Slashdot Mirror


Crypto and IPSec Merged into 2.5

Corbet writes "Linus has just merged the new crypto API and IPSec implementation into his 2.5 BitKeeper tree. This is the first time that serious cryptographic code has made an appearance in the mainline kernel, and it will hopefully lead to more secure communications for all Linux users in the future."

5 of 229 comments

  1. exportation issues? by kochsr · · Score: 5, Interesting

    How does exportation work with this? I thought people weren't allowed to export code w/ serious type crypto in it.

    1. Re:exportation issues? by leto · · Score: 5, Interesting

      If you had followed the entire debate, you know that these "relaxations" are declarations (yes, those like a King makes), and can be withdrawn by Bush at any time, without any democratic process. That's why Gilmore and Daniel are taking the stance they are taking.

      Crypto is your fundamental right, not a fluffy allowance from your Emperor.

  2. Too bad it's not Freeswan by leto · · Score: 5, Interesting

    Too bad that full ipsec, such as provided by Freeswan is still not in the kernel. I find it a bit sad that Dave Miller and John Gilmore can't figure out a proper way to resolve their problem

    (John wants no US hands on the code, Dave wants no code he can't touch in the kernel)

    But at least the beginning is there, and if the USAGI ipsec gets in, it should learn to talk to the userland tools, such as Freeswan, because Freeswan has extra features that "stock ipsec" doesn't have, such as Opportunistic Encryption.

  3. Re:Kernel bloat ? by GreyWolf3000 · · Score: 5, Interesting

    This is great that these things are coming as standard in the kernel, but so many things are "standard" now it's getting pretty large for joe-schmo average user who will get a full kitchen sink kernel with their distro.

    This is also great for creating products like VPN gateways et al, but is it time to consider a different structure for kernel builds, with modules being separately managed with a smarter installation procedure?

    Due to kernel modules and the fact that you can "roll your own," the kernel can be as bloated as you want, the only downside is the size of the download. The current installation procedure works well enough for this, though the only feature it really lacks imho is querying dependencies satisfied by an entry.

    Really though, kernels can and will always fit on teeny floppies, providing they're trimmed down enough. Regarding your comment about the end user getting the kitchen sink, have you ever looked at how distros handle this?

    Most make a generic trimmed down kernel cross-compiled for the architecture and build all the modules. It may be the case that the distro copies hordes of modules, but that still isn't going to be as big a package as, say, glibc. If "joe-shmoe" doesn't have Bluetooth or SCSI hardware, the corresponding modules won't get loaded, and as a result the bloatedness of the /lib/modules// directory won't bleed into the performance of the actual running kernel.

    --
    Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.

  4. Re:IPSec lets us get Win2k from the flank by LWolenczak · · Score: 5, Interesting

    In all honesty, Win2k's IPSec implementation sucks. It doesn't seem to be able to keep track of time... and it forgets ESP tunnels like crazy. Linux is already being used quite a bit for the hidden things in business. The firewalls.. The proxy servers, the VPN Routers. Linux makes a very good box to sit in the corner w/o a monitor, and run a few hundred ipsec tunnels with, let's say, OSPF on top of it all.

    Many of the non-US distributions ship with ipsec, but the big problem is creating some very easy way that can allow Elmer Fudd to create a host to host or a subnet to host or a subnet to subnet ipsec tunnel in under 10 minutes. Preferably 2 minutes.

    What is going to start shifting many businesses to Linux is seeing applications such as AutoCAD run on Linux. Seeing APIs for controlling PLCs on factory floors. If we are able to woo the design and engineering firms to Linux.... we will have a powerful foothold on the market.