linux-ipsec: ANNOUNCE: ipnsec-0.8 for Linux

Hello everybody,

I'd like to announce a new IPSec implementation for Linux. The implementation is based on the existing Linux-ipsec 0.7 and the code in OpenBSD.

The implementation is still under development, but I had a feeling that by releasing it early to others will make it stable faster, provided that there are enough people willing to test or comment on the code.

The implementation should be compatible with that in OpenBSD in terms of talking to each other and in the range of supported transormations (ie. ciphers and hashes).

Please note that the version released today does not support the tunneling mode yet. A fixed version should be available by the end of this week.

You can get the early version at
ftp://ftp.eunet.cz/icz/ipnsec/ipnsec-0.8.tar.gz

Here is the README-0.8 file describing some of the features.

Enjoy,

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

Petr Novak

This is the first preliminary release of a merged implementations of IPSec from Linux and OpenBSD, running on Linux.

You can fetch this (and the later versions) from ftp://ftp.eunet.cz/icz/ipnsec/

You can find the (old) Linux implementation at http://www.xs4all.nl/~freeswan/

You can find the OpenBSD code at
http://www.openbsd.org/

Both the Linux and OpenBSD versions have been originally written by John Ioannidis and the OpenBSD has been heavily modified by Angelos D. Keromytis and Niels Provos (and possibly others).

I (Petr Novak, <pn@i.cz>) took both of the code bases and tried to merge the newer functions from OpenBSD into the existing Linux code. The code bases were ipsec-linux ver. 0.7 and OpenBSD 2.2 with all modifications up to March 9, 1998.

The versioning of this software is a continuation of that of the ipsec-linux code, but this does not mean that the ipsec-linux will not evolve further on its own.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

This version is somewhere half on the way, as it still lacks some of the essential functions of OpenBSD. On the other hand, it should be at least as stable as the existing Linux code, but it should be more interoperable with other IPSec implementations.

The code has been tested with Linux kernel 2.0.32 and 2.0.33. The development environment and the testbed is based on Redhat Linux 4.2.

Here is a rough sketch of the major changes from the ipsec for Linux 0.7 and some random remarks:

• the IP stack kernel interface has not changed (yet), I plan to steal that either from ENskip or to inspire in OpenBSD to fix the known problems with transport mode routing etc.
• what *has* changed is the userland to kernel level interface to IPSec. The paradigm of netlink interface has been preserved, but the format of the messages is more close to the OpenBSD PF_ENCAP than to the original Linux code. The reasoning is that I would like to use the OpenBSD user-level code, rather than to stick with the existing Linux utilities (which have been a victim of recent criticism from the interoperability tester team).
• the main area of differences is the code of the actual transformations (ie. esp and ah header processing). The file-per-xform approach of the original Linux code has been replaced with the file-per-standard approach of the OpenBSD code. The new files are called ipsec_{ah,esp}_{old,new}.c and the changes there required changing the ipsec_{ah,esp}.h files. To make the structure of the files cleaner, I have moved all the ciphers and hashes code to separate directories (ciphers, hashes) and I have included all the transforms from OpenBSD (ie. Blowfish, CAST and RIPEMD-160).

  The libdeslite has been enhanced with 3-DES in ecb mode and the cbc mode   routines have been deleted for both DES and 3-DES.   The ipsec_esp_{old,new}.c code does a central   cipher-independent CBC processing and uses only ECB mode external ciphers.   This is in line with the recent IETF draft draft-ietf-ipsec-ciph-cbc-01,   although the implementation allows backwards compatibility with some older   drafts (IV derived from the replay protection field).

  The implementation does not include the IDEA and RC5 ciphers mentioned in the   draft. They were not in the OpenBSD code, as IDEA is patented in several   countries (including most EU countries and the USA).   If included, it should at least be possible to turn it off.   As there are not that many IPSec
  implementations with IDEA, it is not a major interoperability requirement   at this moment. I have not yet investigated the status of RC5 and I will   include that cipher once confirmed that it can be distributed freely.

  The interoperability of all the transforms with existing OpenBSD has been   tested with manual keying (using ipsecadm - see later) and they seem to work   in all possible combinations, except when OpenBSD tries to receive   keyed SHA-1 old-style AH packets, where the problem is at the OpenBSD   side (a bug has been opened including fix with the OpenBSD team).

  Some of the transforms might not work with the old Linux code   base, due to different key slicing and possibly other differences   (at least the length of the replay protection field has changed).   As the OpenBSD code seems to be more up-to-date and is a much   more stable implementation at this moment, I gave priority to compatibilty   with that, rather than with the existing Linux code.   Unfortunately, I have not tested which actual transforms do and which   do not work interoperably with the old Linux code.

• the tunnel mode does not work at the moment, as the logic is different in both of the original implementations. I will finish porting and testing the tunnelling mode in several days, as that is a showstopper for any tests over the Internet.
• it is not possible to print the keys in /proc/net/ipsec-spi any more in most of the cases, as any constant per-packet processing is now done in the key schedule routine (xxx_init), rather than for every packet. This means that the key schedules and hash contexts are available, but the original keys are not. Also, the format of /proc/net/ipsec-spi has changed substantially.
• the expiration and statistics processing of OpenBSD are not implemented yet.
• the flows of OpenBSD are not implemented yet (ie. we still use the existing eroute code of the Linux implementation - watch this space)
• the main user interface for setting up IPSec is the ipsecadm utility, replacing the setsa and spigrp utilities. The ipsecadm is taken from OpenBSD (you will find it in sbin/ipsecadm) and the only changes were in the includes and the kernel interface (although the format of the actual messages has remained - the only real difference is the replacement of using /dev/ipsec instead of the PF_ENCAP socket). The manual page (ipsecadm.1) and usage printed in case of running the program without arguments are the same as in OpenBSD and should be all relevant to the existing code, except the tunnelling mode does not work yet.

  The diagnostics performed at the kernel level (ie. checking of key   lengths, IV lengths etc) are still poorly reported, but you will find   a desription of the problem in /var/log/messages (or wherever   else you log your kernel messages). The user level code should perform   the same sanity checks as the kernel does and report them sensibly to the   user (someone to volunteer for implementing this?).

• the photurisd and pluto key management daemons are not supposed to work with this release yet.
• this release is a development snapshot and will be replaced by enhanced versions on about weekly basis (at least initially). Anyone who wants to run any tests over the Internet (with this or any other IPSec implementation), please mail me (pn@i.cz) and I will setup our end to talk to you.
• the code is stable while being used, the only kernel oops I have seen are while bringing down the system. This does not mean there are no memory leaks, but I have fixed (possibly) the TDB memory leaks mentioned in the old XXX comments. I am not sure wheather I have created some race conditions with this or not (anyone to check?).
• all the new code has been written in Praha, Czech republic and is therefore free of any export restrictions. The OpenBSD code has been legally exported from Canada (well, actually I have fetched my copy from Sweden). No US originated code has been (knowingly) included.
• The code is not under RCS or CVS at the moment, as it seems to be too unstable and still large parts of files are deleted or replaced. The comments at the beginning of files about changes and versions are not always updated, I plan to start the versioning from scratch once the code reaches some of my other objectives (ie. new IP kernel interface, expiration messages etc. to enable full interopeability with ISAKMP/Oakley and Photuris). If you need to know what has changed, you need to make the diffs yourself.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

  The docs directory has not been updated or touched, so you need to read   that and *then* the ipsecadm man page.

If anything goes wrong, do not blame me, nor the authors of most of the code. This code is provided AS IS, with no warranties or other blah blah. In any case, I'd like to hear from those who had any success or trouble with this code, so that it can do what somebody might think is useful.

Praha, 12th March 1998
Petr Novak
ICZ, a.s.
<pn@i.cz> Received on Thu Mar 12 16:42:15 1998