<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
</HEAD>
<BODY>
<A HREF="toc.html">Contents</A>
<A HREF="mail.html">Previous</A>
<A HREF="glossary.html">Next</A>
<HR>
<H1><A name="weblink">Web links</A></H1>
<H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
<P>The main project web site is<A href="http://www.freeswan.org/">
www.freeswan.org</A>.</P>
<P>Links to other project-related<A href="intro.html#sites"> sites</A>
are provided in our introduction section.</P>
<H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
<P>Some user-contributed patches have been integrated into the FreeS/WAN
distribution. For a variety of reasons, those listed below have not.</P>
<P>Note that not all patches are a good idea.</P>
<UL>
<LI>There are a number of "features" of IPsec which we do not implement
because they reduce security. See this<A href="compat.html#dropped">
discussion</A>. We do not recommend using patches that implement these.
One example is aggressive mode.</LI>
<LI>We do not recommend adding "features" of any sort unless they are
clearly necessary, or at least have clear benefits. For example,
FreeS/WAN would not become more secure if it offerred a choice of 14
ciphers. If even one was flawed, it would certainly become less secure
for anyone using that cipher. Even with 14 wonderful ciphers, it would
be harder to maintain and administer, hence more vulnerable to various
human errors.</LI>
</UL>
<P>This is not to say that patches are necessarily bad, only that using
them requires some deliberation. For example, there might be perfectly
good reasons to add a specific cipher in your application: perhaps GOST
to comply with government standards in Eastern Europe, or AES for
performance benefits.</P>
<H4>Current patches</H4>
<P>Patches believed current::</P>
<UL>
<LI>patches for<A href="http://www.strongsec.com/freeswan/"> X.509
certificate support</A>, also available from a<A href="http://www.twi.ch/~sna/strongsec/freeswan/">
mirror site</A></LI>
<LI>patches to add<A href="http://www.irrigacion.gov.ar/juanjo/ipsec">
AES and other ciphers</A>. There is preliminary data indicating AES
gives a substantial<A href="performance.html#perf.more"> performance
gain</A>.</LI>
</UL>
<P>There is also one add-on that takes the form of a modified FreeS/WAN
distribution, rather than just patches to the standard distribution:</P>
<UL>
<LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
support</A></LI>
</UL>
<P>Before using any of the above,, check the<A href="mail.html"> mailing
lists</A> for news of newer versions and to see whether they have been
incorporated into more recent versions of FreeS/WAN.</P>
<H4>Older patches</H4>
<UL>
<LI><A href="http://sources.colubris.com/en/projects/FreeSWAN/">hardware
acceleration</A></LI>
<LI>a<A href="http://tzukanov.narod.ru/"> series</A> of patches that
<UL>
<LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler</LI>
<LI>add GOST to OpenSSL</LI>
<LI>add GOST to the International kernel patch</LI>
<LI>let FreeS/WAN use International kernel patch ciphers</LI>
</UL>
</LI>
<LI>Neil Dunbar's patches for<A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
certificate support</A>, using code from<A href="http://www.openssl.org">
Open SSL</A>.</LI>
<LI>Luc Lanthier's<A href="ftp://ftp.netwinder.org/users/f/firesoul/">
patches</A> for<A href="glossary.html#PKIX"> PKIX</A> support.</LI>
<LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
to add<A href="glossary.html#blowfish"> Blowfish</A>,<A href="glossary.html#IDEA">
IDEA</A> and<A href="glossary.html#CAST128"> CAST-128</A> to FreeS/WAN</LI>
<LI>patches for FreeS/WAN 1.3, Pluto support for<A href="http://alcatraz.webcriminals.com/~bastiaan/ipsec/">
external authentication</A>, for example with a smartcard or SKEYID.</LI>
<LI><A href="http://www.zengl.net/freeswan/download/">patches and
utilities</A> for using FreeS/WAN with PGPnet</LI>
<LI><A href="http://www.freelith.com/lithworks/crypto/freeswan_patch.htm">
Blowfish encryption and Tiger hash</A></LI>
<LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
patches</A> for aggressive mode support</LI>
</UL>
<P>These patches are for older versions of FreeS/WAN and will likely not
work with the current version. Older versions of FreeS/WAN may be
available on some of the<A href="intro.html#sites"> distribution sites</A>
, but we recommend using the current release.</P>
<H4><A name="VPN.masq">VPN masquerade patches</A></H4>
<P>Finally, there are some patches to other code that may be useful with
FreeS/WAN:</P>
<UL>
<LI>a<A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
patch</A> to make IPsec, PPTP and SSH VPNs work through a Linux
firewall with<A href="glossary.html#masq"> IP masquerade</A>.</LI>
<LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
Linux VPN Masquerade HOWTO</A></LI>
</UL>
<P>Note that this is not required if the same machine does IPsec and
masquerading, only if you want a to locate your IPsec gateway on a
masqueraded network. See our<A href="firewall.html#NAT"> firewalls</A>
document for discussion of why this is problematic.</P>
<P>At last report, this patch could not co-exist with FreeS/WAN on the
same machine.</P>
<H3><A name="dist">Distributions including FreeS/WAN</A></H3>
<P>The introductory section of our document set lists several<A href="intro.html#distwith">
Linux distributions</A> which include FreeS/WAN.</P>
<H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
<UL>
<LI><A href="http://openpgp.net/random">/dev/random</A> support page,
discussion of and code for the Linux<A href="glossary.html#random">
random number driver</A>. Out-of-date when we last checked (January
2000), but still useful.</LI>
<LI>other programs related to random numbers:
<UL>
<LI><A href="http://www.mindrot.org/audio-entropyd.html">audio entropy
daemon</A> to gather noise from a sound card and feed it into
/dev/random</LI>
<LI>an<A href="http://www.lothar.com/tech/crypto/"> entropy-gathering
daemon</A></LI>
<LI>a driver for the random number generator in recent<A href="http://sourceforge.net/projects/gkernel/">
Intel chipsets</A>. This driver is included as standard in 2.4 kernels.</LI>
</UL>
</LI>
<LI>a Linux<A href="http://www.marko.net/l2tp/"> L2TP Daemon</A> which
might be useful for communicating with Windows 2000 which builds L2TP
tunnels over its IPsec connections</LI>
<LI>to use opportunistic encryption, you need a recent version of<A href="glossary.html#BIND">
BIND</A>. You can get one from the<A href="http://www.isc.org">
Internet Software Consortium</A> who maintain BIND.</LI>
</UL>
<H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
<UL>
<LI>other Linux<A href="#linuxipsec"> IPsec implementations</A></LI>
<LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free
implementation of Sun's<A href="glossary.html#SKIP"> SKIP</A> protocol</LI>
<LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPsec VPN
daemon for Linux which creates tunnels using<A href="glossary.html#Blowfish">
Blowfish</A> encryption</LI>
<LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple
GPLd tunnel-building program with Linux and Win32 versions. The name is
from<STRONG> Z</STRONG>lib compression,<STRONG> B</STRONG>lowfish
encryption and<STRONG> D</STRONG>iffie-Hellman key exchange.</LI>
<LI>There are at least two PPTP implementations for Linux
<UL>
<LI>Moreton Bay's<A href="http://www.moretonbay.com/vpn/pptp.html">
PoPToP</A></LI>
<LI><A href="http://cag.lcs.mit.edu/~cananian/Projects/PPTP/">PPTP-Linux</A>
</LI>
</UL>
</LI>
<LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
(crypto IP encapsulation) project, using their own lightweight protocol
to encrypt between routers</LI>
<LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
</UL>
<P>There is a list of<A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
Linux VPN</A> software in the<A href="http://www.securityportal.com/lskb/kben00000001.html">
Linux Security Knowledge Base</A>.</P>
<H2><A name="ipsec.link">The IPsec Protocols</A></H2>
<H3><A name="general">General IPsec or VPN information</A></H3>
<UL>
<LI>The<A href="http://www.vpnc.org"> VPN Consortium</A> is a group for
vendors of IPsec products. Among other things, they have a good
collection of<A href="http://www.vpnc.org/white-papers.html"> IPsec
white papers</A>.</LI>
<LI>A VPN mailing list with a<A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
home page</A>, a FAQ, some product comparisons, and many links.</LI>
<LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer page</A></LI>
<LI>a<A href="http://www.epm.ornl.gov/~dunigan/vpn.html"> collection</A>
of VPN links, and some explanation</LI>
</UL>
<H3><A name="overview">IPsec overview documents or slide sets</A></H3>
<UL>
<LI>the FreeS/WAN<A href="ipsec.html"> document section</A> on these
protocols</LI>
</UL>
<H3><A name="otherlang">IPsec information in languages other than
English</A></H3>
<UL>
<LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
German</A></LI>
<LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
<LI>Feczak Szabolcs' thesis in<A href="http://feczo.koli.kando.hu/vpn/">
Hungarian</A></LI>
<LI>Davide Cerri's thesis and some presentation slides<A href="http://www.linux.it/~davide/doc/">
Italian</A></LI>
</UL>
<H3><A name="RFCs1">RFCs and other reference documents</A></H3>
<UL>
<LI><A href="rfc.html">Our document</A> listing the RFCs relevant to
Linux FreeS/WAN and giving various ways of obtaining both RFCs and
Internet Drafts.</LI>
<LI><A href="http://www.vpnc.org/vpn-standards.html">VPN Standards</A>
page maintained by<A href="glossary.html#VPNC"> VPNC</A>. This covers
both RFCs and Drafts, and classifies them in a fairly helpful way.</LI>
<LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
related to IPsec</LI>
<LI>US government<A href="http://www.itl.nist.gov/div897/pubs"> site</A>
with their<A href="glossary.html#FIPS"> FIPS</A> standards</LI>
<LI>Archives of the ipsec@tis.com mailing list where discussion of
drafts takes place.
<UL>
<LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern Canada</A></LI>
<LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
</UL>
</LI>
</UL>
<H3><A name="analysis">Analysis and critiques of IPsec protocols</A></H3>
<UL>
<LI>Counterpane's<A href="http://www.counterpane.com/ipsec.pdf">
evaluation</A> of the protocols</LI>
<LI>Simpson's<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
IKE Considered Dangerous</A> paper. Note that this is a link to an
archive of our mailing list. There are several replies in addition to
the paper itself.</LI>
<LI>Fate Labs<A href="http://www.fatelabs.com/loki-vpn.pdf"> Virual
Private Problems: the Broken Dream</A></LI>
<LI>Catherine Meadows' paper<CITE> Analysis of the Internet Key Exchange
Protocol Using the NRL Protocol Analyzer</CITE>, in<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
PDF</A> or<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
Postscript</A>.</LI>
<LI>Perlman and Kaufmnan
<UL>
<LI><A href="http://snoopy.seas.smu.edu/ee8392_summer01/week7/perlman2.pdf">
Key Exchange in IPsec</A></LI>
<LI>a newer<A href="http://sec.femto.org/wetice-2001/papers/radia-paper.pdf">
PDF paper</A>,<CITE> Analysis of the IPsec Key Exchange Standard</CITE>
.</LI>
</UL>
</LI>
<LI>Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
papers</A> page including his:
<UL>
<LI><CITE>Security Problems in the TCP/IP Protocol Suite</CITE> (1989)</LI>
<LI><CITE>Problem Areas for the IP Security Protocols</CITE> (1996)</LI>
<LI><CITE>Probable Plaintext Cryptanalysis of the IP Security Protocols</CITE>
(1997)</LI>
</UL>
</LI>
<LI>An<A href="http://www.lounge.org/ike_doi_errata.html"> errata list</A>
for the IPsec RFCs.</LI>
</UL>
<H3><A name="IP.background">Background information on IP</A></H3>
<UL>
<LI>An<A href="http://ipprimer.windsorcs.com/"> IP tutorial</A> that
seems to be written mainly for Netware or Microsoft LAN admins entering
a new world</LI>
<LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers
Authority</LI>
<LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>,
Classless Inter-Domain Routing</LI>
<LI>Also see our<A href="biblio.html"> bibliography</A></LI>
</UL>
<H2><A name="implement">IPsec Implementations</A></H2>
<H3><A name="linuxprod">Linux products</A></H3>
<P>Vendors using FreeS/WAN in turnkey firewall or VPN products are
listed in our<A href="intro.html#turnkey"> introduction</A>.</P>
<P>Other vendors have Linux IPsec products which, as far as we know, do
not use FreeS/WAN</P>
<UL>
<LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
provide an open source Linux driver for their PCI hardware VPN card.
This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
specialised crypto chips, and claimed encryption performance of 45
Mbit/sec. The PC sees it as an Ethernet board.</LI>
<LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
offer a Linux-based VPN with hardware encryption</LI>
<LI><A href="http://www.watchguard.com/">Watchguard</A> use Linux in
their Firebox product.</LI>
<LI><A href="http://www.entrust.com">Entrust</A> offer a developers'
toolkit for using their<A href="glossary.html#PKI"> PKI</A> for IPsec
authentication</LI>
<LI>According to a report on our mailing list,<A href="http://www.axent.com">
Axent</A> have a Linux version of their product.</LI>
</UL>
<H3><A name="router">IPsec in router products</A></H3>
<P>All the major router vendors support IPsec, at least in some models.</P>
<UL>
<LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
IPsec information</LI>
<LI>Ascend, now part of<A href="http://www.lucent.com/"> Lucent</A>,
have some IPsec-based products</LI>
<LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part
of Nortel, use IPsec in their Contivity switch product line</LI>
<LI><A href="http://www.3com.com/products/enterprise.html">3Com</A> have
a number of VPN products, some using IPsec</LI>
</UL>
<H3><A name="fw.web">IPsec in firewall products</A></H3>
<P>Many firewall vendors offer IPsec, either as a standard part of their
product, or an optional extra. A few we know about are:</P>
<UL>
<LI><A href="http://www.borderware.com/">Borderware</A></LI>
<LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
Laurent</A></LI>
<LI><A href="http://www.watchguard.com">Watchguard</A></LI>
<LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2</LI>
</UL>
<P>Vendors using FreeS/WAN in turnkey firewall products are listed in
our<A href="intro.html#turnkey"> introduction</A>.</P>
<H3><A name="ipsecos">Operating systems with IPsec support</A></H3>
<P>All the major open source operating systems support IPsec. See below
for details on<A href="#BSD"> BSD-derived</A> Unix variants.</P>
<P>Among commercial OS vendors, IPsec players include:</P>
<UL>
<LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
Microsoft</A> have put IPsec in their Windows 2000 and XP products</LI>
<LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
announce a release of OS390 with IPsec support via a crypto
co-processor</LI>
<LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
Sun</A> include IPsec in Solaris 8</LI>
<LI><A href="http://www.hp.com/security/products/extranet-security.html">
Hewlett Packard</A> offer IPsec for their Unix machines</LI>
<LI>Certicom have IPsec available for the<A href="http://www.certicom.com/products/movian/movianvpn_tech.html">
Palm</A>.</LI>
<LI>There were reports before the release that Apple's Mac OS X would
have IPsec support built in, but it did not seem to be there when we
last checked. If you find, it please let us know via the<A href="mail.html">
mailing list</A>.</LI>
</UL>
<H3><A NAME="29_3_5">IPsec on network cards</A></H3>
<P>Network cards with built-in IPsec acceleration are available from at
least Intel, 3Com and Redcreek.</P>
<H3><A name="opensource">Open source IPsec implementations</A></H3>
<H4><A name="linuxipsec">Other Linux IPsec implementations</A></H4>
<P>We like to think of FreeS/WAN as<EM> the</EM> Linux IPsec
implementation, but it is not the only one. Others we know of are:</P>
<UL>
<LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a
lightweight implementation of IPsec for Linux. Does not require kernel
recompilation.</LI>
<LI>Petr Novak's<A href="ftp://ftp.eunet.cz/icz/ipnsec/"> ipnsec</A>,
based on the OpenBSD IPsec code and using<A href="glossary.html#photuris">
Photuris</A> for key management</LI>
<LI>A now defunct project at<A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
U of Arizona</A> (export controlled)</LI>
<LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</A>
(export controlled)</LI>
</UL>
<H4><A name="BSD">IPsec for BSD Unix</A></H4>
<UL>
<LI><A href="http://www.kame.net/project-overview.html">KAME</A>,
several large Japanese companies co-operating on IPv6 and IPsec</LI>
<LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
implementation of IPv6 and of IPsec for IPv4 (export controlled)</LI>
<LI><A href="http://www.openbsd.org">OpenBSD</A> includes IPsec as a
standard part of the distribution</LI>
<LI><A href="http://www.r4k.net/ipsec">IPsec for FreeBSD</A></LI>
<LI>a<A href="http://www.netbsd.org/Documentation/network/ipsec/"> FAQ</A>
on NetBSD's IPsec implementation</LI>
</UL>
<H4><A name="misc">IPsec for other systems</A></H4>
<UL>
<LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
Technolgy</A> have implemented IPsec for Solaris, Java and Macintosh</LI>
</UL>
<H3><A name="interop.web">Interoperability</A></H3>
<P>The IPsec protocols are designed so that different implementations
should be able to work together. As they say "the devil is in the
details". IPsec has a lot of details, but considerable success has been
achieved.</P>
<H4><A name="result">Interoperability results</A></H4>
<P>Linux FreeS/WAN has been tested for interoperability with many other
IPsec implementations. Results to date are in our<A href="interop.html">
interoperability</A> section.</P>
<P>Various other sites have information on interoperability between
various IPsec implementations:</P>
<UL>
<LI><A href="http://www.opus1.com/vpn/atl99display.html">interop results</A>
from a bakeoff in Atlanta, September 1999.</LI>
<LI>a French company, HSC's,<A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
interoperability</A> test data covers FreeS/WAN, Open BSD, KAME, Linux
pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS</LI>
<LI><A href="http://www.icsa.net/">ICSA</A> offer certification programs
for various security-related products. See their list of<A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
certified IPsec</A> products. Linux FreeS/WAN is not currently on that
list, but several products with which we interoperate are.</LI>
<LI>VPNC have a page on why they are not yet doing<A href="http://www.vpnc.org/interop.html">
interoperability</A> testing and a page on the<A href="http://www.vpnc.org/conformance.html">
spec conformance</A> testing that they are doing</LI>
<LI>a<A href="http://www.commweb.com/article/COM20000912S0009"> review</A>
comparing a dozen commercial IPsec implemetations. Unfortunately, the
reviewers did not look at Open Source implementations such as FreeS/WAN
or OpenBSD.</LI>
<LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
results</A> from interoperability tests at a conference. FreeS/WAN was
not tested there.</LI>
<LI>test results from the<A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
IPSEC 2000</A> conference</LI>
</UL>
<H4><A name="test1">Interoperability test sites</A></H4>
<UL>
<LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing
project with free IPsec validation software</LI>
<LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of
Standards and Technology</A></LI>
<LI><A href="http://isakmp-test.ssh.fi/">SSH Communications Security</A></LI>
</UL>
<H2><A name="linux.link">Linux links</A></H2>
<H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
<UL>
<LI>Linux<A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
Getting Started</A> HOWTO document</LI>
<LI>A getting started guide from the<A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
U of Oregon</A></LI>
<LI>A large<A href="http://www.herring.org/techie.html"> link collection</A>
which includes a lot of introductory and tutorial material on Unix,
Linux, the net, . . .</LI>
</UL>
<H3><A name="general">General Linux sites</A></H3>
<UL>
<LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
<LI><A href="http://slashdot.org">Slashdot</A> "News for Nerds"</LI>
<LI><A href="http://www.linux.org">Linux Online</A></LI>
<LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
<LI><A href="http://www.tux.org">tux.org</A></LI>
</UL>
<H3><A name="docs.ldp">Documentation</A></H3>
<P>Nearly any Linux documentation you are likely to want can be found at
the<A href="http://metalab.unc.edu/LDP"> Linux Documentation Project</A>
or LDP.</P>
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
guide to Linux information sources</LI>
<LI>The LDP's HowTo documents are a standard Linux reference. See this<A href="http://www.linuxdoc.org/docs.html#howto">
list</A>. Documents there most relevant to a FreeS/WAN gateway are:
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
Networking Overview HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
Security HOWTO</A></LI>
</UL>
</LI>
<LI>The LDP do a series of Guides, book-sized publications with more
detail (and often more "why do it this way?") than the HowTos. See this<A
href="http://www.linuxdoc.org/guides.html"> list</A>. Documents there
most relevant to a FreeS/WAN gateway are:
<UL>
<LI><A href="http://www.tml.hut.fi/~viu/linux/sag/">System
Administrator's Guide</A></LI>
<LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Network
Adminstrator's Guide</A></LI>
<LI><A href="http://www.seifried.org/lasg/">Linux Administrator's
Security Guide</A></LI>
</UL>
</LI>
</UL>
<P>You may not need to go to the LDP to get this material. Most Linux
distributions include the HowTos on their CDs and several include the
Guides as well. Also, most of the Guides and some collections of HowTos
are available in book form from various publishers.</P>
<P>Much of the LDP material is also available in languages other than
English. See this<A href="http://www.linuxdoc.org/links/nenglish.html">
LDP page</A>.</P>
<H3><A name="advroute.web">Advanced routing</A></H3>
<P>The Linux IP stack has some new features in 2.4 kernels. Some HowTos
have been written:</P>
<UL>
<LI>several HowTos for the<A href="http://netfilter.samba.org/unreliable-guides/">
netfilter</A> firewall code in newer kernels</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
2.4 networking</A> HowTo</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
2.4 routing</A> HowTo</LI>
</UL>
<H3><A name="linsec">Security for Linux</A></H3>
<P>See also the<A href="#docs.ldp"> LDP material</A> above.</P>
<UL>
<LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
Trinity OS guide to setting up Linux</A></LI>
<LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
<LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting
filesystem</LI>
<LI><A href="http://EncryptionHOWTO.sourceforge.net/">Linux Encryption
HowTo</A> (outdated when last checked, had an Oct 2000 revision date in
March 2002)</LI>
</UL>
<H3><A name="firewall.linux">Linux firewalls</A></H3>
<P>Our<A href="firewall.html"> FreeS/WAN and firewalls</A> document
includes links to several sets of<A href="firewall.html#examplefw">
scripts</A> known to work with FreeS/WAN.</P>
<P>Other information sources:</P>
<UL>
<LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
<LI><A href="http://netfilter.samba.org/unreliable-guides/">netfilter</A>
firewall code in 2.4 kernels</LI>
<LI>Our list of general<A href="#firewall.web"> firewall references</A>
on the web</LI>
<LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool for
automatically configuring Linux firewalls</LI>
<LI>the web cache software<A href="http://www.squid-cache.org/"> squid</A>
and<A href="http://www.squidguard.org/"> squidguard</A> which turns
Squid into a filtering web proxy</LI>
</UL>
<H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
<UL>
<LI><A href="http://lwn.net/current/dists.php3">Linux distribution
vendors</A></LI>
<LI><A href="http://www.linux.org/groups/">Linux User Groups</A></LI>
</UL>
<H2><A name="crypto.link">Crypto and security links</A></H2>
<H3><A name="security">Crypto and security resources</A></H3>
<H4><A name="std.links">The standard link collections</A></H4>
<P>Two enormous collections of links, each the standard reference in its
area:</P>
<DL>
<DT>Gene Spafford's<A href="http://www.cerias.purdue.edu/coast/hotlist/">
COAST hotlist</A></DT>
<DD>Computer and network security.</DD>
<DT>Peter Gutmann's<A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
Encryption and Security-related Resources</A></DT>
<DD>Cryptography.</DD>
</DL>
<H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
<UL>
<LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
FAQ</A></LI>
<LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
<LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
Programming FAQ</A></LI>
<LI>FAQs for specific programs are listed in the<A href="#tools"> tools</A>
section below.</LI>
</UL>
<H4><A name="cryptover">Tutorials</A></H4>
<UL>
<LI>Gary Kessler's<A href="http://www.garykessler.net/library/crypto.html">
Overview of Cryptography</A></LI>
<LI>Terry Ritter's<A href="http://www.ciphersbyritter.com/LEARNING.HTM">
introduction</A></LI>
<LI>Peter Gutman's<A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
cryptography</A> tutorial (500 slides in PDF format)</LI>
<LI>Amir Herzberg of IBM's sildes for his course<A href="http://www.hrl.il.ibm.com/mpay/course.html">
Introduction to Cryptography and Electronic Commerce</A></LI>
<LI>the<A href="http://www.gnupg.org/gph/en/manual/c173.html"> concepts
section</A> of the<A href="glossary.html#GPG"> GNU Privacy Guard</A>
documentation</LI>
<LI>Bruce Schneier's self-study<A href="http://www.counterpane.com/self-study.html">
cryptanalysis</A> course</LI>
</UL>
<P>See also the<A href="#interesting"> interesting papers</A> section
below.</P>
<H4><A name="standards">Crypto and security standards</A></H4>
<UL>
<LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new
international computer and network security standards to replace the
"Rainbow" series</LI>
<LI>AES<A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
Advanced Encryption Standard</A> which will replace DES</LI>
<LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public key
standard</A></LI>
<LI>our collection of links for the<A href="#ipsec.link"> IPsec</A>
standards</LI>
<LI>history of<A href="http://www.visi.com/crypto/evalhist/index.html">
formal evaluation</A> of security policies and implementation</LI>
</UL>
<H4><A name="quotes">Crypto quotes</A></H4>
<P>There are several collections of cryptographic quotes on the net:</P>
<UL>
<LI><A href="http://www.eff.org/pub/EFF/quotes.eff">the EFF</A></LI>
<LI><A href="http://www.samsimpson.com/cquotes.php">Sam Simpson</A></LI>
<LI><A href="http://www.amk.ca/quotations/cryptography/page-1.html">AM
Kutchling</A></LI>
</UL>
<H3><A name="policy">Cryptography law and policy</A></H3>
<H4><A name="legal">Surveys of crypto law</A></H4>
<UL>
<LI>International survey of<A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
crypto law</A>.</LI>
<LI>International survey of<A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
digital signature law</A></LI>
</UL>
<H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
<UL>
<LI>The<A href="glossary.html#EFF"> EFF</A>'s archives on<A href="http://www.eff.org/pub/Privacy/">
privacy</A> and<A href="http://www.eff.org/pub/Privacy/ITAR_export/">
export control</A>.</LI>
<LI><A href="http://www.gilc.org">Global Internet Liberty Campaign</A></LI>
<LI><A href="http://www.cdt.org/crypto">Center for Democracy and
Technology</A></LI>
<LI><A href="http://www.privacyinternational.org/">Privacy International</A>
, who give out<A href="http://www.bigbrotherawards.org/"> Big Brother
Awards</A> to snoopy organisations</LI>
</UL>
<H4><A name="other.policy">Other information on crypto policy</A></H4>
<UL>
<LI><A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</A>, the<A href="glossary.html#IAB">
IAB</A> and<A href="glossary.html#IESG"> IESG</A> Statement on
Cryptographic Technology and the Internet.</LI>
<LI>John Young's collection of<A href="http://cryptome.org/"> documents</A>
of interest to the cryptography, open government and privacy movements,
organized chronologically</LI>
<LI>AT&T researcher Matt Blaze's Encryption, Privacy and Security<A href="http://www.crypto.com">
Resource Page</A></LI>
<LI>A good<A href="http://cryptome.org/crypto97-ne.htm"> overview</A> of
the issues from Australia.</LI>
</UL>
<P>See also our documentation section on the<A href="politics.html">
history and politics</A> of cryptography.</P>
<H3><A name="crypto.tech">Cryptography technical information</A></H3>
<H4><A name="cryptolinks">Collections of crypto links</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
<LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
Gutman's links</A></LI>
<LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI links</A>
</LI>
<LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
</UL>
<H4><A name="papers">Lists of online cryptography papers</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
<LI><A href="http://www.cryptography.com/resources/papers">
cryptography.com</A></LI>
<LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
</UL>
<H4><A name="interesting">Particularly interesting papers</A></H4>
<P>These papers emphasize important issues around the use of
cryptography, and the design and management of secure systems.</P>
<UL>
<LI><A href="http://www.counterpane.com/keylength.html">Key length
requirements for security</A></LI>
<LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
Cryptosystems Fail</A></LI>
<LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed
encryption</A></LI>
<LI><A href="http://www.counterpane.com/pitfalls.html">Security pitfalls
in cryptography</A></LI>
<LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting
Trust</A>, Ken Thompson on Trojan horse design</LI>
<LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against
Compelled Disclosure</A>, how to maintain privacy in the face of legal
or other coersion</LI>
</UL>
<H3><A name="compsec">Computer and network security</A></H3>
<H4><A name="seclink">Security links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</A></LI>
<LI>DMOZ open directory project<A href="http://dmoz.org/Computers/Security/">
computer security</A> links</LI>
<LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</A></LI>
<LI>Mike Fuhr's<A href="http://www.fuhr.org/~mfuhr/computers/security.html">
link collection</A></LI>
<LI><A href="http://www.networkintrusion.co.uk/">links</A> with an
emphasis on intrusion detection</LI>
</UL>
<H4><A name="firewall.web">Firewall links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST firewalls</A>
</LI>
<LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
</UL>
<H4><A name="vpn">VPN links</A></H4>
<UL>
<LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
<LI>First VPN's<A href="http://www.firstvpn.com/research/rhome.html">
white paper</A> collection</LI>
</UL>
<H4><A name="tools">Security tools</A></H4>
<UL>
<LI>PGP -- mail encryption
<UL>
<LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for
commercial versions</LI>
<LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes
the NAI product for non-commercial use</LI>
<LI><A href="http://www.pgpi.org/">international</A> distribution site</LI>
<LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
<LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
</UL>
A message in our mailing list archive has considerable detail on<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
available versions</A> of PGP and on IPsec support in them.
<P><STRONG>Note:</STRONG> A fairly nasty bug exists in all commercial
PGP versions from 5.5 through 6.5.3. If you have one of those,<STRONG>
upgrade now</STRONG>.</P>
</LI>
<LI>SSH -- secure remote login
<UL>
<LI><A href="http://www.ssh.fi">SSH Communications Security</A>, for the
original software. It is free for trial, academic and non-commercial
use.</LI>
<LI><A href="http://www.openssh.com/">Open SSH</A>, the Open BSD team's
free replacement</LI>
<LI><A href="http://www.freessh.org/">freessh.org</A>, links to free
implementations for many systems</LI>
<LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</A></LI>
<LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</A>
, an SSH client for Windows</LI>
</UL>
</LI>
<LI>Tripwire saves message digests of your system files. Re-calculate
the digests and compare to saved values to detect any file changes.
There are several versions available:
<UL>
<LI><A href="http://www.tripwiresecurity.com/">commercial version</A></LI>
<LI><A href="http://www.tripwire.org/">Open Source</A></LI>
</UL>
</LI>
<LI><A href="http://www.snort.org">Snort</A> and<A href="http://www.lids.org">
LIDS</A> are intrusion detection system for Linux</LI>
<LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A> System
Administrators Tool for Analysing Networks</LI>
<LI><A href="http://www.insecure.org/nmap/">NMAP</A> Network Mapper</LI>
<LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
Venema's page</A> with various tools</LI>
<LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic Archive</A>
, various tools to analyze network traffic, mostly scripts to organise
and format tcpdump(8) output for specific purposes</LI>
<LI><A name="ssmail">ssmail -- sendmail patched to do</A><A href="glossary.html#carpediem">
opportunistic encryption</A>
<UL>
<LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with
links to code and to a Usenix paper describing it, in PDF</LI>
</UL>
</LI>
<LI><A href="http://www.openca.org/">Open CA</A> project to develop a
freely distributed<A href="glossary.html#CA"> Certification Authority</A>
for building a open<A href="glossary.html#PKI"> Public Key
Infrastructure</A>.</LI>
</UL>
<H3><A name="people">Links to home pages</A></H3>
<P>David Wagner at Berkeley provides a set of links to<A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
home pages</A> of cryptographers, cypherpunks and computer security
people.</P>
<HR>
<A HREF="toc.html">Contents</A>
<A HREF="mail.html">Previous</A>
<A HREF="glossary.html">Next</A>
</BODY>
</HTML>
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
cb04c52ccedb52ab907eaca84d718eba
>
files
>
160
