Re: linux-ipsec: Source

> IMHO, it is a Big Mistake(tm) to link the IPsec implementation, which is
> kernel-specific in it's nature, to any specific Linux distributions. If
> the source code is well organised and configurable (using GNU autoconf,
> for example), it should be usable with ANY distribution using a supported
> kernel.

To date, we have managed to avoid needing autoconf, and we would like to continue doing so -- it is a big and complicated piece of machinery which does not address all the potential problem areas. We'll use it if we must.

The potential problems are less with compilation -- although we have said many unkind words about the Linux header files, especially the senseless differences and duplications between user and kernel header files (which are particularly troublesome for us because some of our code has to compile in both environments) -- than with differences in system structure, like whether a system has the chkconfig command (or even uses the SysV-style runlevel structure at all). The bulk of the code should have few or no problems, but some of the highly desirable sysadmin stuff out on its edges is a potential headache.

We'd like to make this stuff run on as many Linux distributions as possible, but there is a limit to how much effort we can invest in coping with fiddly little differences, and also a limit to how many different systems we can conveniently test on. (This is an area where volunteer help would be very useful.)

> I know the kernel-guys will agree on this, and I think the long-term goal
> for a great project such as this should be inclusion in the stock kernel
> and/or the International patch (found on
> ftp.kerneli.org/pub/linux/kerneli/).

That is indeed a long-term goal of ours, although issues like US export laws may limit what can be done.

> So - to summarize it, I'd like to take on that job, but since I'm new with
> the project I'll start out with the DES library update.

Great! Keep us posted, preferably via the list. (For both legal and philosophical reasons, we prefer that as much communication as possible take place in an open forum rather than by private mail.)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

> Another thing that I would propose as a future project, is a "make
> exportclean" feature that will remove all the crypto-stuff from the
> package and leave AH support.

Interesting idea, but I'm not sure it will make it into our distribution, since the management on this project is very strongly pro-encryption. Also, we don't have any export problems (and we are careful to keep it that way), although we realize that would-be users might.

> This could then be included in the stock kernel and exportable versions of
> the userspace utilities could be made available.

Unfortunately, even the *hooks* for adding crypto stuff -- which are pretty much inevitable in such a setup -- are subject to export control, as "enabling technology".

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)