Slashdot Mirror

← Back to Stories (view on slashdot.org)

Crypto and IPSec Merged into 2.5

Posted by Hemos on from the gettin-it-on dept.

Corbet writes "Linus has just merged the new crypto API and IPSec implementation into his 2.5 BitKeeper tree. This is the first time that serious cryptographic code has made an appearance in the mainline kernel, and it will hopefully lead to more secure communications for all Linux users in the future."

21 of 229 comments (clear)

  1. exportation issues? by kochsr · · Score: 5, Interesting

    how does exportation work with this? i thought people weren't allowed to export code w/ serious type crypto in it.

    1. Re:exportation issues? by Angry+White+Guy · · Score: 5, Funny

      I think that this would be the same as not letting Stephen Hawking leave the country because he knows too much

      --
      You think that I'm crazy, you should see this guy!
    2. Re:exportation issues? by JKR · · Score: 5, Informative
      The requirements have been relaxed recently; see here for more details. In particular:

      Also in 740.13, to, in part, take into account the "open source" approach to software development, unrestricted encryption source code not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code can, without review, be released from "EI" controls and exported and reexported under License Exception TSU.

      Jon.

    3. Re:exportation issues? by leto · · Score: 5, Interesting

      If you had followed the entire debate, you know
      that these "relaxations" are declarations (yes,
      those like a King makes), and can be withdrawn by Bush at any time, without any democratic process.
      That's why Gilmore and Daniel are taking the stance they are taking.

      Crypto is your fundamental right, not a fluffy
      allowance from your Emperor.

    4. Re:exportation issues? by Skirwan · · Score: 5, Funny
      exportation
      Is anyone else subtly annoyed that 'exportation' is a word?

      It sounds like something completifically inventorated, but sure enough the dictionary verificates its existification. I am extremifically annoyarated to be denyified this oppurtunitization to drop a Bush joke.

      --
      Damn the Emperor!
  2. Re:Excellent - no more FreeSWAN patches by LWolenczak · · Score: 5, Informative

    somewhat, but from what I read bout a week and a half ago... the ipsec impmentation that they are putting in does not yet support ipv4 transport.... ie is useless unless you have hosts fully using ipv6 on both sides of the tunnel. Keep in mind, its not frees/wan, its from the linux ipv6 project.

    With the atitude that the frees/wan project maintains, we will never see freeswan merged with mainstream kernel... hell... they still refuse to take patches from us citiziens and residents (that includes linus)

  3. Too bad it's not Freeswan by leto · · Score: 5, Interesting

    Too bad that full ipsec, such as provided by
    Freeswan is still not in the kernel. I find it a
    bit sad that Dave Miller and John Gilmore can't
    figure out a proper way to resolve their problem

    (John wants no US hands on the code, Dave wants
    no code he can't touch in the kernel)

    But at least the beginning is there, and if the
    USAGI ipsec gets in, it should learn to talk to the userland tools, such as Freeswan, because Freeswan has extra features that "stock ipsec" doesn't have, such as Opportunistic Encryption.

    1. Re:Too bad it's not Freeswan by The+Pim · · Score: 5, Insightful
      While I appreciate all the work that freeswan has done for us, I am much more confident for the long term in work done by the core Linux networking hackers. The freeswan guys seem much more concerned with making it work (in typical situations) than making it right, with the result that the implementation is horribly klugy.

      Two examples are the need for a "nexthop" parameter, when the kernel already has this information in its routing tables; and the need to turn off route filtering. Both make it clear that freeswan is not properly integrated (and if you look at the freeswan docs, you'll see that this general problem been on the "to fix" list for a long time).

      --

      The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
  4. Re:Kernel bloat ? by Alioth · · Score: 5, Insightful

    With kernel modules you don't need to have the stuff loaded *in* the kernel all the time. All the distros I've used recently only have the stuff essential to run in the kernel image in /boot - the rest is all modules.

    --
    Oolite: Elite-like game. For Mac, Linux and Windows
  5. Looking for FreeSWAN? Try freeswan.ca by caluml · · Score: 5, Informative

    I only found this out recently, but the freeswan.org site lags behind the actual development of freeswan quite a lot. A nice friendly guy runs freeswan.ca, and keeps it chockablock with all the latest patches and stuff.

    I've mirrored the downloads as they're so useful.

    --
    Get your own free personal location tracker
    1. Re:Looking for FreeSWAN? Try freeswan.ca by velkro · · Score: 5, Funny

      You bastard... you've /.'d my server! =)

      Oh well, so much for hiding in anonymity.

      ken@freeswan.ca

  6. Re:Kernel bloat ? by GreyWolf3000 · · Score: 5, Interesting

    This is great that these things are comming as standard in the kernel, but so many things are "standard" now its getting pretty large for joe-schmo average user who will get a full kitchen sink kernel with their distro.

    This is also great for creating products like VPN gateways et al, but is it time to consider a different structure for kernel builds, with modules being seperately managed with a smarter installation procedure.

    Due to kernel modules and the fact that you can "roll your own," the kernel can be as bloated as you want, the only downside is the size of the download. The current installation procedure works well enough for this, though the only feature it really lacks imho is querying dependencies satisfied by an entry.

    Really though, kernels can and will always fit on teeny floppies, providing they're trimmed down enough. Regarding your comment about the end user getting the kitchen sink, have you ever looked at how distros handle this?

    Most make a generic trimmed down kernel cross-compiled for the architecture and build all the modules. It may be the case that the distro copies hoards of modules, but that still isn't going to be as big a package as, say, glibc. If "joe-shmoe" doesn't have Bluetooth or scsi hardware, the corresponding modules won't get loaded, and as a result the bloatedness of the /lib/modules// directory won't bleed into the performance of the actual running kernel.

    --
    Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
  7. IPSec lets us get Win2k from the flank by GreatDave · · Score: 5, Insightful

    In my experience, Windows 2000's support for IPSec is one reason why it has snared a foothold in many businesses. Having IPSec in mainstream Linux distributions would let us cut Bill off at the pass.

    I hope we're not far from seeing adoption of Linux in places like the financial services industry. If the distributors can make IPSec painless to configure, Linux will make inroads in such industries very quickly.

    --
    "I am root. Bow before me." To this I say, "You are root, and you bear the sins of the world upon your shoulders."
    1. Re:IPSec lets us get Win2k from the flank by LWolenczak · · Score: 5, Interesting

      In all honesty, Win2k's IPSec impmentation sucks. It dosen't seem to be able to keep track of time... and it forgets esp tunnels like crazy. Linux is already being used quite a bit for the hidden thins in business. The firewalls.. The proxy servers, the VPN Routers. Linux makes a very good box to sit in the corner w/o a monitor, and run a few hundred ipsec tunnels with lets say OSPF on top of it all.

      Many of the non-us distribuions ship with ipsec, but the big problem is creating some very easy way that can allow elmer fud to create a host to host or a subnet to host or a subnet to subnet ipsec tunnel in under 10 minutes. Preferably 2 minutes.

      What is going to start shifting many businesses to linux is seeing applications such as AutoCAD run on linux. Seeing APIs for controling PLCs on factory floors. If we are able to woo the design and engineering firms to linux.... we will have a powerful foothold on the market.

    2. Re:IPSec lets us get Win2k from the flank by phorm · · Score: 5, Insightful

      Forget the "linux Vs windows" attitude for a moment, and lets just hope that the new linux kernel works nicely with the windows (bad or otherwise) implementation of IPSec for VPN, etc.

      You'll probably snag a lot more users by showing cross-OS compatability as opposed to desktop replacement. As in most cases, it would likely be linux server, windows desktop, with VPN being a nice communication feature in both.I know that I would like my VPN's to work properly between OS's, without the half-baked configurations in FreeSwan.

  8. Re:Kernel bloat ? by LordHunter317 · · Score: 5, Informative

    No, the whole kernel is about 32MB source. Binary is far smaller.

    Don't compare a 43 MB binary download to a 32MB source download. That's apples to oranges.

  9. Re:Kernel bloat ? by GreyWolf3000 · · Score: 5, Informative
    If you roll your own, it is possible to get a working Linux system as small as you want, depending on the functionality. 5MB for a webserver--before compression!

    Sources themselves are huge compared to the bins they create especially considering source trees for projects like the kernel and X, which have support for many architectures. Much of the source code doesn't even get into the binary in the end.

    --
    Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
  10. Re:Keeping stuff away from terrorists? by DuBois · · Score: 5, Insightful
    No. Nobody can. Crypto can be used for good or ill, just like any self-defense tool. Keeping it out of the hands of "enemies" also keeps it out of the hands of people rebelling against our "enemies."

    Freedom of speech also implies freedom of anonymous, or even encrypted speech, a concept that politicians have destroyed completely with "campaign reform."

    --
    The IPCC has purposely engineered a massive scientific fraud.
  11. Re:If I want IPSec stuff by Teancom · · Score: 5, Insightful

    Well, seeing as this isn't FreeSWAN, maybe you want to restate your objections? I mean, complaining about FreeSWAN when talking about putting ipsec in the kernel, doesn't make much sense if it isn't FreeSWAN that they are using...

    But on the other hand, who wants to read the article when you can, instead, spout off and look like an idiot?

  12. Re:Excellent - no more FreeSWAN patches by velkro · · Score: 5, Insightful

    Why no fork yet?

    Because it's a large project, it's really complex, and it's a bitch to keep up with things.

    I should know - I'm the author of Super FreeS/WAN, a pseudo fork with includes alot of patches (NAT-T, X.509 Certs, AES/Blowfish/etc... ) @ http://www.freeswan.ca/code/super-freeswan

    It takes a few hours a day to stay on top of things. One the major ones is user support. IPSec is not easy to configure currently, especially once you introduce X.509 certs & MS Windows clients using any number of clients. So there's hundred of questions about configs, how tos, etc...

    If you want to fork it, please, go ahead. Just remember that a fork isn't just the code - you take users with you.

  13. Three kinds of bloat by DickBreath · · Score: 5, Insightful

    One man's bloat is another man's features.

    Hypothetical: I can't believe OpenOffice is so bloated compared to EDLIN from MS-DOS!

    Maybe it's "feature loaded" instead of bloated? While it is true that you can use OpenOffice to duplicate tasks that you might have done in EDLIN, it is capable of so much more.

    There is another kind of bloat which is not caused by features. This kind of bloat does not appear to be present in Linux. The kind of bloat I'm talking about is caused by "optimization". I don't mean optimizing for fast code or small code, but optimizing for "release date". Hey Mr. Customer, would take that new spreadsheet upgrade six months sooner if it required 25% more computing resources to run? All consumers I know would answer Yes. So this is a type of optimization. Optimizing for development time instead of optimizing for computer resources. Given the current low and decreasing cost of computer resources, there is some balance of this that makes sense. Just as once upon a time the "bloat" and value of high level programming languages was hugely debated. Now everyone uses high level languages to optimize for development time. The fact that I could spend six extra months doing it smaller and faster in assembler doesn't matter. Well, today it's the same thing. I don't mean that bad code is written on purpose, just that development time is valued above comptuer resources and machine optimizations, profiling, etc. Again, Linux does not appear to "suffer" from this type of "optimization".

    Another type of bloat is just from plain bad programming. It was not a purposeful decision to optimize development time, it was just the the program is badly written. Linux does not appear to suffer from this kind of bloat either.

    --

    I'll see your senator, and I'll raise you two judges.