From: "Angelos D. Keromytis"
To: simestd@alaska.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKIP problems
Date: Thu, 28 May 1998 21:14:44 EDT
Message-Id: <199805290119.VAA03275@adk.gr>

> SKIP is not an IETF standard and was rejected by the IPSEC wg several
> years ago (along with photuris)...

Touché. Although the circumstances were different in the two situations.

> 1. freebsd/NRL/psu/me as found at http://www.cs.pdx.edu/research/SMN
> in case you have been asleep... VPNs via route(8), route(4),
> and keyadmin(1). I could try to briefly clarify on-line if

Sounds similar to the OpenBSD code, although I haven't seen the NRL code (being a foreigner and all that).

> there was interest. I suspect there are at least two or more
> IPSEC implementors (camps) that read this list. Maybe we could
> all do that (or I could just go on vacation).

FYI, the linux-ipsec@clinet.fi mailing list (which was originally intended to be the FreeSWAN list) has occasionally interesting discussions, and at least 4 or 5 implementors are on it (that I know of).

> 2. the openBSD used to be netBSD implementation.

...used to be BSD/OS :-)

> what about ISAKMP?

Not using it. No good free implementations available (yet). FreeSWAN is working on it; maybe when they have something stable.

> what are the kernel interfaces?

PF_ENCAP (looks like a simplified PF_KEYv2).

> how do the kernel parts work?

http://www.cis.upenn.edu/~angelos/ipsec.ps.gz

> how do you add a new security transform?

ipsecadm(1) or photurisd(8), and possibly isakmp in the future.

> how tested is the code? (how buggy?)

The first version of the code was written back in 1995. I can't claim that there aren't any bugs left, but the code has been tested (and is being tested) and used.

> is the code well written?

I'm probably biased, but I've heard from 3 people who have no connection to the project that it's well written and tight. It's at least reasonably good.

> what is the user (or sysadmin) api?

PF_ENCAP... expect a draft soon.

> how does key management work?

Which part?

> is ASN involved :->

No!

> does it support user-level or only network level?

Supports both user-level and network level. It'll at some point be able to also act as bump-in-the-wire.

> policy for packets in/out in the o.s.; i.e., when to IPSEC
> and when not?

Outgoing packets based on source/destination addresses (possibly subnetted), transport protocol, UDP/TCP source/destination ports. Recently added per-socket policies with the automated keying.

> tunnel security attributes?

Yes.

> could joe average routing daemon use it?

Routing daemon?! You could have your routing infrastructure point everything at your IPsec firewall, if that's what you mean.

> multicast semantics?

Not completed (yet). We haven't focused on that, since there hasn't been much demand for it (yet).

> how many tons of docs, if any?

Not many. Some man pages, a paper (URL above). A short article in the OpenBSD Journal.

> you claim "interoperation", exactly what did that mean?
> end to end apps
> end to router tunnel
> AH with transform Y
> which AH acc. to which RFC/draft

End-to-end, firewall-to-firewall tunnel; telnet, ping and ftp.

Have tested:
  old ESP DES and 3DES
  old AH MD5 and SHA1
  new ESP DES and 3DES, with MD5 and SHA1
  new AH MD5 and SHA1

I believe Rodney Thayer (rodney@sabletech.com) maintains a sort-of-recent interoperability matrix; you can find OpenBSD there. The most recent tests were last September at the ANX Interop Workshop in Ottawa (interoped with 2-3 implementors, I remember mentat.com and I think IBM), and at SNDSS at the end of March with Dan McDonald (Sun Microsystems -- Solaris implementation).

We also support RIPEMD-160 authentication and CAST128 and Blowfish encryption.

> and of course, our favorite, export control aspects.

No export control, as the code was written, lives and is being maintained outside the US.

Hope this is informational enough.

Cheers,
-Angelos
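As an added illustration (not part of Angelos's mail or of the OpenBSD code), here is a small model of the outbound policy lookup he describes: flow policies selected on source/destination subnet, transport protocol and port, with a per-socket policy overriding them. The class names, SA labels and sample policy database are all constructed for this example.

```python
"""Outbound IPsec policy lookup of the kind described in the mail: flow
policies on subnet, transport protocol and destination port, with per-socket
policies taking precedence.  Constructed example, not OpenBSD's PF_ENCAP code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str                      # addresses of the outgoing packet
    dst: str
    proto: str                    # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Policy:
    src_net: str                  # CIDR; "0.0.0.0/0" matches any address
    dst_net: str
    proto: Optional[str] = None   # None = any transport protocol
    dport: Optional[int] = None   # None = any port
    action: str = "bypass"        # "bypass", "drop", or a made-up SA label

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))

    def specificity(self) -> tuple:
        # Longer prefixes and explicit proto/port selectors win ties.
        return (ip_network(self.src_net).prefixlen + ip_network(self.dst_net).prefixlen,
                self.proto is not None, self.dport is not None)


def lookup(f: Flow, spd: List[Policy], socket_policy: Optional[str] = None) -> str:
    """Per-socket policy wins outright; otherwise the most specific matching
    flow policy applies; nothing matching means default-deny."""
    if socket_policy is not None:
        return socket_policy
    hits = [p for p in spd if p.matches(f)]
    return max(hits, key=Policy.specificity).action if hits else "drop"


# Constructed SPD: traffic to 10.2/16 gets ESP, DNS to it gets AH, rest is clear.
SPD = [
    Policy("0.0.0.0/0", "0.0.0.0/0", action="bypass"),
    Policy("10.1.0.0/16", "10.2.0.0/16", action="esp-3des-sha1"),
    Policy("10.1.0.0/16", "10.2.0.0/16", proto="udp", dport=53, action="ah-md5"),
]
```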