linux-ipsec: Re: ipnsec & IPsec survey
Dear Ghislaine,
thank you for your interest in ipnsec. I work as chairman and CEO of a
consultancy company with over 50 staff. We work mainly for the central and
local government, but we also have large contracts in the industry
(utilities, manufacturing). We specialize in network design,
outsourcing and security.
We had a requirement from the government sector for implementing an IPSec
based solution with the deadline of March 31st 1998. After surveying the
existing implementations available at that time, the state of standards and
drafts and our position regarding the US export restrictions, we have
decided to contribute to a faster development of what was available for
Linux at that time (linux IPSec version 0.7). We took the IPSec
implementation available for Open BSD as our second source of ideas and
tools and have put together something that we hoped would be used to
the benefit of other developers of the Linux based solution. We have tried
to follow the Open Source model and have released all interim versions
which were stable enough to enable testing of interoperability with other
IPSec solutions. We have demonstrated 100% compatibility with Open BSD,
although our source code was different from that of Open BSD.
At the same time, a group of developers mainly from Canada have created
another branch in successors to IPSec for Linux and have created what is
now known as KLIPS (part of the FreeS/WAN project). We have hoped for
merging our and their code, but that has never happened. As the government
project was cancelled and there was no interest at all in ipnsec (although
quite a few people have downloaded the code, we did not get any positive
or negative feedback except about 2 messages just after the release), we
have ceased any further development of ipnsec and we encourage everybody
to have a look at the FreeS/WAN project instead. This does not mean that
we are not prepared to support anybody who has decided to use ipnsec in
favour of other options.
As you can see, IPSec implementations and standards are a moving target
and the scene today is completely different from that in late Winter this
year. We were in a similar position as you are today and we have tried to
boost the development by contributing our work and trying to recycle code
from other available sources to create a best of breed solution. Our
attempt was not widely accepted, but others were more successful and their
solution is much better today.
I think that someone might be interested in our implementation simply for
historical reasons. I would suggest you list it on your Web page with this
comment and possibly a contact to myself for any questions.
I have received another IPSec implementation for Linux called lipsec from
someone in Chile. It is available on the same FTP site as ipnsec for
reference. This FTP site is ftp://ftp.eunet.cz/icz
Sincerely,
--
Petr Novak
Chairman & CEO
ICZ a.s.
Zirovnicka 6
CZ-106 00 Praha 10
Ph: +420 2 2424 5124
Fax: +420 2 2424 5125
On Mon, 16 Nov 1998, Ghislaine Labouret wrote:
> Hello,
>
> I am a security consultant at HSC, a French company which is specialized in
> TCP/IP and Unix security.
>
> We are very interested in IPsec and are currently working on a survey on
> IPsec/IKE implementations, which I plan to turn into a web page listing the main
> implementations.
>
> Is your implementation, ipnsec, still evolving, or have you completely stopped
> working on it?
>
> Could you possibly fill in this survey?
>
> Thanks in advance.
>
> Regards,
>
> --
> Ghislaine Labouret
> Network security consultant
> Hervé Schauer Consultants (HSC)
>
>
>
> +------------------------------------------------+
> | Checklist for implemented IPsec / IKE features |
> +------------------------------------------------+
>
> How to fill this form:
> [ ] not supported
> [.] partially implemented or planned (please specify)
> [X] supported
> [?] don't know
>
> Feel free to add any '[ ] Other' line and/or comments if needed.
>
> -------------------
> General information
> -------------------
>
> Company / organisation / project / person:
>
> Product name and version:
> (Please fill in a different checklist for each product)
>
> Product type (check all that apply):
> [ ] Router
> [ ] Firewall
> [ ] IPSEC Gateway
> [ ] IPSEC Host
> [ ] Client Software
> [ ] Other:
>
> Platform(s):
>
> IP versions:
> [ ] IPv4
> [ ] IPv6
>
> Where is the product developed? Can it freely be exported from that country?
>
> Can the product be used in France (i.e. is it authorized by the SCSSI)?
> Under certain conditions?
>
>
> --------------
> IPsec features
> --------------
>
> Protocols:
> [ ] AH transport mode
> [ ] AH tunnel mode
> [ ] ESP transport mode
> [ ] ESP tunnel mode
> [ ] IP compression
>
> SA combinations:
> [ ] Transport adjacency
> [ ] Iterated tunneling
> [ ] Nested tunneling
>
> AH authentication transforms:
> [ ] HMAC-MD5 (MUST)
> [ ] KPDK-MD5
> [ ] HMAC-SHA-1 (MUST)
> [ ] DES-MAC
> [ ] HMAC-RIPE-MD
>
> ESP cipher algorithms:
> [ ] ESP_NULL (MUST)
> [ ] DES-CBC (MUST)
> [ ] DES_IV32
> [ ] DES_IV64
> [ ] 3DES (SHOULD)
> [ ] RC5
> Key length(s):
> [ ] CAST
> Key length(s):
> [ ] IDEA
> [ ] 3IDEA
> [ ] BLOWFISH
> Key length(s):
> [ ] RC4
> Key length(s):
>
> ESP authentication transforms:
> [ ] HMAC-MD5 (MUST)
> [ ] KPDK-MD5
> [ ] HMAC-SHA-1 (MUST)
> [ ] DES-MAC
> [ ] HMAC-RIPE-MD
>
> IPCOMP Transforms:
> [ ] OUI
> [ ] DEFLATE
> [ ] LZS
> [ ] V42BIS
>
> Key and SA management:
> [ ] Manual
> [ ] Photuris
> [ ] IKE (please answer the IKE part of the survey below)
> [ ] Other (please give the characteristics of your key management system)
>
> -----------
> SPD and SAD
> -----------
>
> Selectors:
> (How to answer: S=source only, D=destination only, X=both)
> [ ] IPv4 Address
> [ ] single
> [ ] subnet (network address / netmask)
> [ ] range (first address - last address)
> [ ] wildcard
> [ ] IPv6 Address
> [ ] single
> [ ] subnet (network address / netmask)
> [ ] range (first address - last address)
> [ ] wildcard
> [ ] Transport Layer Protocol
> [ ] Port number
> [ ] Name
> [ ] Fully-qualified domain name (foo.bar.com)
> [ ] Fully-qualified username (piper@foo.bar.com)
> [ ] ASN.1 X.500 Distinguished Name [X.501]
> [ ] ASN.1 X.500 General Name [X.509]
> [ ] Text string (vendor specific info for pre-shared keys)
> [ ] Data sensitivity level (IPSO/CIPSO labels)
> [ ] Other:
>
> >>> End of the survey if you are only doing manual SA management <<<
>
> -----------------------------
> IKE (with IPsec DOI) features
> -----------------------------
>
> Possible DOIs during phase 1:
> [ ] Generic ISAKMP
> [ ] IPSEC
>
> Negotiation Modes:
> [ ] Main Mode (MUST)
> [ ] Aggressive Mode (SHOULD)
> [ ] Base Quick Mode (MUST)
> [ ] Quick Mode with optional KE payload for PFS (MUST)
> [ ] New Groups Mode (SHOULD)
>
> Phase 1 authentication methods:
> [ ] Pre-shared key (MUST)
> [ ] DSS Signature (SHOULD)
> [ ] RSA Signature (SHOULD)
> [ ] Encryption with RSA (SHOULD)
> [ ] Revised Encryption with RSA
> [ ] DH-less RSA Encryption
> [ ] GSS-API
>
> ISAKMP SA encryption algorithms:
> [ ] DES-CBC (MUST)
> [ ] 3DES-CBC (SHOULD)
> [ ] CAST-CBC
> Key length(s):
> [ ] RC5-R16-B64-CBC
> Key length(s):
> [ ] IDEA-CBC
> [ ] BLOWFISH-CBC
> Key length(s):
>
> ISAKMP SA hash algorithms:
> [ ] MD5 (MUST)
> [ ] SHA (MUST)
> [ ] Tiger (SHOULD)
>
> ISAKMP SA Pseudo-Random Function (PRF)
> [ ] Default (HMAC version of hash algorithm)
> [ ] Other:
>
> SA Life Type and Duration:
> [ ] For ISAKMP SA (MUST)
> [ ] Seconds
> [ ] Kilobytes
> [ ] For IPsec SA (MUST)
> [ ] Seconds
> [ ] Kilobytes
>
> DH groups:
> [ ] Definition by group description:
> [ ] Default 768-bit MODP Group (Oakley group number 1) (MUST)
> [ ] Alternate 1024-bit MODP Group (Oakley group number 2) (SHOULD)
> [ ] EC2N Group on GP[2^155] (Oakley group number 3) (SHOULD)
> [ ] EC2N Group on GP[2^185] (Oakley group number 4) (SHOULD)
> [ ] Other:
> [ ] Definition by group attributes:
> [ ] Group Type:
> [ ] MODP
> [ ] ECP
> [ ] EC2N
> [ ] Group Prime/Irreducible Polynomial
> [ ] Group Generator one and two
> [ ] Group Curve A and B
> [ ] Field Size
> [ ] Group Order
>
> Supported ISAKMP versions:
> [ ] 0.1 (anterior to draft v10)
> [ ] 1.0 (draft v10)
>
> ISAKMP Payloads:
> [ ] Security Association (SA), Proposal (P) and Transform (T) Payloads
> [ ] Key Exchange Payload (KE)
> [ ] Nonce Payload (NONCE)
> [ ] Hash Payload (HASH)
> [ ] Signature Payload (SIG)
> [ ] Identification Payload (ID)
> [ ] Certificate Payload (CERT)
> [ ] Certificate Request Payload (CR)
> [ ] Notification Payload (N)
> [ ] Delete Payload (D)
> [ ] Vendor ID Payload (VID)
> [ ] Attribute Payload (ATTR)
>
> Additional ISAKMP Exchange Types:
> [ ] Informational (MUST)
> [ ] Transaction
>
> Identification (ID payload):
> >for generic phase 1 exchange only
> [ ] IPV4_ADDR
> [ ] IPV4_ADDR_SUBNET
> [ ] IPV6_ADDR
> [ ] IPV6_ADDR_SUBNET
> >for phase 1 or 2 with IPsec DOI
> [ ] Upper layer protocol
> [ ] Port number
> [ ] IPV4_ADDR
> [ ] FQDN (fully-qualified domain name "foo.bar.com")
> [ ] USER_FQDN (fully-qualified username "piper@foo.bar.com")
> [ ] IPV4_ADDR_SUBNET (network address / netmask)
> [ ] IPV6_ADDR
> [ ] IPV6_ADDR_SUBNET
> [ ] IPV4_ADDR_RANGE (first address - last address)
> [ ] IPV6_ADDR_RANGE
> [ ] DER_ASN1_DN (ASN.1 X.500 Distinguished Name [X.501])
> [ ] DER_ASN1_GN (ASN.1 X.500 General Name [X.509])
> [ ] KEY_ID (vendor specific info for pre-shared keys)
>
> Certificate Types (CERT and CR payloads):
> [ ] PKCS #7 wrapped X.509 certificate
> [ ] X.509 Certificate - Signature
> [ ] X.509 Certificate - Key Exchange
> [ ] X.509 Certificate - Attribute
> [ ] Certificate Revocation List (CRL)
> [ ] Authority Revocation List (ARL)
> [ ] SPKI Certificate
> [ ] PGP Certificate
> [ ] DNS Signed Key
> [ ] Kerberos Tokens
>
> Notify message types (N payload):
> [ ] Base ISAKMP error messages
> [ ] Base ISAKMP status messages
> [ ] Additional IPsec DOI status messages
>
> IPsec DOI situations:
> [ ] Identity_Only (MUST)
> [ ] Secrecy
> [ ] Integrity
>
Received on Tue Nov 17 08:36:07 1998
This archive was generated by hypermail 2.1.8: Wed Aug 23 2006 - 12:59:07 EDT