From aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Mon, 22 May 2006 05:12:18 +0000 Subject: Import initial strongswan 2.7.0 version into SVN. --- doc/src/web.html | 905 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 905 insertions(+) create mode 100644 doc/src/web.html (limited to 'doc/src/web.html') diff --git a/doc/src/web.html b/doc/src/web.html new file mode 100644 index 000000000..19df6ffa6 --- /dev/null +++ b/doc/src/web.html @@ -0,0 +1,905 @@ + + + + + FreeS/WAN web links + + + + + +

Web links

+ +

The Linux FreeS/WAN Project

+ +

The main project web site is www.freeswan.org.

+ +

Links to other project-related sites are +provided in our introduction section.

+ +

Add-ons and patches for FreeS/WAN

+ +

Some user-contributed patches have been integrated into the FreeS/WAN +distribution. For a variety of reasons, those listed below have not.

+ +

Note that not all patches are a good idea.

There are a number of "features" of IPsec which we do not implement + because they reduce security. See this discussion. We do not recommend using + patches that implement these. One example is aggressive mode.
We do not recommend adding "features" of any sort unless they are + clearly necessary, or at least have clear benefits. For example, + FreeS/WAN would not become more secure if it offerred a choice of 14 + ciphers. If even one was flawed, it would certainly become less secure + for anyone using that cipher. Even with 14 wonderful ciphers, it would be + harder to maintain and administer, hence more vulnerable to various human + errors.

+ +

This is not to say that patches are necessarily bad, only that using them +requires some deliberation. For example, there might be perfectly good +reasons to add a specific cipher in your application: perhaps GOST to comply +with government standards in Eastern Europe, or AES for performance +benefits.

+ +

Current patches

+ +

Patches believed current::

patches for X.509 + certificate support, also available from a mirror site
patches to add AES + and other ciphers. There is preliminary data indicating AES gives a + substantial performance + gain.

+ +

There is also one add-on that takes the form of a modified FreeS/WAN +distribution, rather than just patches to the standard distribution:

IPv6 + support

+ +

Before using any of the above,, check the mailing +lists for news of newer versions and to see whether they have been +incorporated into more recent versions of FreeS/WAN.

+ +

Older patches

hardware + acceleration
a series of patches that +
- provide GOST, a Russian gov't. standard cipher, in MMX + assembler
- add GOST to OpenSSL
- add GOST to the International kernel patch
- let FreeS/WAN use International kernel patch ciphers
+
Neil Dunbar's patches for certificate + support, using code from Open + SSL.
Luc Lanthier's patches for PKIX support.
patches + to add Blowfish, IDEA and CAST-128 to FreeS/WAN
patches for FreeS/WAN 1.3, Pluto support for external + authentication, for example with a smartcard or SKEYID.
patches and + utilities for using FreeS/WAN with PGPnet
Blowfish + encryption and Tiger hash
patches + for aggressive mode support

+ +

These patches are for older versions of FreeS/WAN and will likely not work +with the current version. Older versions of FreeS/WAN may be available on +some of the distribution sites, but we +recommend using the current release.

+ +

VPN masquerade patches

+ +

Finally, there are some patches to other code that may be useful with +FreeS/WAN:

a patch + to make IPsec, PPTP and SSH VPNs work through a Linux firewall with IP masquerade.
Linux + VPN Masquerade HOWTO

+ +

Note that this is not required if the same machine does IPsec and +masquerading, only if you want a to locate your IPsec gateway on a +masqueraded network. See our firewalls +document for discussion of why this is problematic.

+ +

At last report, this patch could not co-exist with FreeS/WAN on the same +machine.

+ +

Distributions including FreeS/WAN

+ +

The introductory section of our document set lists several Linux distributions which include +FreeS/WAN.

+ +

Things FreeS/WAN uses or could use

/dev/random support page, + discussion of and code for the Linux random number driver. Out-of-date when we + last checked (January 2000), but still useful.
other programs related to random numbers: +
- audio entropy + daemon to gather noise from a sound card and feed it into + /dev/random
- an entropy-gathering + daemon
- a driver for the random number generator in recent Intel chipsets. + This driver is included as standard in 2.4 kernels.
+
a Linux L2TP Daemon which + might be useful for communicating with Windows 2000 which builds L2TP + tunnels over its IPsec connections
to use opportunistic encryption, you need a recent version of BIND. You can get one from the Internet Software Consortium who maintain + BIND.

+ +

Other approaches to VPNs for Linux

other Linux IPsec implementations
ENskip, a free + implementation of Sun's SKIP + protocol
vpnd, a non-IPsec VPN daemon + for Linux which creates tunnels using Blowfish encryption
Zebedee, a simple GPLd + tunnel-building program with Linux and Win32 versions. The name is from + Zlib compression, Blowfish encryption + and Diffie-Hellman key exchange.
There are at least two PPTP implementations for Linux +
- Moreton Bay's PoPToP
- PPTP-Linux
+
CIPE + (crypto IP encapsulation) project, using their own lightweight protocol + to encrypt between routers
tinc, a VPN Daemon

+ +

There is a list of Linux +VPN software in the Linux Security +Knowledge Base.

+ +

The IPsec Protocols

+ +

General IPsec or VPN information

The VPN Consortium is a group for + vendors of IPsec products. Among other things, they have a good + collection of IPsec white + papers.
A VPN mailing list with a home page, a FAQ, + some product comparisons, and many links.
VPN pointer page
a collection of + VPN links, and some explanation

+ +

IPsec overview documents or slide sets

the FreeS/WAN document section on these + protocols

+ +

IPsec information in languages other than +English

German
Japanese
Feczak Szabolcs' thesis in Hungarian
Davide Cerri's thesis and some presentation slides Italian

+ +

RFCs and other reference documents

Our document listing the RFCs relevant to Linux + FreeS/WAN and giving various ways of obtaining both RFCs and Internet + Drafts.
VPN Standards page + maintained by VPNC. This covers both + RFCs and Drafts, and classifies them in a fairly helpful way.
RFC archive
Internet Drafts + related to IPsec
US government site + with their FIPS standards
Archives of the ipsec@tis.com mailing list where discussion of drafts + takes place. +
- Eastern + Canada
- California.
+

+ +

Analysis and critiques of IPsec protocols

Counterpane's evaluation of the + protocols
Simpson's IKE + Considered Dangerous paper. Note that this is a link to an archive of + our mailing list. There are several replies in addition to the paper + itself.
Fate Labs Virual Private + Problems: the Broken Dream
Catherine Meadows' paper Analysis of the Internet Key Exchange + Protocol Using the NRL Protocol Analyzer, in PDF + or Postscript.
Perlman and Kaufmnan +
- Key + Exchange in IPsec
- a newer PDF + paper, Analysis of the IPsec Key Exchange + Standard.
+
Bellovin's papers page + including his: +
- Security Problems in the TCP/IP Protocol Suite + (1989)
- Problem Areas for the IP Security Protocols (1996)
- Probable Plaintext Cryptanalysis of the IP Security + Protocols (1997)
+
An errata list + for the IPsec RFCs.

+ +

Background information on IP

An IP tutorial that seems + to be written mainly for Netware or Microsoft LAN admins entering a new + world
IANA, Internet Assigned Numbers + Authority
CIDR, + Classless Inter-Domain Routing
Also see our bibliography

+ +

IPsec Implementations

+ +

Linux products

+ +

Vendors using FreeS/WAN in turnkey firewall or VPN products are listed in +our introduction.

+ +

Other vendors have Linux IPsec products which, as far as we know, do not +use FreeS/WAN

Redcreek + provide an open source Linux driver for their PCI hardware VPN card. This + card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more specialised + crypto chips, and claimed encryption performance of 45 Mbit/sec. The PC + sees it as an Ethernet board.
Paktronix + offer a Linux-based VPN with hardware encryption
Watchguard use Linux in their + Firebox product.
Entrust offer a developers' + toolkit for using their PKI for IPsec + authentication
According to a report on our mailing list, Axent have a Linux version of their + product.

+ +

IPsec in router products

+ +

All the major router vendors support IPsec, at least in some models.

Cisco IPsec + information
Ascend, now part of Lucent, have + some IPsec-based products
Bay Networks, now part of + Nortel, use IPsec in their Contivity switch product line
3Com have a + number of VPN products, some using IPsec

+ +

IPsec in firewall products

+ +

Many firewall vendors offer IPsec, either as a standard part of their +product, or an optional extra. A few we know about are:

+ +

Vendors using FreeS/WAN in turnkey firewall products are listed in our introduction.

+ +

Operating systems with IPsec support

+ +

All the major open source operating systems support IPsec. See below for +details on BSD-derived Unix variants.

+ +

Among commercial OS vendors, IPsec players include:

Microsoft + have put IPsec in their Windows 2000 and XP products
IBM + announce a release of OS390 with IPsec support via a crypto + co-processor
Sun + include IPsec in Solaris 8
Hewlett + Packard offer IPsec for their Unix machines
Certicom have IPsec available for the Palm.
There were reports before the release that Apple's Mac OS X would have + IPsec support built in, but it did not seem to be there when we last + checked. If you find, it please let us know via the mailing list.

+ +

IPsec on network cards

+ +

Network cards with built-in IPsec acceleration are available from at least +Intel, 3Com and Redcreek.

+ +

Open source IPsec implementations

+ +

Other Linux IPsec implementations

+ +

We like to think of FreeS/WAN as the Linux IPsec implementation, +but it is not the only one. Others we know of are:

pipsecd, a + lightweight implementation of IPsec for Linux. Does not require kernel + recompilation.
Petr Novak's ipnsec, based + on the OpenBSD IPsec code and using Photuris for key management
A now defunct project at U of + Arizona (export controlled)
NIST Cerebus (export + controlled)

+ +

IPsec for BSD Unix

KAME, several + large Japanese companies co-operating on IPv6 and IPsec
US Naval Research Lab + implementation of IPv6 and of IPsec for IPv4 (export controlled)
OpenBSD includes IPsec as a + standard part of the distribution
IPsec for FreeBSD
a FAQ + on NetBSD's IPsec implementation

+ +

IPsec for other systems

Helsinki U of + Technolgy have implemented IPsec for Solaris, Java and Macintosh

+ +

Interoperability

+ +

The IPsec protocols are designed so that different implementations should +be able to work together. As they say "the devil is in the details". IPsec +has a lot of details, but considerable success has been achieved.

+ +

Interoperability results

+ +

Linux FreeS/WAN has been tested for interoperability with many other IPsec +implementations. Results to date are in our interoperability section.

+ +

Various other sites have information on interoperability between various +IPsec implementations:

interop + results from a bakeoff in Atlanta, September 1999.
a French company, HSC's, interoperability + test data covers FreeS/WAN, Open BSD, KAME, Linux pipsecd, Checkpoint, + Red Creek Ravlin, and Cisco IOS
ICSA offer certification programs + for various security-related products. See their list of + certified IPsec products. Linux FreeS/WAN is not currently on that + list, but several products with which we interoperate are.
VPNC have a page on why they are not yet doing interoperability testing and + a page on the spec + conformance testing that they are doing
a review + comparing a dozen commercial IPsec implemetations. Unfortunately, the + reviewers did not look at Open Source implementations such as FreeS/WAN + or OpenBSD.
results + from interoperability tests at a conference. FreeS/WAN was not tested + there.
test results from the IPSEC + 2000 conference

+ +

Interoperability test sites

TAHI, a Japanese IPv6 testing + project with free IPsec validation software
National Institute of + Standards and Technology
SSH Communications + Security

+ +

Linux links

+ +

Basic and tutorial Linux information

Linux Getting + Started HOWTO document
A getting started guide from the U of + Oregon
A large link + collection which includes a lot of introductory and tutorial material + on Unix, Linux, the net, . . .

+ +

General Linux sites

Freshmeat Linux news
Slashdot "News for Nerds"
Linux Online
Linux HQ
tux.org

+ +

Documentation

+ +

Nearly any Linux documentation you are likely to want can be found at the +Linux Documentation Project or +LDP.

Meta-FAQ + guide to Linux information sources
The LDP's HowTo documents are a standard Linux reference. See this list. Documents there + most relevant to a FreeS/WAN gateway are: +
+
The LDP do a series of Guides, book-sized publications with more detail + (and often more "why do it this way?") than the HowTos. See this list. Documents there most + relevant to a FreeS/WAN gateway are: +
+

+ +

You may not need to go to the LDP to get this material. Most Linux +distributions include the HowTos on their CDs and several include the Guides +as well. Also, most of the Guides and some collections of HowTos are +available in book form from various publishers.

+ +

Much of the LDP material is also available in languages other than +English. See this LDP +page.

+ +

Advanced routing

+ +

The Linux IP stack has some new features in 2.4 kernels. Some HowTos have +been written:

several HowTos for the netfilter + firewall code in newer kernels
2.4 + networking HowTo
2.4 + routing HowTo

+ +

Security for Linux

+ +

Linux firewalls

+ +

Our FreeS/WAN and firewalls document includes +links to several sets of scripts known +to work with FreeS/WAN.

+ +

Other information sources:

IP Masquerade resource page
netfilter + firewall code in 2.4 kernels
Our list of general firewall references on + the web
Mason, a tool for + automatically configuring Linux firewalls
the web cache software squid + and squidguard which turns Squid + into a filtering web proxy

+ +

Miscellaneous Linux information

+ +

Crypto and security links

+ +

Crypto and security resources

+ +

The standard link collections

+ +

Two enormous collections of links, each the standard reference in its +area:

Gene Spafford's COAST hotlist: Computer and network security.
Peter Gutmann's Encryption and + Security-related Resources: Cryptography.

+ +

Frequently Asked Question (FAQ) documents

Cryptography + FAQ
Firewall FAQ
Secure Unix + Programming FAQ
FAQs for specific programs are listed in the tools + section below.

+ +

Tutorials

Gary Kessler's Overview of + Cryptography
Terry Ritter's introduction
Peter Gutman's cryptography + tutorial (500 slides in PDF format)
Amir Herzberg of IBM's sildes for his course Introduction to + Cryptography and Electronic Commerce
the concepts + section of the GNU Privacy Guard + documentation
Bruce Schneier's self-study cryptanalysis + course

+ +

See also the interesting papers section +below.

+ +

Crypto and security standards

Common Criteria, new + international computer and network security standards to replace the + "Rainbow" series
AES + Advanced Encryption Standard which will replace DES
IEEE P-1363 public key + standard
our collection of links for the IPsec + standards
history of formal + evaluation of security policies and implementation

+ +

Crypto quotes

+ +

There are several collections of cryptographic quotes on the net:

+ +

Cryptography law and policy

+ +

Surveys of crypto law

International survey of crypto + law.
International survey of digital signature + law

+ +

Organisations opposing crypto restrictions

The EFF's archives on privacy and export + control.
Global Internet Liberty Campaign
Center for Democracy and + Technology
Privacy + International, who give out Big Brother Awards to snoopy + organisations

+ +

Other information on crypto policy

RFC 1984, the IAB and IESG Statement on Cryptographic Technology + and the Internet.
John Young's collection of documents + of interest to the cryptography, open government and privacy movements, + organized chronologically
AT&T researcher Matt Blaze's Encryption, Privacy and Security Resource Page
A good overview of + the issues from Australia.

+ +

See also our documentation section on the history +and politics of cryptography.

+ +

Key length + requirements for security
Why + Cryptosystems Fail
Risks of escrowed + encryption
Security pitfalls in + cryptography
Reflections on Trusting + Trust, Ken Thompson on Trojan horse design
Security against + Compelled Disclosure, how to maintain privacy in the face of legal or + other coersion

+ +

Computer and network security

+ +

Security links

COAST Hotlist
DMOZ open directory project computer security + links
Bennet Yee
Mike Fuhr's link + collection
links with an emphasis + on intrusion detection

+ +

Firewall links

+ +

VPN links

VPN Consortium
First VPN's white + paper collection

+ +

Security tools

PGP -- mail encryption +
- PGP Inc. (part of NAI) for + commercial versions
- MIT distributes + the NAI product for non-commercial use
- international distribution + site
- GNU Privacy Guard (GPG)
- PGP FAQ
+ A message in our mailing list archive has considerable detail on available + versions of PGP and on IPsec support in them. +
Note: A fairly nasty bug exists in all commercial PGP + versions from 5.5 through 6.5.3. If you have one of those, + upgrade now.
+
SSH -- secure remote login +
- SSH Communications Security, for + the original software. It is free for trial, academic and + non-commercial use.
- Open SSH, the Open BSD team's + free replacement
- freessh.org, links to free + implementations for many systems
- SSH FAQ
- Putty, + an SSH client for Windows
+
Tripwire saves message digests of your system files. Re-calculate the + digests and compare to saved values to detect any file changes. There are + several versions available: +
- commercial + version
- Open Source
+
Snort and LIDS are intrusion detection system for + Linux
SATAN System + Administrators Tool for Analysing Networks
NMAP Network Mapper
Wietse + Venema's page with various tools
Internet Traffic + Archive, various tools to analyze network traffic, mostly scripts to + organise and format tcpdump(8) output for specific purposes
ssmail -- sendmail patched to do opportunistic encryption +
- web page with + links to code and to a Usenix paper describing it, in PDF
+
Open CA project to develop a + freely distributed Certification Authority + for building a open Public Key + Infrastructure.

+ +

Links to home pages

+ +

David Wagner at Berkeley provides a set of links to home pages of +cryptographers, cypherpunks and computer security people.

+ + -- cgit v1.2.3