Crypto and IPSec Merged into 2.5

Corbet writes "Linus has just merged the new crypto API and IPSec implementation into his 2.5 BitKeeper tree. This is the first time that serious cryptographic code has made an appearance in the mainline kernel, and it will hopefully lead to more secure communications for all Linux users in the future."

Re:Kernel bloat ?

[Alioth]

With kernel modules you don't need to have the stuff loaded *in* the kernel all the time. All the distros I've used recently only have the stuff essential to run in the kernel image in /boot - the rest is all modules.

IPSec lets us get Win2k from the flank

[GreatDave]

In my experience, Windows 2000's support for IPSec is one reason why it has snared a foothold in many businesses. Having IPSec in mainstream Linux distributions would let us cut Bill off at the pass.

I hope we're not far from seeing adoption of Linux in places like the financial services industry. If the distributors can make IPSec painless to configure, Linux will make inroads in such industries very quickly.

Re:IPSec lets us get Win2k from the flank

[phorm]

Forget the "linux Vs windows" attitude for a moment, and lets just hope that the new linux kernel works nicely with the windows (bad or otherwise) implementation of IPSec for VPN, etc.

You'll probably snag a lot more users by showing cross-OS compatability as opposed to desktop replacement. As in most cases, it would likely be linux server, windows desktop, with VPN being a nice communication feature in both.I know that I would like my VPN's to work properly between OS's, without the half-baked configurations in FreeSwan.

Re:Keeping stuff away from terrorists?

[DuBois]

No. Nobody can. Crypto can be used for good or ill, just like any self-defense tool. Keeping it out of the hands of "enemies" also keeps it out of the hands of people rebelling against our "enemies."

Freedom of speech also implies freedom of anonymous, or even encrypted speech, a concept that politicians have destroyed completely with "campaign reform."

Re:If I want IPSec stuff

[Teancom]

Well, seeing as this isn't FreeSWAN, maybe you want to restate your objections? I mean, complaining about FreeSWAN when talking about putting ipsec in the kernel, doesn't make much sense if it isn't FreeSWAN that they are using...

But on the other hand, who wants to read the article when you can, instead, spout off and look like an idiot?

Re:Too bad it's not Freeswan

[The+Pim]

While I appreciate all the work that freeswan has done for us, I am much more confident for the long term in work done by the core Linux networking hackers. The freeswan guys seem much more concerned with making it work (in typical situations) than making it right, with the result that the implementation is horribly klugy.

Two examples are the need for a "nexthop" parameter, when the kernel already has this information in its routing tables; and the need to turn off route filtering. Both make it clear that freeswan is not properly integrated (and if you look at the freeswan docs, you'll see that this general problem been on the "to fix" list for a long time).

Re:Excellent - no more FreeSWAN patches

[velkro]

Why no fork yet?

Because it's a large project, it's really complex, and it's a bitch to keep up with things.

I should know - I'm the author of Super FreeS/WAN, a pseudo fork with includes alot of patches (NAT-T, X.509 Certs, AES/Blowfish/etc... ) @ http://www.freeswan.ca/code/super-freeswan

It takes a few hours a day to stay on top of things. One the major ones is user support. IPSec is not easy to configure currently, especially once you introduce X.509 certs & MS Windows clients using any number of clients. So there's hundred of questions about configs, how tos, etc...

If you want to fork it, please, go ahead. Just remember that a fork isn't just the code - you take users with you.

Three kinds of bloat

[DickBreath]

One man's bloat is another man's features.

Hypothetical: I can't believe OpenOffice is so bloated compared to EDLIN from MS-DOS!

Maybe it's "feature loaded" instead of bloated? While it is true that you can use OpenOffice to duplicate tasks that you might have done in EDLIN, it is capable of so much more.

There is another kind of bloat which is not caused by features. This kind of bloat does not appear to be present in Linux. The kind of bloat I'm talking about is caused by "optimization". I don't mean optimizing for fast code or small code, but optimizing for "release date". Hey Mr. Customer, would take that new spreadsheet upgrade six months sooner if it required 25% more computing resources to run? All consumers I know would answer Yes. So this is a type of optimization. Optimizing for development time instead of optimizing for computer resources. Given the current low and decreasing cost of computer resources, there is some balance of this that makes sense. Just as once upon a time the "bloat" and value of high level programming languages was hugely debated. Now everyone uses high level languages to optimize for development time. The fact that I could spend six extra months doing it smaller and faster in assembler doesn't matter. Well, today it's the same thing. I don't mean that bad code is written on purpose, just that development time is valued above comptuer resources and machine optimizations, profiling, etc. Again, Linux does not appear to "suffer" from this type of "optimization".

Another type of bloat is just from plain bad programming. It was not a purposeful decision to optimize development time, it was just the the program is badly written. Linux does not appear to suffer from this kind of bloat either.