path: root/doc/web.html
Diffstat (limited to 'doc/web.html')
-rw-r--r-- doc/web.html 749
1 files changed, 749 insertions, 0 deletions
diff --git a/doc/web.html b/doc/web.html
new file mode 100644
index 000000000..0c084d289
--- /dev/null
+++ b/doc/web.html
@@ -0,0 +1,749 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<HTML>
+<HEAD>
+<TITLE>Introduction to FreeS/WAN</TITLE>
+<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
+<STYLE TYPE="text/css"><!--
+BODY { font-family: serif }
+H1 { font-family: sans-serif }
+H2 { font-family: sans-serif }
+H3 { font-family: sans-serif }
+H4 { font-family: sans-serif }
+H5 { font-family: sans-serif }
+H6 { font-family: sans-serif }
+SUB { font-size: smaller }
+SUP { font-size: smaller }
+PRE { font-family: monospace }
+--></STYLE>
+</HEAD>
+<BODY>
+<A HREF="toc.html">Contents</A>
+<A HREF="mail.html">Previous</A>
+<A HREF="glossary.html">Next</A>
+<HR>
+<H1><A name="weblink">Web links</A></H1>
+<H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
+<P>The main project web site is<A href="http://www.freeswan.org/">
+ www.freeswan.org</A>.</P>
+<P>Links to other project-related<A href="intro.html#sites"> sites</A>
+ are provided in our introduction section.</P>
+<H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
+<P>Some user-contributed patches have been integrated into the FreeS/WAN
+ distribution. For a variety of reasons, those listed below have not.</P>
+<P>Note that not all patches are a good idea.</P>
+<UL>
+<LI>There are a number of &quot;features&quot; of IPsec which we do not implement
+ because they reduce security. See this<A href="compat.html#dropped">
+ discussion</A>. We do not recommend using patches that implement these.
+ One example is aggressive mode.</LI>
+<LI>We do not recommend adding &quot;features&quot; of any sort unless they are
+ clearly necessary, or at least have clear benefits. For example,
+ FreeS/WAN would not become more secure if it offerred a choice of 14
+ ciphers. If even one was flawed, it would certainly become less secure
+ for anyone using that cipher. Even with 14 wonderful ciphers, it would
+ be harder to maintain and administer, hence more vulnerable to various
+ human errors.</LI>
+</UL>
+<P>This is not to say that patches are necessarily bad, only that using
+ them requires some deliberation. For example, there might be perfectly
+ good reasons to add a specific cipher in your application: perhaps GOST
+ to comply with government standards in Eastern Europe, or AES for
+ performance benefits.</P>
+<H4>Current patches</H4>
+<P>Patches believed current::</P>
+<UL>
+<LI>patches for<A href="http://www.strongsec.com/freeswan/"> X.509
+ certificate support</A>, also available from a<A href="http://www.twi.ch/~sna/strongsec/freeswan/">
+ mirror site</A></LI>
+<LI>patches to add<A href="http://www.irrigacion.gov.ar/juanjo/ipsec">
+ AES and other ciphers</A>. There is preliminary data indicating AES
+ gives a substantial<A href="performance.html#perf.more"> performance
+ gain</A>.</LI>
+</UL>
+<P>There is also one add-on that takes the form of a modified FreeS/WAN
+ distribution, rather than just patches to the standard distribution:</P>
+<UL>
+<LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
+ support</A></LI>
+</UL>
+<P>Before using any of the above,, check the<A href="mail.html"> mailing
+ lists</A> for news of newer versions and to see whether they have been
+ incorporated into more recent versions of FreeS/WAN.</P>
+<H4>Older patches</H4>
+<UL>
+<LI><A href="http://sources.colubris.com/en/projects/FreeSWAN/">hardware
+ acceleration</A></LI>
+<LI>a<A href="http://tzukanov.narod.ru/"> series</A> of patches that
+<UL>
+<LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler</LI>
+<LI>add GOST to OpenSSL</LI>
+<LI>add GOST to the International kernel patch</LI>
+<LI>let FreeS/WAN use International kernel patch ciphers</LI>
+</UL>
+</LI>
+<LI>Neil Dunbar's patches for<A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
+ certificate support</A>, using code from<A href="http://www.openssl.org">
+ Open SSL</A>.</LI>
+<LI>Luc Lanthier's<A href="ftp://ftp.netwinder.org/users/f/firesoul/">
+ patches</A> for<A href="glossary.html#PKIX"> PKIX</A> support.</LI>
+<LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
+ to add<A href="glossary.html#blowfish"> Blowfish</A>,<A href="glossary.html#IDEA">
+ IDEA</A> and<A href="glossary.html#CAST128"> CAST-128</A> to FreeS/WAN</LI>
+<LI>patches for FreeS/WAN 1.3, Pluto support for<A href="http://alcatraz.webcriminals.com/~bastiaan/ipsec/">
+ external authentication</A>, for example with a smartcard or SKEYID.</LI>
+<LI><A href="http://www.zengl.net/freeswan/download/">patches and
+ utilities</A> for using FreeS/WAN with PGPnet</LI>
+<LI><A href="http://www.freelith.com/lithworks/crypto/freeswan_patch.htm">
+Blowfish encryption and Tiger hash</A></LI>
+<LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
+patches</A> for aggressive mode support</LI>
+</UL>
+<P>These patches are for older versions of FreeS/WAN and will likely not
+ work with the current version. Older versions of FreeS/WAN may be
+ available on some of the<A href="intro.html#sites"> distribution sites</A>
+, but we recommend using the current release.</P>
+<H4><A name="VPN.masq">VPN masquerade patches</A></H4>
+<P>Finally, there are some patches to other code that may be useful with
+ FreeS/WAN:</P>
+<UL>
+<LI>a<A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
+ patch</A> to make IPsec, PPTP and SSH VPNs work through a Linux
+ firewall with<A href="glossary.html#masq"> IP masquerade</A>.</LI>
+<LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
+Linux VPN Masquerade HOWTO</A></LI>
+</UL>
+<P>Note that this is not required if the same machine does IPsec and
+ masquerading, only if you want a to locate your IPsec gateway on a
+ masqueraded network. See our<A href="firewall.html#NAT"> firewalls</A>
+ document for discussion of why this is problematic.</P>
+<P>At last report, this patch could not co-exist with FreeS/WAN on the
+ same machine.</P>
+<H3><A name="dist">Distributions including FreeS/WAN</A></H3>
+<P>The introductory section of our document set lists several<A href="intro.html#distwith">
+ Linux distributions</A> which include FreeS/WAN.</P>
+<H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
+<UL>
+<LI><A href="http://openpgp.net/random">/dev/random</A> support page,
+ discussion of and code for the Linux<A href="glossary.html#random">
+ random number driver</A>. Out-of-date when we last checked (January
+ 2000), but still useful.</LI>
+<LI>other programs related to random numbers:
+<UL>
+<LI><A href="http://www.mindrot.org/audio-entropyd.html">audio entropy
+ daemon</A> to gather noise from a sound card and feed it into
+ /dev/random</LI>
+<LI>an<A href="http://www.lothar.com/tech/crypto/"> entropy-gathering
+ daemon</A></LI>
+<LI>a driver for the random number generator in recent<A href="http://sourceforge.net/projects/gkernel/">
+ Intel chipsets</A>. This driver is included as standard in 2.4 kernels.</LI>
+</UL>
+</LI>
+<LI>a Linux<A href="http://www.marko.net/l2tp/"> L2TP Daemon</A> which
+ might be useful for communicating with Windows 2000 which builds L2TP
+ tunnels over its IPsec connections</LI>
+<LI>to use opportunistic encryption, you need a recent version of<A href="glossary.html#BIND">
+ BIND</A>. You can get one from the<A href="http://www.isc.org">
+ Internet Software Consortium</A> who maintain BIND.</LI>
+</UL>
+<H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
+<UL>
+<LI>other Linux<A href="#linuxipsec"> IPsec implementations</A></LI>
+<LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free
+ implementation of Sun's<A href="glossary.html#SKIP"> SKIP</A> protocol</LI>
+<LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPsec VPN
+ daemon for Linux which creates tunnels using<A href="glossary.html#Blowfish">
+ Blowfish</A> encryption</LI>
+<LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple
+ GPLd tunnel-building program with Linux and Win32 versions. The name is
+ from<STRONG> Z</STRONG>lib compression,<STRONG> B</STRONG>lowfish
+ encryption and<STRONG> D</STRONG>iffie-Hellman key exchange.</LI>
+<LI>There are at least two PPTP implementations for Linux
+<UL>
+<LI>Moreton Bay's<A href="http://www.moretonbay.com/vpn/pptp.html">
+ PoPToP</A></LI>
+<LI><A href="http://cag.lcs.mit.edu/~cananian/Projects/PPTP/">PPTP-Linux</A>
+</LI>
+</UL>
+</LI>
+<LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
+ (crypto IP encapsulation) project, using their own lightweight protocol
+ to encrypt between routers</LI>
+<LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
+</UL>
+<P>There is a list of<A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
+ Linux VPN</A> software in the<A href="http://www.securityportal.com/lskb/kben00000001.html">
+ Linux Security Knowledge Base</A>.</P>
+<H2><A name="ipsec.link">The IPsec Protocols</A></H2>
+<H3><A name="general">General IPsec or VPN information</A></H3>
+<UL>
+<LI>The<A href="http://www.vpnc.org"> VPN Consortium</A> is a group for
+ vendors of IPsec products. Among other things, they have a good
+ collection of<A href="http://www.vpnc.org/white-papers.html"> IPsec
+ white papers</A>.</LI>
+<LI>A VPN mailing list with a<A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
+ home page</A>, a FAQ, some product comparisons, and many links.</LI>
+<LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer page</A></LI>
+<LI>a<A href="http://www.epm.ornl.gov/~dunigan/vpn.html"> collection</A>
+ of VPN links, and some explanation</LI>
+</UL>
+<H3><A name="overview">IPsec overview documents or slide sets</A></H3>
+<UL>
+<LI>the FreeS/WAN<A href="ipsec.html"> document section</A> on these
+ protocols</LI>
+</UL>
+<H3><A name="otherlang">IPsec information in languages other than
+ English</A></H3>
+<UL>
+<LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
+German</A></LI>
+<LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
+<LI>Feczak Szabolcs' thesis in<A href="http://feczo.koli.kando.hu/vpn/">
+ Hungarian</A></LI>
+<LI>Davide Cerri's thesis and some presentation slides<A href="http://www.linux.it/~davide/doc/">
+ Italian</A></LI>
+</UL>
+<H3><A name="RFCs1">RFCs and other reference documents</A></H3>
+<UL>
+<LI><A href="rfc.html">Our document</A> listing the RFCs relevant to
+ Linux FreeS/WAN and giving various ways of obtaining both RFCs and
+ Internet Drafts.</LI>
+<LI><A href="http://www.vpnc.org/vpn-standards.html">VPN Standards</A>
+ page maintained by<A href="glossary.html#VPNC"> VPNC</A>. This covers
+ both RFCs and Drafts, and classifies them in a fairly helpful way.</LI>
+<LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
+<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
+ related to IPsec</LI>
+<LI>US government<A href="http://www.itl.nist.gov/div897/pubs"> site</A>
+ with their<A href="glossary.html#FIPS"> FIPS</A> standards</LI>
+<LI>Archives of the ipsec@tis.com mailing list where discussion of
+ drafts takes place.
+<UL>
+<LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern Canada</A></LI>
+<LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
+</UL>
+</LI>
+</UL>
+<H3><A name="analysis">Analysis and critiques of IPsec protocols</A></H3>
+<UL>
+<LI>Counterpane's<A href="http://www.counterpane.com/ipsec.pdf">
+ evaluation</A> of the protocols</LI>
+<LI>Simpson's<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
+ IKE Considered Dangerous</A> paper. Note that this is a link to an
+ archive of our mailing list. There are several replies in addition to
+ the paper itself.</LI>
+<LI>Fate Labs<A href="http://www.fatelabs.com/loki-vpn.pdf"> Virual
+ Private Problems: the Broken Dream</A></LI>
+<LI>Catherine Meadows' paper<CITE> Analysis of the Internet Key Exchange
+ Protocol Using the NRL Protocol Analyzer</CITE>, in<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
+ PDF</A> or<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
+ Postscript</A>.</LI>
+<LI>Perlman and Kaufmnan
+<UL>
+<LI><A href="http://snoopy.seas.smu.edu/ee8392_summer01/week7/perlman2.pdf">
+Key Exchange in IPsec</A></LI>
+<LI>a newer<A href="http://sec.femto.org/wetice-2001/papers/radia-paper.pdf">
+ PDF paper</A>,<CITE> Analysis of the IPsec Key Exchange Standard</CITE>
+.</LI>
+</UL>
+</LI>
+<LI>Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
+ papers</A> page including his:
+<UL>
+<LI><CITE>Security Problems in the TCP/IP Protocol Suite</CITE> (1989)</LI>
+<LI><CITE>Problem Areas for the IP Security Protocols</CITE> (1996)</LI>
+<LI><CITE>Probable Plaintext Cryptanalysis of the IP Security Protocols</CITE>
+ (1997)</LI>
+</UL>
+</LI>
+<LI>An<A href="http://www.lounge.org/ike_doi_errata.html"> errata list</A>
+ for the IPsec RFCs.</LI>
+</UL>
+<H3><A name="IP.background">Background information on IP</A></H3>
+<UL>
+<LI>An<A href="http://ipprimer.windsorcs.com/"> IP tutorial</A> that
+ seems to be written mainly for Netware or Microsoft LAN admins entering
+ a new world</LI>
+<LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers
+ Authority</LI>
+<LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>,
+ Classless Inter-Domain Routing</LI>
+<LI>Also see our<A href="biblio.html"> bibliography</A></LI>
+</UL>
+<H2><A name="implement">IPsec Implementations</A></H2>
+<H3><A name="linuxprod">Linux products</A></H3>
+<P>Vendors using FreeS/WAN in turnkey firewall or VPN products are
+ listed in our<A href="intro.html#turnkey"> introduction</A>.</P>
+<P>Other vendors have Linux IPsec products which, as far as we know, do
+ not use FreeS/WAN</P>
+<UL>
+<LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
+ provide an open source Linux driver for their PCI hardware VPN card.
+ This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
+ specialised crypto chips, and claimed encryption performance of 45
+ Mbit/sec. The PC sees it as an Ethernet board.</LI>
+<LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
+ offer a Linux-based VPN with hardware encryption</LI>
+<LI><A href="http://www.watchguard.com/">Watchguard</A> use Linux in
+ their Firebox product.</LI>
+<LI><A href="http://www.entrust.com">Entrust</A> offer a developers'
+ toolkit for using their<A href="glossary.html#PKI"> PKI</A> for IPsec
+ authentication</LI>
+<LI>According to a report on our mailing list,<A href="http://www.axent.com">
+ Axent</A> have a Linux version of their product.</LI>
+</UL>
+<H3><A name="router">IPsec in router products</A></H3>
+<P>All the major router vendors support IPsec, at least in some models.</P>
+<UL>
+<LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
+ IPsec information</LI>
+<LI>Ascend, now part of<A href="http://www.lucent.com/"> Lucent</A>,
+ have some IPsec-based products</LI>
+<LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part
+ of Nortel, use IPsec in their Contivity switch product line</LI>
+<LI><A href="http://www.3com.com/products/enterprise.html">3Com</A> have
+ a number of VPN products, some using IPsec</LI>
+</UL>
+<H3><A name="fw.web">IPsec in firewall products</A></H3>
+<P>Many firewall vendors offer IPsec, either as a standard part of their
+ product, or an optional extra. A few we know about are:</P>
+<UL>
+<LI><A href="http://www.borderware.com/">Borderware</A></LI>
+<LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
+ Laurent</A></LI>
+<LI><A href="http://www.watchguard.com">Watchguard</A></LI>
+<LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2</LI>
+</UL>
+<P>Vendors using FreeS/WAN in turnkey firewall products are listed in
+ our<A href="intro.html#turnkey"> introduction</A>.</P>
+<H3><A name="ipsecos">Operating systems with IPsec support</A></H3>
+<P>All the major open source operating systems support IPsec. See below
+ for details on<A href="#BSD"> BSD-derived</A> Unix variants.</P>
+<P>Among commercial OS vendors, IPsec players include:</P>
+<UL>
+<LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
+Microsoft</A> have put IPsec in their Windows 2000 and XP products</LI>
+<LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
+ announce a release of OS390 with IPsec support via a crypto
+ co-processor</LI>
+<LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
+Sun</A> include IPsec in Solaris 8</LI>
+<LI><A href="http://www.hp.com/security/products/extranet-security.html">
+Hewlett Packard</A> offer IPsec for their Unix machines</LI>
+<LI>Certicom have IPsec available for the<A href="http://www.certicom.com/products/movian/movianvpn_tech.html">
+ Palm</A>.</LI>
+<LI>There were reports before the release that Apple's Mac OS X would
+ have IPsec support built in, but it did not seem to be there when we
+ last checked. If you find, it please let us know via the<A href="mail.html">
+ mailing list</A>.</LI>
+</UL>
+<H3><A NAME="29_3_5">IPsec on network cards</A></H3>
+<P>Network cards with built-in IPsec acceleration are available from at
+ least Intel, 3Com and Redcreek.</P>
+<H3><A name="opensource">Open source IPsec implementations</A></H3>
+<H4><A name="linuxipsec">Other Linux IPsec implementations</A></H4>
+<P>We like to think of FreeS/WAN as<EM> the</EM> Linux IPsec
+ implementation, but it is not the only one. Others we know of are:</P>
+<UL>
+<LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a
+ lightweight implementation of IPsec for Linux. Does not require kernel
+ recompilation.</LI>
+<LI>Petr Novak's<A href="ftp://ftp.eunet.cz/icz/ipnsec/"> ipnsec</A>,
+ based on the OpenBSD IPsec code and using<A href="glossary.html#photuris">
+ Photuris</A> for key management</LI>
+<LI>A now defunct project at<A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
+ U of Arizona</A> (export controlled)</LI>
+<LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</A>
+ (export controlled)</LI>
+</UL>
+<H4><A name="BSD">IPsec for BSD Unix</A></H4>
+<UL>
+<LI><A href="http://www.kame.net/project-overview.html">KAME</A>,
+ several large Japanese companies co-operating on IPv6 and IPsec</LI>
+<LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
+ implementation of IPv6 and of IPsec for IPv4 (export controlled)</LI>
+<LI><A href="http://www.openbsd.org">OpenBSD</A> includes IPsec as a
+ standard part of the distribution</LI>
+<LI><A href="http://www.r4k.net/ipsec">IPsec for FreeBSD</A></LI>
+<LI>a<A href="http://www.netbsd.org/Documentation/network/ipsec/"> FAQ</A>
+ on NetBSD's IPsec implementation</LI>
+</UL>
+<H4><A name="misc">IPsec for other systems</A></H4>
+<UL>
+<LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
+ Technolgy</A> have implemented IPsec for Solaris, Java and Macintosh</LI>
+</UL>
+<H3><A name="interop.web">Interoperability</A></H3>
+<P>The IPsec protocols are designed so that different implementations
+ should be able to work together. As they say &quot;the devil is in the
+ details&quot;. IPsec has a lot of details, but considerable success has been
+ achieved.</P>
+<H4><A name="result">Interoperability results</A></H4>
+<P>Linux FreeS/WAN has been tested for interoperability with many other
+ IPsec implementations. Results to date are in our<A href="interop.html">
+ interoperability</A> section.</P>
+<P>Various other sites have information on interoperability between
+ various IPsec implementations:</P>
+<UL>
+<LI><A href="http://www.opus1.com/vpn/atl99display.html">interop results</A>
+ from a bakeoff in Atlanta, September 1999.</LI>
+<LI>a French company, HSC's,<A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
+ interoperability</A> test data covers FreeS/WAN, Open BSD, KAME, Linux
+ pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS</LI>
+<LI><A href="http://www.icsa.net/">ICSA</A> offer certification programs
+ for various security-related products. See their list of<A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
+ certified IPsec</A> products. Linux FreeS/WAN is not currently on that
+ list, but several products with which we interoperate are.</LI>
+<LI>VPNC have a page on why they are not yet doing<A href="http://www.vpnc.org/interop.html">
+ interoperability</A> testing and a page on the<A href="http://www.vpnc.org/conformance.html">
+ spec conformance</A> testing that they are doing</LI>
+<LI>a<A href="http://www.commweb.com/article/COM20000912S0009"> review</A>
+ comparing a dozen commercial IPsec implemetations. Unfortunately, the
+ reviewers did not look at Open Source implementations such as FreeS/WAN
+ or OpenBSD.</LI>
+<LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
+results</A> from interoperability tests at a conference. FreeS/WAN was
+ not tested there.</LI>
+<LI>test results from the<A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
+ IPSEC 2000</A> conference</LI>
+</UL>
+<H4><A name="test1">Interoperability test sites</A></H4>
+<UL>
+<LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing
+ project with free IPsec validation software</LI>
+<LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of
+ Standards and Technology</A></LI>
+<LI><A href="http://isakmp-test.ssh.fi/">SSH Communications Security</A></LI>
+</UL>
+<H2><A name="linux.link">Linux links</A></H2>
+<H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
+<UL>
+<LI>Linux<A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
+ Getting Started</A> HOWTO document</LI>
+<LI>A getting started guide from the<A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
+ U of Oregon</A></LI>
+<LI>A large<A href="http://www.herring.org/techie.html"> link collection</A>
+ which includes a lot of introductory and tutorial material on Unix,
+ Linux, the net, . . .</LI>
+</UL>
+<H3><A name="general">General Linux sites</A></H3>
+<UL>
+<LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
+<LI><A href="http://slashdot.org">Slashdot</A> &quot;News for Nerds&quot;</LI>
+<LI><A href="http://www.linux.org">Linux Online</A></LI>
+<LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
+<LI><A href="http://www.tux.org">tux.org</A></LI>
+</UL>
+<H3><A name="docs.ldp">Documentation</A></H3>
+<P>Nearly any Linux documentation you are likely to want can be found at
+ the<A href="http://metalab.unc.edu/LDP"> Linux Documentation Project</A>
+ or LDP.</P>
+<UL>
+<LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
+ guide to Linux information sources</LI>
+<LI>The LDP's HowTo documents are a standard Linux reference. See this<A href="http://www.linuxdoc.org/docs.html#howto">
+ list</A>. Documents there most relevant to a FreeS/WAN gateway are:
+<UL>
+<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
+ HOWTO</A></LI>
+<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
+Networking Overview HOWTO</A></LI>
+<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
+Security HOWTO</A></LI>
+</UL>
+</LI>
+<LI>The LDP do a series of Guides, book-sized publications with more
+ detail (and often more &quot;why do it this way?&quot;) than the HowTos. See this<A
+href="http://www.linuxdoc.org/guides.html"> list</A>. Documents there
+ most relevant to a FreeS/WAN gateway are:
+<UL>
+<LI><A href="http://www.tml.hut.fi/~viu/linux/sag/">System
+ Administrator's Guide</A></LI>
+<LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Network
+ Adminstrator's Guide</A></LI>
+<LI><A href="http://www.seifried.org/lasg/">Linux Administrator's
+ Security Guide</A></LI>
+</UL>
+</LI>
+</UL>
+<P>You may not need to go to the LDP to get this material. Most Linux
+ distributions include the HowTos on their CDs and several include the
+ Guides as well. Also, most of the Guides and some collections of HowTos
+ are available in book form from various publishers.</P>
+<P>Much of the LDP material is also available in languages other than
+ English. See this<A href="http://www.linuxdoc.org/links/nenglish.html">
+ LDP page</A>.</P>
+<H3><A name="advroute.web">Advanced routing</A></H3>
+<P>The Linux IP stack has some new features in 2.4 kernels. Some HowTos
+ have been written:</P>
+<UL>
+<LI>several HowTos for the<A href="http://netfilter.samba.org/unreliable-guides/">
+ netfilter</A> firewall code in newer kernels</LI>
+<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
+2.4 networking</A> HowTo</LI>
+<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
+2.4 routing</A> HowTo</LI>
+</UL>
+<H3><A name="linsec">Security for Linux</A></H3>
+<P>See also the<A href="#docs.ldp"> LDP material</A> above.</P>
+<UL>
+<LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
+Trinity OS guide to setting up Linux</A></LI>
+<LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
+<LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting
+ filesystem</LI>
+<LI><A href="http://EncryptionHOWTO.sourceforge.net/">Linux Encryption
+ HowTo</A> (outdated when last checked, had an Oct 2000 revision date in
+ March 2002)</LI>
+</UL>
+<H3><A name="firewall.linux">Linux firewalls</A></H3>
+<P>Our<A href="firewall.html"> FreeS/WAN and firewalls</A> document
+ includes links to several sets of<A href="firewall.html#examplefw">
+ scripts</A> known to work with FreeS/WAN.</P>
+<P>Other information sources:</P>
+<UL>
+<LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
+<LI><A href="http://netfilter.samba.org/unreliable-guides/">netfilter</A>
+ firewall code in 2.4 kernels</LI>
+<LI>Our list of general<A href="#firewall.web"> firewall references</A>
+ on the web</LI>
+<LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool for
+ automatically configuring Linux firewalls</LI>
+<LI>the web cache software<A href="http://www.squid-cache.org/"> squid</A>
+ and<A href="http://www.squidguard.org/"> squidguard</A> which turns
+ Squid into a filtering web proxy</LI>
+</UL>
+<H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
+<UL>
+<LI><A href="http://lwn.net/current/dists.php3">Linux distribution
+ vendors</A></LI>
+<LI><A href="http://www.linux.org/groups/">Linux User Groups</A></LI>
+</UL>
+<H2><A name="crypto.link">Crypto and security links</A></H2>
+<H3><A name="security">Crypto and security resources</A></H3>
+<H4><A name="std.links">The standard link collections</A></H4>
+<P>Two enormous collections of links, each the standard reference in its
+ area:</P>
+<DL>
+<DT>Gene Spafford's<A href="http://www.cerias.purdue.edu/coast/hotlist/">
+ COAST hotlist</A></DT>
+<DD>Computer and network security.</DD>
+<DT>Peter Gutmann's<A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
+ Encryption and Security-related Resources</A></DT>
+<DD>Cryptography.</DD>
+</DL>
+<H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
+<UL>
+<LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
+ FAQ</A></LI>
+<LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
+<LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
+ Programming FAQ</A></LI>
+<LI>FAQs for specific programs are listed in the<A href="#tools"> tools</A>
+ section below.</LI>
+</UL>
+<H4><A name="cryptover">Tutorials</A></H4>
+<UL>
+<LI>Gary Kessler's<A href="http://www.garykessler.net/library/crypto.html">
+ Overview of Cryptography</A></LI>
+<LI>Terry Ritter's<A href="http://www.ciphersbyritter.com/LEARNING.HTM">
+ introduction</A></LI>
+<LI>Peter Gutman's<A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
+ cryptography</A> tutorial (500 slides in PDF format)</LI>
+<LI>Amir Herzberg of IBM's sildes for his course<A href="http://www.hrl.il.ibm.com/mpay/course.html">
+ Introduction to Cryptography and Electronic Commerce</A></LI>
+<LI>the<A href="http://www.gnupg.org/gph/en/manual/c173.html"> concepts
+ section</A> of the<A href="glossary.html#GPG"> GNU Privacy Guard</A>
+ documentation</LI>
+<LI>Bruce Schneier's self-study<A href="http://www.counterpane.com/self-study.html">
+ cryptanalysis</A> course</LI>
+</UL>
+<P>See also the<A href="#interesting"> interesting papers</A> section
+ below.</P>
+<H4><A name="standards">Crypto and security standards</A></H4>
+<UL>
+<LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new
+ international computer and network security standards to replace the
+ &quot;Rainbow&quot; series</LI>
+<LI>AES<A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
+ Advanced Encryption Standard</A> which will replace DES</LI>
+<LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public key
+ standard</A></LI>
+<LI>our collection of links for the<A href="#ipsec.link"> IPsec</A>
+ standards</LI>
+<LI>history of<A href="http://www.visi.com/crypto/evalhist/index.html">
+ formal evaluation</A> of security policies and implementation</LI>
+</UL>
+<H4><A name="quotes">Crypto quotes</A></H4>
+<P>There are several collections of cryptographic quotes on the net:</P>
+<UL>
+<LI><A href="http://www.eff.org/pub/EFF/quotes.eff">the EFF</A></LI>
+<LI><A href="http://www.samsimpson.com/cquotes.php">Sam Simpson</A></LI>
+<LI><A href="http://www.amk.ca/quotations/cryptography/page-1.html">AM
+ Kutchling</A></LI>
+</UL>
+<H3><A name="policy">Cryptography law and policy</A></H3>
+<H4><A name="legal">Surveys of crypto law</A></H4>
+<UL>
+<LI>International survey of<A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
+ crypto law</A>.</LI>
+<LI>International survey of<A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
+ digital signature law</A></LI>
+</UL>
+<H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
+<UL>
+<LI>The<A href="glossary.html#EFF"> EFF</A>'s archives on<A href="http://www.eff.org/pub/Privacy/">
+ privacy</A> and<A href="http://www.eff.org/pub/Privacy/ITAR_export/">
+ export control</A>.</LI>
+<LI><A href="http://www.gilc.org">Global Internet Liberty Campaign</A></LI>
+<LI><A href="http://www.cdt.org/crypto">Center for Democracy and
+ Technology</A></LI>
+<LI><A href="http://www.privacyinternational.org/">Privacy International</A>
+, who give out<A href="http://www.bigbrotherawards.org/"> Big Brother
+ Awards</A> to snoopy organisations</LI>
+</UL>
+<H4><A name="other.policy">Other information on crypto policy</A></H4>
+<UL>
+<LI><A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</A>, the<A href="glossary.html#IAB">
+ IAB</A> and<A href="glossary.html#IESG"> IESG</A> Statement on
+ Cryptographic Technology and the Internet.</LI>
+<LI>John Young's collection of<A href="http://cryptome.org/"> documents</A>
+ of interest to the cryptography, open government and privacy movements,
+ organized chronologically</LI>
+<LI>AT&amp;T researcher Matt Blaze's Encryption, Privacy and Security<A href="http://www.crypto.com">
+ Resource Page</A></LI>
+<LI>A good<A href="http://cryptome.org/crypto97-ne.htm"> overview</A> of
+ the issues from Australia.</LI>
+</UL>
+<P>See also our documentation section on the<A href="politics.html">
+ history and politics</A> of cryptography.</P>
+<H3><A name="crypto.tech">Cryptography technical information</A></H3>
+<H4><A name="cryptolinks">Collections of crypto links</A></H4>
+<UL>
+<LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
+<LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
+ Gutman's links</A></LI>
+<LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI links</A>
+</LI>
+<LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
+</UL>
+<H4><A name="papers">Lists of online cryptography papers</A></H4>
+<UL>
+<LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
+<LI><A href="http://www.cryptography.com/resources/papers">
+cryptography.com</A></LI>
+<LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
+</UL>
+<H4><A name="interesting">Particularly interesting papers</A></H4>
+<P>These papers emphasize important issues around the use of
+ cryptography, and the design and management of secure systems.</P>
+<UL>
+<LI><A href="http://www.counterpane.com/keylength.html">Key length
+ requirements for security</A></LI>
+<LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
+ Cryptosystems Fail</A></LI>
+<LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed
+ encryption</A></LI>
+<LI><A href="http://www.counterpane.com/pitfalls.html">Security pitfalls
+ in cryptography</A></LI>
+<LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting
+ Trust</A>, Ken Thompson on Trojan horse design</LI>
+<LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against
+ Compelled Disclosure</A>, how to maintain privacy in the face of legal
+ or other coersion</LI>
+</UL>
+<H3><A name="compsec">Computer and network security</A></H3>
+<H4><A name="seclink">Security links</A></H4>
+<UL>
+<LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</A></LI>
+<LI>DMOZ open directory project<A href="http://dmoz.org/Computers/Security/">
+ computer security</A> links</LI>
+<LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</A></LI>
+<LI>Mike Fuhr's<A href="http://www.fuhr.org/~mfuhr/computers/security.html">
+ link collection</A></LI>
+<LI><A href="http://www.networkintrusion.co.uk/">links</A> with an
+ emphasis on intrusion detection</LI>
+</UL>
+<H4><A name="firewall.web">Firewall links</A></H4>
+<UL>
+<LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST firewalls</A>
+</LI>
+<LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
+</UL>
+<H4><A name="vpn">VPN links</A></H4>
+<UL>
+<LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
+<LI>First VPN's<A href="http://www.firstvpn.com/research/rhome.html">
+ white paper</A> collection</LI>
+</UL>
+<H4><A name="tools">Security tools</A></H4>
+<UL>
+<LI>PGP -- mail encryption
+<UL>
+<LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for
+ commercial versions</LI>
+<LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes
+ the NAI product for non-commercial use</LI>
+<LI><A href="http://www.pgpi.org/">international</A> distribution site</LI>
+<LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
+<LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
+</UL>
+ A message in our mailing list archive has considerable detail on<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
+ available versions</A> of PGP and on IPsec support in them.
+<P><STRONG>Note:</STRONG> A fairly nasty bug exists in all commercial
+ PGP versions from 5.5 through 6.5.3. If you have one of those,<STRONG>
+ upgrade now</STRONG>.</P>
+</LI>
+<LI>SSH -- secure remote login
+<UL>
+<LI><A href="http://www.ssh.fi">SSH Communications Security</A>, for the
+ original software. It is free for trial, academic and non-commercial
+ use.</LI>
+<LI><A href="http://www.openssh.com/">Open SSH</A>, the Open BSD team's
+ free replacement</LI>
+<LI><A href="http://www.freessh.org/">freessh.org</A>, links to free
+ implementations for many systems</LI>
+<LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</A></LI>
+<LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</A>
+, an SSH client for Windows</LI>
+</UL>
+</LI>
+<LI>Tripwire saves message digests of your system files. Re-calculate
+ the digests and compare to saved values to detect any file changes.
+ There are several versions available:
+<UL>
+<LI><A href="http://www.tripwiresecurity.com/">commercial version</A></LI>
+<LI><A href="http://www.tripwire.org/">Open Source</A></LI>
+</UL>
+</LI>
+<LI><A href="http://www.snort.org">Snort</A> and<A href="http://www.lids.org">
+ LIDS</A> are intrusion detection system for Linux</LI>
+<LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A> System
+ Administrators Tool for Analysing Networks</LI>
+<LI><A href="http://www.insecure.org/nmap/">NMAP</A> Network Mapper</LI>
+<LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
+ Venema's page</A> with various tools</LI>
+<LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic Archive</A>
+, various tools to analyze network traffic, mostly scripts to organise
+ and format tcpdump(8) output for specific purposes</LI>
+<LI><A name="ssmail">ssmail -- sendmail patched to do</A><A href="glossary.html#carpediem">
+ opportunistic encryption</A>
+<UL>
+<LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with
+ links to code and to a Usenix paper describing it, in PDF</LI>
+</UL>
+</LI>
+<LI><A href="http://www.openca.org/">Open CA</A> project to develop a
+ freely distributed<A href="glossary.html#CA"> Certification Authority</A>
+ for building a open<A href="glossary.html#PKI"> Public Key
+ Infrastructure</A>.</LI>
+</UL>
+<H3><A name="people">Links to home pages</A></H3>
+<P>David Wagner at Berkeley provides a set of links to<A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
+ home pages</A> of cryptographers, cypherpunks and computer security
+ people.</P>
+<HR>
+<A HREF="toc.html">Contents</A>
+<A HREF="mail.html">Previous</A>
+<A HREF="glossary.html">Next</A>
+</BODY>
+</HTML>
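Review bot: the warning in the `<P><STRONG>Note:</STRONG>` block under "Security tools" tells readers that a "fairly nasty bug exists in all commercial PGP versions from 5.5 through 6.5.3" but gives no reference, so they cannot verify the claim or tell whether their build is affected; link the advisory or at least name and date the issue, the way the preceding sentence already links the mailing-list message on available PGP versions. The Tripwire entry says to re-calculate digests and compare to saved values, but it should add that the saved values must be kept where an intruder who can alter system files cannot also rewrite them (read-only media or a copy held off the host), since otherwise the comparison proves nothing. Spelling in the same hunk: "AM Kutchling" should read "A. M. Kuchling", "Peter Gutman's links" should read "Peter Gutmann's links", "coersion" should be "coercion", "Snort and LIDS are intrusion detection system for Linux" needs "systems", and "for building a open Public Key Infrastructure" needs "an open". As a style point, many anchors are written with the separating space inside the link text (`links to<A href="..."> home pages</A>`); moving the space outside the `<A>` tag avoids an underlined leading blank in the rendered link.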