Re: linux-ipsec: Another draft effort: vpn mini-howto

> > > One thing I'd look for in a howto is some characterization of how
> > > effective, convenient, and trustable the system is.

I would not characterize FreeS/WAN with any of these adjectives yet.

It's getting better, but:

  effective: maybe, but you won't know if it isn't.   convenient: still quite arcane to understand and set up, both the

	      physical network (e.g. IP numbering) and the software.
	      Doesn't yet recover from crashes at one end, a major
	      operational problem.
  trustable:  nobody has tried to break it, so we don't know if it can
	      be done.  We know a variety of ways it's likely
	      to fall over if attacked.   In most of them it fails
	      by stopping packets from getting through, which is better
	      than failing by passing packets in the clear, since humans
	      will notice and investigate.  Some of these are fixable,
	      some are inherently unfixable but can be ameliorated.

(This lack of confidence is a problem shared by most new security software, and indeed, by new encryption algorithms themselves. You simply can't tell by looking at them how strong they are. Only years of fending off ingenious attempts to break in will lead to any confidence that the system is truly secure against a determined attacker. How do you know PGP, or DES, is really secure? Whose opinion are you trusting on that, and why? How much testing did *they* actually do? Might they have a vested interest?)

At this stage it helps a lot to have "early adopter" feedback on the software. Mass deployment would just swamp us with complaints we would already know about. Configuration should get much simpler over time, including resistance to misconfiguration that leaves the net insecure. We know pretty much how to push that along, though suggestions are welcome.

It would be a real help if someone wanted to attack a FreeS/WAN-protected network by sending it packets from the outside, to try to force it to reveal traffic, or to jam up. There's lots of new software in here; bugs are likely. The only way we'll find them is by looking for them, in various environments beyond our programmers' testbeds. (I'm not suggesting that you try to crash our internal testbeds, but that you try to crash your own! Maybe after a few releases we should declare an open season on one of our testbeds, but now it would just distract us from being able to make progress.)

Many thanks to all of our early adopters and interested parties. Your contributions of time, energy, documentation, puzzles, and code are a big morale booster for the core team, since it shows that you care.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

        John Received on Thu Sep 10 02:30:36 1998