Crypto and IPSec Merged into 2.5

Corbet writes "Linus has just merged the new crypto API and IPSec implementation into his 2.5 BitKeeper tree. This is the first time that serious cryptographic code has made an appearance in the mainline kernel, and it will hopefully lead to more secure communications for all Linux users in the future."

Wow!

[Cyph]

I really like the way the 2.5 kernel is progressing, a lot of the patches that I've been applying manually to the 2.4 tree have already been merged into the main tree of the 2.5 kernel.

Can't wait until release, this thing is going to rock. :)

Eh?

[PhysicsScholar]

Why would superior theft abilities become part of kernel-proper?

Oh, you said crypto!

Re:Eh?

Eh? Huh? Wha?

Re:Eh?

[BluBrick]

HUH? A klepto/crypto pun gets a +5 funny? Stop the world, I want to get off!

Re:Eh?

um, that's not even half-funny, you karma whore.

Re:Eh?

[Klync]

I think it's time we bumped the max rating up to 20, but still only let browsing only go 5+. I've seen too many things at +5 that were just miles overhead of anything else. Or maybe an all-time high score.

Excellent - no more FreeSWAN patches

[JKR]

This should make VPN-in-a-box simpler to set up, particularly for distros that use their own kernel packaging scripts.

Jon.

Re:Excellent - no more FreeSWAN patches

[LWolenczak]

somewhat, but from what I read bout a week and a half ago... the ipsec impmentation that they are putting in does not yet support ipv4 transport.... ie is useless unless you have hosts fully using ipv6 on both sides of the tunnel. Keep in mind, its not frees/wan, its from the linux ipv6 project.

With the atitude that the frees/wan project maintains, we will never see freeswan merged with mainstream kernel... hell... they still refuse to take patches from us citiziens and residents (that includes linus)

Re:Excellent - no more FreeSWAN patches

No, the ipsec in the kernel is actually IPv4 specific at the moment. It is NOT the USAGI IPv6 IPSEC code.

Re:Excellent - no more FreeSWAN patches

[LWolenczak]

Since when? If the patches are being supplied by the linux ipv6 people then wouldnt it be their project? i'd think so?

Re:Excellent - no more FreeSWAN patches

[SpamJunkie]

If frees/wan won't take contributions from the US why doesn't someone in the US fork it? Isn't this the way OSS is supposed to deal with stubborn maintainers that have different ideals than a large number of developers?

Re:Excellent - no more FreeSWAN patches

I expect the code is ipsec_tunnel by Tobias
Ringstrom... but I've not read the patch yet.

ipsec_tunnel is good code, after looking at FreeSwan and
deciding it was really poorly done, we looked at
this and even though (at the time) it was not yet
useable, we felt it better to contribute to it
to make a so then to go with the lesser
alternative.

Very clean, it's a fine design :-) Something
worthy of inclusion in the kernel and a real
credit to Tobias.

D. Jeff Dionne
Arcturus Networks.

Re:Excellent - no more FreeSWAN patches

[LWolenczak]

Thats a question I really can't answer. I should have thought about it many months ago when I found routing bugs in frees/wan internal routing table.... when they refused to hear anything about it and claimed it must have been a configuration error..... but I've been using frees/wan for years... since frees/wan 1.3 i think..... I know it inside and out. Perhaps it is time to fork... or wait till FreeS/WAN 2, and fork it. You are right.... it is time to fork it.

Re:Excellent - no more FreeSWAN patches

[4of12]

Simpler setups for important security features are great and definitely do depend on this infrastructure being in the default kernel distributions. (I kind of like the idea of cryptographic filesystems enabled by default on laptop computers that could stolen.)

But, as we all know, that's not enough.

That simple setup has to be exceedingly well-designed so that 2-minute Click-through VPN installations are not left vulnerable due to some trade-off for more convenience.

Everyone knows and has deservedly berated Microsoft for making poor choices in this matter; let's not have widely-deployed commercial Linux distributions make the same mistake.

"Everything should be made as simple as possible, but not simpler."

-- Albert Einstein

Re:Excellent - no more FreeSWAN patches

[velkro]

Why no fork yet?

Because it's a large project, it's really complex, and it's a bitch to keep up with things.

I should know - I'm the author of Super FreeS/WAN, a pseudo fork with includes alot of patches (NAT-T, X.509 Certs, AES/Blowfish/etc... ) @ http://www.freeswan.ca/code/super-freeswan

It takes a few hours a day to stay on top of things. One the major ones is user support. IPSec is not easy to configure currently, especially once you introduce X.509 certs & MS Windows clients using any number of clients. So there's hundred of questions about configs, how tos, etc...

If you want to fork it, please, go ahead. Just remember that a fork isn't just the code - you take users with you.

Re:Excellent - no more FreeSWAN patches

[LWolenczak]

One of the major problems with frees/wan is the documentation. "Oh, you might be able to do this, we dont know.." When it has been posted to the mailing lists, and discussed "oh, Here is how you do it".

I was going to use your fork, but I lost my job. :( Perhaps I should write a patch that allows for more then one type of network interface so it is easier to sue ospf..... and changing the internal routing table so its more kind to other things such as routing protocols.

Re:Excellent - no more FreeSWAN patches

[BESTouff]

Hell, if they refuse the you US citizens/residents touch the code, it's because you government has silly laws against crypto.

Ok, I must confess my government (France) is no better in this respect. *sob*

Re:Excellent - no more FreeSWAN patches

[velkro]

2.00 + snapshots, and forthcoming 1.99 have vastly improved docs, and a way better inter-op doc.

I run OSPF + BGP over FreeS/WAN using GRE, which seems to be the simplest way to do it - there's been alot of dicussion lately on the lists about doing this.

Sorry to hear about the job loss, but when you get back on your feet and want to continue, just flip me a note and I'll give you a CVS repository if you want to start with.

ken@freeswan.ca

Re:Excellent - no more FreeSWAN patches

[wandernotlost]

With the atitude that the frees/wan project maintains, we will never see freeswan merged with mainstream kernel... hell... they still refuse to take patches from us citiziens and residents (that includes linus)

Considering the US's asinine stance on crypto export, that's just good sense.

That said, there's no reason the frees/wan code couldn't go into the kernel in a stable form, but still be maintained separately overseas.

Re:Excellent - no more FreeSWAN patches

[shepd]

>With the atitude that the frees/wan project maintains, we will never see freeswan merged with mainstream kernel... hell... they still refuse to take patches from us citiziens and residents (that includes linus)

Not to mention they refuse to include support for the faster (but less secure) type of IPSec, thereby causing me to run Win2k on my router for a short while. I believe they even say it's fully valid to use IPSec in this manner (in fact it's part of the spec, so without it they shouldn't be calling it IPSec, IMHO), but they just don't want to support it in the faq, 100% due to attitude.

Developers may have a right to any attitude they desire, but they should understand their software is just going to be replaced (in the mainstream) by software from someone with less attitude. Let's hope that's what happens with freeswan. I think we don't need another OSS-style crippled set of kernel software. (Did they move to ALSA yet? I hope so!)

Just my 2 cents.

Re:Excellent - no more FreeSWAN patches

[Junta]

Not 100% due to the attitude more than anything else. They by default choose not to allow single DES to protect users/organizations from themselves. Tell me a legitimate reason why, with today's hardware, you need only single DES? It is really not that secure in this day and age? In any case, when I set up FreeS/WAN on a system, two sets of patches immediately go on, x509 cetificataes (ala http://www.strongsec.com), and cipher plugins (http://www.irrigacion.gov.ar/juanjo/ipsec/). I usually do AES when going to other patched FreeS/WAN, and use the enhanced 3DES from that suite when dealing with implementation lacking AES...

AES is truly the way to go. There are a number of aspects of FreeS/WAN where they felt things the standards required to be available were too weak to be secure. They are mostly compliant with the specs, but I agree with them that certain things really have no use in security except to make things easier on organizations like the NSA...

Re:Excellent - no more FreeSWAN patches

Or maybe it's time for you to step back and learn to code properly, you fairy!

Re:Excellent - no more FreeSWAN patches

The patches are not supplied by the ipv6 (USAGI) people.

The new IPSEC code is writen by Dave Miller and Alexey Kuznetsov.

Re:Excellent - no more FreeSWAN patches

[Shamanin]

True, they are doing things to "help" protect the users, but some of their reasoning seems antiquated.

For instance, their stance on crypto hardware is

"Supporting hardware cryptography accelerators has not been a high priority for the development team because it raises a number of fairly complex issues:

* Can you trust the hardware? If it is not Open Source, how do you audit its security? Even if it is, how do you check that the design has no concealed traps?
* If an interface is added for such hardware, can that interface be subverted or misused?
* Is hardware acceleration actually a performance win? It clearly is in many cases, but on a fast machine it might be better to use the CPU for the encryption than to pay the overheads of moving data to and from a crypto board.
* the current KLIPS code does not provide a clean interface for hardware accelerators

"

Re:Excellent - no more FreeSWAN patches

[MindStalker]

If its all internal, or inside a different encypted channel. Especially if there is a need for very high speed, no reason to slow it down, even if slightly, if the encryption isn't needed.

Re:Excellent - no more FreeSWAN patches

[AxelTorvalds]

I believe that's kind of what the article is announcing. A fork and Linus likes it enough to include it in his kernel.

Re:Excellent - no more FreeSWAN patches

[shepd]

>Tell me a legitimate reason why, with today's hardware, you need only single DES?

Because I don't control the uplink and like my satellite internet access fast. Agressive mode/singe DES does this, anything else (IPSec-wise) is suicide on a satellite link.

There ya go.

Re:Excellent - no more FreeSWAN patches

[Junta]

Ok, then why use IPSec at all, if you think the traffic is secure anyway? If your objective is not security, what does IPSec provide? It makes no sense to say you need IPsec, but the traffic is not going through an untrusted network unprotected.... That defies the purpose of IPSec...

Re:Excellent - no more FreeSWAN patches

[Junta]

That seems to defy logic.

If talking latency, your Satellite uplink penalty is far greater than the 1-2 milliseconds added by stronger crypto, so it wouldn't be noticed...

If talking bandwidth, having a relatively narrow pipe means even a wimpy processor can more than saturate the link even doing 3DES. AES is even better, secure *and* less intensive. AFAIK, 3DES consumes no more traffic than DES, just slightly larger, rarely exchanged keys.

Single DES is nearly completely pointless. It provides insufficient security. Relying on DES to protect data relies on some bad assumptions.

Re:Excellent - no more FreeSWAN patches

[shepd]

>If talking latency, your Satellite uplink penalty is far greater than the 1-2 milliseconds added by stronger crypto, so it wouldn't be noticed...

My complaint is more than their lack of stronger crypto. There's also the lack of Agressive mode, which reduces the amount of trips a packet needs to take before it gets to it's final destination. An extra trip adds 250 ms latency. This is bad, especially when your latency is already at 500 ms to 750 ms. :-/

I am assuming they were using single DES because at that time their router would occasionally "backup" and simply run out of the horsepower to do the job (it's since been upgraded/replaced). If that happened I'd probably switch it to single DES too.

Sometimes people want to use IPSec for its ability to do a tunnel unencumbered by a lack of documentation, and not necessarialy for the security purposes. I think that's what happend with my old ISP. The data being protected at all was just a side effect of using IPSec for tunnelling.

exportation issues?

[kochsr]

how does exportation work with this? i thought people weren't allowed to export code w/ serious type crypto in it.

Re:exportation issues?

[Angry+White+Guy]

I think that this would be the same as not letting Stephen Hawking leave the country because he knows too much

Re:exportation issues?

[JKR]

The requirements have been relaxed recently; see here for more details. In particular:

Also in 740.13, to, in part, take into account the "open source" approach to software development, unrestricted encryption source code not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code can, without review, be released from "EI" controls and exported and reexported under License Exception TSU.

Jon.

Re:exportation issues?

[leto]

If you had followed the entire debate, you know
that these "relaxations" are declarations (yes,
those like a King makes), and can be withdrawn by Bush at any time, without any democratic process.
That's why Gilmore and Daniel are taking the stance they are taking.

Crypto is your fundamental right, not a fluffy
allowance from your Emperor.

Re:exportation issues?

[streepje]

Exportation from where? Where *is* Linux?

Nobody is preventing "people" around here from exporting crypto.

Re:exportation issues?

[Skirwan]

exportation

Is anyone else subtly annoyed that 'exportation' is a word?

It sounds like something completifically inventorated, but sure enough the dictionary verificates its existification. I am extremifically annoyarated to be denyified this oppurtunitization to drop a Bush joke.

--
Damn the Emperor!

Re:exportation issues?

[kbielefe]

Crypto export laws were always kind of a joke anyway. It seems like the only difference was in the number of bits, like 1024-bit was prohibited but 128-bit was not. What's keeping people from just extending the code a little bit? Can someone who knows more about this please comment?

Re:exportation issues?

and can be withdrawn by Bush at any time, without any democratic process.

That should be President or Chief Executive. It could be Bush, it could be the next President, and it's perfectly within his power as President. Interesting that you complain that he might withdraw the relaxation of the exportation restrictions, but you don't thank him for relaxing the restrictions to begin with.

Having said that, and leaving aside the Bush bashing. This is all the more reason to put encryption into as many open-source projects as possible. It will make it all the more difficult to tighten-up the restrictions later.

Re:exportation issues?

[FauxPasIII]

>> I think that this would be the same as not letting Stephen Hawking leave the country because he knows too much

Last I checked he was in England anyway, serving in the Lucasian Professorship at Cambridge.

Re:exportation issues?

[dr_dank]

Many crypto products have a weaker bitcount version for export sale (i.e. - Win 2k crypto export module is 64 bit while the US high encryption pack delivers 128 bit crypto).

In the Stephen Hawking example, its like letting him leave, but removing the batteries from his speech board. :)

Re:exportation issues?

You think you're joking, but that's more common than you think. Plenty of people aer not allowed to travel to China or Russia (now probably Iraq and North Korea as well).

Our government spends more money keeping track of people that it doesn't want to defect than the KGB ever did.

Re:exportation issues?

[astrashe]

If that's the case, the inclusion of the crypto code in the kernel is a good thing.

An awful lot of people use the kernel, and interfering with its distribution would generate lots of waves, interfere with lots of businesses, anger lots of tech journalists, etc.

Politically, I just don't see how they could muck with it.

Re:exportation issues?

[danish]

Is anyone else subtly annoyed that 'exportation' is a word?

"Exportation" is a perfectly cromulent word.

Re:exportation issues?

What a stupid question! No one around here knows more about this. You are on slashdot!

Re:exportation issues?

[noahm]

If you had followed the entire debate, you know that these "relaxations" are declarations (yes, those like a King makes), and can be withdrawn by Bush at any time, without any democratic process.

Yes, but it was exactly the same kind of executive decree that made crypto illegal to export to begin with. There is no law in the US that states that crypto is a munition or that it can't be exported.

At this point, it really just doesn't make sense to hold off on adopting crytpo out of fear that the US is going to surprise everybody and yank our crypto rights out from under us. The cat, as they say, is out of the bag. It won't go back in. The government is welcome to try to re-regulate crypto export, but it won't work. (They actually tried this briefly after 9/11, and the proposals died silently.)

This news about crypto in the Linux kernel is wonderful. The more crypto is out there, integrated into our daily lives, the harder it will be for somebody to try to take it away from us.

noah

Re:exportation issues?

[sab39]

What would you prefer? Exportion?

Re:exportation issues?

[gorilla]

Not just 'in England', he was born there, and has always lived there.

Re:exportation issues?

[Sloppy]

I think it should be "enexportationment".

Re:exportation issues?

The parent never said he was in the US in the first place.

Re:exportation issues?

[Jeremi]

<pedantic>The original poster never referred to which country... perhaps he meant not letting Stephen Hawking leave England.</pedantic>

Re:exportation issues?

Using the word pedantic in tags!

</pedantic>

Re:exportation issues?

[jbolden]

Nothing. The main concepts behind cryptography could be explained to a bright 7th grader in an hour and have been known since the time of Fermat. There never was any intention of preventing technically literate people from having cryptography. What the export controls did was prevented it from being built in to thousands of products and thus used as an everyday feature by average criminals and prevent intellegence gathering abroad.

Re:exportation issues?

[rweir]

The US government relaxed crypto export laws a bit last year. IIRC, you can export open source software with strong crypto if you report it some government agency. Debian's solution for getting crypto into the main distribution is to have the archive software automatically email the export control agency when a new package is uploaded.

Re:exportation issues?

"Our government spends more money keeping track of people that it doesn't want to defect than the KGB ever did."

Do you honestly believe this drivel?

Put down the bong. No one is out to get you. No one even cares if you exist or not.

Who would want to "defect" to any of those countries for any price?

Too bad it's not Freeswan

[leto]

Too bad that full ipsec, such as provided by
Freeswan is still not in the kernel. I find it a
bit sad that Dave Miller and John Gilmore can't
figure out a proper way to resolve their problem

(John wants no US hands on the code, Dave wants
no code he can't touch in the kernel)

But at least the beginning is there, and if the
USAGI ipsec gets in, it should learn to talk to the userland tools, such as Freeswan, because Freeswan has extra features that "stock ipsec" doesn't have, such as Opportunistic Encryption.

Re:Too bad it's not Freeswan

Uh, calling FreeSWAN a "full" implementation is very misleading. Its IKE does not support Aggressive Mode which is pretty much a requirement for virtually every Hardware IPSEC VPN out there.

FreeSWAN may be good for crypto, but bad for actually getting your work done. Regardless, the new IPSec code gets the hard part integrated, an ipv4 implementation should be trivial.

Re:Too bad it's not Freeswan

[tjw]

Reyk Floeter is doing work to port OpenBSD's isakmpd to the Linux ipsec_tunnel implementation. From the sounds of things, it actually works.

Unfortunetly, Reyk's web server has been down for some time, so I have been unable to get a copy to test it.

When coupled with isakmpd Tobias's IPSec tunnel implementation will be much closer to Free S/WAN feature-wise. Although, i'm not sure if Opportunistic Encryption will be supported by isakmpd.

As a user of Free S/WAN, ipsec_tunnel, and also non-IPSec tunnels on Linux, I can say that I found the ipsec_tunnel implentation to be a much easier to use.

Re:Too bad it's not Freeswan

[JohnFluxx]

Whats Aggressive mode please?

Re:Too bad it's not Freeswan

[The+Pim]

While I appreciate all the work that freeswan has done for us, I am much more confident for the long term in work done by the core Linux networking hackers. The freeswan guys seem much more concerned with making it work (in typical situations) than making it right, with the result that the implementation is horribly klugy.

Two examples are the need for a "nexthop" parameter, when the kernel already has this information in its routing tables; and the need to turn off route filtering. Both make it clear that freeswan is not properly integrated (and if you look at the freeswan docs, you'll see that this general problem been on the "to fix" list for a long time).

Re:Too bad it's not Freeswan

IPSec depends on authenticating both ends of the tunnel as opposed to most https connections. FreeSWAN's preferred method is to hardcode the static IP addresses of both endpoints in the configuration. The sad reality is that most workers have a dynamic address even on a broadband connection.

Aggressive Mode gets around this by collapsing two steps of the negotiation and transmitting a username in the clear. This is considered "insecure" by the FreeSwan team.

What's more "insecure"? Using AM or using a broken implementation of PPTP?

Re:Too bad it's not Freeswan

Well when you play with free code and you've got a bee up your arse about a certain group of people then it just doesn't work. There is no legal reason why Americans couldn't hack on the IPSec code.

Re:Too bad it's not Freeswan

[Junta]

Ummm, not so, I have not ever specified nexthop in any of my configuration. Same with route filtering, I leave it on, without consequence....

I've seen these complaints about the non-integration of FreeS/WAN before, but usually because people fail to understand the system. They make recommendations so you know exactly what is going on and give the ability to override certain settings just in case, but most of the time the extremely verbose ways of dealing with the parameters as recommended in many howtos is overkill, and could be omitted...

Re:Too bad it's not Freeswan

[hardaker]

You'll be glad to know that the Cerberus/PlutoPlus implementations done by NIST are going to be more widely available in the near future. Specifically, I've been working on extending them to support large-scale configuration management of it. I ported the cerberus (read: ipsec) support to the 2.4 kernel, and am wrapping up the final details at the moment. The good news about it is that it's not done in the hacky way that freeswan did stuff. I'll be creating a sourceforge project for it within the week (I have a deadline to do it by next week), so look for it shortly.

I actually tried to approach the FreeSWAN folk to considering instrumenting their code with our policy-role-based configuration management support infrastructure, but they said "no US no way" and I didn't really have a choice if I wanted my patches rolled back into the project. The Cerberus and PlutoPlus developers, on the other hand, have been much more polite and helpful.

Re:Too bad it's not Freeswan

[swb]

Is PPTP all that bad? My impression was always that it was specific NT server implementations that had weaknesses and an early protocol version that used weak encryption.

I find IPSec harder and more complex to support for remote users compared to PPTP, on both the workstation and network sides. IPSec is pretty simple for dedicated tunnels.

Re:Too bad it's not Freeswan

[infra-red]

IPSec will allow you to encrypt all traffic to each end host. So for example, your traffic to /. would be encrypted by your end, and decrypted by their end. At least thats the ideal.

PPTP will let you setup encrypted tunnels, but its still out in the open after some point in time.

Re:Too bad it's not Freeswan

[leto]

Funny that. Currently, a whole /24 is tunneled
over a completely dynamic IP for use at IETF next week. I am tunneling that /24 to a key, or a FQDN
name with a KEY or TXT record. On top of that, we're about to roll out DNSSEC in .nl, and adding freeswan.nl to it.

So, if the "dynamic ip" issue is the only reason to use Aggressive Mode, then surely AM is obsoleted and indeed rightdully is not implemented.

Kernel bloat ?

[MosesJones]

This is great that these things are comming as standard in the kernel, but so many things are "standard" now its getting pretty large for joe-schmo average user who will get a full kitchen sink kernel with their distro.

This is also great for creating products like VPN gateways et al, but is it time to consider a different structure for kernel builds, with modules being seperately managed with a smarter installation procedure.

Re:Kernel bloat ?

[Alioth]

With kernel modules you don't need to have the stuff loaded *in* the kernel all the time. All the distros I've used recently only have the stuff essential to run in the kernel image in /boot - the rest is all modules.

Re:Kernel bloat ?

[LordHunter317]

I can't believe everyone calles 32MB of source "bloat". 32 MB is small compared to soemthings on your system, like X, KDE, GNOME sources. And in a lot of way, the Kernel is a lot more featureful than any of those. X for example, has a lot of "bloat" due to its build system.

Joe-Schmo is goign to use the binary kernel supplied by his Distribution anyway, and probably never upgrade it, until he goes and downloads a whole new ISO image. The actual running kernel stays really small due to the use of such things as MODULES, allowing only what is needed to be running at any given moment to run.

Bitch Bitch Bitch. Stop bitchin' about stuff you really don't have any idea about. The kernel is for all intents and purposes, small, and is indcredibly featureful for its size. So deal.

Re:Kernel bloat ?

[technix4beos]

geesh man.

Didn't you ever do assembler back in the day?

Do you realize that BeOS R5 Personal Edition was a 43 meg download? Smaller than most games today, by far!

This is a patch, and it's 32 megs!?!? holy cow.

Re:Kernel bloat ?

[GreyWolf3000]

This is great that these things are comming as standard in the kernel, but so many things are "standard" now its getting pretty large for joe-schmo average user who will get a full kitchen sink kernel with their distro.

This is also great for creating products like VPN gateways et al, but is it time to consider a different structure for kernel builds, with modules being seperately managed with a smarter installation procedure.

Due to kernel modules and the fact that you can "roll your own," the kernel can be as bloated as you want, the only downside is the size of the download. The current installation procedure works well enough for this, though the only feature it really lacks imho is querying dependencies satisfied by an entry.

Really though, kernels can and will always fit on teeny floppies, providing they're trimmed down enough. Regarding your comment about the end user getting the kitchen sink, have you ever looked at how distros handle this?

Most make a generic trimmed down kernel cross-compiled for the architecture and build all the modules. It may be the case that the distro copies hoards of modules, but that still isn't going to be as big a package as, say, glibc. If "joe-shmoe" doesn't have Bluetooth or scsi hardware, the corresponding modules won't get loaded, and as a result the bloatedness of the /lib/modules// directory won't bleed into the performance of the actual running kernel.

Re:Kernel bloat ?

[LordHunter317]

No, the whole kernel is about 32MB source. Binary is far smaller.

Don't compare a 43 MB binary download to a 32MB source download. That's apples to oranges.

Re:Kernel bloat ?

[rmadmin]

Just for clarification.. thats 36~ meg compressed!

[KungFu] rmadmin:~$ ls -sh linux-2.5.44.tar.gz
36M linux-2.5.44.tar.gz
[KungFu] rmadmin:~$ gunzip linux-2.5.44.tar.gz
[KungFu] rmadmin:~$ ls -sh linux-2.5.44.tar
160M linux-2.5.44.tar
[KungFu] rmadmin:~$

Wanna rephrase your statement?

Re:Kernel bloat ?

[GreyWolf3000]

If you roll your own, it is possible to get a working Linux system as small as you want, depending on the functionality. 5MB for a webserver--before compression!

Sources themselves are huge compared to the bins they create especially considering source trees for projects like the kernel and X, which have support for many architectures. Much of the source code doesn't even get into the binary in the end.

Re:Kernel bloat ?

[LordHunter317]

The bzip2 is 32MB. Get a real compression mechanism.

Unzipped only counts in terms of disc space. 160MB is small change for most machines. If its not, compile the kernel somewhere else and ship it over.
Still, it further proves my point, because that means we're goign from 160MB source to 10MB compiled code.

My whole point is people bitch about bloat when the kernel is anything but bloated. For all the stuff it contains (which is a lot), submitted by all those different people (which is a lot), its incredibly lean.

Re:Kernel bloat ?

[Pr3d4t0r]

32MB is a bit heavy for serious embedded work and as I understand, more and more developers are considering it for that purpose. It is a legitimate concern for certain applications.

Re:Kernel bloat ?

[RAMMS+EIN]

``I can't believe everyone calles 32MB of source "bloat". 32 MB is small compared to soemthings on your system, like X, KDE, GNOME sources. And in a lot of way, the Kernel is a lot more featureful than any of those. X for example, has a lot of "bloat" due to its build system.''
I'm sorry. This really doesn't make sense. Just because the kernel is smaller than some other package doesn't mean it can't be bloated. When I download the kernel source, I get sources not only for my build platform but also for a myriad of other architectures that I don't have. This _is_ bloat. It's good that Linux runs on so many architectures, it's good that the kernel has so many featurs, but anyone saying that all this source code they get but never use is bloat is just correct.

In my opinion, GNOME, X, and KDE come with a lot of bloat that I don't want to cope with. I don't use GNOME or KDE, but I do use X, because I lack a better alternative. The Linux kernel is a fantastic piece of software, exactly because it offers so many features (that many don't need). The source download is pretty huge (and unnecessarily so), but once compiled it's greatly efficient. Any new features is a win, and if you don't want it, you can disable it at configure time.

Re:Kernel bloat ?

[Gheesh]

This is great that these things are comming as standard in the kernel, but so many things are "standard" now its getting pretty large for joe-schmo average user who will get a full kitchen sink kernel with their distro.

1. Joe Average will continue to buy larger and larger PCs just to be able to run Windows XP, and prices will lower due to that trend
2. Although everything is included in the kernel *SOURCE* you don't have to compile and load into memory every module
3. You may have noticed that lately even home needs are quite broad: from 3D and multimedia to routing to allow more than one PC to be using the Internet at a time, so it's a good thing all these capabilities are available if needed

Re:Kernel bloat ?

[irc.goatse.cx+troll]

"My whole point is people bitch about bloat when the kernel is anything but bloated. For all the stuff it contains (which is a lot), submitted by all those different people (which is a lot), its incredibly lean."

So what you're saying is, For somethign that contains a lot of bloated patches/features, its pretty lean?

Re:Kernel bloat ?

[jim3e8]

If you want to see bloat, take a look at the commercial UNIXes.
For example, on a random HP 11.0 box here:

-rwxr-xr-x 1 root sys 18946872 May 9 08:43 /stand/vmunix

That is a 19 megabyte binary kernel. It would be interesting to see how big the source is...

Re:Kernel bloat ?

[rgmoore]

But the 32MB is for the compressed source, not for the binary. By the time you've compiled and compressed the binary image, it's typically down to about 5-700 KB, and I'd assume that if you have an embedded system with clearly defined minimal hardware you can probably get it a bit smaller than that. It's certainly not tiny, but the size of the end product (which is what really matters for the vast majority of people) is very reasonable.

Re:Kernel bloat ?

[shepd]

>No, the whole kernel is about 32MB source

What the heck did they remove?

My kernel is 100+ MB of source (assuming that 99% of what makes up the kernel in that dir is sourcecode). And the other day my teacher said that C basically doesn't scale. If only I had a printer and a few weeks...

Re:Kernel bloat ?

[a-moll]

ok, lets compare this orange to some other oranges: the BSD's(maybe an other kind of oranges but oranges non the less).
Just checked the FreeBSD kernel, and the sources is just below 12MB in tgz, the uncompressed GENERIC(the one with everything neaded by almost all people included) is 4MB uncompressed. I'm not sure (because i'm at school sitting on a winnt-box), but i believe the last kernels i kompiled is about 2-3MB uncompressed.
NetBSD's (1.6) kernel has a 22MB tar.gz src-file. but then you have to remember that includes support for 53platforms using 18 different cpu-types (and all ibm-pc-clones is just one of these platforms and cpu-types). and the compiled generic-kernel for i386 is just about 6 meg in size uncompressed.
and OpenBSD (3.1) has a kernelsource that is compressed down to 14MB. and uncompressed generic-kernel is 4.4MB.

and all of these (not 100% sure about NetBSD) has IPSEC in the kernel.

Re:Kernel bloat ?

What he's getting at is that when you only add one or two modules to your configuration and build, it recompiles ALL the modules. I agree; Compiling a new sound card module should only take 1-2 seconds, not 30+

Re:Kernel bloat ?

[Lumpy]

that's funny... I bet I can still fit the kernel on a floppy. along with a filesystem and apps to make a firewall...

1.4 meg for a functional system is bloat? what do you call Microsoft then?

the kernel CANT get bloated... that's the great part of only using what you want and the rest doesnt exist.

Re:Kernel bloat ?

[Rich0]

Perhaps - but you still have to download the source to make the binary. Last time I checked, downloading a 32MB source file for gentoo takes me about 2 hrs and 40 minutes. (I have a 56K modem which gets about 26K typically - and I'm about 20,000 feet from the switch so forget DSL.)

Granted, I do understand that source will always take up more space than the final code, but bandwidth isn't free, so developers shouldn't come up with build systems that have no consideration whatsoever for download size.

Of course, it would be nice if source-based distributions were smart enough to notice that I already have version x.y.z.tar.bz2 and download the x.y.z-x.y.z+1 patch and apply it rather than going directly for the monster tarball...

Whether 32MB is too much is debatable. However, I would argue that a 1MB tarball is undebatably fine. When you get into source files that go into the tends of MBs you start to get into a realm where users start to wonder what the heck is in there...

Re:Kernel bloat ?

[GreyWolf3000]

Agreed. They could probably save a lot by simply breaking up the source into chunks by architectures, but that would take time off of coding.

Re:Kernel bloat ?

[The+Bungi]

I can put DOS 6.0 and Norton Commander in a 1.4MB floppy... that would be roughly equivalent to your "kernel on a floppy", wouldn't it?

Re:Kernel bloat ?

[jmauro]

They gzip'ed. It's about 128mb after a gnuzip and untar.

Re:Kernel bloat ?

[cjpez]

I don't think trimming off architectures alone would save that much. The 2.4.19 tbz2 is about 25MB. I untarred it, stripped out all arches !i386, retarred, and the resulting tarball was still about 21MB. Not that big of a difference; you're still downloading 21 megs. What's the extra four, really?

pez@arrakis:~/tmp/kernel$ ls -l
total 46628
drwxr-sr-x 2 pez pez 4096 Oct 30 11:40 ./
drwxr-sr-x 10 pez pez 4096 Oct 30 11:29 ../
-rw-r--r-- 1 pez pez 21630684 Oct 30 11:35 linux-2.4.19-i386.tar.bz2
-rw-r--r-- 1 pez pez 26042494 Oct 30 11:40 linux-2.4.19.tar.bz2

Re:Kernel bloat ?

[Jeremiah+Cornelius]

I can put DOS 6.0 and Norton Commander in a 1.4MB floppy... that would be roughly equivalent to your "kernel on a floppy", wouldn't it?

O.K. I'll feed the troll!

"Equivalent", if Norton Commander came with an
IP stack,
and a packet-filter system,
and a dhcp server,
and a secure, hardened nameserver,
and mutiuser capabilities with secure virtual terminals,
and 386 real-mode support,
and access to compressed ramdisks,
and a text editor with regex support..
etc....

Re:Kernel bloat ?

[GreyWolf3000]

What's the extra four, really?

Well, at 3k/sec, 4 mb = ~ 4000k, so 4000k/3k.s = 1333 sec, or roughly 20 minutes.

I did think that stripping alternate archs would save much more, however. Thanks for the bit.

Re:Kernel bloat ?

[rgmoore]

No. It's not bloated. Bloat is unnecessary size. The kernel isn't bloated because that size is necessary. The kernel has a huge number of features: it runs on a zillion different architectures, it can handle almost any hardware you throw at it, and it can handle almost any protocol and format that you might want your kernel to do. Those aren't things that are in there because some marketroid decided to put them in for buzzword compliance. They're things that are in there because actual users wanted them enough to write the code. You're not going to fit all of those available features into a small package, no matter how hard you try.

At the same time, the end product of a compiled kernel can be very compact because it doesn't have to include any features that the user doesn't want. The existence of code for dozens of architectures doesn't result in a bigger compiled kernel because those architectures aren't compiled in. Neither are drivers for hardware not present on your system, or protocols that you're not going to use. The net result is a kernel that's capable of doing whatever you want it to do without carrying the weight of the things that you don't want to do.

Re:Kernel bloat ?

[Lumpy]

sure if your floppy can use USB devices, have a TCP/IP stack and can funtion as a complete firewall/ NAT/ router. How about FTP, SSH, a text editor? How about a Web server? a FTP server?

I can do all of that in one floppy disk(ALL AT ONCE!)... check out one of the hundreds of linux on a floppy distros or the linux router project....

Re:Kernel bloat ?

[rgmoore]

How much you save probably depends a lot on how you go about stripping out the code. I assume that there are also drivers for hardware that isn't available on x86 machines, so if you stripped out those you'd save some more space. There have to be some drivers specific to IBM mainframes, for instance, that are irrelevant to people using commodity hardware.

What would be really nice would be a system that would let you download a minimal configuration system, run you through the configuration, and then only download the files you need to compile the things you specified. If you run SCSI only, it wouldn't download the IDE drivers. If you run an x86, it wouldn't download the files specific to other processors. If you don't want to talk to Macs, it wouldn't download the HFS+ filesystem or appletalk drivers. I realize that adding a build system like that wouldn't be practical for the kernel developers, but it's nice to dream.

Re:Kernel bloat ?

[Dahan]

and all of these (not 100% sure about NetBSD) has IPSEC in the kernel.

NetBSD has KAME IPsec in the kernel source tree, but the GENERIC kernels have the option commented out (I don't know why):

% grep IPSEC /usr/src/sys/arch/i386/conf/GENERIC
#options IPSEC # IP security
#options IPSEC_ESP # IP security (encryption part; define w/IPSEC)
#options IPSEC_DEBUG # debug for IP security

I've got a NetBSD machine at home running a VPN to the office LAN and it works great.

Re:Kernel bloat ?

[looxix]

The size of the source doesn't matter. But what's annoy me it's the fact that the size of my kernel binary grow faster than the source.

Re:Kernel bloat ?

[rplacd]

It's most likely because adding IPSEC adds your build time. Also, few people use it.

A problem with KAME IPSEC (and, I think, pretty much every non-free/swan IPSEC implementation) is that they don't do opportunistic encryption. You need pre-arranged certs or shared keys. If it did have something like that, I bet more people would use IPSEC by default.

(Annoying problem if people do start doing that: tcpdump becomes pretty much useless as a diagnostics tool.)

Re:Kernel bloat ?

[cjpez]

Yeah, I think the ratios make that 20 minutes pretty negligible. I mean, you're still spending over two hours. I believe that the reason why they've never bothered to split arches out of the kernel tree was specifically because so much of it was platform-independant. I think Linus has mentioned that somewhere, but I don't feel like searching for the reference right now. Maybe on Kernel Notes?

Re:Kernel bloat ?

[cjpez]

That would be somewhat nice, but I'd go a step further from "wouldn't be practical" and move into the "would be a complete nightmare" territory. :) Especially with header dependencies + the like to contend with. Plus you're still going to be downloading a sizeable chunk of tarball, and bzip2 isn't exactly processor-easy. It would be pretty nice to just be able to input a .config file and get your minimum kernel, though . ..

Re:Kernel bloat ?

[conway]

I used to work on the HP-UX kernel.
The kernel grew from Also, HP-UX is not very (read: at all) modular -- since HP sells all the hardware for the PA servers anyway, most of the driver development is in-house, and in-kernel.
The sources are in the area of 100MB (with a full build getting into the 3-400MB range when all the objects are built, etc.) And it takes a couple of hours to compile on a 4-CPU N-class. (Of course that also because all the files were sitting on NFS..)

Re:Kernel bloat ?

[jlcooke]

RH 8.0 looks like it's going to have cryptoAPI in its shipped kernel.

I am the horse and I have a mouth.

Re:Kernel bloat ?

Interesting! Two things strike me as funny. The first is that even though the hooks for dynamically loadable kernel modules are now in, they don't seem to be used. The second is, HP has only one architecture to compile for, and the kernel is still huge. Much of the source code in the "large" Linux kernel is there to support a wide range of architectures. Some people just don't know how good they've got it ;)

Re:Kernel bloat ?

[Dahan]

Well, the GENERIC kernels have pretty much every other option turned on, and are built by the NetBSD release team, so it's not gonna affect your build time unless you feel like recompiling the GENERIC kernel even though there's already a perfectly good one you can download :) And if you're building your own kernel, might as well go through the configuration and turn off the stuff you don't need.

What do you mean by "opportunistic encryption"? KAME's IPsec comes with the racoon daemon that speaks IKE and will negotiate the keys and change them every once in a while, so you don't need shared keys. I think you do still need at least a certificate though.

Re:bad idea..

[add1]

IPv6 has "builtin" IPSec

Re:Linux Moving to PHP

[mr_z_beeblebrox]

PHP is to immature. Basic has been around forever. So I offer the first line of code:
10 rem *** Basic Linux kernel Implementation ***
Forseeable problems are many but the biggest is:

A) Basic needs an interpreter
B) Interpreter needs an OS
C) OS written on Basic might be tricky

If I want IPSec stuff

[smnolde]

I'll stick with FreeBSD thanks. And then there's OpenBSD and NetBSD for fully implemented IPSec and IPv6.

FreeSWAN barely talks to anything but itself, yet I can get FreeBSD's IPSec to talk to Cisco routers and do other things. Other things that are well-documented too, and there are no physical tussles over the code and where it goes.

For FreeBSD, I add IPSEC, IPSEC_DEBUG, and IPSEC_ESP to the kernel, recompile and install the kernel, and I'm ready to go. Adding IPv6 support is equally simple.

Plus, most of the applications that I use (mail, irc, ssh, etc...) already use both tcp4 and tcp6 sockets.

You linux guys are still lagging (IMO) with IPSec.

Whatever.

Re:If I want IPSec stuff

[Teancom]

Well, seeing as this isn't FreeSWAN, maybe you want to restate your objections? I mean, complaining about FreeSWAN when talking about putting ipsec in the kernel, doesn't make much sense if it isn't FreeSWAN that they are using...

But on the other hand, who wants to read the article when you can, instead, spout off and look like an idiot?

Re:If I want IPSec stuff

[isa-kuruption]

I agree! The linux kernel is at least 2 years behind in any IPsec implementation compared to OpenBSD or even FreeBSD. What's going on here? Does that make sense? Usually it's the Linux folks that are ahead of the game, but not this time.

I guess the Linux folks wanted to make EXTRA SURE they didn't leave any BSD code in the kernel without a copyright before they added it to CVS.

Go ahead... troll me! I dare you!

Re:If I want IPSec stuff

This is complete FUD. Freeswan interoperates with almost all implementations.

See http://www.freeswan.org/freeswan_trees/freeswan-1. 97/doc/interop.html
and http://www.hsc.fr/ressources/ipsec/ipsec2001/#succ ess for details.

I have used both OpenBSD VPN and Freeswan many times. IMHO
OpenBSD completly sucks. Debugging is a pain in the neck.
Freeswan is both easier to configure and debug. Error messages
are informative. OpenBSD messages are not.

IMHO, you do not know what you are talking about. Maybe
you've never used FreeBSD also.

Re:If I want IPSec stuff

[velkro]

FreeS/WAN doesn't talk to anything but itself? Stop spreading bullshit around, unless you're a farmer.


Here is a massive document with 25-30 other products listed, with instructions, sample configs, and links to more information.

Re:If I want IPSec stuff

[noahm]

FreeSWAN barely talks to anything but itself, yet I can get FreeBSD's IPSec to talk to Cisco routers and do other things. Other things that are well-documented too, and there are no physical tussles over the code and where it goes.

I have had no trouble getting the KAME IPsec implementation (the one in {Net,Free}BSD) to talk to FreeS/WAN. Using either pre-shared keys or X509 certificates. In fact, I use exactly such a setup to keep my home network on a VPN with my colocated server. It works flawlessly.

Yes, I had to patch Linux to make it work, but the Debian FreeS/WAN packages make this really easy.

I've written some documentation describing how I got KAME to talk to FreeS/WAN. Most of the docs really relate to X509 certificate authentication, but there's some discussion of the various IKE parameters that need to be changed. Different implementations choose different defaults for things like key lifetime and stuff, and you need to know how to get them to agree in order to get them to communicate happily.

noah

What about...

[WhyDoubt]

countries with harsh import/export restrictions on crypto code? What will the impacts on
developers and users in those places be?

Re:What about...

[jlcooke]

This is our attempt at "helping" this. OSS isn't in the business of being the "thought police" (aka. intellectual property control)

Funny how country codes AF, IQ and KP don't have laws forbidding export/use of crypto.

I am the horse and I have a mouth.

Keeping stuff away from terrorists?

I would be interested in knowing if the distribution of this version of Linux will be controlled by the Open Source community so that our enemies cannot use it to plan and communicate terrorist strikes?

If not, can our government do something about it? I remember that during the cold war we successfully prevented our high grade crypto getting into the hands of the warsaw pact. Could we do the same thing now?

Re:Keeping stuff away from terrorists?

[DuBois]

No. Nobody can. Crypto can be used for good or ill, just like any self-defense tool. Keeping it out of the hands of "enemies" also keeps it out of the hands of people rebelling against our "enemies."

Freedom of speech also implies freedom of anonymous, or even encrypted speech, a concept that politicians have destroyed completely with "campaign reform."

Re:Keeping stuff away from terrorists?

they would get all the encryption they need from the ir terrorist loving european pals.

i've never quite understood why these people insist on supporting terrorists like arafat and, now, saddam by opposing any firm action against them.

Re:Keeping stuff away from terrorists?

[Afty0r]

Freedom of speech also implies freedom of anonymous [speech]

It does? I thought it implied being responsible for your speech. If you *have* true freedom of speech there is no requirement for anonymous speech.

Re:Keeping stuff away from terrorists?

[DuBois]

If we managed to contain the warsaw pact...

What evidence is there that crypto restrictions helped bring down the Warsaw pact? I've heard of none. The Warsaw pact folks "fell" because they had a rotten economic system that treated their people like dirt. People in the Warsaw pact (take, for example, the East Germans) only had to look across a border at their like-culture, like-language brethren, and know with a certainty that the only reason they were in deep doo-doo was their tyrannical economic system.

Western crypto restrictions had nothing to do with breaching the Berlin Wall, for example.

Re:Keeping stuff away from terrorists?

[DuBois]

If you *have* true freedom of speech there is no requirement for anonymous speech.

Oh yeah? What if you're a member of the NAACP in the 1950's and you want to raise money for your cause. The state of Mississippi is asking for your donor list because you're a political lobbying organization. (actual historical situation, BTW) Which trumps here? Anonymous speech?

Re:Keeping stuff away from terrorists?

[bankman]

From the Open Source Definition:

6. No Discrimination Against Fields of Endeavor

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

And this from the Free Software Definition:

The freedom to run the program, for any purpose (freedom 0).

So, the community can not (does not) restrict terrorists from using any GPL'd (or compatibly licensed) software. And by the way, one man's terrorist is another man's freedom fighter. As it stands the community does not want to engage in moral discussions about who uses its software and for what purpose.

I have no idea what the government can do about it, but how could it prohibit the use of something that is widely available? That's the reason why it would be completely useless to restrict the distribution of strong crypto to NATO countries only for example. In order for a crypto algorithm to be deemed secure by the security community, it has to be published and proven secure through years of peer review. Even if access to programs incorporating this crypto stuff could be restricted, anyone with access to academic publications (and decent programming skills) could write software based on the published algorithms.

Re:Keeping stuff away from terrorists?

[sheridan3003]

I think overall the crypto cat is out of the bag now.

Re:Keeping stuff away from terrorists?

I'd prefer to keep M16's, stinger missiles and C4 (all good American products, no less) away from terrorists. Get US governments and weapons manufactureres to do that, and we'll talk about the OS community.

Looking for FreeSWAN? Try freeswan.ca

[caluml]

I only found this out recently, but the freeswan.org site lags behind the actual development of freeswan quite a lot. A nice friendly guy runs freeswan.ca, and keeps it chockablock with all the latest patches and stuff.

I've mirrored the downloads as they're so useful.

Re:Looking for FreeSWAN? Try freeswan.ca

[velkro]

You bastard... you've /.'d my server! =)

Oh well, so much for hiding in anonymity.

ken@freeswan.ca

Re:Looking for FreeSWAN? Try freeswan.ca

[caluml]

Sorry Ken - I didn't make a hyperlink so I thought that might stop happy-clickers ;)

You can't hide the good work you do :)

Re:Looking for FreeSWAN? Try freeswan.ca

[velkro]

No worries - everyone seems too lazy to cut & paste, so my webstats aren't going crazy. Whew :)

Thanks...

ken@freeswan.ca

Re:Looking for FreeSWAN? Try freeswan.ca

[Lothsahn]

No worries - everyone seems too lazy to cut & paste, so my webstats aren't going crazy. Whew :)

Must...resist...urge...to..cut..and..paste...

Re:Looking for FreeSWAN? Try freeswan.ca

/me is in awe at UID...

Re:Looking for FreeSWAN? Try freeswan.ca

[velkro]

Thanks for reminding me of my age... I was one of the 1st to get an account here back when this all began those many years ago...

IPSec lets us get Win2k from the flank

[GreatDave]

In my experience, Windows 2000's support for IPSec is one reason why it has snared a foothold in many businesses. Having IPSec in mainstream Linux distributions would let us cut Bill off at the pass.

I hope we're not far from seeing adoption of Linux in places like the financial services industry. If the distributors can make IPSec painless to configure, Linux will make inroads in such industries very quickly.

Re:IPSec lets us get Win2k from the flank

[LWolenczak]

In all honesty, Win2k's IPSec impmentation sucks. It dosen't seem to be able to keep track of time... and it forgets esp tunnels like crazy. Linux is already being used quite a bit for the hidden thins in business. The firewalls.. The proxy servers, the VPN Routers. Linux makes a very good box to sit in the corner w/o a monitor, and run a few hundred ipsec tunnels with lets say OSPF on top of it all.

Many of the non-us distribuions ship with ipsec, but the big problem is creating some very easy way that can allow elmer fud to create a host to host or a subnet to host or a subnet to subnet ipsec tunnel in under 10 minutes. Preferably 2 minutes.

What is going to start shifting many businesses to linux is seeing applications such as AutoCAD run on linux. Seeing APIs for controling PLCs on factory floors. If we are able to woo the design and engineering firms to linux.... we will have a powerful foothold on the market.

Re:IPSec lets us get Win2k from the flank

[phorm]

Forget the "linux Vs windows" attitude for a moment, and lets just hope that the new linux kernel works nicely with the windows (bad or otherwise) implementation of IPSec for VPN, etc.

You'll probably snag a lot more users by showing cross-OS compatability as opposed to desktop replacement. As in most cases, it would likely be linux server, windows desktop, with VPN being a nice communication feature in both.I know that I would like my VPN's to work properly between OS's, without the half-baked configurations in FreeSwan.

Re:IPSec lets us get Win2k from the flank

Go back to business school with your quasi-military analogies:

"get Win2k from the flank"
"snared a foothold"
"cut Bill off at the pass"
"Linux will make inroads"

Re:IPSec lets us get Win2k from the flank

[imadork]

What is going to start shifting many businesses to linux is seeing applications such as AutoCAD run on linux. Seeing APIs for controling PLCs on factory floors. If we are able to woo the design and engineering firms to linux.... we will have a powerful foothold on the market.

Bingo. We've got a rather serious effort here to use linux servers for our Engineering software. It all started when one of our guys got a loaner box from IBM, and figured out that our apps ran on it twice as fast as they ran on one of our Sun processors, at a fifth of the cost. Vroom!

Too bad I still need a PC on my desk to I can read all the management edicts that come out embedded in Powerpoint slides!

Re:IPSec lets us get Win2k from the flank

[LWolenczak]

Hi, I eat coffee....

Have you tried openoffice?

Re:IPSec lets us get Win2k from the flank

[cpeterso]

I think the Linux kernel has a spotty reputation for working well with outhers. The Linux kernel developers (bless their souls) are more interested in doing the "Right Thing" than being compatible. I remember during Linux 2.3 development (I think), a Linux TCP/IP connection could crash SGI Irix boxes. David S. Miller refused to add a workaround to Linux because it was doing the "Right Thing". Then there was the time David S. Miller enabled ECN on kernel.org. ECN breaks many Cisco firewalls, so people behind broken firewalls could not access kernel.org mailing lists or download kernel patches.

Re:IPSec lets us get Win2k from the flank

[imroy]

I agree that interopability is important for Linux. But I don't think you give good examples. Those problems were limited to specific platforms. Is it the kernel developers' job to work around other developers' errors? Why should they muddy and complicate the linux kernel (or whatever else) to work around someone elses errors?

In both cases, I think David's stand on the issues caused the respective companies and developers to move faster to fix their problems with their products, and the people using them.

A little help, please...

[jaredcoleman]

So other than ease of installation, what advantages are there to building this in the kernel?

I'm sure I'm dense but I don't understand.

Re:A little help, please...

[jlcooke]

Crypto is used everywhere. /dev/random uses MD5 and SHA1, shadow-utils uses DES and MD5. The kernel uses MD5 for non-crypto reasons all over the place.

Aside: MD5 should not be used.

Basicly it was a design decision, get rid of repeated code. Linux is also being used for new applications. Servers with Encrypted File Systems, IPSec routers, etc etc. So this means Linux needs to evolve too. If the kernel only kept up with hardware changes, then Linux should be dead in 2 years.

I am the horse and I have a mouth.

stick to the Physics

[DrSkwid]

and leave the comedy to the experts

Re:stick to the Physics

[PhysicsScholar]

Coming from a guy with a signature that advocates breast feeding of babies with beer, that hurts ;-)

Mergint trends

[VitrosChemistryAnaly]

Oh man...

First ICQ and AIM merge.

Then Crypto and IPSec merge.

Next you're gonna tell me that cats and dogs have merged.

What's the world coming to?

Re:Mergint trends

[IcePic]

Next you're gonna tell me that cats and dogs have merged.

At least they rain together.

Re:Mergint trends

[foofboy]

Good ... we'll have a miracle hybrid with the loyalty of a cat and the cleanliness of a dog!

Re:Mergint trends

[anshil]

KDE and GNOME merge, finally a common desktop for all.

Redhat and SuSE merge, and bring yast to redhat.

BSD and LINUX will merge.

The vim and emacs teams join together and will bring out a new editor together in teamwork.

Linus agrees on using CVS.

The english world will make a big grammar reform, enabling a polyphonic script again.

Star Wars will meet Star Treck.

America decides to officaly use the metric system.

The brits drive on the right side of the road. ...

Re:Mergint trends

I presume you're fishing for this: CatDog

Re:Mergint trends

[gik]

...Me and your mom roll around naked together. ...Oh wait... that already happened. :)

Re:Mergint trends

[Yarn]

we already drive on the right side of the road: the left.

Re:Mergint trends

[styrotech]

Good ... we'll have a miracle hybrid with the loyalty of a cat and the cleanliness of a dog!


If that's what you want, you may as well have children.

Export Ramifications?

[nurb432]

Does this create any export ramifications since Linus ( and i assume the code he reviews/packages )is now located here in the states?

Just curious.. i know how hard of a time everyone else ( like BSD ) has with this garbage.

Information should never be restricted on the basis of governmental boundries. Phfft.

Great. . .

[mntgomery]

so we can't sell encryption to our enemies, but giving it to them is fine? ;)

Re:What SUCKS about Freeswan?

[rovingeyes]

Even though this is offtopic, I have to answer your comment. Every one has to understand that the developers of the open source community spend a lot of time and money developing a nice product just to give it away or rather share. At the same time they also spend equal amount of time in writing those manuals. But many of these late bloomers need answers quick and easy. Then what are those manulas for - for you not to ask same question twice. And it doesn't hurt to spend a couple of hours reading those when a person has spent months and even years on that.

If you need answers quick and easy, well that is why you have paid consultants. Go hire them. Till then SHUT UP & RTFM.

Banned in the USA

Imagine if some legislator somewhere decided that this new crypto API (though it's for legitimate reasons) is somehow to be classified as a munitions and thus is a crime to export to other countries. He circulates a letter which his trusting co-legislators sign blindly. A week after its passing Linus gets locked up for anti-American activities. Alan Cox gets shipped to Guantanamo. Somewhere in Redmond a bowl-cut, bespectacled man cackles gleefully.

Re:Banned in the USA

[Harik]

Alan's avoiding visting the USA due to the DMCA anyway. We'd have to extradite him.

But then again...

[Pooh22]

Exporting Stephen Hawking requires a lot more effort!

VPN w/Firewall

[gotvim]

Anyone know if this will support VPN's using IPSEC wjhere either peer may be behind 1 or more firewalls? Right now, this has become an issue for a project I'm working on, and we're havin all sorts of issues. Thanks

Re:VPN w/Firewall

[velkro]

FreeS/WAN + NAT-Traversal patch manages this fine, by encapsulating the packets in UDP.

Re:VPN w/Firewall

[gotvim]

Yeah, but from reading the docs on FreeS/WAN it appears that the only patch is for 2.2 kenrels not 2.4's? Is this correct? Also, It'd be nice if they put this patch or something similar in the 2.5 kernel along with the regular IPSEC support! thanks

Re:VPN w/Firewall

NAT-Traversal patch for FreeS/WAN is available at http://open-source.arkoon.net/

Re:VPN w/Firewall

[velkro]

No... http://open-source.arkoon.net - NAT-T patch for 1.98b. Works on kernel 2.4.*.

Oh my, it's so big...

So, by the time we hit 2.6 this will be a 100M download?

Mac OSX + IPSEC

[hfastedge]

i remember seeing that osx provided IPSEC since 10.1 or 10.2, so they beat linux.

Anyone know how the osx IPSEC compares to whats going into 2.5?

Re:bad idea..

[kasperd]

Yes. IIRC IPSec originated as a part of the IPv6 specification. Since then it has been backported to IPv4. This is a little unfortunate because that might actually slow down the transition from IPv4 to IPv6. Had IPv6 been a requirement to use IPSec, we might have seen IPv6 getting adopted a little faster.

Aggressive Mode is "Optional", not "Required".

[Jacco+de+Leeuw]

According to the FreeS/WAN documentation, Aggressive Mode is not required for an IPSEC implementation, as long as you support Main Mode. Fix those hardware boxes, I'd say. If they don't support Main Mode, are they still IPSEC compliant?

The only reason I can think of why you want this, is when you have a dynamic IP address and you want to use a Preshared key. Get a fixed IP or start using X.509 certs.

Aggressive Mode exposes some information, plus it might make DDoS easier to do.

Re:Aggressive Mode is "Optional", not "Required".

[shepd]

>The only reason I can think of why you want this, is when you have a dynamic IP address and you want to use a Preshared key.

So I see. Basically any home user using an ISP shouldn't expect to ever have any kind of crypto at all because it is slightly weak.

Next up: Master quits making front door locks. States that most homes have windows and therefore their locks are ineffective, so they will quit selling them altogether.

A lack of Agressive Mode (among other things) is the _only_ reason my previous ISP didn't support Linux. In fact, they wanted to support Linux, and eventually switched over to a non-encrypted system and released a Linux client for it.

So, who really wins in the end? Nobody. Ho hum.

Freeswan

[rosewood]

Ive been using Freeswan for the last few months (1.98b) + quite a few patches (found them at www.freeswan.ca ) to get the results I need. How does this factor in to this equation? Is this a stupid-simple implementation that will also need lots of patches to be able to do what I need it to do (ie x509 certs, NAT transversal, DHCP over VPN) ?

Re:Freeswan

[velkro]

Yes, you'll need patches to do all that sort of stuff just like you do now. In fact, now the patch maintainers will, if they are interested, have to port all the patches to this variant of IPSec, so don't expect that to happen soon, since this is still 2.5 work, and 2.6 probably won't be out until June of 2003.

ken@freeswan.ca

Three kinds of bloat

[DickBreath]

One man's bloat is another man's features.

Hypothetical: I can't believe OpenOffice is so bloated compared to EDLIN from MS-DOS!

Maybe it's "feature loaded" instead of bloated? While it is true that you can use OpenOffice to duplicate tasks that you might have done in EDLIN, it is capable of so much more.

There is another kind of bloat which is not caused by features. This kind of bloat does not appear to be present in Linux. The kind of bloat I'm talking about is caused by "optimization". I don't mean optimizing for fast code or small code, but optimizing for "release date". Hey Mr. Customer, would take that new spreadsheet upgrade six months sooner if it required 25% more computing resources to run? All consumers I know would answer Yes. So this is a type of optimization. Optimizing for development time instead of optimizing for computer resources. Given the current low and decreasing cost of computer resources, there is some balance of this that makes sense. Just as once upon a time the "bloat" and value of high level programming languages was hugely debated. Now everyone uses high level languages to optimize for development time. The fact that I could spend six extra months doing it smaller and faster in assembler doesn't matter. Well, today it's the same thing. I don't mean that bad code is written on purpose, just that development time is valued above comptuer resources and machine optimizations, profiling, etc. Again, Linux does not appear to "suffer" from this type of "optimization".

Another type of bloat is just from plain bad programming. It was not a purposeful decision to optimize development time, it was just the the program is badly written. Linux does not appear to suffer from this kind of bloat either.

Re:Linux Moving to PHP

Basic needs an interpreter

Oh, I see. That should be BASIC.
Beginners
All-purpose
Symbolic
Instruct ion
Code

Watching kernel dev out-of-band

[dcowart]

Linus has yet to post a message to linux-kernel since his return, but he continues to merge patches at a high rate.

What's cool about this is that people are watching kernel development without having to read the lkml or being on irc or whatever. People can now just watch the patches flow into the bk system. I think that's kind of cool. It's like a Kernel News Network.

where are binaries for other platforms ?

[frodo+from+middle+ea]

I run solaris at my office, and i need binaries damn it.

Re:where are binaries for other platforms ?

[Darren.Moffat]

Solaris 8 onwards already has IPsec integrated into the core kernel. Solaris 9 introduced IKE.

Crypto Export Regulations

[man_ls]

Wouldn't this run afoul of many of the U.S. Cryptography export regulations? U.S. DoD prohibits exporting of any product containing mathematically "strong" cryptography (usually, 128-bit) to a lot of places.

That, and the DMCA which prohibits reversing of any of the encryption that would be found in the new kernel, would create a risk for many of the users downloading the software if they were from anywhere outside the US (and, for US users downloading the software, because it couldn't be explained to them.)

I'm sure the U.S. government is going to have a lot of fun with this...

Re:Crypto Export Regulations

[MikeBabcock]

Distributing source is now legal, I believe (but IANAL!) partly because of the DJB lawsuit ...

fundamental right?

[budalite]

There are no such things as fundamental rights. nowhere, never. Have a nice day.:{)||

Re:fundamental right?

[XNormal]

There is also no such thing as reputation, money or birthdays.

If enough people believe that something is a fundamental right then it is. The poster was just trying to convince more people to believe in his version of fundamental rights which happens to include encryption. You are trying to convince more people to believe that they have no way to affect what our society considers to be fundamental rights and give up in despair.

Good luck to both of you.

Makes you feel sorry about those tattoos

[Wee]

The requirements have been relaxed recently

If only the people who got those Perl RSA tattoos could have known...

-B

we love crypto

[shren]

...it will hopefully lead to more secure communications for all Linux users in the future.

Or the banning of Linux in several countries. Whichever comes first, you know.

Re:we love crypto

[DuBois]

Or the banning of Linux in several countries.

Which would help the spread of Linux in those countries tremendously.

Just look at the Drug War in the formerly free United States. Make certain drugs (not ethanol or nicotine!) illegal, and suddenly the profit in spreading them around and getting people hooked on them is extremely high. The business case becomes very attractive, especially for poorly(read: government)-educated young people in the socialist-destroyed American inner cities.

The same will happen when Linux is illegal. You'll have vendors on every street corner selling "banned" CDs. Best thing that ever could happen to Linux. Maybe, if the encryption is good enough, Linux would be banned even in the formerly free United States. Running Linux could become an act of civil disobedience.

Perhaps, with 64 bits (*Hammer, PPC 670, Yamhill) on the desktop, 1024 or 2048 bit encryption will become easy to do quickly.

Ah, now *there* would be a reason to upgrade.

Remember when the G4 first came out, with Altivec doing gigaflops, and Macs were considered munitions, not shippable to some countries?

Re:we love crypto

[shren]

I'm not sure... I think there's a flaw in your argument somewhere. I think the profit made by linux vendors would improve from the artifical scarcity of a black market. I think that people would think of guys in outfits out of the Matrix when they thought of Linux users, instead of fat guys with beards. I think Linux would become more widely known.

But, would banning Linux actually cause more users? Somehow I doubt it. If we find a jurisdiction where suicide isn't illegal and make it so, then we're not going to see a doubling of suicide rates or anything like that. (Note to self. Is there a jurisdiction where suicide is legal? This would be... interesting... to test.) The goal of legislation is to repress the growth in usage of something the government doesn't want you to use. The legislation didn't cause the growth - it just failed to stop it. The growth is already there, as the law generally does not legislate truly fringe elements. (For instance, there are plenty of drugs that you can get by mail order now that are at least as 'druggy' as marajuana and lsd, but they arn't illegal because of the exceptional minority of users.)

Re:we love crypto

[DuBois]

If we find a jurisdiction where suicide isn't illegal and make it so, then we're not going to see a doubling of suicide rates or anything like that. (Note to self. Is there a jurisdiction where suicide is legal? This would be... interesting... to test.)

Rumor has it that Oregon has made some kinds of suicide legal. I don't know what that has done to Oregon's suicide rate, but I'm sure it's a checkable statistic (that I'm too lazy to Google up). I suspect your choice of suicide as a comparison to marijuana, heroin, ethanol, or nicotine is likewise flawed. Suicide is not normally seen (or felt) as desireable, even by the infinitesimally small minority who actually commit suicide. On the other hand, most heroin, ethanol, nicotine, or marijuana users see those drugs as highly desireable.

The goal of legislation is to repress the growth in usage of something the government doesn't want you to use. The legislation didn't cause the growth - it just failed to stop it.

The problem with "goals" in legislation is that they are almost always unattainable. In the case of drugs (or crypto'd Linux), the goal is to reduce the usage of something the government doesn't like, but the result is the growth of that usage far beyond what it would have been had the government kept its busybody fingers to itself and let the people make their own choices and take personal responsibility for those choices.

Banning crypto is like banning crack. Or worse. It's a lot easier to get crypto that works well (gpg, pgp, openssl, openssh) anywhere in the world with a phone connection, than it is to get crack, and crytpo costs a lot less. Banning crypto just makes it more obvious that governments are populated by a bunch of clueless idiots who have no idea what they're doing and no understanding of the consequences thereof.

Re:we love crypto

[shren]

Rumor has it that Oregon has made some kinds of suicide legal. I don't know what that has done to Oregon's suicide rate, but I'm sure it's a checkable statistic (that I'm too lazy to Google up).

Irrelevant, come to think of it. People heading there to off themselves would throw off the statistics.

I suspect your choice of suicide as a comparison to marijuana, heroin, ethanol, or nicotine is likewise flawed. Suicide is not normally seen (or felt) as desireable, even by the infinitesimally small minority who actually commit suicide. On the other hand, most heroin, ethanol, nicotine, or marijuana users see those drugs as highly desireable.

That's essentially the core of my original point. Drugs zap the pleasure center of your brain, directly or indirectly, and thus usage rises regardless of laws. Suicide doesn't zap the pleasure center. Neither does Linux. You state, without evidence, that linux becoming illegal will increase it's use. I invite you to prove this statement instead of just saying it in many different ways.

The problem with "goals" in legislation is that they are almost always unattainable. In the case of drugs (or crypto'd Linux), the goal is to reduce the usage of something the government doesn't like, but the result is the growth of that usage far beyond what it would have been had the government kept its busybody fingers to itself and let the people make their own choices and take personal responsibility for those choices.

I'm worried that you're just repeating retoric, which makes me feel like I'm talking /dev/null.

Demonstrating that making something illegal causes growth is far from trivial. Lots of factors affect growth. It doesn't help that drug use for any given drug is largely untracked. But if we take cocaine as an example, usage per capita has plummeted since it became illegal - because cocaine used to be used in medicines and beverages sold over the counter, so you could become a user by buying the wrong soda. It's my guess that drug use depends a lot more on other factors than legality.

Banning crypto is like banning crack. Or worse. It's a lot easier to get crypto that works well (gpg, pgp, openssl, openssh) anywhere in the world with a phone connection, than it is to get crack, and crytpo costs a lot less. Banning crypto just makes it more obvious that governments are populated by a bunch of clueless idiots who have no idea what they're doing and no understanding of the consequences thereof.

That's great copy but it's pretty much irrelevant to what we're talking about.

bloat

[budalite]

My un-favorite types of Bloat:
- In Apps, Games, whatever, it would be a lot nicer to be able to add features, rather than have the whole bloated thing copied/downloaded/installed onto your drive. (Cygwin has a nice setup.exe program that actually lets the user *pick* what he wants *before* the download. Very nice.)
- Programs that say "Standby while we figure out what system you are running" and then copy every bloated driver for every type system, and its various peripherals, that ever existed onto your hard drive, anyway. Maybe this is not a problem anymore with the huge disks that exists these days, but it does signify sloppy development work that is usually mirrored in the app. :{)||

Re:What SUCKS about Freeswan?

[The+Bungi]

SHUT UP & RTFM

You are so 1337! I bet supermodels line up to have your babies!

More Pervasive Insecurities?

[brandido]

I am not very knowledgeable about security issues, but I am curious if the inclusion of security modules in the kernel will provide for a single point of failure. In other words, as more programs become dependent on the kernel module for security, if an exploit becomes available, will all these dependent programs become exploitable?

I ask this specifically because of the problem the IE ran into, where it depended on security APIs from Windows, the Windows API had an exploitable bug, and ta-da, IE had an exploitable bug.

Re:More Pervasive Insecurities?

[oh]

I am not very knowledgeable about security issues, but I am curious if the inclusion of security modules in the kernel will provide for a single point of failure. In other words, as more programs become dependent on the kernel module for security, if an exploit becomes available, will all these dependent programs become exploitable?

The single point of failure argument is interesting.

With a Single point of failure, if there is a bug everything is broken.

With multiple points of failure, if there is a bug in one, the rest are unaffected. Of course, you still get hacked (unless you have defence in depth).

In the simple case, I'd prefer a single point, which is easier to manage, then to worry about the security of ssh + kerberos + SSL + IPSec + GPG + anything else that uses crypto.

Another point is that this is only a crypto API, not security itself. An application still has to use it correctly, and most security related issues are things like buffer overflows, which are not directly related to crypto implementations.

Finally, most of the crypto apps I use (OpenSSH, Apache, GPG) work accross multiple platforms. If Linux is the one of the few that supplies a crypto API, they will still have to develop and ship their own impelmentations. If they have to write and ship their own implementation anyway, why bother to use the Linux API at all?

Re:More Pervasive Insecurities?

[MikeBabcock]

With single point of failure in open source software, you also have single point of bugfix.

Think of all the statically linked programs that used zlib and had to be recompiled against 1.4 when the patches were released ... that's multiple points of failure even with one piece of base code.

With a dynamically linked program, you update your libraries and voìla, your security problem is gone.

If everything _does_ use the CryptoAPI, all we'll have to watch is the one copy of it, not every little program that links against its own API (although openssl is almost at that position now anyway).

You have no idea how many programs I've reconfigured to use openssl dynamically linked so I can do updates faster (requires compatibility between subversions of course, which some authors aren't very good at ...)

Linus?

[Call+Me+Black+Cloud]

It couldn't be Linus Van Pelt...hmmm..who else might it be?

Oh yeah, that Linus. What, he's like Prince and Madonna now, only needs one name?

Re:Linus?

Linus is only Linus.

pretty soon we're just going to start calling him "big L".

Re:Linus?

[Call+Me+Black+Cloud]

Call him "Rumpole of the Kernel"...he who must be obeyed...

Re:Linus?

[sprprsnmn]

I more envision Linus as a penguin in a blue and red spandex suit with a large L on the chest.

Of course, that is just me.

Who cares - use ringstrom ipsec.

It should satisfy most users wanting a static secure VPN, and it is not nearly as bloated as frees/wan. http://ringstrom.mine.nu

Why not Twofish and Blowfish??

Why da heck are not those two included?

Re:Why not Twofish and Blowfish??

[Shamanin]

I think Dr. Seuss has a copyright on these (or some like work).

New java keyword: Importationize

[douglips]

The verb form of Exportation is of course Exportationize. This leads to the new java construct:

importationize javax.swing.*;

Re:IN SOVIET RUSSIA,

:-)

Thanks for the laugh, Yakoff.

Shrubbery bashing.

I agree. Bush bashing is Bush league. Shrubbery for President; it isn't capable of understanding the issues, either. See the new movie, Bowling for Columbine. Many people think there is no need to try to understand when you live in a country that can bomb people.

Re:Linux Moving to PHP

[kobaz]

It appeared that the OS for most apple2 applications was BASIC. There was the CP/M side as well, but I think at least 99% of my apple2 games, when you boot off the disk the OS is BASIC.

Re:Will this new kernel pass CC standards?

Linux is not a trademark, it's copyrighted by Linus Torvalds.

All this means is that you can't make a frying pan and sell it as "Linux"

Re:Will this new kernel pass CC standards?

Haha why is it that every time your article says Linux it has the TM there? Linux isn't a trademark. Windows and Microsoft also should be annotated in your article as copyright material, just like Linux is.

Re:Will this new kernel pass CC standards?

[Alphix]

But Linux *is* a trademark, see linuxmark.org for details...

Linux is dying.

Who gives a fat fuck? Linux is dying.

Re:Will this new kernel pass CC standards?

Thats because nobody gives a rats ass. Anything that certifies the security of Windows is obviously a joke.

There's more to cryptoAPI then IPsec/VPN

[jlcooke]

The cryptoAPI is the real kicker here folks.

Once cryptoAPI is in the kernel, /dev/random will no longer us its own crypto librtaries (SHA-1). IPSec will not use its own crypto (well, freeswan will because they feel there's value there).

CryptoAPI will also permit people to have encrypted filesystems, swap partitions, even BOOT partitions.

Present applications include: eliminate duplicated code, harmonize/facilitate crypto in the kernel, encrypted file systems, swap paritions, cdroms, etc., "turnkey" ipsec

Later applications include: load-time code-signing (that is all binaries and .so's can have their digital signature verified before execution), and other majic stuff.

JLC

N ways around export regulations

[billstewart]

There are lots of ways to work around the US export regulations (and the export regulations of other countries that the US bullied into supporting us by protecting the world from Communist access to cryptography.):

• Sue the Feds to make them change (Gilmore, Bernstein, EFF, others have done this.)
  
• Lobby the government (mainly Congress) to get the laws changed.
  
• Ridicule the government loudly about their policies - T-Shirts, RSA Tattoos, etc. had a big impact.
  
• Ignore the regulations and export your products quietly.
  
• Ignore the regulations and export your products AS LOUDLY AS POSSIBLE. (Variation: do this anonymously.)
  
• Put your software on the net with a README warning that only Americans are allowed to download it. Lots of people did this. Some people added scary-copyright-lawyer words. Nobody actually usd the copyright lawyers to sue foreigners who downloaded it, though.
  
• Put your software on the net with some trivial verification that requires anyone who downloads it to make some pretense of being in the US. (MIT did this.)
  
• Find loopholes such as printing your source code on dead trees and exporting it to libraries and to people who OCR it and put it on the web, like PGP did with several versions.
  
• Export products that obey the limits, but are easily fixed. Netscape's 40-bit versions could be restored to 128-bit capability using the UK-distributed "fortify.net" patching program. Some of the versions could be fixed with a 1-line Javascruft patch that you could include in a signature line.
  
• Convince the NSA to try to foist some blazingly offensive and stupid product on the US, like Clipper, and get 50000 people to sign petitions beating them up about how blazingly offensive and stupid their proposals were. (No, I don't think Dorothy Denning had pro-crypto-export ulterior motives....)
  
• Develop your software outside the US, with Open Source or public-domain licensing, and put it on the net so anybody in the world can download it. John Gilmore's FreeS/WAN project has always worked this way, but for a number of years before that, there was free DES software available from an ftp software at a university in Finland.
  
• Develop commercial software outside the US and sell it everywhere in the world. Loudly taunt the Happy Fun Ball\\\\Feds about how their crypto export ban is helping create jobs in Australia, Finland, Netherlands, Switzerland, and Russia. Lots of people did this.
  

FreeSWAN helped make everybody compatible

[billstewart]

FreeS/WAN has been a major player in the IPSEC interoperability field since their first quasi-releases, back when almost nobody talked to much of anybody else. Because they weren't a commercial product, and because they were trying hard to get as much compatibility as possible, they served as a useful neutral reference point for other vendors and developers to talk to.

The two big interoperability problems for FreeS/WAN have been explicit non-support for Aggressive Mode (they don't support it, mainly because there are security problems that affect the general user that don't affect most commercial applications), and lack of support for various proprietary authentication systems (not that I've been thrilled with their Opportunistic Encryption work, since the versions I've seen assume levels of control over reverse DNS space that most people don't have.)

Their concerns for user-friendliness have been legendary ("First recompile your Linux kernel cleanly, then you can start to install the IPSEC stuff...." :-) It's not the same goals as other parts of the IPSEC vendor community ("First find the end of the brown wire with the two little prong-thingies and plug it into the electric socket in the wall. See Figure 37 if this is difficult for you.") Not surprising, because while they really do want everybody in the world to be able to communicate securely, they also had a lot of research to do on how to make things work well, and the world around them that they've had to support has been changing rapidly while they were working - it's been a lot like changing the tires on a moving truck, while your users are rebuilding the truck and other people are rebuilding the road or inventing chemistry for vulcanizing rubber. If it's not always obvious why their work has been so critically important and valuable, well, it has been anyway.