From aaa0331ecf95ced1e913ac9be50168cf0e7cbb82 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Tue, 30 Jan 2007 12:21:07 +0000 Subject: [svn-upgrade] Integrating new upstream version, strongswan (2.8.2) --- doc/web.html | 749 ----------------------------------------------------------- 1 file changed, 749 deletions(-) delete mode 100644 doc/web.html (limited to 'doc/web.html') diff --git a/doc/web.html b/doc/web.html deleted file mode 100644 index 0c084d289..000000000 --- a/doc/web.html +++ /dev/null @@ -1,749 +0,0 @@ - - - -Introduction to FreeS/WAN - - - - -Contents -Previous -Next -

Web links

The Linux FreeS/WAN Project

The main project web site is - www.freeswan.org.

Links to other project-related sites - are provided in our introduction section.

Add-ons and patches for FreeS/WAN

Some user-contributed patches have been integrated into the FreeS/WAN - distribution. For a variety of reasons, those listed below have not.

Note that not all patches are a good idea.

There are a number of "features" of IPsec which we do not implement - because they reduce security. See this - discussion. We do not recommend using patches that implement these. - One example is aggressive mode.
We do not recommend adding "features" of any sort unless they are - clearly necessary, or at least have clear benefits. For example, - FreeS/WAN would not become more secure if it offerred a choice of 14 - ciphers. If even one was flawed, it would certainly become less secure - for anyone using that cipher. Even with 14 wonderful ciphers, it would - be harder to maintain and administer, hence more vulnerable to various - human errors.

This is not to say that patches are necessarily bad, only that using - them requires some deliberation. For example, there might be perfectly - good reasons to add a specific cipher in your application: perhaps GOST - to comply with government standards in Eastern Europe, or AES for - performance benefits.

Current patches

Patches believed current::

patches for X.509 - certificate support, also available from a - mirror site
patches to add - AES and other ciphers. There is preliminary data indicating AES - gives a substantial performance - gain.

There is also one add-on that takes the form of a modified FreeS/WAN - distribution, rather than just patches to the standard distribution:

IPv6 - support

Before using any of the above,, check the mailing - lists for news of newer versions and to see whether they have been - incorporated into more recent versions of FreeS/WAN.

Older patches

hardware - acceleration
a series of patches that -
- provide GOST, a Russian gov't. standard cipher, in MMX assembler
- add GOST to OpenSSL
- add GOST to the International kernel patch
- let FreeS/WAN use International kernel patch ciphers
-
Neil Dunbar's patches for - certificate support, using code from - Open SSL.
Luc Lanthier's - patches for PKIX support.
patches - to add Blowfish, - IDEA and CAST-128 to FreeS/WAN
patches for FreeS/WAN 1.3, Pluto support for - external authentication, for example with a smartcard or SKEYID.
patches and - utilities for using FreeS/WAN with PGPnet
-Blowfish encryption and Tiger hash
-patches for aggressive mode support

These patches are for older versions of FreeS/WAN and will likely not - work with the current version. Older versions of FreeS/WAN may be - available on some of the distribution sites -, but we recommend using the current release.

VPN masquerade patches

Finally, there are some patches to other code that may be useful with - FreeS/WAN:

a - patch to make IPsec, PPTP and SSH VPNs work through a Linux - firewall with IP masquerade.
-Linux VPN Masquerade HOWTO

Note that this is not required if the same machine does IPsec and - masquerading, only if you want a to locate your IPsec gateway on a - masqueraded network. See our firewalls - document for discussion of why this is problematic.

At last report, this patch could not co-exist with FreeS/WAN on the - same machine.

Distributions including FreeS/WAN

The introductory section of our document set lists several - Linux distributions which include FreeS/WAN.

Things FreeS/WAN uses or could use

/dev/random support page, - discussion of and code for the Linux - random number driver. Out-of-date when we last checked (January - 2000), but still useful.
other programs related to random numbers: -
- audio entropy - daemon to gather noise from a sound card and feed it into - /dev/random
- an entropy-gathering - daemon
- a driver for the random number generator in recent - Intel chipsets. This driver is included as standard in 2.4 kernels.
-
a Linux L2TP Daemon which - might be useful for communicating with Windows 2000 which builds L2TP - tunnels over its IPsec connections
to use opportunistic encryption, you need a recent version of - BIND. You can get one from the - Internet Software Consortium who maintain BIND.

Other approaches to VPNs for Linux

other Linux IPsec implementations
ENskip, a free - implementation of Sun's SKIP protocol
vpnd, a non-IPsec VPN - daemon for Linux which creates tunnels using - Blowfish encryption
Zebedee, a simple - GPLd tunnel-building program with Linux and Win32 versions. The name is - from Zlib compression, Blowfish - encryption and Diffie-Hellman key exchange.
There are at least two PPTP implementations for Linux -
- Moreton Bay's - PoPToP
- PPTP-Linux -
-
CIPE - (crypto IP encapsulation) project, using their own lightweight protocol - to encrypt between routers
tinc, a VPN Daemon

There is a list of - Linux VPN software in the - Linux Security Knowledge Base.

The IPsec Protocols

General IPsec or VPN information

The VPN Consortium is a group for - vendors of IPsec products. Among other things, they have a good - collection of IPsec - white papers.
A VPN mailing list with a - home page, a FAQ, some product comparisons, and many links.
VPN pointer page
a collection - of VPN links, and some explanation

IPsec overview documents or slide sets

the FreeS/WAN document section on these - protocols

IPsec information in languages other than - English

-German
Japanese
Feczak Szabolcs' thesis in - Hungarian
Davide Cerri's thesis and some presentation slides - Italian

RFCs and other reference documents

Our document listing the RFCs relevant to - Linux FreeS/WAN and giving various ways of obtaining both RFCs and - Internet Drafts.
VPN Standards - page maintained by VPNC. This covers - both RFCs and Drafts, and classifies them in a fairly helpful way.
RFC archive
Internet Drafts - related to IPsec
US government site - with their FIPS standards
Archives of the ipsec@tis.com mailing list where discussion of - drafts takes place. -
- Eastern Canada
- California.
-

Analysis and critiques of IPsec protocols

Counterpane's - evaluation of the protocols
Simpson's - IKE Considered Dangerous paper. Note that this is a link to an - archive of our mailing list. There are several replies in addition to - the paper itself.
Fate Labs Virual - Private Problems: the Broken Dream
Catherine Meadows' paper Analysis of the Internet Key Exchange - Protocol Using the NRL Protocol Analyzer, in - PDF or - Postscript.
Perlman and Kaufmnan -
- -Key Exchange in IPsec
- a newer - PDF paper, Analysis of the IPsec Key Exchange Standard -.
-
Bellovin's - papers page including his: -
- Security Problems in the TCP/IP Protocol Suite (1989)
- Problem Areas for the IP Security Protocols (1996)
- Probable Plaintext Cryptanalysis of the IP Security Protocols - (1997)
-
An errata list - for the IPsec RFCs.

Background information on IP

An IP tutorial that - seems to be written mainly for Netware or Microsoft LAN admins entering - a new world
IANA, Internet Assigned Numbers - Authority
CIDR, - Classless Inter-Domain Routing
Also see our bibliography

IPsec Implementations

Linux products

Vendors using FreeS/WAN in turnkey firewall or VPN products are - listed in our introduction.

Other vendors have Linux IPsec products which, as far as we know, do - not use FreeS/WAN

Redcreek - provide an open source Linux driver for their PCI hardware VPN card. - This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more - specialised crypto chips, and claimed encryption performance of 45 - Mbit/sec. The PC sees it as an Ethernet board.
Paktronix - offer a Linux-based VPN with hardware encryption
Watchguard use Linux in - their Firebox product.
Entrust offer a developers' - toolkit for using their PKI for IPsec - authentication
According to a report on our mailing list, - Axent have a Linux version of their product.

IPsec in router products

All the major router vendors support IPsec, at least in some models.

Cisco - IPsec information
Ascend, now part of Lucent, - have some IPsec-based products
Bay Networks, now part - of Nortel, use IPsec in their Contivity switch product line
3Com have - a number of VPN products, some using IPsec

IPsec in firewall products

Many firewall vendors offer IPsec, either as a standard part of their - product, or an optional extra. A few we know about are:

Vendors using FreeS/WAN in turnkey firewall products are listed in - our introduction.

Operating systems with IPsec support

All the major open source operating systems support IPsec. See below - for details on BSD-derived Unix variants.

Among commercial OS vendors, IPsec players include:

-Microsoft have put IPsec in their Windows 2000 and XP products
IBM - announce a release of OS390 with IPsec support via a crypto - co-processor
-Sun include IPsec in Solaris 8
-Hewlett Packard offer IPsec for their Unix machines
Certicom have IPsec available for the - Palm.
There were reports before the release that Apple's Mac OS X would - have IPsec support built in, but it did not seem to be there when we - last checked. If you find, it please let us know via the - mailing list.

IPsec on network cards

Network cards with built-in IPsec acceleration are available from at - least Intel, 3Com and Redcreek.

Open source IPsec implementations

Other Linux IPsec implementations

We like to think of FreeS/WAN as the Linux IPsec - implementation, but it is not the only one. Others we know of are:

pipsecd, a - lightweight implementation of IPsec for Linux. Does not require kernel - recompilation.
Petr Novak's ipnsec, - based on the OpenBSD IPsec code and using - Photuris for key management
A now defunct project at - U of Arizona (export controlled)
NIST Cerebus - (export controlled)

IPsec for BSD Unix

KAME, - several large Japanese companies co-operating on IPv6 and IPsec
US Naval Research Lab - implementation of IPv6 and of IPsec for IPv4 (export controlled)
OpenBSD includes IPsec as a - standard part of the distribution
IPsec for FreeBSD
a FAQ - on NetBSD's IPsec implementation

IPsec for other systems

Helsinki U of - Technolgy have implemented IPsec for Solaris, Java and Macintosh

Interoperability

The IPsec protocols are designed so that different implementations - should be able to work together. As they say "the devil is in the - details". IPsec has a lot of details, but considerable success has been - achieved.

Interoperability results

Linux FreeS/WAN has been tested for interoperability with many other - IPsec implementations. Results to date are in our - interoperability section.

Various other sites have information on interoperability between - various IPsec implementations:

interop results - from a bakeoff in Atlanta, September 1999.
a French company, HSC's, - interoperability test data covers FreeS/WAN, Open BSD, KAME, Linux - pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS
ICSA offer certification programs - for various security-related products. See their list of - certified IPsec products. Linux FreeS/WAN is not currently on that - list, but several products with which we interoperate are.
VPNC have a page on why they are not yet doing - interoperability testing and a page on the - spec conformance testing that they are doing
a review - comparing a dozen commercial IPsec implemetations. Unfortunately, the - reviewers did not look at Open Source implementations such as FreeS/WAN - or OpenBSD.
-results from interoperability tests at a conference. FreeS/WAN was - not tested there.
test results from the - IPSEC 2000 conference

Interoperability test sites

TAHI, a Japanese IPv6 testing - project with free IPsec validation software
National Institute of - Standards and Technology
SSH Communications Security

Linux links

Basic and tutorial Linux information

Linux - Getting Started HOWTO document
A getting started guide from the - U of Oregon
A large link collection - which includes a lot of introductory and tutorial material on Unix, - Linux, the net, . . .

General Linux sites

Freshmeat Linux news
Slashdot "News for Nerds"
Linux Online
Linux HQ
tux.org

Documentation

Nearly any Linux documentation you are likely to want can be found at - the Linux Documentation Project - or LDP.

Meta-FAQ - guide to Linux information sources
The LDP's HowTo documents are a standard Linux reference. See this - list. Documents there most relevant to a FreeS/WAN gateway are: -
- Kernel - HOWTO
- -Networking Overview HOWTO
- -Security HOWTO
-
The LDP do a series of Guides, book-sized publications with more - detail (and often more "why do it this way?") than the HowTos. See this list. Documents there - most relevant to a FreeS/WAN gateway are: -
-

You may not need to go to the LDP to get this material. Most Linux - distributions include the HowTos on their CDs and several include the - Guides as well. Also, most of the Guides and some collections of HowTos - are available in book form from various publishers.

Much of the LDP material is also available in languages other than - English. See this - LDP page.

Advanced routing

The Linux IP stack has some new features in 2.4 kernels. Some HowTos - have been written:

several HowTos for the - netfilter firewall code in newer kernels
-2.4 networking HowTo
-2.4 routing HowTo

Security for Linux

Linux firewalls

Our FreeS/WAN and firewalls document - includes links to several sets of - scripts known to work with FreeS/WAN.

Other information sources:

IP Masquerade resource page
netfilter - firewall code in 2.4 kernels
Our list of general firewall references - on the web
Mason, a tool for - automatically configuring Linux firewalls
the web cache software squid - and squidguard which turns - Squid into a filtering web proxy

Miscellaneous Linux information

Crypto and security links

Crypto and security resources

The standard link collections

Two enormous collections of links, each the standard reference in its - area:

Gene Spafford's - COAST hotlist: Computer and network security.
Peter Gutmann's - Encryption and Security-related Resources: Cryptography.

Frequently Asked Question (FAQ) documents

Cryptography - FAQ
Firewall FAQ
Secure Unix - Programming FAQ
FAQs for specific programs are listed in the tools - section below.

Tutorials

Gary Kessler's - Overview of Cryptography
Terry Ritter's - introduction
Peter Gutman's - cryptography tutorial (500 slides in PDF format)
Amir Herzberg of IBM's sildes for his course - Introduction to Cryptography and Electronic Commerce
the concepts - section of the GNU Privacy Guard - documentation
Bruce Schneier's self-study - cryptanalysis course

See also the interesting papers section - below.

Crypto and security standards

Common Criteria, new - international computer and network security standards to replace the - "Rainbow" series
AES - Advanced Encryption Standard which will replace DES
IEEE P-1363 public key - standard
our collection of links for the IPsec - standards
history of - formal evaluation of security policies and implementation

Crypto quotes

There are several collections of cryptographic quotes on the net:

Cryptography law and policy

Surveys of crypto law

International survey of - crypto law.
International survey of - digital signature law

Organisations opposing crypto restrictions

The EFF's archives on - privacy and - export control.
Global Internet Liberty Campaign
Center for Democracy and - Technology
Privacy International -, who give out Big Brother - Awards to snoopy organisations

Other information on crypto policy

RFC 1984, the - IAB and IESG Statement on - Cryptographic Technology and the Internet.
John Young's collection of documents - of interest to the cryptography, open government and privacy movements, - organized chronologically
AT&T researcher Matt Blaze's Encryption, Privacy and Security - Resource Page
A good overview of - the issues from Australia.

See also our documentation section on the - history and politics of cryptography.

Key length - requirements for security
Why - Cryptosystems Fail
Risks of escrowed - encryption
Security pitfalls - in cryptography
Reflections on Trusting - Trust, Ken Thompson on Trojan horse design
Security against - Compelled Disclosure, how to maintain privacy in the face of legal - or other coersion

Computer and network security

Security links

COAST Hotlist
DMOZ open directory project - computer security links
Bennet Yee
Mike Fuhr's - link collection
links with an - emphasis on intrusion detection

Firewall links

COAST firewalls -
Firewalls Resource page

VPN links

VPN Consortium
First VPN's - white paper collection

Security tools

PGP -- mail encryption -
- PGP Inc. (part of NAI) for - commercial versions
- MIT distributes - the NAI product for non-commercial use
- international distribution site
- GNU Privacy Guard (GPG)
- PGP FAQ
- A message in our mailing list archive has considerable detail on - available versions of PGP and on IPsec support in them. -
Note: A fairly nasty bug exists in all commercial - PGP versions from 5.5 through 6.5.3. If you have one of those, - upgrade now.
-
SSH -- secure remote login -
- SSH Communications Security, for the - original software. It is free for trial, academic and non-commercial - use.
- Open SSH, the Open BSD team's - free replacement
- freessh.org, links to free - implementations for many systems
- SSH FAQ
- Putty -, an SSH client for Windows
-
Tripwire saves message digests of your system files. Re-calculate - the digests and compare to saved values to detect any file changes. - There are several versions available: -
- commercial version
- Open Source
-
Snort and - LIDS are intrusion detection system for Linux
SATAN System - Administrators Tool for Analysing Networks
NMAP Network Mapper
Wietse - Venema's page with various tools
Internet Traffic Archive -, various tools to analyze network traffic, mostly scripts to organise - and format tcpdump(8) output for specific purposes
ssmail -- sendmail patched to do - opportunistic encryption -
- web page with - links to code and to a Usenix paper describing it, in PDF
-
Open CA project to develop a - freely distributed Certification Authority - for building a open Public Key - Infrastructure.

Links to home pages

David Wagner at Berkeley provides a set of links to - home pages of cryptographers, cypherpunks and computer security - people.

-Contents -Previous -Next - - -- cgit v1.2.3