performance of 45
Mbit/sec. The PC sees it as an Ethernet board.</LI>
<LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
offer a Linux-based VPN with hardware encryption</LI>
<LI><A href="http://www.watchguard.com/">Watchguard</A> use Linux in
their Firebox product.</LI>
<LI><A href="http://www.entrust.com">Entrust</A> offer a developers'
toolkit for using their<A href="glossary.html#PKI"> PKI</A> for IPsec
authentication</LI>
<LI>According to a report on our mailing list,<A href="http://www.axent.com">
Axent</A> have a Linux version of their product.</LI>
</UL>
<H3><A name="router">IPsec in router products</A></H3>
<P>All the major router vendors support IPsec, at least in some models.</P>
<UL>
<LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
IPsec information</LI>
<LI>Ascend, now part of<A href="http://www.lucent.com/"> Lucent</A>,
have some IPsec-based products</LI>
<LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part
of Nortel, use IPsec in their Contivity switch product line</LI>
<LI><A href="http://www.3com.com/products/enterprise.html">3Com</A> have
a number of VPN products, some using IPsec</LI>
</UL>
<H3><A name="fw.web">IPsec in firewall products</A></H3>
<P>Many firewall vendors offer IPsec, either as a standard part of their
product, or an optional extra. A few we know about are:</P>
<UL>
<LI><A href="http://www.borderware.com/">Borderware</A></LI>
<LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
Laurent</A></LI>
<LI><A href="http://www.watchguard.com">Watchguard</A></LI>
<LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2</LI>
</UL>
<P>Vendors using FreeS/WAN in turnkey firewall products are listed in
our<A href="intro.html#turnkey"> introduction</A>.</P>
<H3><A name="ipsecos">Operating systems with IPsec support</A></H3>
<P>All the major open source operating systems support IPsec. See below
for details on<A href="#BSD"> BSD-derived</A> Unix variants.</P>
<P>Among commercial OS vendors, IPsec players include:</P>
<UL>
<LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
Microsoft</A> have put IPsec in their Windows 2000 and XP products</LI>
<LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
announce a release of OS390 with IPsec support via a crypto
co-processor</LI>
<LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
Sun</A> include IPsec in Solaris 8</LI>
<LI><A href="http://www.hp.com/security/products/extranet-security.html">
Hewlett Packard</A> offer IPsec for their Unix machines</LI>
<LI>Certicom have IPsec available for the<A href="http://www.certicom.com/products/movian/movianvpn_tech.html">
Palm</A>.</LI>
<LI>There were reports before the release that Apple's Mac OS X would
have IPsec support built in, but it did not seem to be there when we
last checked. If you find it, please let us know via the<A href="mail.html">
mailing list</A>.</LI>
</UL>
<H3><A NAME="29_3_5">IPsec on network cards</A></H3>
<P>Network cards with built-in IPsec acceleration are available from at
least Intel, 3Com and Redcreek.</P>
<H3><A name="opensource">Open source IPsec implementations</A></H3>
<H4><A name="linuxipsec">Other Linux IPsec implementations</A></H4>
<P>We like to think of FreeS/WAN as<EM> the</EM> Linux IPsec
implementation, but it is not the only one. Others we know of are:</P>
<UL>
<LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a
lightweight implementation of IPsec for Linux. Does not require kernel
recompilation.</LI>
<LI>Petr Novak's<A href="ftp://ftp.eunet.cz/icz/ipnsec/"> ipnsec</A>,
based on the OpenBSD IPsec code and using<A href="glossary.html#photuris">
Photuris</A> for key management</LI>
<LI>A now defunct project at<A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
U of Arizona</A> (export controlled)</LI>
<LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerberus</A>
(export controlled)</LI>
</UL>
<H4><A name="BSD">IPsec for BSD Unix</A></H4>
<UL>
<LI><A href="http://www.kame.net/project-overview.html">KAME</A>,
several large Japanese companies co-operating on IPv6 and IPsec</LI>
<LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
implementation of IPv6 and of IPsec for IPv4 (export controlled)</LI>
<LI><A href="http://www.openbsd.org">OpenBSD</A> includes IPsec as a
standard part of the distribution</LI>
<LI><A href="http://www.r4k.net/ipsec">IPsec for FreeBSD</A></LI>
<LI>a<A href="http://www.netbsd.org/Documentation/network/ipsec/"> FAQ</A>
on NetBSD's IPsec implementation</LI>
</UL>
<H4><A name="misc">IPsec for other systems</A></H4>
<UL>
<LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
Technology</A> have implemented IPsec for Solaris, Java and Macintosh</LI>
</UL>
<H3><A name="interop.web">Interoperability</A></H3>
<P>The IPsec protocols are designed so that different implementations
should be able to work together. As they say, "the devil is in the
details". IPsec has a lot of details, but considerable success has been
achieved.</P>
<H4><A name="result">Interoperability results</A></H4>
<P>Linux FreeS/WAN has been tested for interoperability with many other
IPsec implementations. Results to date are in our<A href="interop.html">
interoperability</A> section.</P>
<P>Various other sites have information on interoperability between
various IPsec implementations:</P>
<UL>
<LI><A href="http://www.opus1.com/vpn/atl99display.html">interop results</A>
from a bakeoff in Atlanta, September 1999.</LI>
<LI>HSC, a French company, have<A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
interoperability</A> test data covering FreeS/WAN, Open BSD, KAME, Linux
pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS</LI>
<LI><A href="http://www.icsa.net/">ICSA</A> offer certification programs
for various security-related products. See their list of<A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
certified IPsec</A> products. Linux FreeS/WAN is not currently on that
list, but several products with which we interoperate are.</LI>
<LI>VPNC have a page on why they are not yet doing<A href="http://www.vpnc.org/interop.html">
interoperability</A> testing and a page on the<A href="http://www.vpnc.org/conformance.html">
spec conformance</A> testing that they are doing</LI>
<LI>a<A href="http://www.commweb.com/article/COM20000912S0009"> review</A>
comparing a dozen commercial IPsec implementations. Unfortunately, the
reviewers did not look at Open Source implementations such as FreeS/WAN
or OpenBSD.</LI>
<LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
results</A> from interoperability tests at a conference. FreeS/WAN was
not tested there.</LI>
<LI>test results from the<A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
IPSEC 2000</A> conference</LI>
</UL>
<H4><A name="test1">Interoperability test sites</A></H4>
<UL>
<LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing
project with free IPsec validation software</LI>
<LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of
Standards and Technology</A></LI>
<LI><A href="http://isakmp-test.ssh.fi/">SSH Communications Security</A></LI>
</UL>
<H2><A name="linux.link">Linux links</A></H2>
<H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
<UL>
<LI>Linux<A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
Getting Started</A> HOWTO document</LI>
<LI>A getting started guide from the<A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
U of Oregon</A></LI>
<LI>A large<A href="http://www.herring.org/techie.html"> link collection</A>
which includes a lot of introductory and tutorial material on Unix,
Linux, the net, . . .</LI>
</UL>
<H3><A name="general">General Linux sites</A></H3>
<UL>
<LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
<LI><A href="http://slashdot.org">Slashdot</A> "News for Nerds"</LI>
<LI><A href="http://www.linux.org">Linux Online</A></LI>
<LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
<LI><A href="http://www.tux.org">tux.org</A></LI>
</UL>
<H3><A name="docs.ldp">Documentation</A></H3>
<P>Nearly any Linux documentation you are likely to want can be found at
the<A href="http://metalab.unc.edu/LDP"> Linux Documentation Project</A>
or LDP.</P>
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
guide to Linux information sources</LI>
<LI>The LDP's HowTo documents are a standard Linux reference. See this<A href="http://www.linuxdoc.org/docs.html#howto">
list</A>. Documents there most relevant to a FreeS/WAN gateway are:
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
Networking Overview HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
Security HOWTO</A></LI>
</UL>
</LI>
<LI>The LDP do a series of Guides, book-sized publications with more
detail (and often more "why do it this way?") than the HowTos. See this<A href="http://www.linuxdoc.org/guides.html">
list</A>. Documents there most relevant to a FreeS/WAN gateway are:
<UL>
<LI><A href="http://www.tml.hut.fi/~viu/linux/sag/">System
Administrator's Guide</A></LI>
<LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Network
Administrator's Guide</A></LI>
<LI><A href="http://www.seifried.org/lasg/">Linux Administrator's
Security Guide</A></LI>
</UL>
</LI>
</UL>
<P>You may not need to go to the LDP to get this material. Most Linux
distributions include the HowTos on their CDs and several include the
Guides as well. Also, most of the Guides and some collections of HowTos
are available in book form from various publishers.</P>
<P>Much of the LDP material is also available in languages other than
English. See this<A href="http://www.linuxdoc.org/links/nenglish.html">
LDP page</A>.</P>
<H3><A name="advroute.web">Advanced routing</A></H3>
<P>The Linux IP stack has some new features in 2.4 kernels. Some HowTos
have been written:</P>
<UL>
<LI>several HowTos for the<A href="http://netfilter.samba.org/unreliable-guides/">
netfilter</A> firewall code in newer kernels</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
2.4 networking</A> HowTo</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
2.4 routing</A> HowTo</LI>
</UL>
<H3><A name="linsec">Security for Linux</A></H3>
<P>See also the<A href="#docs.ldp"> LDP material</A> above.</P>
<UL>
<LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
Trinity OS guide to setting up Linux</A></LI>
<LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
<LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting
filesystem</LI>
<LI><A href="http://EncryptionHOWTO.sourceforge.net/">Linux Encryption
HowTo</A> (outdated when last checked, had an Oct 2000 revision date in
March 2002)</LI>
</UL>
<H3><A name="firewall.linux">Linux firewalls</A></H3>
<P>Our<A href="firewall.html"> FreeS/WAN and firewalls</A> document
includes links to several sets of<A href="firewall.html#examplefw">
scripts</A> known to work with FreeS/WAN.</P>
<P>Other information sources:</P>
<UL>
<LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
<LI><A href="http://netfilter.samba.org/unreliable-guides/">netfilter</A>
firewall code in 2.4 kernels</LI>
<LI>Our list of general<A href="#firewall.web"> firewall references</A>
on the web</LI>
<LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool for
automatically configuring Linux firewalls</LI>
<LI>the web cache software<A href="http://www.squid-cache.org/"> squid</A>
and<A href="http://www.squidguard.org/"> squidguard</A> which turns
Squid into a filtering web proxy</LI>
</UL>
<H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
<UL>
<LI><A href="http://lwn.net/current/dists.php3">Linux distribution
vendors</A></LI>
<LI><A href="http://www.linux.org/groups/">Linux User Groups</A></LI>
</UL>
<H2><A name="crypto.link">Crypto and security links</A></H2>
|
|
<H3><A name="security">Crypto and security resources</A></H3>
|
|
<H4><A name="std.links">The standard link collections</A></H4>
|
|
<P>Two enormous collections of links, each the standard reference in its
|
|
area:</P>
|
|
<DL>
|
|
<DT>Gene Spafford's<A href="http://www.cerias.purdue.edu/coast/hotlist/">
|
|
COAST hotlist</A></DT>
|
|
<DD>Computer and network security.</DD>
|
|
<DT>Peter Gutmann's<A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
|
|
Encryption and Security-related Resources</A></DT>
|
|
<DD>Cryptography.</DD>
|
|
</DL>
|
|
<H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
|
|
<UL>
|
|
<LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
|
|
FAQ</A></LI>
|
|
<LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
|
|
<LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
|
|
Programming FAQ</A></LI>
|
|
<LI>FAQs for specific programs are listed in the<A href="#tools"> tools</A>
|
|
section below.</LI>
|
|
</UL>
|
|
<H4><A name="cryptover">Tutorials</A></H4>
|
|
<UL>
|
|
<LI>Gary Kessler's<A href="http://www.garykessler.net/library/crypto.html">
|
|
Overview of Cryptography</A></LI>
|
|
<LI>Terry Ritter's<A href="http://www.ciphersbyritter.com/LEARNING.HTM">
|
|
introduction</A></LI>
|
|
<LI>Peter Gutman's<A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
|
|
cryptography</A> tutorial (500 slides in PDF format)</LI>
|
|
<LI>Amir Herzberg of IBM's sildes for his course<A href="http://www.hrl.il.ibm.com/mpay/course.html">
|
|
Introduction to Cryptography and Electronic Commerce</A></LI>
|
|
<LI>the<A href="http://www.gnupg.org/gph/en/manual/c173.html"> concepts
|
|
section</A> of the<A href="glossary.html#GPG"> GNU Privacy Guard</A>
|
|
documentation</LI>
|
|
<LI>Bruce Schneier's self-study<A href="http://www.counterpane.com/self-study.html">
|
|
cryptanalysis</A> course</LI>
|
|
</UL>
|
|
<P>See also the<A href="#interesting"> interesting papers</A> section
|
|
below.</P>
|
|
<H4><A name="standards">Crypto and security standards</A></H4>
|
|
<UL>
|
|
<LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new
|
|
international computer and network security standards to replace the
|
|
"Rainbow" series</LI>
|
|
<LI>AES<A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
|
|
Advanced Encryption Standard</A> which will replace DES</LI>
|
|
<LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public key
|
|
standard</A></LI>
|
|
<LI>our collection of links for the<A href="#ipsec.link"> IPsec</A>
|
|
standards</LI>
|
|
<LI>history of<A href="http://www.visi.com/crypto/evalhist/index.html">
|
|
formal evaluation</A> of security policies and implementation</LI>
|
|
</UL>
|
|
<H4><A name="quotes">Crypto quotes</A></H4>
|
|
<P>There are several collections of cryptographic quotes on the net:</P>
|
|
<UL>
|
|
<LI><A href="http://www.eff.org/pub/EFF/quotes.eff">the EFF</A></LI>
|
|
<LI><A href="http://www.samsimpson.com/cquotes.php">Sam Simpson</A></LI>
|
|
<LI><A href="http://www.amk.ca/quotations/cryptography/page-1.html">AM
|
|
Kutchling</A></LI>
|
|
</UL>
|
|
<H3><A name="policy">Cryptography law and policy</A></H3>
|
|
<H4><A name="legal">Surveys of crypto law</A></H4>
|
|
<UL>
|
|
<LI>International survey of<A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
|
|
crypto law</A>.</LI>
|
|
<LI>International survey of<A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
|
|
digital signature law</A></LI>
|
|
</UL>
|
|
<H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
|
|
<UL>
|
|
<LI>The<A href="glossary.html#EFF"> EFF</A>'s archives on<A href="http://www.eff.org/pub/Privacy/">
|
|
privacy</A> and<A href="http://www.eff.org/pub/Privacy/ITAR_export/">
|
|
export control</A>.</LI>
|
|
<LI><A href="http://www.gilc.org">Global Internet Liberty Campaign</A></LI>
<LI><A href="http://www.cdt.org/crypto">Center for Democracy and
Technology</A></LI>
<LI><A href="http://www.privacyinternational.org/">Privacy International</A>,
who give out<A href="http://www.bigbrotherawards.org/"> Big Brother
Awards</A> to snoopy organisations</LI>
</UL>
<H4><A name="other.policy">Other information on crypto policy</A></H4>
<UL>
<LI><A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</A>, the<A href="glossary.html#IAB">
IAB</A> and<A href="glossary.html#IESG"> IESG</A> Statement on
Cryptographic Technology and the Internet.</LI>
<LI>John Young's collection of<A href="http://cryptome.org/"> documents</A>
of interest to the cryptography, open government and privacy movements,
organized chronologically</LI>
<LI>AT&T researcher Matt Blaze's Encryption, Privacy and Security<A href="http://www.crypto.com">
Resource Page</A></LI>
<LI>A good<A href="http://cryptome.org/crypto97-ne.htm"> overview</A> of
the issues from Australia.</LI>
</UL>
<P>See also our documentation section on the<A href="politics.html">
history and politics</A> of cryptography.</P>
<H3><A name="crypto.tech">Cryptography technical information</A></H3>
<H4><A name="cryptolinks">Collections of crypto links</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
<LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
Gutmann's links</A></LI>
<LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI links</A>
</LI>
<LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
</UL>
<H4><A name="papers">Lists of online cryptography papers</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
<LI><A href="http://www.cryptography.com/resources/papers">
cryptography.com</A></LI>
<LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
</UL>
<H4><A name="interesting">Particularly interesting papers</A></H4>
<P>These papers emphasize important issues around the use of
cryptography, and the design and management of secure systems.</P>
<UL>
<LI><A href="http://www.counterpane.com/keylength.html">Key length
requirements for security</A></LI>
<LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
Cryptosystems Fail</A></LI>
<LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed
encryption</A></LI>
<LI><A href="http://www.counterpane.com/pitfalls.html">Security pitfalls
in cryptography</A></LI>
<LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting
Trust</A>, Ken Thompson on Trojan horse design</LI>
<LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against
Compelled Disclosure</A>, how to maintain privacy in the face of legal
or other coercion</LI>
</UL>
<H3><A name="compsec">Computer and network security</A></H3>
<H4><A name="seclink">Security links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</A></LI>
<LI>DMOZ open directory project<A href="http://dmoz.org/Computers/Security/">
computer security</A> links</LI>
<LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</A></LI>
<LI>Mike Fuhr's<A href="http://www.fuhr.org/~mfuhr/computers/security.html">
link collection</A></LI>
<LI><A href="http://www.networkintrusion.co.uk/">links</A> with an
emphasis on intrusion detection</LI>
</UL>
<H4><A name="firewall.web">Firewall links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST firewalls</A>
</LI>
<LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
</UL>
<H4><A name="vpn">VPN links</A></H4>
<UL>
<LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
<LI>First VPN's<A href="http://www.firstvpn.com/research/rhome.html">
white paper</A> collection</LI>
</UL>
<H4><A name="tools">Security tools</A></H4>
<UL>
<LI>PGP -- mail encryption
<UL>
<LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for
commercial versions</LI>
<LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes
the NAI product for non-commercial use</LI>
<LI><A href="http://www.pgpi.org/">international</A> distribution site</LI>
<LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
<LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
</UL>
A message in our mailing list archive has considerable detail on<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
available versions</A> of PGP and on IPsec support in them.
<P><STRONG>Note:</STRONG> A fairly nasty bug exists in all commercial
PGP versions from 5.5 through 6.5.3. If you have one of those,<STRONG>
upgrade now</STRONG>.</P>
</LI>
<LI>SSH -- secure remote login
<UL>
<LI><A href="http://www.ssh.fi">SSH Communications Security</A>, for the
original software. It is free for trial, academic and non-commercial
use.</LI>
<LI><A href="http://www.openssh.com/">OpenSSH</A>, the OpenBSD team's
free replacement</LI>
<LI><A href="http://www.freessh.org/">freessh.org</A>, links to free
implementations for many systems</LI>
<LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</A></LI>
<LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">PuTTY</A>,
an SSH client for Windows</LI>
</UL>
</LI>
<LI>Tripwire saves message digests of your system files. Re-calculate
the digests and compare to saved values to detect any file changes.
There are several versions available:
<UL>
<LI><A href="http://www.tripwiresecurity.com/">commercial version</A></LI>
<LI><A href="http://www.tripwire.org/">Open Source</A></LI>
</UL>
</LI>
<LI><A href="http://www.snort.org">Snort</A> and<A href="http://www.lids.org">
LIDS</A> are intrusion detection systems for Linux</LI>
<LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A>, System
Administrators Tool for Analysing Networks</LI>
<LI><A href="http://www.insecure.org/nmap/">NMAP</A>, the Network Mapper</LI>
<LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
Venema's page</A> with various tools</LI>
<LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic Archive</A>,
various tools to analyze network traffic, mostly scripts to organise
and format tcpdump(8) output for specific purposes</LI>
<LI><A name="ssmail">ssmail -- sendmail patched to do</A><A href="glossary.html#carpediem">
opportunistic encryption</A>
<UL>
<LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with
links to code and to a Usenix paper describing it, in PDF</LI>
</UL>
</LI>
<LI><A href="http://www.openca.org/">Open CA</A> project to develop a
freely distributed<A href="glossary.html#CA"> Certification Authority</A>
for building an open<A href="glossary.html#PKI"> Public Key
Infrastructure</A>.</LI>
</UL>
<H3><A name="people">Links to home pages</A></H3>
<P>David Wagner at Berkeley provides a set of links to<A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
home pages</A> of cryptographers, cypherpunks and computer security
people.</P>
<HR>
<A HREF="toc.html">Contents</A>
<A HREF="mail.html">Previous</A>
<A HREF="glossary.html">Next</A>
</BODY>
</HTML>